Student Blog: Data Privacy and Protection: The GDPR, CCPA, and the Future of Federal Regulations
by Kellen Safreed, 2L Editor
As data collection, use, and analysis become increasingly central to the operations of many companies, users and governments are growing concerned about the risks this data harvesting may pose to individual privacy. Scandals over the past few years, such as Cambridge Analytica’s improper use of Facebook user data during the 2016 U.S. presidential campaign,[1]major hacks of companies like Equifax and Target,[2]as well as a range of other breaches,[3]have made data privacy a major issue. Consequently, we need to consider what legislation can or should do to mitigate risks to our personal data.
In 2018, the European Union’s new data privacy framework, the General Data Privacy Regime[4], went into effect. This comprehensive regulation applies standards and rules for data collection and use across the EU and applies globally to all companies collecting data on users located within the bloc.[5]A similar regulation, the California Consumer Privacy Act[6], is set to be enforced beginning in 2020. It, too, applies not only to companies within its jurisdiction, the State of California, but also to all companies nationwide and around the world which use the data of California residents. Due to their global reach and potential for heavy fines, these two pieces of legislation are set to be influential in their own right and as potential models for future regulations.[7]
A major question is what, if anything, the U.S. federal government will do in the sphere of data protection. Current federal action in this area is limited to a “patchwork” of regulations which are limited to specific industries and types of data collection, with essentially free range given to companies who fall outside of current statutory ranges.[8]This is a stark contrast to the GDPR and CCPA, which are blanket regulations based on data collection and use per se.
My development article looks at the requirements imposed by the GDPR and CCPA, the consequences of noncompliance, and what U.S. companies should do to meet adhere to the regulations as cleanly and inexpensively as possible. I also consider possible avenues for federal legislation, including what that legislation may look like and how it could interact with current federal and state regulations.
A potential alternative to such federal legislation is the application of fiduciary duties, i.e. care, loyalty, and confidentiality, to data-collecting entities.[9]This could have the benefit of both better integrating into current U.S. legal structures and avoiding creating a new constitutional right to privacy while still correcting the current, major power imbalance between corporations and individual users.
[1]Melissa Quinn, California data-privacy law may become the model for Congress, Washington Examiner(July 22, 2019, 12:01 AM) https://www.washingtonexaminer.com/news/california-data-privacy-law-may-become-the-model-for-congress [https://perma.cc/RE58-FY9R]
[2]Almudena Arcelus, Brian Ellman, & Randal S. Milch, How Much Is Data Security Worth, 15 SciTech Law.10 (2019).
[3]Zachary N. Layne, The Modern Threat: Data Breaches, Security Measures, and a Call for Changes, 23 N.C. Banking Inst.159 (2019).
[4]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L. 119/1).
[5]Stephen Mulligan et al., Data Protection Law: An Overview, Congressional Research Service (March 25, 2019).
[6]California Consumer Privacy Act of 2018, A.B. 375, Ch. 55, § 3(2018), eff. Jan. 1, 2019.
[7]Catherine Barrett, Are the EU GDPR and the California CCPA Becoming the De Facto Global Standards for Data Privacy and Protection?, 15 SciTech Law.24 (2019).
[8]Stephen Mulligan et al., Data Protection Law: An Overview, Congressional Research Service 54 (March 25, 2019).
[9]Lindsey Barrett, Confiding in Con Men: U.S. Privacy Law, the GDPR, and Information Fiduciaries, 42 Seattle U. L. Rev.1057, 76 (2019)