Privacy’s Zietgeist Moment
Privacy has seemingly come center stage. Companies like Google, Microsoft, and eBay have joined forces to support a federal law that would impose uniform standards for the collection, use, and transfer of information across the private sector. Activists and officials hope to update the Privacy Act of 1974 for the twenty-first century. Senator Leahy has a renewed interest in data breach legislation, proposing the Personal Data Privacy and Security Act in July. The American Recovery and Reinvestment Act of 2009, the stimulus bill, includes a data breach notification requirement for health providers. The Federal Trade Commission recently published its final rule on data breach notification for e-health records.
Strengthening the nation’s commitment to privacy is crucial. But, as Paul Schwartz’s engrossing Preemption and Privacy essay (Yale Law Journal) illuminates, a unitary federal information privacy statute should give us pause. Today’s information privacy law landscape is mainly comprised of federal sector-specific statutes and stronger state regulation. Schwartz makes a compelling case for remaining on that course, rather than adopting a uniform federal privacy statute. As Schwartz underscores, a uniform federal approach would likely preempt stronger state law rules, eliminating successful experimentation at the state level. California exemplifies this trend: its privacy innovations include allowing consumers to freeze their credit in the face of identity theft among others. New York and Connecticut are now considering bills that would set limits on companies that track consumers across websites to deliver targeted advertisements based on their online behavior. A uniform federal law would likely extinguish state-driven innovations whereas most federal sectoral privacy laws, such as the Gramm-Leach-Bliley Act, only provide a federal floor for information privacy and security, not a ceiling. Schwartz highlights the possibility that a comprehensive information privacy law may ossify, thus making the loss of state experimentation all the more grave. The piece also spearheads an important discussion about whether the centralizing forces at work today undermines the contributions of competitive federalism.
Schwartz’s piece is a must read. Here is the abstract for Preemption and Privacy:
A broad coalition, including companies formerly opposed to the enactment of
privacy statutes, has now formed behind the idea of a national information privacy law. Among the benefits that proponents attribute to such a law is that it would harmonize the U.S. regulatory approach with that of the European Union and possibly minimize international regulatory conflicts about privacy. This Essay argues, however, that it would be a mistake for the United States to enact a comprehensive or omnibus federal privacy law for the private sector that
preempts sectoral privacy law. In a sectoral approach, a privacy statute regulates only a specific context of information use. An omnibus federal privacy law would be a dubious proposition because of its impact on experimentation in federal and state sectoral laws, and the consequences of ossification in the statute itself. In contrast to its skepticism about a federal omnibus statute, this Essay views federal sectoral laws as a promising regulatory instrument. The critical question is the optimal nature of a dual federal-state system for information privacy law, and this Essay analyzes three aspects of this topic. First, there are general circumstances under which federal
sectoral consolidation of state law can bring benefits. Second, the choice between federal ceilings and floors is far from the only preemptive decision that regulators face. Finally, there are second-best solutions that become important should Congress choose to engage in broad sectoral preemption.