Obstacles to a National Privacy Law
Last month I described a proposal from Microsoft for federal legislation to establish baseline privacy protections for consumers and to provide organizations with a uniform national standard. Though there is much to debate in that proposal, I want to accept the basic idea for the sake of argument. What are the obstacles to a uniform, preemptive federal privacy law?
The legislative mechanics are daunting. Bills introduced in Congress begin their journey by referral to one or more committees. Most real legislative work is done in committees by a relatively small group of staff members and, occasionally, elected members, too. I was a congressional staffer for many years, and I have a staff view of the legislative process.
So which committee would be principally responsible for a privacy bill? The answer is nearly all of them. Almost every legislative committee on Capitol Hill could claim some jurisdiction over a privacy bill that applied to every U.S. organization.
In the House of Representatives, the committee responsible for interstate commerce matters would have a stake in the bill. So would the government reform committee that deals with general laws applicable to federal agencies. The judiciary committee has jurisdiction over some civil liberties issues, the courts and numerous federal agencies. Don't forget the banking committee and education committee, both of which enacted privacy laws years ago.
I could continue, but the point should be clear. Legislation with incredibly broad application could not move easily through Congress under normal rules. Congress knows how to deal with this type of legislation through select committees or other ad hoc arrangements, but it does so only rarely. It takes a broad consensus or tremendous political pressure to start the process. Neither is visible right now.
A second problem is that we already have privacy laws and rules. Let's mention just a few: the Fair Credit Reporting Act (credit bureaus), Gramm-Leach-Bliley (financial institutions), the Family Educational Rights and Privacy Act (schools) and the Health Insurance Portability and Accountability Act (healthcare). Each addresses some slice of privacy. Each differs from the others in significant ways.
To establish a uniform standard, you must raise or lower existing standards. If the uniform law lowered standards in some areas, the howling from record subjects would be loud. If that new law raised standards, record keepers would howl even louder.
It's not impossible to find consensus on tough issues. We do it, sometimes badly, all the time. What is most difficult is changing current rules in a way that, in effect, produces random groups of winners and losers. Organizations that already invested in privacy are unlikely to welcome change, and that makes the job much tougher.
Remember that it took many years to push the Data Protection Directive through the European political process. Each country with a privacy law worked hard to preserve as much of its existing policy and structure as possible. The European Union let stronger national laws remain in place or otherwise accommodated many national differences. The task would have been even harder, but European laws were roughly at the same level of generality as the directive. Our privacy laws often are filled with minutiae, and it is harder to find compromises at that level.
In some ways, it may be too late to consider an omnibus federal law in the United States. We may have traveled too far down the so-called sectoral path to abandon all sectoral laws in favor of something different.
Though Microsoft is right that a uniform law would have many benefits, the benefits would be spread inconsistently. International companies and domestic companies with many lines of business would gain the most. Record subjects would benefit. Small businesses, newspapers, schools, landlords, bookstores, most Web sites and utilities would be less likely to see any advantage.
Another set of problems is transitional. Though we probably have a dozen or so major federal privacy laws, most states have hundreds of small, uncoordinated laws with some privacy effects. Preempting those laws would require a detailed review of laws in each state. Many existing laws would need repeal, replacement or adjustment. The process would take years and could exacerbate the randomness and unfairness.
My list of problems is by no means complete, but it is enough for now. I am not suggesting that a uniform federal law is a bad idea. My point is that privacy in the United States has become a particularly difficult subject for a general, preemptive federal law. Anyone who wants one must recognize the major obstacles and be willing to work hard to develop a consensus sufficient to overcome them. That won't be easy, and it won't happen quickly.
Finally, if a serious uniform privacy proposal ever began to move on Capitol Hill, it would be a rare entity that could not find an argument for full or partial relief from the law's application. I doubt that Washington has enough lobbyists to represent all the industries, organizations, trade associations, federal and state agencies and others who would demand an exemption from a uniform federal privacy law.