20 October 2023

On data privacy, look to the states and not to Europe for solutions

LOGAN KOLAS

For the better part of two decades, Congress and bureaucrats in Washington quietly debated comprehensive federal data privacy legislation but decided against it. Instead, states have been left to cobble together their own patchwork of rules.

The U.S. has long prioritized protecting markets and consumers by regulating different markets differently. Healthcare in America is not regulated like Wall Street, nor is Wall Street regulated like education.

This varied, more tailored consumer protection has spurred technological experimentation and dominance by preserving relatively free markets. Europe takes a different tack, favoring a one-size-fits-all regulatory approach to data privacy that treats all different types of data the same. And as part of that regime, Europe grants consumers broad access rights to correct and delete data.

As a Buckeye Institute report explains, the European data privacy model has been disastrous. Europe’s General Data Protection Regulation (GDPR) has 99 intentionally vague and complex articles that make compliance difficult and expensive. And for all its expense and difficulty, the protection GDPR provides has been counterproductive. It has routinely and mistakenly knocked thousands of websites offline, unintentionally dug protective economic moats around technological targets, and disproportionately harmed small businesses trying to make it in an e-commerce world, all the while failing to keep consumers and families safe from harm.

In 2018, California ignored the hazard warnings emanating from Europe and passed a Euro-style data privacy law, inspiring other states to follow. Thirteen states have passed their own comprehensive data privacy legislation, with five of them effective by the end of 2023. European resemblance varies, but the U.S. now faces a tangled mess of competing, conflicting laws that will bleed small businesses as they try to comply.

Ideally, Congress would pass a narrowly tailored, comprehensive data privacy framework that preempts state law and regulates data sector-by-sector. But that seems unlikely. In the absence of federal leadership, and to avoid a mish-mash of state laws, states should adopt identical data privacy rules through data privacy compacts that would simplify compliance and show Washington what really matters to businesses and consumers.

States have formed similar compacts for regulating healthcare, agriculture, taxation, resource conservation, mining, transportation, and occupational licensing. Data privacy rules should be no different.

Such a collaborative approach should start by ensuring that all state laws include an affirmative defense for businesses that comply with the data protection protocols recommended by the National Institute of Standards and Technology (NIST). Critics who smear this idea as some kind of giveaway to businesses miss the point. Offering an affirmative defense for NIST compliance creates a strong incentive for companies to protect data privacy, making adoption more attractive and widespread.

And unlike statutes, NIST recommendations are regularly updated to keep pace with burgeoning technology and evolving practices. That means businesses will have to keep pace, too, in order to avoid liability. After all, even worse than a web of confusing and expensive data privacy laws is a confusing and expensive web that doesn’t protect privacy. Offering NIST compliance as an affirmative defense against state regulators helps prevent that.

Action and inaction speak louder than words. More than two decades of Washington’s inaction on data privacy prove that whatever Congress may say about the subject, it cannot be trusted to pass responsible, comprehensive data privacy rules. And certainly not in time to save the country from a patchwork of ham-fisted European-style laws.

So it falls to states to act responsibly and collaboratively, to avert that messy patchwork by adopting straightforward, virtually identical data privacy laws with an affirmative defense provision that protects businesses as they try to protect consumers.
