Data privacy laws and legislation are in the news these days for a variety of reasons, and in a variety of countries. For example, government officials from the European Union (EU) and the United States (US) are currently engaged in a heated debate about the privacy of data that crosses national borders. There is hope that this debate can be resolved by something called the Privacy Shield, a new ‘Safe Harbor’ arrangement intended to maintain ‘transatlantic data flows’ by assuring Europeans that their privacy rights will not be negatively impacted if their data is transferred to the US (for example, when Europeans do business with American companies). At the same time, the clock has started ticking on an even more stringent EU data protection regulation, the GDPR.
One challenge posed by these debates and developments is to fully understand the way that data privacy and its legal protections are handled in different jurisdictions. The challenge is particularly acute in the US because it has a lot of different data privacy protections but no over-arching data protection legislation. So how can you get a comprehensive view of US data privacy protection? There are several good sources listed at the end of this article. I leaned on these and other sources when I put together this 15-page white paper: Data privacy and data protection: US law and legislation. Among the 80 or so references at the end of the paper you will find links to a lot of the federal privacy laws, and some of the articles I cited (articles without links may be available via Google Scholar using the Lazy Scholar plugin for Chrome or Firefox, or a good college library).
In addition to federal data privacy legislation, most of the 50 states have some privacy statutes of their own. The white paper does not review these state laws, but makes the point that they are sometimes more protective of privacy than federal law, and they may be aggressively enforced by state attorneys general. Consumers in the US have another defender of data privacy in the Federal Trade Commission (FTC). The white paper discusses this agency's role in policing the privacy and security of personal data. Here is an abstract of the paper:
Over the last four decades, the privacy of personal data has been the subject of legislation and litigation in both the US and the EU. Protection of personal data privacy under the law has been shaped by the interests of multiple constituencies: individuals, commercial organizations, government agencies, law enforcement, and national security services. This white paper examines the development of data privacy legislation in the US as an ongoing balancing act, with security interests on one side, and the interest of the individual on the other. The complex and arguably incomplete nature of US data privacy law is often criticized by countries that have more comprehensive data protection legislation. Yet that very complexity can obscure some data privacy protections that are then overlooked by critics. The paper serves to provide a neutral review of US data privacy legislation; however, it also observes that interests other than those of the individual have tended to prevail in US data privacy legislation, notably the interests of commerce, as well as those of state security agencies, particularly those that respond to the complex technical realities of data communication and data processing with a “collect everything” approach to electronic surveillance.
Hopefully, all or parts of this paper will prove helpful to We Live Security readers as the data privacy debates roll on. Data protection will continue to evolve in the EU and US with the arrival of the General Data Protection Regulation (GDPR), also known as the European Data Protection Regulation (the GDPR is not discussed in the white paper - it probably merits one of its own). Knowing how data privacy protection has evolved in the US so far should help inform its further progression. And there is no doubt in my mind that progress needs to be made. The trust-eroding effects of weak privacy protection on our economy are clearly reaching measurable proportions.
Some helpful sources for US data privacy law and legislation:
- The Electronic Privacy Information Center or EPIC has information about US privacy legislation
- The FTC has a role in Protecting Consumer Privacy
- Privacy issues are addressed at the Electronic Frontier Foundation or EFF
- The resource page at International Association of Privacy Professionals
- The Privacy Library at StaySafeOnline.org
- To compare the US and other countries try the Global Data Protection Handbook
- The National Conference of State Legislatures covers state privacy law: