Data Protection Law: An Overview (CRS Report for Congress)
Release Date: March 25, 2019
Report Number: R45631
Report Type: Report
Authors: Mulligan, Stephen P.; Freeman, Wilson C.; Linebaugh, Chris D.
Source Agency: Congressional Research Service
Summary:
Recent high-profile data breaches and other concerns about how third parties protect the privacy of individuals in the digital age have raised national concerns over legal protections of Americans' electronic data. Intentional intrusions into government and private computer networks and inadequate corporate privacy and cybersecurity practices have exposed the personal information of millions of Americans to unwanted recipients. At the same time, internet connectivity has increased and varied in form in recent years. Americans now transmit their personal data on the internet at an exponentially higher rate than in the past, and their data are collected, cultivated, and maintained by a growing number of both "consumer facing" and "behind the scenes" actors such as data brokers. As a consequence, the privacy, cybersecurity and protection of personal data have emerged as a major issue for congressional consideration.
Despite the rise in interest in data protection, the legislative paradigms governing cybersecurity and data privacy are complex and technical, and lack uniformity at the federal level. The constitutional "right to privacy" developed over the course of the 20th century, but this right generally guards only against government intrusions and does little to shield the average internet user from private actors. At the federal statutory level, there are a number of statutes that protect individuals' personal data or concern cybersecurity, including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Children's Online Privacy Protection Act, and others. And a number of different agencies, including the Federal Trade Commission (FTC), the Consumer Finance Protection Bureau (CFPB), and the Department of Health and Human Services (HHS), enforce these laws. But these statutes primarily regulate certain industries and subcategories of data. The FTC fills in some of the statutory gaps by enforcing a broad prohibition against unfair and deceptive data protection practices. But no single federal law comprehensively regulates the collection and use of consumers' personal data. Seeking a more fulsome data protection system, some governments, such as California and the European Union (EU), have recently enacted privacy laws regulating nearly all forms of personal data within their jurisdictional reach. Some argue that Congress should consider creating similar protections in federal law, but others have criticized the EU and California approaches as being overly prescriptive and burdensome.
Should the 116th Congress consider a comprehensive federal data protection law, its legislative proposals may involve numerous decision points and legal considerations. Points of consideration may include the conceptual framework of the law (i.e., whether it is prescriptive or outcome-based), the scope of the law and its definition of protected information, and the role of the FTC or other federal enforcement agency. Further, if Congress wants to allow individuals to enforce data protection laws and seek remedies for the violations of such laws in court, it must account for standing requirements in Article III, Section 2 of the Constitution. Federal preemption also raises complex legal questions, not only of whether to preempt state law, but what form of preemption Congress should employ. Finally, from a First Amendment perspective, Supreme Court jurisprudence suggests that while some privacy, cybersecurity, or data security regulations are permissible, any federal law that restricts protected speech, particularly if it targets specific speakers or content, may be subject to more stringent review by a reviewing court.