Privacy piracy: the shortcomings of the United States' data privacy regime and how to fix it.

Author: Fairclough, Bradyn

  I. INTRODUCTION
  II. BACKGROUND: AN OVERVIEW OF THE U.S. MODEL AND THE EU MODEL
    A. The U.S. Model: Criticisms
      1. Constitutional Barriers to Protection
      2. Court Precedential Barriers
      3. Federal Privacy Law Failures
      4. Enforcement Problems
      5. Corporate Barriers to Reform
    B. The EU Model
  III. ANALYSIS: PROPOSED SOLUTIONS TO THE U.S. DATA PRIVACY PROBLEM
    A. Keeping the Current U.S. Model
      1. Continued Self-Regulation
      2. Private Right of Action and Increased Litigation: Where is the Harm?
      3. The FTC is Catching Up
      4. Leave it to the States
    B. Adopting the Enforcement Framework of the EU Model
    C. Collaborative Governance Approach
  IV. RECOMMENDATION
  V. CONCLUSION

  1. INTRODUCTION

    2015 was an unkind year to people who cheat. A group of hackers obtained and threatened to leak gigabytes of personal information of the users of Ashley Madison, (1) a website used by individuals seeking to have an extramarital relationship, if the site was not shut down immediately. (2) To the humiliation of thousands of users, the hacker group leaked names, sexual fantasies, credit card information, addresses, and more. (3)

    The news was frightening for many because of Ashley Madison's practice of never deleting their users' private information. (4) However, injuries stemming from data breaches do not only affect the unsympathetic. Simply shopping at Target put 40 million credit and debit card accounts in jeopardy when the company announced that they had been the victim of a data leak in 2013. (5)

    Even more troubling to some is not just that companies are not adequately protecting against incidents of data leakage, but that these companies will often leak the information on purpose. (6) Many websites use up to 100 tools to track consumer data. (7) Companies will often sell a consumer's location, age, and other personal details to "data brokers," who in turn distribute this information to third parties. (8) Not only are these facts shocking to some, it is even more shocking that businesses in the United States actually have a large role in creating the rules that regulate their actions. (9)

    The data leaks at Ashley Madison, Target, and many other companies suggest that consumer protection requirements for businesses are not stringent enough. This Note will discuss the United States's data privacy problem and some solutions scholars have proposed to effect widespread compliance by businesses and protection for consumers. Part II will discuss the history of data privacy in the United States and in the European Union (EU). Part III will analyze proposed solutions to the U.S. privacy problem and discuss their viability. Part IV will recommend a solution that the United States can implement to provide more protections to its citizens without damaging its growing data-driven economy.

  2. BACKGROUND: AN OVERVIEW OF THE U.S. MODEL AND THE EU MODEL

    Modern-day data privacy laws protecting private information in the United States and the EU grew out of the 1970s Fair Information Practice Principles (FIPPs). (10) The FIPPs outline eight essential pillars of effective data security: 1) transparency, 2) purpose specification, 3) use limitation, 4) data minimization, 5) data accuracy, 6) individual participation, 7) security, and 8) accountability. (11) Although the United States developed the principles, the country has not yet fully embraced them; instead, the United States relies on a fractured system comprised of various acts and statutes that did not begin with a glance at the FIPPs, but rather grew out of what each industry individually needed. (12) The EU, however, has made a conscious effort to incorporate the FIPPs into its Data Directive; the Data Directive is widely recognized globally as providing more protection for consumers' private information than the EU's regulations. (13) This Part will discuss the data protection models that both the United States and the EU adopted.

    1. The U.S. Model: Criticisms

      The United States utilizes a "sectoral model" to regulate how businesses use private consumer information. (14) A sectoral model utilizes legislation, regulation, and self-regulation. (15) Essentially, the sectoral model works like this: Congress passes narrowly tailored laws that barely infringe on the marketplace's role of self-regulation, and the Federal Trade Commission (FTC) and the Department of Commerce monitor businesses relying primarily on industry standards. (16) By partially relying on self-regulation, businesses are expected to abide by intangible industry practices and unwritten codes of conduct that they themselves create and interpret. (17) The sectoral model is used for several reasons. For one, supporters of the model claim that businesses are in the best position to decide what regulations are best for them and their consumers. (18) In addition, another policy reason for this model is that it helps the economy, especially today, as the economy has become more data-driven. (19) Although businesses have become more data-driven and tech savvy over time, there is one thing that will always drive businesses: profits. (20)

      Many have criticized the self-regulated model as being ineffective and laden with conflicts of interest because it asks businesses to regulate themselves when loose regulation could mean a much larger profit. (21) The government has developed laws to regulate the use of private information, but they are often industry-specific and the government applies them narrowly. (22) Businesses ultimately decide how the laws should be implemented in their day-to-day operations. (23) To further complicate the issue, the court system then interprets these laws, resulting in varied outcomes. (24) To illustrate this inconsistency between the courts and what a private citizen might believe is protected by law, it is instructive to note that a Pennsylvania court recently held there is no "common law duty to protect and safeguard confidential information." (25)

      The U.S. government is also concerned about infringing on the marketplace and burdening the country's increasingly data-driven economy with over-invasive regulation. (26) President Obama called for action to provide stricter regulation (27) and met considerable opposition, especially in a report decrying any benefits of overarching regulation similar to the EU model. (28) The president even revised his plan and proposed a bill, stressing the new regulation would not burden the economy, but Congress again opposed the bill with new criticisms that the proposed protections were too weak. (29)

      In fact, this cycle has been repeated several times before. (30) Congress or the president will feel that industry practices relating to data security are lacking and begin to threaten and propose stricter legislation. (31) Businesses will respond by purporting to implement stricter policies, pacifying Capitol Hill. (32) Then, as time passes, businesses will shy away from their self-made regulations and the cycle starts all over again. (33)

      There is a constant tension between free information, profits, and consumer protection. (34) For example, some new proposed government regulation has required default opt-out policies for the collection and use of information instead of the default opt-in policies that companies use now. (35) On the other side, many argue that increased government regulation and constant pop-ups (36) requesting consumers to opt-in could spell the end of "free internet" and severely hamper many businesses' valuable revenue streams from advertising. (37) There have also been other legal roadblocks to increased data privacy.

      1. Constitutional Barriers to Protection

        The Constitution and the courts have also not helped data privacy laws progress in the United States. (38) The U.S. Constitution does not contain an explicit right to privacy, but rather those rights are implied in certain areas. (39) Rather than being based in the firm footing of a fundamental right to data privacy, the data privacy laws in the United States are based largely in principles of tort and contract law, which can be conflicting. (40) This is in stark contrast to the EU, where the right to privacy is specifically guaranteed. (41)

      2. Court Precedential Barriers

        In addition, the First Amendment also causes problems for U.S. data privacy law reform. One company has successfully made the argument that prohibitions on the use of consumers' information violates businesses' right to freedom of speech. (42) Another instance where the Supreme Court has not advanced consumer data privacy interests was in Sorrell v. IMS Health, where the Court held that a pharmaceutical company should be allowed to access doctors' prescribing records or they would be denied the ability to better target potential new customers. (43) Furthermore, courts have also regularly found that data privacy violations are not a cognizable injury, (44) and an advertiser's use of private information does not deprive a consumer of monetary benefit. (45)

      3. Federal Privacy Law Failures

        Not only have the courts held up privacy law in this area, but several federal data privacy laws fail to help consumers because they are narrowly focused. The Fair Credit Reporting Act (FCRA) allows credit agencies to disclose personal information as long as they implement "reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer." (46) The Gramm-Leach-Bliley Act (GLBA) later added more to the FCRA, requiring financial institutions to notify customers of how their information is used and afford them the ability to opt out of disclosure to third parties, prohibiting the disclosure of account numbers to third parties, and requiring the FTC to create a Safeguards Rule for businesses. (47) The Cable Communications Policy Act (CCPA) requires cable companies to disclose to customers how their private information is being used. (48) The Health...