The White House (via the Department of Commerce) has released a “discussion draft” of consumer privacy legislation intended to codify President Obama’s 2012 Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy. The 2012 Framework included a Consumer Privacy Bill of Rights and called for baseline protections for consumers and greater certainty for businesses founded on the following principles:
- Individual control over personal data;
- Transparency regarding an entity’s privacy and security practices;
- Respect for context in which consumers provide/businesses collect the data;
- Security and responsible handling of personal data;
- Consumer access to data to ensure accuracy;
- Focused collection to ensure reasonable limits on the data collected and retained; and
- Accountability for companies handling that data.
Although each of those laudable notions is reflected in the Bill, in the view of the FTC and many privacy advocates, the draft Consumer Privacy Bill of Rights Act of 2015 (the “Bill” or “Act”) comes up short of the consumer protection–minded goals of the 2012 framework. We see other problems as well.
Ostensibly, the Bill is intended to “establish baseline protections for individual privacy in the commercial arena and to foster timely, flexible implementations of these protections through enforceable codes of conduct developed by diverse stakeholders.” Act, § 1. In other words, those subject to the Act would be permitted a safe harbor by establishing (and adhering to) their own codes of conduct. See generally Act, § 301 (Safe Harbor Through Enforceable Codes of Conduct).
For its part, the FTC would enforce the Act via civil fines; however, those fines are contingent on the number of days over which a violation occurs – not the number of affected individuals or monetary impact. A one-day violation could not exceed $35,000 in fines, regardless of whether the violation affected ten, 10,000, or 10,000,000 individuals. See Act, § 203(a)(1). A compounding issue is that the Act would apply to non-profit entities, Act, § 4(b), however, the FTC can only bring an action against a for-profit enterprise.
Of particular concern, the draft raises a number of issues given HHS’s Office for Civil Rights’ (OCR) recent and ongoing implementation of the HITECH Act and regulation of medical privacy under the HIPAA Privacy Rule. Following are a smattering of the issues that we see.
First and foremost, the Bill’s preemption language is confusing in the context of HIPAA. It provides that “[t]his Act preempts any provision of a statute, regulation, or rule of a State or local government, with respect to those entities covered pursuant to this Act, to the extent that the provision imposes requirements on covered entities with respect to personal data processing.” Act, § 401(a) (emphasis added). It goes on to state, however, that “[n]othing in this Act may be construed to modify, limit, or supersede the operation of privacy or security provisions in Federal laws . . . .” Act, § 404(d)(1). The federal HIPAA Privacy Rule does not preempt more stringent state laws and regulations that are otherwise consistent with the federal rule. Accordingly, it appears that the Act would preempt an otherwise permissible (and arguably “stronger”) state medical privacy law – yet leave HIPAA alone. Such a result would seemingly be at odds with the underlying intent of the federal Privacy Rule.
In certain respects, the draft Bill appears incredibly broad. As alluded to above, it applies to a “covered entity” – i.e., anyone who “collects, creates, processes, retains, uses, or discloses ‘personal data’.” Act, § 4(b). That suggests that both HIPAA Covered Entities and Business Associates would be subject to the Act.
“Personal data” includes, but is not limited to: a first name (or initial) and last name; a postal or email address; a telephone or fax number; a social security number; any biometric identifier; or any other “unique persistent identifier.” Act, § 4(a)(1). It specifically excepts, however, “de-identified data” from the definition of personal data, but fails to square the concept of de-identified data with HIPAA. Whereas the Privacy Rule sets forth two very specific methods by which to de-identify data (see Statistical and Safe Harbor methods), the Bill simply allows a covered entity to “alter . . . personal data . . . such that there is a reasonable basis for expecting that the data could not be linked as a practical matter to a specific individual or device . . . .” Act, § 4(a)(2)(A)(i). It is unclear how such a standard would be consistently and reliably implemented.
The Act also introduces a similarly amorphous concept in “Respect for Context.” In a rather confusing bit of draftsmanship, the Bill calls for a covered entity to perform a risk analysis when it “processes personal data in a manner that is not reasonable in light of context . . . .” Act, § 103. If it determines that the manner is not reasonable in the particular context, it would appear to contemplate affirmative consumer opt-in – as opposed to opt-out – for such processes. Such provisions could be read to stand at odds with HIPAA’s authorization requirements and broad exceptions for face-to-face communications and refill reminders (an exception to the definition of “marketing”).
By way of further example, and particularly with respect to reconciling the Act with HIPAA, a covered entity would not include one that collects, creates, processes, retains, uses, or discloses the personal data of fewer than 10,000 individuals in a 12-month period, or has fewer than 5 employees. That exception alone would likely sever the world the HIPAA Covered Entities in two.
The Bill also exempts seemingly broad categories of data (e.g., “customary business records”) from certain requirements such as data minimization and individual control. “Customary business records” include data “typically collected in the ordinary course of conducting business and that is retained for generally accepted purposes for that business . . . .” Act, § 4(j). Put bluntly, it is difficult to conjure categories of data that would not fit comfortably into that exemption.
Furthermore, in somewhat striking contrast to HIPAA’s concept of Breach, the Bill defines “privacy risk” in subjective fashion – i.e., as that which could “cause emotional distress, or physical, financial, professional or other harm to an individual.” Act, § 4(g). OCR did away in 2013 with its similar subjective “risk of harm” standard in favor of a more objective risk assessment: “[a]n impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a [formal] risk assessment . . . .” 45 C.F.R. § 164.402 (emphasis added).
Finally, there is no provision in the Bill that would require FTC rulemaking. As written, and without agency regulation and guidance, the Bill will almost assuredly spawn significant consumer and stakeholder confusion.
In our view, which appears largely consistent with various media reports and fellow bloggers, the current Bill is unlikely to go anywhere in Congress.