Chapter 3: Federalist Silos: a Sectoral Approach to Privacy Legislation
How do we think about privacy, as a body politic, and how should we? Liberal democratic political systems like ours are built on a theory of liberty – the government should not hinder the liberty of the people except where reasonably necessary.
As you may know, I teach a Health Law, Policy and Regulation class in the Masters of Healthcare Leadership and Administration program at the University of Texas at Dallas, and I like to draw a continuum on the whiteboard to make this point. At one end is Order, and at the other is Liberty:
Liberty <-----------------------> Order
With absolute liberty, every man (and woman, I’m using traditional English) is free to do whatever he wants; however, what happens when one man’s wants conflict with another’s? Your freedom to swing your fist ends at the tip of my nose: if your exercise of liberty conflicts with mine, whose wins? Thus the state must put some limits on liberty. But as no man is an island, in some way almost anything you do impacts me, at least in some remote fashion (the old “beating of a butterfly’s wing” scenario). That can lead to further erosion of liberty. In fact, the more you erode liberty, the more order you get (think of totalitarian countries: there is much order – the trains run on time – but much misery).
Western civilizations run much toward the liberty side, and so we often speak of things in terms of “rights” of citizens. You could say we fetishize “rights” in the US: we even have the Bill of Rights in the Constitution.
And so you’ll often hear talk of a “right to privacy.” Of course, the word “privacy” does not appear in the Constitution. But Samuel Warren and future Supreme Court Justice Louis Brandeis wrote a famous Harvard Law Review article in 1890 entitled “The Right to Privacy,” based on a concept of “the right to be let alone.” And of course, the Supreme Court basically invented it as a constitutional right (a penumbra of an emanation) in Roe v. Wade (with a concurrence from Potter Stewart, who in the predecessor case of Griswold v. Connecticut noted that “With all deference, I can find no such general right of privacy in the Bill of Rights, in any other part of the Constitution, or in any case ever before decided by this Court.”).
Likely due in large part to this lack of a central “right of privacy” in American jurisprudence, US law does not view privacy as an inherent right in individuals. Rather, privacy rules tend to emanate from specific types of information or specific relationships between individuals where privacy and confidentiality are expected or required. For example, ethical and legal obligations bind attorneys, physicians, psychologists, and clergy to maintain the confidences of their clients, patients, or penitents. Likewise, certain information in certain hands is also often the subject of statutory or regulatory grants of privacy, due to the particularly sensitive nature of the information: banking information, educational information, tax information.
This results in the US having a legal privacy framework built into certain areas of business and life: in other words, the US has a “sectoral” approach to privacy. Compare instead the European approach: the General Data Protection Regulation (“GDPR”) is based on a nearly-Constitutional concept of a right of privacy in citizens of EU countries. There, the right to privacy exists as a force of nature, and law must bend to it. In the US, the underlying right isn’t nearly so insistent, so the law has more flexibility (and if there is no specific law on point, there is no right to privacy).
I could get pretty esoteric about why the US system is better. The “privacy” we are talking about here is the privacy of information about a person (not the right of someone to put a camera in your bathroom), and information wants to be free. I can gain information about you just by looking at you: the color of your hair, your mannerisms. That is your information; if you have an absolute right to privacy of information about you, then theoretically I can’t tell someone else what color hair you have, without your permission. But while the information is about you, should it be yours? If so, you should be able to make me give it back to you; but I can’t unsee your hair color or your mannerisms. That’s no way to run a legal system.
Anyway, weren’t we talking about HIPAA? Sorry for the digression.
So, the US has a sectoral system: federally, we have HIPAA for health information, Gramm-Leach-Bliley for banking information, and FERPA for educational records. We have COPPA to protect kids, CAN-SPAM and other laws regulating e-commerce and the internet, and an FTC rule that requires businesses to have “reasonable” data privacy and security protections.
As a federal system of government, we also have other laws at the state and local levels. Many states have their own version of HIPAA, and all have specific laws binding physicians and hospitals to maintain the privacy of medical records. Some states have other, general data privacy laws (the California Consumer Privacy Act brings GDPR-style regulation to businesses operating in California, for example), laws regarding biometric information (the Illinois BIPA is the source of much litigation against Facebook), and laws requiring specific data security measures (Nevada and Massachusetts both require personal information in electronic form to be encrypted in transit and at rest).
In 2003, California passed the nation’s first data breach notification law, requiring businesses in California to notify affected individuals if they are aware of a breach of computerized data that contains “personal information.” Other states followed suit, and in 2018, Alabama became the last state to enact a similar law. These laws are all similar: usually it’s only electronic or computerized data, but statutes vary in the definition of what information triggers the duty, the timing of reporting, and whether governmental entities should be notified. In 2009, as part of HITECH, HIPAA added its own data breach notification law*, but it applies to all data, not just computerized data.
The purpose of these laws is to let the individual know that their data is “in the wild;” none of these breach notification laws assume that the reporting entity is in violation of the law or liable for damages: it’s entirely possible that a reporting entity complied with every law and took all reasonable precautions, but was still attacked by a bad actor or suffered some other calamity that was of no fault of their own. But even if the reporting entity is innocent, the need to report is still there: the individual needs to know so they can protect themselves.
That’s the American solution to privacy: all these privacy laws, each in its silo, each tailored to the peculiarities of the industry in question. This sectoral approach helps explain some of the limitations on HIPAA: it only applies to certain entities and certain data (see Chapters 7 and 8). But it also allows the rest of the business of healthcare to continue to operate as it should. As I noted above, perfect privacy is the enemy of good health care, and HIPAA’s structure (such as allowing uses and disclosures for treatment, payment, and healthcare operations without the need for consent or authorization) is a brilliant fix.
Should we have a more general law? Maybe: many states have followed California’s lead in one way or another, with general privacy laws for their citizens, and some privacy-oriented congressmen (such as Senator Ron Wyden of Oregon) regularly sponsor general national data privacy bills, but so far none has come forward. Personally, I think the sectoral approach has served us well, and balances the equities well. I would not want a US version of the GDPR: some provisions, such as the “right to be forgotten,” would do violence to our American concept of personal rights and private property. If I have obtained information about you fair and square (you told me freely, I observed it, it is public knowledge, etc.), and I can use that data (combined with other data, for example) for a profitable purpose, why shouldn’t I be able to do so? The data’s about you, but if I have it fair and square (I did the research, I gathered the information, etc.), the data I’ve got should be my property. That’s the American way.
*Ed. note: I considered giving breach notification its own Chapter; but the Privacy Rule is turning 20, not 21. Then again, given the lack of speed with which I’m getting through this, it might be time for a 21st by the time I’m done.