Breach, Compliance Management, Data Security, Privacy

Between a rock and a hard place: U.S. federal privacy law

President Biden may soon announce an Executive Order that will include mandatory breach notification for software vendors that sell to the federal government. Today’s columnist, Ilia Kolochenko of ImmuniWeb, outlines the history of privacy and notification laws and prospects for a national breach law in the U.S.

Three years ago, the European Union (EU) overhauled its 1995 data protection directive with the enforcement of the General Data Protection Regulation (GDPR). Perhaps somewhat unintendedly, GDPR created a novel privacy philosophy and culture.

The EU’s high privacy standard possibly inspired the California Privacy Right Act (CPRA) and many other national laws around the globe, including recent updates of the Personal Data Protection Act (PDPA) in Singapore and the upcoming modernization of privacy laws in Canada and Switzerland. Gradually more countries perceive GDPR as a north star for individual privacy rights, data protection and breach notification rules. The U.S. does not currently have a comprehensive privacy and data protection law at the federal level, however, it’s once again a hot topic in the Congress today. Following the ongoing SolarWinds investigation, President Biden’s administration is about to release a new Executive Order (EO) to impose mandatory breach notification duty upon software vendors - but only to their clients from the U.S. federal government, leaving a huge gap for everybody else.

Despite a narrow room for maneuver, purposely left for EU member states in enforcement and implementation of GDPR, such as certain elements of employment privacy or the provision of consent by children, the regulation strongly harmonized and unified European privacy legislation.

A consistent privacy law significantly reduces costs of compliance, enhances data portability, favors cross-border business expansion, and offers a predictable privacy protection framework to individuals. Strong privacy also indirectly enhances data security: The less data an organization processes because of imposed privacy restrictions, the less data can get compromised later in a data breach. Furthermore, a robust data inventory program allow for more efficient analysis and higher ROI from corporate data, minimizes storage of excessive data, and reduces operational costs.

However, the body of privacy law remains a continuously evolving matter. For example, composed of 99 articles with 173 recitals, GDPR has been continuously shaped by European Data Protection Board (EDPB) guidelines and judicial decisions. For instance, in its C-311/18 milestone ruling of July 16, 2020, better known as Schrems II, the European Court of Justice (ECJ) invalidated the Privacy Shield Framework that had facilitated PII data transfer of European residents to the U.S. There’s no silver bullet from further ECJ rulings, however, a federal privacy law in the U.S. will certainly augment interoperability of the U.S. and EU privacy regimes.

Mandatory data breach notification to victimized individuals was one of the key novelties introduced by GDPR in 2018. It’s now progressively followed by other jurisdictions, including Brazil, Mexico and Japan. As of today, all 50 U.S. states have similar, but diverging data breach notification laws, often complemented by a sector-specific privacy legislation that covers the health, genetic or biometric data of state residents. In February, Facebook agreed to pay a record $650 million settlement in a biometric privacy class action lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA). The new federal law will likely bring an overarching protection, addressing breach notifications, privacy rights and data security for all industries in all states.

After passing CCPA, California became the first state to enact a comprehensive privacy law, which will be further enhanced and expanded in 2023 with California Privacy Rights Act (CPRA). California also pioneered in many contiguous legislative areas, such as IoT security. According to the International Association of Privacy Professionals (IAPP), most U.S. states are developing privacy laws inspired by CCPA/CPRA or GDPR. New York addressed PII protection and safeguarding concerns with the SHIELD Act enacted in March 2020. At the federal level, different laws, such as HIPAA, FCRA and GLBA, selectively cover privacy and data protection in specific industries. This convoluted patchwork of overlapping regulations makes compliance incredibly complex, expensive and keeps data protection officers (DPOs) awake at night.

A federal privacy law in the United States will probably alleviate compliance only if it preempts state privacy laws in a comprehensive manner. For example, HIPAA allows U.S. states to enact legislation offering a better privacy protection for health records by the virtue of state law. Contrasted to HIPAA, the CAN-SPAM Act of 2003, the federal law curbing spam and abusive marketing practices, has a general preemption and supersedes state laws regulating spam. Absent the general preemption, a federal privacy law will unlikely bring consistency, but make compliance even more burdensome, time-consuming and exorbitant. Convergence towards centralization, harmony and consistency across the country - are key factors for the eventual success of the new law.

Other crucial and complex ingredients for success of a federal privacy law are private right of action, enforcement and rule-making authority that may either add complexity or ease compliance across multistate jurisdictions. A private right to sue, when one’s PII gets stolen or otherwise mishandled, is not indispensable and may eventually bring more troubles than benefits, such as surge of frivolous litigation. However, individuals should have a simple and cost-free mechanism to redress violations of their privacy rights. Some jurisdictions offer an equilibrated approach by granting a private right to sue after investigation of the alleged violation by competent data protection authority (DPA).

Importantly, future federal data protection regulators should have a sufficiently broad investigatory and enforcement authority spanning from injunctions to fault-based monetary penalties for violations. Most likely, state Attorney Generals and the FTC, currently acting as the primary federal regulator of poor cybersecurity and deceptive privacy practices in U.S. commerce under the Section 5(a) of the FTC Act, will be jointly empowered to enforce the new federal law. Rule-making authority under the new law will likely come under the FTC, where the agency has a solid experience.

The million-dollar question is the eventual extraterritorial application of a future federal privacy law, and possible restrictions on transferring American residents’ PII to foreign countries. Europe supplied rocket fuel to its local data storage and cloud providers with GDPR’s restrictions of PII data transfer, storage and processing in the non-EEA countries. U.S. lawmakers should consider implementing similar provisions to offer domestic IT companies with a competitive advantage and equilibrate European advancement.

Finally, possible statutory exemptions from the new law could be a decisive factor for its ultimate success. For instance, if governmental sector, non-profit or SMEs are broadly excluded and thus remain de facto underregulated, chances for an adequacy decision by the European Commission are feeble – meaning that the EU companies will continue struggling while transferring PII to the United States.

In a nutshell, the future federal privacy law should carefully balance individual privacy rights and economic interests of American enterprises, while considering the international landscape of emerging privacy regulations indoctrinated by GDPR. To minimize further conflicts with the EU legislation and its foreign siblings, the federal law should be consonant with the doctrinal privacy values of GDPR. To reduce the economic burden of divergent multistate compliance within the country, the federal law should also create a monolith national legislation, precluding states from passing supplementary regulations, otherwise, one day too much compliance will probably just kill compliance.

Ilia Kolochenko, chief architect and CEO, ImmuniWeb

Ilia Kolochenko

Ilia is the founder and Chief Architect at ImmuniWeb, a global application security company serving large customers from regulated industries in over 50 countries. He started his career as a penetration tester and has 15 years of security auditing and digital forensics practice. Today, Ilia drives continuous product improvement and leads data scientists, security analysts and software engineers at ImmuniWeb. Ilia holds a Bachelor degree in Computer Science and Mathematics, a Master of Legal Studies from Washington University in St. Louis and a Master of Science in Criminal Justice (Cybercrime Investigation) from Boston University. He is currently a Doctoral student (Ph.D. in Cybersecurity Leadership) at Capitol Technology University. Ilia Kolochenko is a Member of Europol Data Protection Experts Network (EDEN), GIAC Advisory Board Member and a Committee Member at Boston University MET CIC (Cybercrime Investigation & Cybersecurity) Center. Ilia is a CIPP/US, CIPP/E and GLEG certified professional.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.