The concept of privacy has come to prominence in the United States with breathtaking speed. As recently as ten years ago or less, it was rarely, if ever, raised as a concern in information governance circles, and information governance policies rarely contained a significant privacy component, with the sole exception of HIPAA compliance.
But oh my! How the world has changed – it’s everywhere now. And given that sudden rise to prominence, you might be forgiven in thinking that as a legal concept, it’s newly-minted, a product of some sort of new-fangled legal doctrine concocted in some think tank.
If you thought that, you wouldn’t be entirely off the mark. There are certainly plenty of think tanks thinking real hard about privacy these days. But they’re not really pondering upon a new concept. To the contrary, they’re trying to turn what is in fact a very old concept into enforceable law and achievable doctrine in a world that is very much different from the one that faced the old thinkers on the subject.
“A Brief History of Privacy Law”
In the United States, the first inklings of the concept turn up in the Constitution and Bill of Rights, and in subsequent amendments. The Third Amendment prevents the government from parking soldiers in your house – certainly a privacy matter – but perhaps most importantly, the Ninth Amendment reserves a broad swath of rights – basically everything not explicitly granted to the government – to the people (that concept is taken straight from the Magna Carta, all the way back in 1215).
US case law supporting privacy rights
That basket of rights turns out to have a lot of privacy in it. The Fourteenth Amendment, through Supreme Court decisions from as early as 1923, grants a broad right of privacy and freedom from government intervention in a number of areas central to privacy. And since then the courts have done a lot of looking at the matter, and have used the Constitution as a basis for finding a number of privacy rights. So over the years, a large body of case law on privacy has built up.
Statutory privacy rights in the US
Statutory privacy law is older than you might think as well. The state of California has an anti-wiretapping law that dates from 1862 – yes, you read that right – that prohibits people from intercepting telegraph communications not intended for them – literally, tapping the wires to eavesdrop. And sure enough, they had their first conviction for a privacy violation within a couple of years, when someone tapped the wires to gain inside information for purposes of stock trades. So it might well have been the first insider trading case as well.
But how did all of this get to the rest of the world? In particular, how did it get to places like Europe, where England aside, there hasn’t historically been strong tradition of the protection of individual rights? Through Canada, of course.
Privacy goes north
The Canadians have been early and active proponents of privacy rights as a legal concept. The Canadian Human Rights Act dates from 1977, the Canadian Charter of Freedoms dates from 1982 and the Privacy Act from 1983. And in a very real way, these are the cornerstones of all subsequent general privacy law. Privacy had come in dribs and drabs before that time – for example, the Fair Credit Reporting Act in 1970 – but such as it was, it was a here-and-there thing about specific topics, not at all an acknowledgement of a general right of privacy. It’s the Canadians who gave form and expression to a concept that heretofore had mostly been alluded to. And they have been forward thinkers on the topic ever since.
The Canadian mode crosses the Atlantic
The collapse of the Soviet Union stimulated a good deal of interest in privacy in Europe and the European Union. The East German Stasi was particularly well-known for having informants everywhere – and this coming on the heels of Nazi Germany and the Gestapo, the people of Europe were highly receptive to the concept of Privacy as a Right, and of formal legal protections for it. So they quickly followed the Canadian model – first, high-level statements of concept – the Data Protection Convention of 1980 – then an increasing detailed and strict series of laws culminating the current regime of the General Data Protection Regulation and its many implementing instruments. And in the course of this, the European Union has become the leader in the Privacy field. By a wide margin, the requirements and enforcement of privacy law in the E.U. are the most comprehensive and stringent in the world.
A global standard for privacy law?
An important corollary of this is the spread of what is now the E.U. model of privacy law and privacy law enforcement. A large part of the rest of the world has adopted privacy laws modeled after E.U. law and the GDPR. A look at the privacy map reveals GDPR-style law fully developed in places as far-flung as Argentina, South Korea and Japan, with places like Australia and New Zealand close behind on the Canadian model. And it’s been developing in some places you might not expect for a while now: the Community of West African States has had a data protection act in place since 2010. Clearly, there’s a trend here, and it’s worth looking at where that trend is leading, because it finally just arrived in the United States in the form of the California Consumer Protection Act, the CCPA.
A look at the U.S. privacy map reveals that the CCPA is not alone, and that about half of the states currently have a general privacy law either on the books or in the works. So how this plays out matters to all of us. Here are some key attributes of this that are likely to be nearly universal at some point, and that you need to consider:
- Newer privacy laws are general laws, not the topic-specific thing we’re used to in the U.S. Whereas we have things like the Fair Credit Reporting Act covering a single narrow topic, laws like the GDPR cover all personal information, in any form, collected for any purpose. That’s not yet true in the U.S., but the CCPA and its U.S. progeny are inching in that direction. Expect it.
- There is a dedicated government bureaucracy to write regulations and to enforce the law and regulations. That’s already a powerful phenomenon in the E.U., where Data Privacy Authorities with a great deal of power enforce privacy laws very strictly. And it’s coming to the U.S. There’s a ballot initiative in California for this coming election to create just such an authority, and you can count on it passing. It’s a big development when it happens, because it means that there’s a whole government entity whose sole purpose in life is to enforce privacy laws, a far cry from what it currently is in the U.S., a scrap time job for a lawyer or two in the Secretary of State’s or Attorney General’s office.
- The Data Privacy Authority is equipped with a very big stick with which to enforce the law. That means the power to force change when needed, and to hand out big fines and other sanctions when necessary.
- The Data Privacy Authority will use that stick liberally to achieve its mandated outcomes. The E.U. Data Privacy Authorities routinely hand out large fines and other sanctions, and no one is exempt – the large and the small, the rich and the poor, for-profits and non-profits, even other government agencies – everybody gets whacked when the Data Privacy Authority finds a violation.
And friend, it’s coming to you soon. There’s an inevitability to the trend – the Europeans forced compliance on many non-European organizations because they do business in Europe, and they provided a comprehensive model for other countries to follow. The more countries that adopt the same model, the more pressure there is on other countries, and on businesses and other organizations to likewise adapt. And now it’s arrived in the U.S., and states are looking at it and adopting the same model – ergo, the CCPA. And because it’s here, and because one by one the states are following suite like a row of dominoes falling, you’ll eventually be forced to adopt the same compliance model in your own business practices, no matter how much you resist.
It’s not a matter of if, it’s a matter of when. Even if your state is a lone holdout, eventually you’ll be landlocked and find that everybody else is there, and if you want to transact business anyplace else, you’ll need to comply.
Privacy never sleeps
So, don’t be like so many U.S. companies who ignored the five years’ worth of warnings before the GDPR was adopted, and the nearly 2 year grace period before enforcement became serious, who now face – or have already had to pay – multi-million dollar fines. Get up to speed on privacy and begin development of a serious compliance program. Time’s a’wastin’!
For more on how to ensure ongoing compliance with the evolving regulatory landscape, check out this eBook: Risks and Opportunities of Managing Information Chaos