Federalization in information privacy law.

• Author: Bellia, Patricia L.

FEATURE CONTENTS INTRODUCTION I. THE VERTICAL AND HORIZONTAL DIMENSIONS OF INFORMATION PRIVACY REGULATION II. STATE-FEDERAL DYNAMICS IN INFORMATION PRIVACY LAW A. Quasi-Constitutional Provisions B. "Federal-First" Regulatory Responses C. Federal Provisions Reacting to State Regulatory Activities D. Summary III. INFORMATION PRIVACY REGULATION AND FEDERALISM THEORY IV. THE FEDERAL ROLE IN INFORMATION PRIVACY REGULATION CONCLUSION INTRODUCTION

In early 2007, as mega-retailer TJX began disclosing details of a massive network security breach involving at least 45.7 million credit card accounts, (1) members of Congress introduced an array of bills promising strong and comprehensive federal protection of personal data. (2) Although the 110th Congress failed to adopt any significant data privacy legislation, let alone any deserving the labels "strong" or "comprehensive," data security breaches will keep information privacy issues on federal legislative and regulatory agendas for the foreseeable future.

Paul Schwartz's provocative essay suggests that Congress should not seek to adopt a comprehensive federal information privacy law. (3) The positive case for federalization, he argues, is weak: state-level regulation of data privacy is unlikely to lead to the sort of "race to the bottom" that often justifies federal regulation in other areas, such as environmental law. (4) Moreover, a comprehensive information privacy law brings the danger of "ossification." (5) Particularly if such a law is broadly preemptive of state law efforts, we will lose the benefit of state experimentation with innovative privacy law protections. (6) Schwartz's ultimate conclusion appears to be a narrow one. He argues that it would be unwise for Congress to impose unitary federal information privacy rules that both block more stringent state law rules and eliminate the sector-specific distinctions that now exist in federal law. (7) Although I agree with that narrow conclusion, it rests on descriptive and theoretical premises that have far broader implications for federal regulation of information privacy. If adoption of a unitary and truly comprehensive privacy statute is (as I would contend) unlikely, then we are left with difficult questions about what the relationship between federal and state law should be and whether there is any role for a non-sector-specific federal approach to information privacy. Because I disagree with some of the descriptive and theoretical points that drive Schwartz's analysis, my views on these questions differ from his in significant ways. In particular, the case for federal regulation of data privacy is stronger than Schwartz suggests, even when federal regulation would preempt state law in favor of a unitary federal standard. In addition, I view carefully crafted minimum privacy standards that cut across sectoral lines as unproblematic, so long as such standards permit stronger sector-specific approaches.

My analysis proceeds as follows. In Part I, I first seek to separate the "vertical" and "horizontal" strands of Schwartz's claims--that is, respectively, those arguments focusing on the federal-state balance in information privacy regulation and those arguments focusing on the putative scope of a federal statute in relation to sectoral federal privacy laws. I then briefly discuss the horizontal issues to identify and put to one side my narrow disagreement with Schwartz's approach on these questions.

Parts II through IV focus on the vertical dimensions of information privacy law and explore the key premises, explicit and implicit, upon which Schwartz's opposition to a federal information privacy law rests. I begin in Part II with the descriptive claims. Schwartz views states as "especially important laboratories for innovations in information privacy law," (8) and that view supports his normative claim that Congress should not adopt a broadly preemptive information privacy law. (9) While I agree with much of his descriptive account, I suggest that it may overstate the role of states as engines of experimentation and change. I then turn in Part III to theories about the proper allocation of regulatory authority between state and federal authorities. Like many scholars who consider federalism questions in other areas of the law, Schwartz seems sympathetic to theories of competitive federalism. Such theories assume that allowing states and localities to compete for citizens' loyalty by experimenting with different policy approaches will generate better regulatory outcomes. This approach and other closely related efficiency-based approaches to allocating regulatory authority are widespread in existing federalism scholarship. Even if we accept these efficiency-based perspectives, however, the case for federalization of information privacy law is stronger than Schwartz suggests. Finally, in Part IV, I move beyond the efficiency-based perspectives. Such perspectives, I argue, cannot explain or justify a number of federal information privacy statutes that are better understood as efforts to articulate and federalize privacy expectations. We should not lightly disable the federal government from playing that role.

1. THE VERTICAL AND HORIZONTAL DIMENSIONS OF INFORMATION PRIVACY REGULATION

   Schwartz argues that it would be a "mistake" for the United States to adopt "a comprehensive or omnibus federal privacy law for the private sector." (10) Parsing this claim proves more difficult than it first appears, for there are at least three categories of arguments that one opposing such a privacy law might raise. First, one might claim that any regulatory intervention--state or federal--is unnecessary or even counterproductive in light of the possibilities for market-based responses to privacy and security breaches. (11) Schwartz does not appear to make this claim, and indeed in other contexts has expressed skepticism about the adequacy of market responses to data privacy threats. (12) Second, one might focus on the vertical aspects of federal information privacy regulation. One might accept the need for action by legislatures or regulatory agencies but conclude that state regulation is preferable to federal regulation; or one might argue that even though federal intervention itself may be appropriate, such regulation becomes problematic if it broadly preempts state law. Schwartz focuses heavily on these vertical dimensions of information privacy law. Although he specifically opposes a comprehensive and strongly preemptive federal statute, some of his arguments call into question federal regulations that are not strongly preemptive of state approaches and federal regulations that target specific sectors. (13)

   Third, one might focus on the horizontal features of federal regulation--that is, the interplay of any federal information privacy law with other sector-specific federal rules. One might argue that a comprehensive approach to regulating the collection, storage, and use of data across varied industries is inappropriate, even if sector-specific deviations from those rules survive. Or one could argue that a comprehensive approach is not generally problematic, but becomes so if it displaces sector-specific rules. Here, Schwartz appears to be unenthusiastic about any form of comprehensive regulation, (14) but especially opposes regulation that displaces existing sectoral laws. (15)

   In my view, Schwartz's claims about the vertical dimensions of information privacy offer the most significant challenge to current and future regulations. Federalism issues are often overlooked in debates over what the privacy law landscape should look like. I devote most of the remainder of this Essay to these issues. Before turning to them, however, I note my overall agreement with much of Schwartz's discussion of the horizontal dimensions of information privacy regulation, as well as a narrow point of disagreement.

   I agree with Schwartz that a horizontally preemptive statute--that is, one that eliminates any sector-specific privacy approaches--would be problematic (although the possibility of such a statute being adopted seems rather remote). First, this approach fails to acknowledge that information privacy interests vary depending on the type of information at issue. Citizens have different interests in shielding information depending on how sensitive it is: one has a different interest in protecting information about one's health than one has in protecting information about one's shoe purchases. Second, as discussed in Part III, at least in theory one of the benefits of having multiple regulatory regimes--whether by state or by sector--is that it permits experimentation with various regulatory options. Passage of a horizontally preemptive statute does not eliminate the opportunity for sectoral experimentation, because the obstacles to a subsequent Congress's enactment of a sector-specific regulation are political rather than structural. Eliminating sector-specific distinctions, however, does cut existing experiments short.

   My disagreement relates to the question whether it is appropriate for Congress to adopt any baseline federal information privacy protections while preserving sectoral protections that exceed the baseline, or to adopt protections where there are gaps in sector-specific protection. Schwartz acknowledges the possibility of such baseline or interstitial regulation and considers some of its advantages, but he fears that adopting a federal baseline violates a principle of "regulatory parsimony." (16) Schwartz writes approvingly of Congress's caution in information privacy regulation in the 1970s, when Congress opted not to enact "a broad regulation of information use that would include the private and public sectors in one fell Swoop." (17) To this objection about regulatory parsimony we might also add another objection that Schwartz raises against regulations that are both comprehensive and strongly preemptive--that...