Partner Kirk Nahra recently spoke at the World Bank Group Data Privacy Day, where he gave the following remarks on the evolution of US privacy and security law.
The United States has always had privacy law. For most of our history it mainly regulated the government in connection with its citizens.
About 20 years ago we started modern privacy—presumably why we have Data Privacy Day—which began to regulate commercial entities in dealings with consumers, employees and others.
The US today has mainly either sector specific laws, like health care, financial services or education, or laws that regulate particular practices like telemarketing. For most of this period, companies focused on compliance—which became increasingly complicated—and privacy advocates focused on the need for expansion and change and the gaps that were becoming increasingly significant.
For example, I work a lot with the health care rules, mainly HIPAA. These rules were written for the health care industry of the mid-1990s, focused on doctors, hospitals and health insurers. They work well where they apply, but now we have wearables, mobile apps, consumer health support groups and a broad variety of health care activities that do not involve a doctor or a hospital, meaning that HIPAA isn’t involved even though there is lots of health care information.
That’s a result of the sector-specific US approach so far (compared to GDPR, for example, where health information is regulated regardless of who has it).
At the same time, privacy advocates also identified all the new sources of data (think at least of the internet of things) that were largely unregulated, and identified a wide variety of new and different and perhaps worse privacy risks. There’s a media report almost every day. And then add in biometrics, facial recognition, big data and artificial intelligence to the debate.
And while compliance for companies was getting more extensive and complicated, there was no real reason to think that privacy was actually better protected.
Now, for the first time there are overlapping pressures that are changing that approach. We have GDPR in Europe, which is pushing some interest in a global approach.
We have CCPA in California, which is putting other states on notice and putting pressure on the federal government (and on companies).
And we have an increasing array of privacy and data security “scandals,” any one of which could have been the tipping point on national legislation, but none of which has been so far.
Today, states all over the country are trying to pass their own laws. The CCPA history made for a confusing and not well written law (whatever you think of the general substance), and the weird process won’t get replicated in other states. So the path in other states isn’t as easy or obvious (and these laws may not look much like CCPA). But they will come, although not likely too many this year.
At the same time the US Congress is looking at a federal law. It’s a perfect Washington project: everyone is building their case, stating their talking points, having hearings and press conferences, writing white papers and the like. Bills are getting written.
Is something meaningful going to pass this year? Virtually no chance. My view is that there will be a law sometime in the next administration, whoever turns out to be in charge.
The one wild card for faster passage at the federal level is if 3-5 meaningful states pass something sooner.
Then there will be pressure to pass a federal law—coming from companies as well as consumer advocates.
So lots of activity, a great time to be in the privacy field and the privacy profession, and a very complicated public policy topic and challenge across the US and the world.
At the same time, this issue has never been more important, and I applaud your efforts to promote these issues, educate your workforce and others and stress the importance of privacy interests around the world.