We continue our series on the California Consumer Privacy Act (CCPA) by noting that many other privacy initiatives are under way in the US. In the face of increasing consumer data breaches and growing privacy concerns, many countries have significantly changed their privacy regulations. To do this, these countries use global or umbrella-type regulations that cover all kinds of data, without splitting protections by data type. In the United States, however, consumer privacy protection currently follows a sectoral approach, at both the federal and the state level. While this may look like a messy clutter of industry-specific provisions, each measure was born out of the need to respond to a very specific problem. In this article, we will help you understand the history of the privacy landscape in the United States and its current state.
At the most abstract level, although the US Constitution does not explicitly include the right to privacy, the Supreme Court found that the Constitution implicitly grants a right to privacy against government intrusions.
As stated in the Fourth Amendment of the US Constitution:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The Protection of Privacy in Health Care – HIPAA
In the health sector, for example, the concept of informed consent was developed in the United States, originally for rare, risky and potentially life-threatening situations, such as medical research and surgery. In health care, help cannot be obtained without disclosing intimate physical and behavioral information to others. If you do not disclose this confidential information, you risk death or serious permanent damage.
Rooted in the Hippocratic Oath, this ethical rule frames a fiduciary relationship between the doctor and the patient. The physician receives health information in trust, for use only for legitimate health care purposes. Using this medical information for other purposes would constitute a breach of trust, contrary to the first principle of the Hippocratic Oath, "Do no harm". An excerpt from the oath as administered says "I will respect the privacy of my patients because their problems have not been disclosed to me that the world may know."
Research shows that patients trust their doctor to make appropriate decisions about disclosure of health information, including sharing information with other health professionals responsible for patient care. We do not really want people who are rushed to the hospital by ambulance to have to check the privacy settings of their electronic health record portal application, or doctors and nurses to fail to provide care to an unconscious person because they do not know that person's privacy choices.
It is not surprising that the Health Insurance Portability and Accountability Act (HIPAA) dates back to the early 1990s, when it became apparent that the medical care industry would become more efficient by computerizing medical records. The sector also needed new standards for health data management. These standards included rules on the portability of medical information and on establishing and protecting the patient's right to the confidentiality of medical information. It was also necessary to ensure that people could keep their health coverage when they left their jobs.
The Protection of Privacy in Finance – GLBA
The financial sector has a similar story. Amid efforts to digitize financial records, and reports of mishandling and data breaches, regulators sought to protect consumers' financial records and transactions. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions (companies offering financial products or services, such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data. GLBA also requires financial institutions offering consumer credit services, financing or investment advice and/or insurance to fully explain their information-sharing practices to their customers. Companies must give their customers the opportunity to opt out if they do not want their sensitive information to be shared. While many consider critical information, such as bank balances and account numbers, to be confidential, in reality these data are systematically bought and sold by banks, credit card companies, and others. GLBA required limited privacy protection against such sales of personal data, as well as against pretexting (obtaining personal information under false pretenses).
Data Privacy Today
Enter the modern era of massive data use and cloud services. The IMD World Competitiveness Center has been a pioneer in researching how countries and businesses compete to lay the foundation for future prosperity. In its 2018 study, the United States is at the top of the ranking, followed by Singapore, Sweden, Denmark and Switzerland. According to the latest data on computer and Internet use published by the National Telecommunications and Information Administration (NTIA), the rapid movement of Americans to mobile Internet service seems to be coming at the expense of broadband connections at home. At the same time, many Americans are using more computing devices on a daily basis. These two findings suggest that technological change is causing a profound shift in the way Americans use the Internet, which could lead to a new digital divide based on the use of particular types of Internet devices and services.
Billions of people were affected by data breaches and cyberattacks in 2018: 765 million in April, May and June alone, with losses exceeding tens of millions of dollars, according to the global digital security company Positive Technologies. Cyberattacks increased 32% in the first three months of the year and 47% between April and June, compared to the same periods of 2017, according to Positive Technologies. There has been no breach as "significant" as the September 2017 Equifax data breach, in which approximately 143 million Americans were exposed to a lifelong risk of identity theft. Breaches and cyberattacks continue to worsen, and there is no expectation of a slowdown.
European privacy observers say they continue to see an increase in the number of data protection breach reports and privacy complaints. This should not be surprising because, as we pointed out in our GDPR series, the European Union has begun to apply its General Data Protection Regulation. Among its provisions, the GDPR requires organizations that suffer a breach that may have exposed personal information about Europeans to inform the competent authorities. The number of data breach reports recorded since the GDPR came into force has reached about 3,500 in Ireland, more than 4,600 in Germany, 6,000 in France and 8,000 in the United Kingdom.
Because of all this, and in the absence of a US federal entity instituting comprehensive privacy protections, states have begun to step in.
Let us be clear: the notion of states enforcing local laws to protect their own residents is not new. The 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws requiring private or government entities to notify individuals of security breaches involving personally identifiable information. Legislation related to the right to privacy and social media content has been discussed and enacted in several states, including California's "online erasure" law protecting minors from digital tracing. However, the United States is still far behind European Union countries in terms of protecting privacy online. (For example, the Advocate General of the European Court of Justice, Maciej Szpunar, recommended that the court rule in the case of the "right to be forgotten", thus protecting both adults and children.) The states jumping on this train speak volumes about the growing concern over the lack of comprehensive federal regulation:
Hawaii – S.B. 418
Massachusetts – S.D. 341
New Mexico – Consumer Information Protection Act (S.B. 176)
Rhode Island – Consumer Privacy Protection Act (S.B. 234)
Washington – Washington Personal Information Protection Act (S.B. 5376 / H.B. 1854)
New Jersey – A.B. 4640 / S.B. 3153
New York – Online Consumer Protection Act (S.B. 2323 / A.B. 3818)
New York – S.B. 1177
New York – Right to Know Act (S.B. 224 / A.B. 3739)
North Dakota – H.B. 1485
Virginia – H.B. 2535
Arizona – H.B. 2259
California – A.B. 288
Connecticut – H.B. 6601
New Jersey – S.B. 2634 / A.B. 3923
But this is not for lack of trying: US federal data privacy legislation is complicated, and adopting a comprehensive federal data privacy bill involves confronting two polarized sides on the issue of preemption of state laws and of other federal laws such as HIPAA and GLBA, which manage data by sector or industry.
Here is just a sample of what is on offer:
American Data Dissemination (ADD) Act (S. 142)
Personal Information Protection and Consumer Rights in Social Media Act (S. 189)
Data Protection Act (S. 3744)
Consumer Data Protection Act
Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act (S. 2639)
Information Transparency and Personal Data Control Act (H.R. 6864)
Application Privacy, Protection and Security Act (H.R. 6547)
Data Broker Accountability and Transparency Act (H.R. 6548 / S. 1815)
To further complicate matters, enforcing whatever is enacted will also be difficult. While state attorneys general have an important role to play, the Federal Trade Commission (FTC) sees itself as the "supreme policeman in the protection of privacy." The FTC has the general power to prohibit "unfair and deceptive trading practices" under Section 5 of the FTC Act, and has attempted to establish a baseline for data security through more than sixty (60) enforcement actions. However, companies have begun to push back aggressively against the FTC's legal authority to police data security practices, and the FTC has limited jurisdiction over banks, insurance companies, nonprofit entities and even some internet service providers.
So, what's the next step? Is the United States becoming a country with 50 completely different laws, or will we see the federal government intervene?
What we do know is that the 21st-century economy will be fueled by personal data. But we do not yet know what rules will govern this information, with whom it will be shared and what protections will be put in place. A baseline data protection law would provide a legal framework to answer these questions.
The US Congress should join other advanced economies in their approach to data protection by creating a single, comprehensive data protection framework. Meaningful federal laws and regulations should seek to resolve differences between existing federal and state rights and legal responsibilities. This would not only simplify compliance for US companies, but would also strengthen the US and align it with new data protection standards. Congress could put in place an effective privacy regime with at least the following four qualities:
A simpler and more complete approach to individual digital dignity is warranted, particularly after this past year, characterized by a growing scale of data management violations and failures. A baseline privacy framework could ensure that all businesses become responsible and ethical data managers, bring the US into line with global standards, and better protect the data of its citizens.