TOWARDS A NATIONAL PRIVACY LAW
Corporate Counsel Section
Continued from page 30
of legislation detailing the steps
that must be taken following a data
breach. But, no uniformity exists
among existing federal and state
data breach laws. So, a business
whose data has been breached must
potentially navigate through fifty
different state laws, as well as federal
legislation like HIPAA, in responding
to a data breach.
The European Union was
perhaps the first organization to
comprehensively address the privacy
of personal information, adopting
a broad General Data Protection
Regulation (known as GDPR) that
took effect in May 2018. The
following month, California enacted
a consumer privacy law that is
modeled to some extent on the
European Union regulation.
Although amendments recently
were proposed to the California law
(poised to become effective January
1, 2020), it generally expands
consumers’ rights regarding their
personal information, imposes
additional obligations on covered
businesses that collect personal
information from California
residents, and creates an express
private right of action for consumers
if their personal information is
compromised. To date, at least
nine other states have proposed
similar, although not identical,
data protection laws.
To address the countless data
breaches that seemingly occur
almost daily now, and the complex,
confusing, and conflicting patchwork
of state and federal laws that
currently exist, several proposals
have been introduced recently in
Congress for the creation of a
uniform and comprehensive federal
privacy law. For instance, earlier
this year, Florida Senator Marco
Rubio proposed the American
Data Dissemination Act which
would require the Federal Trade
Commission to promulgate data
privacy rules, permit Congress
to make changes to the proposed
rules, task the FTC with
enforcement responsibilities, and
supersede state laws. As one would
expect, other legislative proposals
offered to date provide different
suggestions for protecting sensitive
data and responding to data
breaches compromising such data.
Senate and House of
Representatives committees held
hearings in late February regarding
privacy and data protection issues.
Significantly, committee members
in both chambers expressed
bipartisan support for establishing
a national data protection
standard, although differing on
precisely what that standard should
be and whether federal legislation
should preempt state laws. Given
the divergent views that exist
regarding the scope and content of
a national privacy law, it is unclear
whether Congress will follow the
lead of the European Union,
California, and other states that
have proposed privacy legislation,
or adopt some other approach to
protecting personal information
in any legislation it enacts.
Because of the pending
legislative efforts to address privacy
issues and the apparent momentum
that exists for such legislation, the
privacy landscape very likely will
change in the coming months,
at least to some extent. Businesses
that collect and use individuals’
personal information should keep
abreast of future privacy law
developments.
Authors: Michael Hooker and Jason Pill – Phelps Dunbar