Lessons of the Past: U.S. Federal Privacy and Security Legislation Should Improve the GDPR

The United States’ data privacy and security laws are a patchwork of varying industry and state requirements.[1] These differing regulations are burdensome for companies to follow and do not adequately protect U.S. citizens.[2] This discrepancy has led many to advocate for federal privacy legislation in the U.S. similar to the General Data Protection Regulation[3] (“GDPR”).[4] Doing so could give consumers a clear understanding of their rights, help businesses grasp their specific obligations for achieving compliance, and provide a sufficient method to hold violators accountable.[5] While implementing a comprehensive federal regulation like the GDPR may resolve some of the U.S.’s regulatory woes in this space,[6] there is a tremendous opportunity to learn from both its virtues and its shortcomings.[7]

Recent events indicate that the appetite for federal data privacy and cyber security legislation is at an all-time high.[8] This momentum has culminated in multiple bills that attempt to offer a comprehensive solution to privacy and security.[9] Most of these bills overlap to some degree with provisions of the GDPR.[10] However, two issues divide the parties: (1) an individual private right of action and (2) whether the legislation would preempt state laws.[11] Republicans generally favor preempting state laws and oppose a federal private right of action, in order to reduce complications for businesses and to focus enforcement on nefarious actors.[12] Democrats, on the other hand, support including a private right of action to empower consumers and oppose preemption so that states remain free to impose stricter privacy rights.[13]

(1) Preemption of State Laws

Preempting state laws would make federal law the exclusive remedy for consumers whose information is mishandled.[14] Preemption allows consistent regulation and enforcement and lowers the cost of compliance for businesses.[15] Democrats argue that if state laws are not preempted, consumers could choose to sue under either federal or state law, and states would remain free to enact more protective privacy legislation to better protect their citizens.[16] Democrats also argue that preemption could lead to weaker protections overall.[17]

While the GDPR aimed to harmonize the rules of the EU member states, fragmentation remains.[18] Supervisory authorities interpret its rules differently, and member states retain the ability to adopt more specific provisions in certain areas.[19] Years after its implementation, industry and consumer groups have criticized its failure to fulfill its promise of a “one-stop-shop” for data regulation.[20] In light of this experience, the U.S. should preempt state laws. Additionally, some bills propose rulemaking authority for the Federal Trade Commission or a specialized agency.[21] Such an agency is likely to be better resourced than the regulators available in each individual state.

(2) Private Right of Action

A private right of action would permit individuals to enforce federal privacy protections without any showing of harm.[22] An individual rights provision gives individuals a means of recovery and increases enforcement by shifting costs away from under-resourced agencies.[23] Such a rule would also mitigate the industry’s influence on the regulatory agency.[24] However, this type of private litigation has potential downsides,[25] the most concerning of which is that it can lead to “over-enforcement” or “ruinous liability.”[26] Additionally, the Supreme Court’s ruling in Spokeo v. Robins[27] created obstacles to establishing standing.[28] That ruling has led lower courts to question legislative determinations of what constitutes a privacy harm, making it difficult for individuals to demonstrate an “injury in fact.”[29]

Under the GDPR, a plaintiff does not need to meet a “de minimis” threshold to be entitled to damages.[30] However, companies are concerned that this dramatically increases their risk exposure, and it remains uncertain whether judges will continue to recognize the wide range of damages that can be claimed under this rule.[31] The solution need not be all-or-nothing: a private right of action can be included without being as broad as the GDPR’s. Limiting individual rights of action to narrower circumstances, where the injury is sufficient to establish standing and frivolous lawsuits are less likely, should address the concerns of both parties.[32]

Passing a comprehensive federal data privacy and security bill is essential to protect U.S. citizens and to keep pace with the rest of the world. Lawmakers may be close to doing so. However, to resolve the differences between party lines, they should craft a better standard by learning from the example set by the GDPR.

Vertis McMillan

Vertis McMillan is a second-year J.D. candidate at the Fordham University School of Law and a staff member of the Intellectual Property, Media & Entertainment Law Journal. He holds a B.S. in Finance from the University at Albany (SUNY).