Reconsidering the Merits of a Federal Data Privacy Law

Posted by on Tuesday, January 16, 2024 in Blog Posts.

By Rachel Davis

Americans have expressed growing concerns about the extent of data collection, with many feeling that the security of their information has diminished over time.[1] These concerns are well-founded. The increasing use of artificial intelligence (AI) in major sectors of the economy—banking, healthcare, commerce, education—has exacerbated the need for robust data privacy protections for citizens.

In commerce, for example, companies are collecting more data about consumers than ever, and in more ways than ever before, thanks to the “Internet of Things” (IoT), the ability of smart devices to communicate and share data with each other.[2] The extensive sharing of information across platforms and with third-party advertisers heightens the risk of data leaks.[3] The European Union (EU), in response to these concerns, has made efforts to address data privacy and mitigate the aforementioned risks through the General Data Protection Regulation (GDPR) and its ePrivacy directive. American consumers may feel a misguided sense of security from companies’ compliance with the EU’s enforcement efforts. For instance, Google is attempting to do away with cookies this year in response to the ePrivacy directive. But this move does not mean the end of Google’s data collection for targeted ads, nor does it assure data privacy for users in the US.[4]

In the healthcare sector, traditionally one of the slowest to embrace change, investment in AI is increasing rapidly and is projected to surge thirteenfold by 2030.[5] As healthcare robots gain greater autonomous functions, they will inevitably accumulate and use more data, heightening the privacy risks associated with handling and storing this information.[6] Home health, such as mobile health applications and “care” robots, is gaining traction. However, it falls outside the major healthcare privacy act—the Health Insurance Portability and Accountability Act (HIPAA). Consequently, users are compelled to depend on laws that prioritize business protection rather than actively enforcing patients’ rights.[7]

Data privacy protection in the United States operates through a patchwork of sector-specific laws.[8] Although these laws provide essential protection, this patchwork makes it difficult for consumers trying to comprehend their data privacy rights. Additionally, implementing a broadly applicable amendment to one statute would necessitate adopting the same changes across all others, posing a cumbersome and likely challenging process given the current state of Congress.

There should be a general federal data privacy law that safeguards the rights of data holders, such as consumers, patients, and the general layperson, rather than focusing on the data controller or processor (i.e., the business).[9] While some state laws focus on ex post facto enforcement, it is important to consider pre-emptive requirements to ensure these rights—and the security of people’s data.[10] Numerous other considerations extend beyond the scope of a blog post.

Data privacy should be a bipartisan issue—Congress has every reason to collaborate across party lines to enact substantial data privacy legislation. This need has been echoed by moves from both the Federal Trade Commission and the House of Representatives.[11] Given the substantial US investment in and the rapidly evolving nature of AI, the imperative for a federal data privacy law has never been greater.

Rachel Davis is a 2L at Vanderbilt Law School from Houston, Texas. She will clerk after law school before returning to Texas to practice litigation.

[1] See Colleen McClain, Michelle Faverio, Monica Anderson, & Eugenie Park, How Americans View Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023).

[2] See What is the internet of things (IoT)?, IBM (last visited Jan. 7, 2024).

[3] See supra note 2.

[4] See Jonathan Chadwick, Google turns off cookies for MILLIONS–how to tell if you’re affected, Daily Mail (Jan 5, 3:10 A.M.).

[5] Coursera Staff, AI in Health Care: Applications, Benefits, and Examples, Coursera (Nov. 29, 2023).

[6] Drew Simshaw, Nicolas Terry, Kris Hauser, & M.L. Cummings, Regulating Healthcare Robots: Maximizing Opportunities While Minimizing Risks, 22 Richmond J.L. & Tech. 1, 13 (2016).

[7] See id., at 28 (noting that medical apps and care bots will fall in a “HIPAA-free zone,” and that although it is possible that some state privacy laws would apply to medical applications, even the most “pro-privacy” state laws “would not currently apply to ‘consumer robots.’”); Seth P. Berman, GDPR in the U.S.: Be Careful What You Wish For, GovTech (last visited Jan. 11, 2024).

[8] See, e.g., Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191; Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g; Fair Credit Reporting Act of 2003, 15 U.S.C. §§ 1681–1681.

[9] See Data Controllers and Processors, GDPR (last visited Jan. 10, 2024).

[10] See Frederic D. Bellamy & Ashley N. Fernandez, A new era of privacy laws takes shape in the United States, Reuters (Nov. 15, 2023).

[11] See Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Report to Congress (2000); American Data Privacy and Protection Act, H.R. 8152, 117th Cong. (2022).
