A Model Regime of Privacy Protection
Last year I blogged about an article by Daniel J. Solove and Chris Hoofnagle titled “A Model Regime of Privacy Protection.”
The paper has been revised a few times based on comments—some of them from readers of this blog and Crypto-Gram—and the final version has been published.
Abstract:
A series of major security breaches at companies with sensitive personal information has sparked significant attention to the problems with privacy protection in the United States. Currently, the privacy protections in the United States are riddled with gaps and weak spots. Although most industrialized nations have comprehensive data protection laws, the United States has maintained a sectoral approach where certain industries are covered and others are not. In particular, emerging companies known as “commercial data brokers” have frequently slipped through the cracks of U.S. privacy law. In this article, the authors propose a Model Privacy Regime to address the problems in the privacy protection in the United States, with a particular focus on commercial data brokers. Since the United States is unlikely to shift radically from its sectoral approach to a comprehensive data protection regime, the Model Regime aims to patch up the holes in existing privacy regulation and improve and extend it. In other words, the goal of the Model Regime is to build upon the existing foundation of U.S. privacy law, not to propose an alternative foundation. The authors believe that the sectoral approach in the United States can be improved by applying the Fair Information Practices—principles that require the entities that collect personal data to extend certain rights to data subjects. The Fair Information Practices are very general principles, and they are often spoken about in a rather abstract manner. In contrast, the Model Regime demonstrates specific ways that they can be incorporated into privacy regulation in the United States.
Definitely worth reading.
Jim Harper • February 6, 2006 1:14 PM
At a conference a couple of weeks ago, I asked Dan Solove how his proposal represents a way forward given the failings we already know of Fair Information Practice laws. The Fair Credit Reporting Act has existed for more than 30 years, for example, and credit reporting is rife with unfairness.
A model law is one thing, but what can actually be passed into law is quite another. My sense is that the FCRA protects credit bureaus more than consumers. Any new federal law will inevitably come with preemption of state laws that might address the issues better. Indeed, the reason they will pass, if they do, is because of those business-friendly provisions.
I have advocated for common law causes of action such as negligence (in the case of data breaches that permit identity fraud) and commercial defamation or interference with prospective economic advantage (in the case of bad data). Dan has made clear to me (and he’s right) that I owe the world more thinking on this.
There is general agreement on using liability to get data aggregators and data holders to internalize the risks their activities create, but I encourage people to withhold judgment on whether that liability should come through prescriptive bureaucratic regulation, or something else, such as common law remedies.