A new administration in the most influential economy in the world triggers new hopes and expectations in every industry. But if major change were to be on the agenda, what would be the most beneficial, transformative, impactful or prudent new data privacy initiatives that the new US administration ought to introduce?

A federal privacy law

The obvious – and trickiest – first area for the new administration is a federal privacy law.

It is a conversation that appears every time a state introduces its own bill or law, as their frequent arrival only highlights the absence of anything federal.

The good news is that the various laws and bills in progress at the moment have largely the same motivations and aim to safeguard the same core rights of the individual.

The bad news is that their construction and provisions overlap by roughly 95%. Why is this bad news? Because those 5% differences are lethal.

5% of difference multiplied across dozens of states’ own laws has the potential to create gargantuan complexity. Frankly, untenable complexity.

Europe recognised this danger. With 28 countries (pre-Brexit) with a long history of – and reliance on – co-operation, when each of those countries had their own un-co-ordinated data privacy legal frameworks, chaos ensued. GDPR was essential to solve a real and present problem.

The US should learn from this. It has, after all, its own longstanding experience of how state-by-state commerce rules can at times create difficulties and additional expense. Law-making and enforcement are notoriously tricky. Imagine what happens with data flows, which have a foot in each of the business and legal camps. And yet the US is, seemingly willingly, walking into a bizarre situation of hopelessly applying an “it’s OK, we’ve crossed the state lines” attitude to technology and data.

But aside from the apparent madness of the situation, what could be the practical consequences of the new administration not focusing on a federal privacy law?

- Innovation and development would be inhibited as it simply becomes too hard to be ambitious.
- Data subjects will lose faith in their rights to data privacy and their ability to hold organizations to account, as their rights will be practically impossible to keep track of.
- The confusion and practical difficulty of multiple state laws will likely lead to mass non-adherence, whether deliberate or otherwise, which will undermine not only the individual laws but also the principles of data privacy as a whole.

Filling the gap left by Privacy Shield

When Privacy Shield was struck down in July 2020, nowhere was it mentioned what businesses that had been accredited with Privacy Shield in good faith ought to do instead, especially as Standard Contractual Clauses (SCCs) were also called into question.

For more background on Privacy Shield and the “Schrems II” case that struck it down, visit our step-by-step guide here

The ruling focused instead on US surveillance practices and their incompatibility with the EU’s data privacy requirements, and the toothlessness of the US Ombudsman to enforce EU data subjects’ rights in the US. Both are important areas in need of redress.

But with the status quo deemed unsuitable, six months on, businesses are still unclear how to build a framework through which they can legitimately transfer EU data into the US without relying on SCCs, which have themselves already suffered warning shots. After all, they are recognised as not covering all scenarios, and many US companies are simply incapable of adopting the extra measures that the EDPB requires.

Of course, offering business advice is not the court’s job. But the previous administration has not picked up the ball and announced even a pathway to a solution, so it must fall to the new administration to do so – and fast.

UPDATE: On the first day of the new administration, Christopher Hoff was appointed as Deputy Assistant Secretary for Services at the Department of Commerce. Hoff’s key role is to oversee discussions with the European Commission on a new framework to protect transfers of personal information between Europe and the US. Hoff is a seasoned privacy professional, having been a chair of APEC’s Cross Border Privacy Rules Panel and a Chief Privacy Officer at Huron. By placing a privacy expert in a broad international trade role, the new administration is signalling a reassuring appreciation of privacy’s centrality to international trade.

Catch up with technology

Data privacy almost universally categorises all personal data as the same: any data that can be used to identify an individual is deemed personal data.

There may be varying levels of sensitivity that bring with them their own protection requirement, but fundamentally, all personal data is to be treated the same.

But while this casts a wide net of protection – which is good in many ways – in practice, this does not work.

Location data, for example, is a broad category. Is the data from your mobile phone that can record your whereabouts, typical journeys, patterns and deviations as sensitive as the data your smart vacuum cleaner processes? Technically, they are the same category of data, the same level of sensitivity and require the same degree of protection and oversight.

This creates excessive regulatory burdens and hampers innovation.

But it is easily solved: recognise that the sensitivity of personal data can be classified not only by its technical category but also by its potency.

The US administration – as the government whose states are creating and debating the most privacy laws, and that oversees some of the largest technology organizations in the world – has an opportunity to address the proliferation of data-hungry organizations, control their appetites, while also appreciating the true variety of personal data beyond simple technical classifications.

To do so would earn the simultaneous approval not only of ‘big tech’ and small innovators, but also of legislators, policymakers and privacy professionals who labour under this absurdity every day. And it would lay the foundations for the most modern and up-to-date privacy framework in the world.
