U.S. privacy law often is criticized in comparison with international privacy regimes, particularly the European Union's General Data Protection Regulation. Parts of this criticism are fair, but, at the same time, U.S. privacy law provides meaningful protections in a substantial set of circumstances, and, on occasion, provides either “better” privacy protection than the GDPR or presents a more targeted approach to balancing appropriate privacy protections with other important public policy concerns. This balancing often is not a question of “consumers vs. industry” (although it certainly can be). In some situations—particularly in the health care settings that I will focus on—it often is a question of providing an appropriate balance between privacy interests and other policy interests that benefit both industry and consumers.
GDPR provides (in a grossly simplistic summary) consistent protection for all personal data across all industries. There are no meaningful exceptions; it encompasses all kinds of data, from small and large companies, across all relevant industries. Some of the details of privacy compliance may vary based on relationships and purposes for processing data, but the idea is that there will be a single set of rules.Footnote 12
The U.S. privacy model—as of this writing—is wildly different. U.S. privacy laws tend to fall into three categories. There are laws for specific industries.Footnote 13 There are laws dealing with specific data practices.Footnote 14 We also are seeing an increasing array of laws addressing particular data categories.Footnote 15 The result of this model is that we do not have one law in the United States, we have dozens. These laws provide tailored privacy protections in specific situations. Some of these protections are quite strong—at least as protective as, if not more protective than, the GDPR. Other areas provide lesser protection.
At the same time, with varying degrees of effectiveness, these laws are designed to provide privacy nuance, providing specific protections for specific activities. A positive of this approach is that privacy interests can be tailored to specific situations, rather than a generic “one size fits all” protection. At the same time, it is clear that this approach is extremely challenging for consumers to understand and increasingly difficult for businesses as well; the only short-term beneficiaries of this inconsistent, overlapping cornucopia are the growing number of privacy professionals across the country.
Let us explore this nuance. The best example stems from the privacy provisions of the HIPAA Privacy Rule. HIPAA's history is convoluted, and its privacy rule generates confusion. Contrary to common misperception, HIPAA is not an overall health information privacy law; instead, it protects certain information in certain contexts when that data is held by or otherwise connected to specific “covered entities” (primarily health plans/health insurers and health care providers), along with their service providers. Health information in other contexts simply is not covered by these rules.Footnote 16 You can certainly argue for a broader application of privacy protection for health information, but the drafters of the HIPAA Privacy Rule were stuck with their legislatively assigned scope.
With that scope, however, the regulatory drafters designed a privacy regime to provide very strong privacy protections for individual patients and insureds, while at the same time also allowing the health care system to work effectively and efficiently for the benefit of both individuals and the overall health care system. These policy choices have worked well (in my opinion), and can provide a model going forward for broader U.S. privacy law.
A few key choices in this policy debate. First, the drafters focused on the role of individual consent, navigating how best to allow for an individual role in the operation of the health care system and the protection of personal privacy. The regulatory choice is unusual (and perhaps unique) at this point in U.S. privacy law. The drafters defined certain “common” or “expected” uses and disclosures of health information and defined the rules to make these normal uses and disclosures essentially automatic, with no individual consent actually required.
The rules also specify certain national priority areas where individual consent may be defined in a small series of targeted mini-rules. For all other uses and disclosures an individual authorization is required, which is a meaningful form of individual permission, subject to very specific standards.
The result of this approach—coupled with other compliance obligations imposed on the covered entities—is that the normal elements of the health care system proceed automatically, and only additional items require specific patient permission. This approach takes out the need for a patient to consent to each individual use and disclosure of their health information (which would likely require either a constant barrage of permission requests or an automatic and largely meaningless approval of everything through a generic privacy notice). It imposes obligations automatically on covered entities, allows the normal activities to proceed efficiently, and focuses individual attention on only those unusual uses that require individual authorization.Footnote 17
This model may be useful in debates over privacy law. An approach that would define appropriate uses and disclosures of personal data could reduce the impact of unread and confusing privacy notices, while still creating substantive limitations on how personal data is being used.Footnote 18 At the same time, thinking about how to address health information in a national privacy law creates a broad array of challenges.Footnote 19
Moving forward, as we grapple with not only “traditional” data privacy issues but also the role of artificial intelligence and the “collective” privacy issues addressed in Salomé's presentation here, these nuanced privacy approaches need to be evaluated, along with the broader but more generic approaches laid out in the GDPR and (increasingly) in the various “comprehensive” state laws being implemented across the United States. We certainly can improve current privacy law in the United States, primarily by addressing the large current gaps that exist in our complicated structure, but we may sacrifice some of the nuance in the law that provides meaningful benefits if we move to a single overall approach.