Purdue’s chief privacy officer discusses need for a uniform federal privacy standard

Note: Trent Klingerman, Purdue's chief privacy officer, will be part of an ITaP-sponsored panel discussion on privacy issues at 5:30 p.m., Oct. 29, in the Krannert Auditorium. The panel, held in conjunction with National Cybersecurity Awareness Month, will also feature Audrey Mills from Eli Lilly, J.J. Thompson from Sophos, and Joanna Lyn Grama from Vantage Technology.

Our time spent online grows each year. In 2000, the average American spent 9.4 hours online each week. In 2018, that number climbed to 24 hours per week. During our time spent online, we share loads of data with little insight into how it’s collected, used, and traded. Now is an opportune time to reassess the need for clear and consistent privacy standards that:

  • Articulate consumer privacy rights and protections in a way that is consistent and clear.
  • Set reasonable rules for the processing and handling of personally identifiable information (PII).
  • Establish security standards for protecting PII.

Establishing a single U.S. federal standard would take much of the confusion out of the state of privacy law, in America as well as around the world.

There is no single “right to privacy” in the United States. Rather, privacy rights are found in a myriad of privacy laws from a host of state and federal sources. U.S. privacy protections depend entirely on the context of the relationships between the provider and recipient of information, such as in the context of a patient’s relationship with their healthcare provider or a student’s with their school, and draw on the substantive law of many different areas to construct privacy and data security protections.

For example, the right to privacy is sometimes thought of as a constitutional right, found in the “penumbras” of the First (privacy of beliefs), Third (privacy of the home), Fourth (privacy of the person and possessions) and Fifth (privacy of personal information) Amendments of the U.S. Constitution.

The right to privacy is also found in the common law as the torts of “invasion of privacy,” “false light,” “misappropriation of likeness” and “public disclosure of private facts.” These torts are interpreted differently from jurisdiction to jurisdiction, rendering it exceedingly difficult to plainly articulate the right to privacy in any given situation.

Finally, federal and state statutes and regulations govern with great detail and considerable complexity the privacy rights of individuals with respect to their health care information (HIPAA), education information (FERPA), consumer financial information (GLBA) and social security numbers (Privacy Act and numerous state laws).

Each of these laws contains its own detailed and complex regulatory compliance standards. These standards are varied and there is little overlap. No institution can comply with any one of the foregoing privacy rules and rest comfortably that it has complied with them all.

The development of new laws governing the processing and handling of personally identifiable information based on the place the data originates has created an additional privacy complication. In May 2018, the European Union implemented comprehensive data privacy protections under its General Data Protection Regulation (GDPR). The GDPR regulates the consumer privacy rights and data privacy protection standards for personal data that originates within the EU and is transferred outside of it.

The law is one of the broadest, most comprehensive data privacy laws in the world. It requires that any entity that processes or controls PII disclose to the individual the lawful basis for processing the individual’s data. The GDPR also provides each individual with certain rights with respect to their data, including the rights to access, correct, restrict, object to, complain about and erase their data, and to withdraw consent. And ultimately, the GDPR requires entities that process and control data to disclose the identities and purposes of each party with whom the data is shared.

The GDPR applies to most entities that receive PII from individuals in the EU, regardless of where the entity is located. In the coming months, similar protections will extend to individuals residing in the State of California.

The California Consumer Privacy Act (CCPA) becomes effective in January 2020 and offers GDPR-like rights and protections to a narrower class of individuals. Like the GDPR, the CCPA places strict transparency requirements on certain businesses that receive and process PII. It gives Californians a set of privacy rights, including the right to know what personal information a business collects about them and how the data is used and shared.

Like the GDPR, the CCPA gives an individual the right to request deletion of their personal data. The CCPA is limited in its application because it must yield to federal privacy protections, such as the ones that protect health care and financial information.

In the immediate wake of California’s enactment of the CCPA, as many as 15 additional states are considering and proposing similar state privacy laws. Many are similar, but there are slight variations. One can easily imagine a difficult privacy landscape becoming untenable as entities engaged in interstate commerce struggle to comply with numerous general state laws as well as existing federal protections.

Last month, the Business Roundtable, an association of CEOs of leading U.S. companies, proposed a “Framework for Consumer Privacy Legislation.” The framework provides an insightful set of guiding principles from which federal legislation could be constructed. Key principles include:

  • A call for uniformity of the single federal standard.
  • A risk-based approach to privacy protection under which the risks of data processing are balanced against the relative benefits and interests.
  • A statement of individual rights to transparency, control, access, correction and deletion of their PII that is consistent with other legal requirements for data retention and integrity.
  • Clear and reasonable data security standards, breach notification rules and enforcement mechanisms that protect individual rights and promote accountability in businesses that process and handle PII.

One straightforward cure for the incredible complexity caused by the multiple and varied state and federal privacy regimes is the enactment of a single federal law that provides clear, consistent and comprehensive standards for how companies handle PII, such as that outlined in this framework. Such a law could strengthen consumer trust, settle expectations of both individuals and businesses and create a regulatory environment that highlights transparency.

This article is part of a series for National Cybersecurity Awareness Month. For more information visit https://itap.purdue.edu/privacy

Writer: Trent Klingerman, deputy general counsel and chief privacy officer, Office of Legal Counsel, klingert@purdue.edu