The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent invalidation of the US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, data privacy standards in the EU are relatively uniform, in the U.S. there are as many different sets of regulations as there are states, with various federal laws and regulations filling in gaps or adding further compliance obligations. I have elsewhere referred to this as a “patchwork” system (although some might prefer the term “crazy quilt”).
It is for this reason that the Third Circuit’s decision in FTC v. Wyndham is fertile ground for thinking about what the future holds for data privacy regulation. Up until now, there has been no single data privacy “Sheriff” in the U.S. If your business suffers a data breach, you must look to the relevant state law (or the laws of several states, depending on where your business and the customers whose data may have been compromised are located) to understand (a) what kind of data matters, (b) whether the breach of that data triggers notification obligations, and (c) what the scope and range of those obligations are. Sometimes, federal laws apply as well: if your business is a financial institution, it must look to the Gramm-Leach-Bliley Act (GLBA). If it handles health care information, it must look to HIPAA. But up until now, there has not been a single authority with broad powers to take action when a data breach affects a business and its customers.