Which level is better placed to provide effective data protection – the federal or the state level? This question is topical both in the United States and in the European Union. In the US, there are concerns about the growing fragmentation of American data privacy law and the absence of federal consolidation. In the EU, the proposed General Data Protection Regulation (GDPR), intended to replace the Data Protection Directive of 1995, was met with opposition over the “over-centralization of powers” in the European institutions.
Where do we stand with data protection in the EU and in the US now? Five years have passed since the European Commission first announced its initiative to update the European data protection framework, and the European Parliament’s version alone carries over 207 amendments to the Commission’s proposal (adding the ones tabled by the successive Presidencies of the Council, the count runs to several thousand). In an unprecedented move, at the end of July the European Data Protection Supervisor issued his own amended version of the Regulation ahead of the upcoming institutional trilogue.
In the meantime, the US has drifted further from a comprehensive statutory scheme after a federal proposal for a Consumer Privacy Bill of Rights failed to muster agreement twice, first in 2012 and then in 2015. Current attempts to regulate student privacy and to consolidate the state data breach notification laws at the federal level remain uncertain.
In short, the GDPR and the US federal initiatives are seemingly not winning hearts and minds. But they should at least have provoked your curiosity by now. Here is how federal or EU regulation has the potential to bring a level of legal certainty that benefits individuals and businesses alike:
The Evils of Centralizing Data Protection: Myth or Reality?
Myth 1: The procedure for enacting US federal or European law is slow and burdensome. Hence, the main fear of centralizing data protection law is that it would bring regulatory ossification that stymies innovation.
Myth 2: Industry lobbies mobilize better at the federal or the EU level. They push Congress or the EU institutions toward weak centralized rules for the private sector. This phenomenon, dubbed “defensive preemption”, was described in relation to US environmental policy in the 1980s: strong lobbies tried to preempt environmentally friendly state laws by institutionalizing a low bar of federal protection.
The conventional wisdom is not entirely wrong. But it is simplified and too often incomplete. Precisely because of the checks and balances that slow down US federal or EU lawmaking, state regulation is a necessary backstop for data protection law. State legislatures can react promptly to what their constituents perceive as digital threats. Some state laws will provide imperfect protection and some will be too inflexible. Federal or EU oversight can evaluate and correct such regulatory failures.
Conversely, centralized oversight need not weaken privacy protections. Federal or EU law can build in mechanisms that let the law respond to ongoing challenges. For example, the GDPR establishes a one-stop-shop mechanism that aims to make enforcement predictable and to avoid forum shopping. Under the one-stop-shop principle, only one national Data Protection Authority (DPA) is responsible for taking legally binding decisions against a company (the responsible DPA is determined by the location of the company’s main establishment in the EU). Some were concerned that businesses would locate their main establishment in countries with a less onerous enforcement approach. Despite open questions about the practical implementation of this principle, the GDPR introduces a requirement for co-operation between the national DPAs that significantly reduces the risk of a “race to the bottom”.
One way to avoid ossification, then, is to rely on state standards and institutions as catalysts. An often-quoted example is California’s breach notification law, the first of its kind, now adopted in one form or another in 47 US states. A similar case is the French idea of a “droit à l’oubli” (right to be forgotten), which now forms part of the case law of the European Court of Justice and is a feature of the GDPR. If the federal government or the EU legislator refrains from preempting state law for a period of time, at least some of the higher standards of consumer or fundamental rights protection introduced in some states are likely to be taken up voluntarily by other states, and by the industry as well. Privacy federalism can offer protections in the long run.