The concept of privacy has come to prominence in the United States with breathtaking speed. As recently as ten years ago or less, data privacy laws were rarely, if ever, raised as a concern in information governance circles, and information governance policies rarely contained a significant privacy law component, with the sole exception of HIPAA compliance.

But oh my! How the world has changed – privacy law is everywhere now. And given that sudden rise to prominence, you might be forgiven for thinking that as a legal concept, it’s newly minted, a product of some sort of new-fangled legal doctrine concocted in some think tank.

If you thought that, you wouldn’t be entirely off the mark.  There are certainly plenty of think tanks thinking hard about privacy these days. But they’re not pondering upon a new concept. On the contrary, they’re trying to turn what is a very old concept into enforceable law and achievable doctrine in a world that is very different from the one that faced the old thinkers on the subject.

“A Brief History of Privacy Law”

In the United States, the first inklings of privacy law turned up in the Constitution and Bill of Rights, and in subsequent amendments.  The Third Amendment prevents the government from parking soldiers in your house – certainly a privacy matter – but perhaps most importantly, the Ninth Amendment reserves a broad swath of rights – basically everything not explicitly granted to the government – to the people (that concept is taken straight from the Magna Carta, all the way back in 1215).

US case law supporting privacy rights

That basket of rights turns out to have a lot of privacy in it. The Fourteenth Amendment, through Supreme Court decisions from as early as 1923, grants a broad right of privacy and freedom from government intervention in several areas central to privacy. And since then the courts have done a lot of looking at the matter, and have used the Constitution as a basis for finding a number of privacy rights. So over the years, a large body of privacy case law has built up.

Statutory privacy rights in the US

Statutory privacy law is older than you might think as well.  The state of California has an anti-wiretapping law that dates from 1862 – yes, you read that right – that prohibits people from intercepting telegraph communications not intended for them – literally, tapping the wires to eavesdrop.  And sure enough, they had their first conviction for a privacy law violation within a couple of years, when someone tapped the wires to gain inside information for purposes of stock trades. So it might well have been the first insider trading case as well.

But how did all of this get to the rest of the world?  In particular, how did it get to places like Europe, where England aside, there hasn’t historically been a strong tradition of the protection of individual rights?  Through Canada, of course.

Privacy Law goes north

The Canadians have been early and active proponents of privacy rights as a legal concept. The Canadian Human Rights Act dates from 1977, the Canadian Charter of Freedoms dates from 1982, and the Privacy Act from 1983.  And in a very real way, these are the cornerstones of all subsequent general privacy laws. Privacy had come in dribs and drabs before that time – for example, the Fair Credit Reporting Act in 1970 – but such as it was, it was a here-and-there thing about specific topics, not at all an acknowledgment of a general right of privacy. It’s the Canadians who gave form and expression to a concept that heretofore had mostly been alluded to.  And they have been forward-thinkers on the topic ever since.

The Canadian model crosses the Atlantic

The collapse of the Soviet Union stimulated a good deal of interest in privacy in Europe and the European Union. The East German Stasi was particularly well-known for having informants everywhere – and with this coming on the heels of Nazi Germany and the Gestapo, the people of Europe were highly receptive to the concept of Privacy as a Right, and of formal legal protections for it. So they quickly followed the Canadian model – first, high-level statements of concept – the Data Protection Convention of 1980 – then an increasingly detailed and strict series of laws culminating in the current regime of the General Data Protection Regulation and its many implementing instruments. And in the course of this, the European Union has become the leader in data privacy laws. By a wide margin, the requirements and enforcement of privacy law in the E.U. are the most comprehensive and stringent in the world.

A global standard for privacy law?

An important corollary of this is the spread of what is now the E.U. model of privacy law and privacy law enforcement. A large part of the rest of the world has adopted privacy laws modeled after E.U. law and the GDPR. A look at the privacy law map reveals GDPR-style law fully developed in places as far-flung as Argentina, South Korea, and Japan, with places like Australia and New Zealand close behind on the Canadian model. And it’s been developing in some places you might not expect for a while now: the Community of West African States has had a data protection act in place since 2010. There’s a trend here, and it’s worth looking at where that trend is leading because it finally just arrived in the United States in the form of the California Consumer Protection Act, the CCPA.

A look at the U.S. privacy map reveals that the CCPA is not alone and that about half of the states currently have a general privacy law either on the books or in the works.  So how this plays out matters to all of us.  Here are some key attributes of this that are likely to be nearly universal at some point, and that you need to consider:

  1. Newer privacy laws are general laws, not the topic-specific thing we’re used to in the U.S. Whereas we have things like the Fair Credit Reporting Act covering a single narrow topic, laws like the GDPR cover all personal information, in any form, collected for any purpose. That’s not yet true in the U.S., but the CCPA and its U.S. progeny are inching in that direction.  Expect it.
  2. There is a dedicated government bureaucracy to write regulations and enforce the laws and regulations. That’s already a powerful phenomenon in the E.U., where data privacy laws are enforced by authorities with a great deal of power.  And it’s coming to the U.S.  There’s a ballot initiative in California for this coming election to create just such an authority, and you can count on it passing.  It’s a big development when it happens because it means that there’s a whole government entity whose sole purpose in life is to enforce privacy laws, a far cry from what it currently is in the U.S., a scrap time job for a lawyer or two in the Secretary of State’s or Attorney General’s office.
  3. The Data Privacy Authority is equipped with a very big stick with which to enforce the law. That means the power to force change when needed, and to hand out big fines and other sanctions when necessary.
  4. The Data Privacy Authority will use that stick liberally to achieve its mandated outcomes. The E.U. Data Privacy Authorities routinely hand out large fines and other sanctions, and no one is exempt – the large and the small, the rich and the poor, for-profits and non-profits, even other government agencies – everybody gets whacked when the Data Privacy Authority finds a violation.

And friend, it’s coming to you soon.  The trend is inevitable – the Europeans forced privacy law compliance on many non-European organizations because they do business in Europe, and they provided a comprehensive model for other countries to follow.  The more countries that adopt the same model, the more pressure there is on other countries, and businesses and other organizations to likewise adapt.  And now it’s arrived in the U.S., and states are looking at it and adopting the same model – ergo, the CCPA.  And because it’s here, and because one by one the states are following suit like a row of dominoes falling, you’ll eventually be forced to adopt the same compliance model in your business practices, no matter how much you resist.

It’s not a matter of if, it’s a matter of when privacy laws become essential.  Even if your state is a lone holdout, eventually you’ll be landlocked and find that everybody else is there, and if you want to transact business anyplace else, you’ll need to comply.

Privacy never sleeps

So, don’t be like so many U.S. companies that ignored the five years’ worth of warnings before the GDPR was adopted, and the nearly two-year grace period before enforcement became serious, and that now face – or have already had to pay – multi-million dollar fines. Get up to speed on privacy and begin the development of a serious compliance program. Time’s a’wastin’!
