sign in sign up
<<
Home , Data security, Information privacy, Personal data, Privacy, Privacy law, Right to privacy

May 9, 2019 Protection and Law: An Introduction

Recent controversy surrounding how third parties protect  Federal Securities Laws: may require the privacy of in the digital age has raised controls and reporting responsibilities. national concerns over legal protections of Americans’  (FTC) Act: prohibits electronic data. The current legislative paradigms governing “unfair or deceptive acts or practices.” cybersecurity and data privacy are complex and technical, and lack uniformity at the federal level. This In Focus  Gramm-Leach-Bliley Act: regulates financial provides an introduction to data protection laws and an institutions’ use of nonpublic personal information. overview of considerations for Congress. (For a more  Health Insurance Portability and Accountability Act: detailed analysis, see CRS Report R45631, Data Protection regulates providers’ collection and Law: An Overview, by Stephen P. Mulligan, Wilson C. disclosure of protected health information. Freeman, and Chris D. Linebaugh).  Video Privacy Protection Act: provides privacy Defining Data Protection protections related to video rental and streaming. As a legislative concept, data protection melds the fields of Of these laws, the FTC Act’s prohibition of “unfair or data privacy (i.e., how to control the collection, use, and deceptive trade practices” (UDAPs) is especially important dissemination of personal information) and data security in the context of data protection. The FTC has brought (i.e., how to (1) protect personal information from hundreds of enforcement actions based on the allegation unauthorized access or use and (2) respond to such that companies’ data protection practices violated this unauthorized access or use). Historically, many laws prohibition. One of the well-settled principles in FTC addressed these issues separately, but more recent data practice is that companies are bound by their data privacy protection indicate a trend toward combining and data security promises. The FTC has taken the position data privacy and security into unified legislative schemes. that companies act deceptively when they handle personal information in a way that contradicts their posted privacy Federal Data Protection Laws policy or other statements, or when they fail to adequately While the Supreme Court has interpreted the to protect personal information from unauthorized access provide individuals with a , this right despite promises that that they would do so. In addition to generally guards only against intrusions. Given broken promises, the FTC has maintained that certain data the limitations in , Congress has enacted a protection practices are unfair, such as when companies number of federal laws designed to provide statutory have default that are difficult to change or protections of individuals’ personal information. However, when companies retroactively apply a revised privacy these statutory protections are not comprehensive in nature policy. However, while the FTC’s enforcement of the and primarily regulate certain industries and subcategories UDAP prohibition fills in some statutory gaps in federal of data. These laws, which differ based on their scope, who data protection law, its authority has limits. In contrast to enforces them, and their associated penalties, include: many of the sector-specific data protection laws, the FTC  Children’s Online Privacy Protection Act: provides Act does not require companies to abide by specific data data protection requirements for children’s information protection policies or practices, and generally does not collected by online operators. reach entities that have not made explicit promises concerning data protection.  Communications Act of 1934: includes data protection provisions for common carriers, cable operators, and satellite carriers. State Data Protection Laws Adding to the complex patchwork of federal laws, some  Computer and Act: prohibits the states have developed their own statutory frameworks for unauthorized access of protected computers. data protection. Every state has passed some form of data breach response , and many states have consumer  Consumer Financial Protection Act: regulates unfair, protection laws of various types. In addition, California has deceptive, or abusive acts in connection with consumer created a comprehensive data protection regime through the financial products or services. California Consumer (CCPA), which goes into  Electronic Communications Privacy Act: prohibits effect on January 1, 2020. the unauthorized access or interception of electronic communications in storage or transit. The CCPA governs any company doing business in California that meets certain minimum thresholds,  Fair Credit Reporting Act: covers the collection and including companies with websites accessible there. The use of data contained in consumer reports. law provides consumers with three main “.” First, consumers have a “right to know” information that

www.crs.gov | 7-5700

Data Protection and : An Introduction businesses have collected or sold about them, requiring orders or equitable relief. It may generally only seek civil businesses to inform consumers about the penalties after a company has violated a cease-and-desist being collected. Second, the CCPA provides consumers order or settlement agreement. The FTC also lacks with a “right to opt out” of the sale of their personal jurisdiction over certain entities including banks, information. Third, the CCPA gives consumers the right, in nonprofits, and common carriers. certain cases, to request that a business delete any information collected about the consumer (i.e., “right to Federalism and Preemption. Another legal issue Congress delete”). The CCPA will be enforced via civil penalties in may need to consider with respect to any federal data enforcement actions brought by the California Attorney protection program is how to structure the federal-state General. regime—that is, how to balance whatever federal program is enacted with the programs and policies in the states. If Foreign Data Protection Law Congress seeks to adopt a relatively comprehensive system In addition to U.S. states like California, some foreign for data protection, Congress could expressly preempt many nations, including , South Korea, and Japan have state laws related to a particular subject matter. Congress enacted comprehensive data protection legislation. The EU, could alternatively take a more modest approach to state in particular, has long applied a more wide-ranging data law by expressly preserving state laws in some ways and protection regulatory scheme, and its most recent data preempting them in others. Congress has the option to protection law, the General Data Protection Regulation generally leave intact state schemes parallel to or narrower (GDPR), has served as a model for other jurisdictions than the federal scheme, or to render such parallel developing data protection policy. The GDPR requires any regulation invalid. entity that processes personal data to identify a legal basis for its action (such as or “legitimate interests”), and First Amendment. Although legislation on data protection it enumerates eight data privacy rights afforded to could take many forms, several approaches that would seek individuals. The regulation also includes data breach to regulate the collection, use, and dissemination of notification requirements, data security standards, and personal information online may have to confront possible conditions for cross-border data flows outside the EU. limitations imposed by the First Amendment of the U.S. Constitution. While the Supreme Court has recognized that Issues for the 116th Congress data protection regulation can implicate the First Data protection policy proposals are constantly evolving, Amendment, this does not mean such laws would be and there is no agreed-upon menu of data protection invalid. Instead, the validity of a given options. Depending on the contours of a federal proposal, may depend upon the nature of the law it regulates could implicate various legal concerns, including (e.g., commercial matters can be subject to less scrutiny limitations imposed by the U.S. Constitution. from a court) and whether the law singles out particular viewpoints or speakers for regulation. Conceptual Issues. A primary conceptual point of debate in data protection policy is whether to utilize a so-called Private Rights of Action. Finally, Congress may seek to “prescriptive” approach in which the law defines data establish a private right of action allowing a private plaintiff protection rules and obligations, or an “outcome-based” to bring a lawsuit based on a violation of the new data model where legislation focuses on the outcomes of protection law. However, it may be difficult to prove that organizational practices, rather than dictating what those someone has been harmed by many of the violations that practices should be. Both the GDPR and CCPA use a might occur under a hypothetical data protection regime. prescriptive approach, but some observers and Trump Victims of data breaches and other privacy violations, Administration officials have advocated for an outcome- generally speaking, are not always clearly harmed. This based paradigm. Another overarching issue is how to define obstacle could run up against the limits of the federal the contours of the data that the federal government courts’ “judicial power” under Article III of the U.S. proposes to protect or the specific entities or industries that Constitution. Any federal private right of action, therefore, it proposes to regulate. Whereas some federal proposals would be limited in its application to cases in which would cover all “personal” information, others have sought individuals can show a concrete and particularized harm to avoid dual layers of regulation by stating that the from a statutory violation. proposed requirements would not apply if regulated by existing federal privacy law. Stephen P. Mulligan, [email protected], 7-8983 Chris D. Linebaugh, [email protected], 7-2465 Enforcement. Agency enforcement is another key issue. Wilson C. Freeman, [email protected], 7-9954 There are multiple federal agencies responsible for enforcing the myriad federal data protection laws, such as IF11207 the FTC, Consumer Financial Protection Bureau, Federal Communications Commission, and Department of Health and Human Services. Of these agencies, the FTC is often viewed as the leading data protection enforcement agency, given its significant experience. However, there are several legal constraints on its enforcement ability. In particular, the FTC cannot seek monetary penalties for first-time UDAP violations, but may only seek cease-and-desist

www.crs.gov | IF11207 · VERSION 1 · NEW