New Challenges to Data Protection Study – Country Report: United States
Author(s): Chris Jay Hoofnagle
Abstract: This report is one of 11 country reports produced for the “New Challenges to Data Protection” study, commissioned by the European Commission, and describes the ways in which US law addresses the challenges posed by the new social-technical-political environment.
The hallmark of the US federal approach to privacy is sectoral regulation. A panoply of statutes now regulates specific types of government and business practices, with no broadly-applicable privacy statute governing data collection, use, or disclosure. The Federal Trade Commission has encouraged self-regulation in a number of sectors, and the development of privacy-enhancing technologies. The US approach to privacy is incoherent, sectorally-based, and largely driven by outrage at particular, narrow practices. Still, several innovations from the US approach deserve attention internationally.
First, increasingly, privacy statutes create evolving standards of care, thus encouraging innovation for handling of data and avoiding the reification that can result from prescriptive, detailed regulation. For instance, the Fair Credit Reporting Act mandates an evolving “maximum possible accuracy” standard.
Second, in the direct marketing context, the US has imposed advertiser liability for violations of telemarketing, fax, and spam laws. This is a promising approach to address the use of difficult-to-identify and prosecute service providers that are responsible for illegal marketing campaigns.
Third, audit requirements for access to personal information has had a profound effect in encouraging industry and citizen policing of privacy violations. Audit logs have substantiated long-suspected privacy problems regarding “browsing” of files, and news media access to celebrities’ medical records.
Fourth, the US has briefly experimented with “data provenance,” a requirement that buyers of personal information exercise diligence to ensure against misuse of data. Data provenance responsibilities can create incentives to reduce gray and black market sales of personal information.
Finally, most federal privacy law acts as a floor of protections, allowing states to enact stronger rules. This has created a tension between state and federal governments, resulting in a leveling up of protections, because states (which tend to be more activist on privacy issues) can act where the US Congress is occupied with other issues.
NB: The final report, an executive summary of the final report, both by Douwe Korff and Ian Brown (et al), and one of two working papers, as well as two further country reports (on France and Germany) and a Comparative Chart, all by Douwe Korff, all also produced for the Comparative Study of Different Approaches to New Privacy Challenges in Particular in the Light of Technological Developments, can be found on SSRN.
Keywords: Privacy, Data Protection, Comparative