By Thomas S. Markey, McNees Wallace & Nurick LLC
Facebook. Google. Yahoo. These companies, and many more, have made headlines related to their expansive collection and use of personal information, and for data breaches exposing that information. Now, as the World Wide Web celebrates its 30th birthday, Congress considers whether a national data privacy law is the best approach to regulating companies’ data-collection practices.
Spurred in part by current events, Congressional hearings on data privacy are part of a global trend toward providing greater protection for individuals’ personal information. In the European Union, the General Data Protection Regulation (GDPR), which took effect last year, imposes many new and unfamiliar obligations and requirements on organizations that collect personal information. For example, individuals may request access to their personal information, and in some instances, may even ask an organization to delete that information. By its terms, GDPR reaches beyond EU borders and applies to U.S. businesses that offer goods and services to people in the EU or monitor the behavior of people in the EU — even if those businesses have no physical presence there.
GDPR carries stiff penalties for non-compliance; EU regulators have already levied fines for violating GDPR, and Facebook could be fined up to $1.63 billion in connection with a 2018 data breach, currently under investigation, that exposed the personal information of 50 million users.
Moreover, GDPR is influencing legislation around the world, including in the United States. The California Consumer Privacy Act of 2018 (CCPA), which takes effect on January 1, 2020, incorporates many elements of GDPR, including an expansive definition of protected personal information. The CCPA also gives consumers, among other rights, the right to request access to their personal information, the right to be forgotten and the right to opt out of the sale of their personal information. Further, businesses must include certain information in their online privacy policies, which they must update annually. Although CCPA does not apply to all organizations, any company doing business in California or with California residents must evaluate the applicability of CCPA. Significantly, GDPR and CCPA allow consumers to sue for damages under certain circumstances arising from the violation of those laws.
Most recently, the Washington state senate overwhelmingly passed a privacy bill, which draws inspiration from both GDPR and CCPA. Among other features, the bill requires companies to disclose what personal information they collect; gives individuals the ability to access, correct and, in some circumstances, delete their information; and obligates companies to perform risk assessments regarding their data processing activities. This legislation currently is under consideration in the Washington state house, and legislators in Hawaii, Maryland, Massachusetts, New Jersey and New York have also introduced data privacy bills.
The trend toward providing greater protection for individuals’ personal information is also reflected in recent court decisions. In late 2018, the Pennsylvania Supreme Court issued its landmark decision in Dittman v. UPMC. In this case, current and former employees of the University of Pittsburgh Medical Center and UPMC McKeesport allege that UPMC, as a condition of employment, required the employees to provide certain personal and financial information, which UPMC stored on its computer system without adequate security measures, such as proper encryption, adequate firewalls or a sufficient authentication protocol. Pennsylvania’s highest court ruled that UPMC owed its employees a duty to exercise reasonable care when collecting and storing their personal and financial information. The court did not rule that UPMC did, in fact, fail to exercise reasonable care — the parties will now litigate this issue in the trial court — but the Dittman ruling is significant for any company with employees in Pennsylvania, and it opens the door for future arguments that companies owe a similar duty when collecting and storing their customers’ personal information.
Facing a patchwork of state privacy regulations and court decisions, and concerned about increasing compliance costs and the practical difficulties of complying with competing regimes, companies began lobbying Congress for a national data privacy law. In February, the House Energy and Commerce Subcommittee and the Senate Commerce, Science, and Transportation Committee held hearings on federal privacy legislation, and on March 12 — the 30th anniversary of the World Wide Web — the Senate Judiciary Committee convened a hearing to “examine GDPR and CCPA, focusing on opt-ins, consumer control, and the impact on competition and innovation.”
Although federal privacy legislation would simplify companies’ compliance efforts and codify individuals’ rights into a single set of standards, many questions remain unanswered. How broadly would the legislation define “personal information”? Would federal legislation preempt state laws such as CCPA, or set a floor, allowing states to enact laws that are more protective of personal information? Would federal legislation address data breach response? Would consumers have to opt in to having their personal information collected (the GDPR approach, generally speaking), or would it be enough for companies to allow consumers to opt out?
However the debate over federal privacy legislation unfolds, change to the current business environment is here. At first, businesses may fear new regulations. But the global trend toward protecting individuals’ personal information reflects consumer demand. Even Facebook recognizes this, announcing last week a sweeping shift toward encrypted communications on Facebook, Messenger, Instagram and WhatsApp. Accordingly, businesses can gain a competitive advantage by recognizing what their customers want and preparing for changes in the law — whether spurred by court decisions or new legislation.
Thomas S. Markey practices in the Privacy & Data Security Group at McNees Wallace & Nurick LLC and is a member of the International Association of Privacy Professionals and the Pennsylvania Bar Association Cybersecurity & Data Privacy Committee.