Who is covered by the law?

I am confused/concerned about some of the coverage issues.  I gather the general idea is to have broad coverage.  There are a small number of places where current FTC exemptions (e.g., non-profits) are overridden.  How would the insurance industry and financial services be covered, if at all?  Today they are largely outside of FTC coverage, but there does not seem to be any attempt to bring them in.  Is that intentional or an oversight?

I also am concerned about the approach towards HIPAA-regulated entities.  As I read it, they are covered by this new proposal, would remain covered by HIPAA, and would get no benefits from preemption.  This seems to be the worst of all worlds specifically for that industry (arguably the US industry with the overall toughest regulation today).


  1. Michelle Richardson
    I am still processing this definition but one issue immediately jumps out at me: the exception for entities that have fewer than 15 employees or utilize the personal data of fewer than 5,000 individuals. I assume this is motivated by concern for small businesses and we certainly need to make sure an overarching privacy framework works for them. But two changes are important here.

    First, an exception for small businesses in the context of a privacy bill should hinge solely on the amount of data an entity handles. It’s easy to imagine a tech startup that has only a few employees yet collects or uses data on millions of people. On the flip side, there must be large corporations that have minimal interaction with consumer data: B2Bs, professional services, or manufacturers, for example. To the extent that an exception is based on number of employees, it is at once over and under inclusive. In 2018, privacy risk just doesn’t correlate with employee numbers. (As an aside, other proposals include exceptions based on revenue and they are equally mismatched for the same reasons.)

    Second, small data processors may warrant different obligations or face different penalties, but they should not be outside of a privacy regime altogether. We are still thinking about where to draw those lines at CDT and it is especially hard to draw them in a framework like this one.

    I will flag that Congress needs to be on the lookout for a sleight of hand here. The small business conversation often starts with concern about compliance costs for dry cleaners and delis but quickly morphs into a debate about product development and competition issues. We certainly aren’t getting through the privacy debates of 2019 without talking about these latter two topics, but that’s what we should do: talk about them and deal with them thoughtfully.

    • David Hoffman
      Michelle, I agree this is something we need to improve in the draft, and am interested in what people think on how we can do that. We received similar thoughtful feedback on social media and I am inclined to agree that our current approach both includes entities that we do not want to include (the local butcher shop that has just that many employees, and has enough historical data on meat purchases to satisfy the data subject number), and may not include entities that should be covered (a company with only a few employees, who processes data on only a few thousand individuals, but the data is incredibly sensitive and impactful). Our approach currently relies heavily on risk assessment as a mechanism to determine the “consistent uses” and as a foundation of the accountability requirements. Could this be another area for an evaluation of risk, which would allow for more appreciation of context? For example, we could capture everyone, but then carve out entities that the FTC provides guidance do not create any “significant privacy risk”. That may require either definition of the term “significant privacy risk” or allowing the FTC latitude to define it in guidance and rules. I worry that such an approach will not provide enough clarity for organizations that need to understand whether they are covered under the bill or not. Another possibility would be to expand on the bill’s notion of “sensitive data uses” and use that as a carve out to the carve out. What I mean by that is that we could keep the numbers approach we have, but then list certain uses like to determine medical, racial, ethnic, sexual, religious or biometric qualities of the individual and then say that even a small entity that is using data in those ways would fall under the bill. We specifically stayed away from defining “sensitive data” as increasingly we see that any data, when combined with advanced analytics, may be used in sensitive ways (my grocery shopping history may say many things about my medical stats and religious beliefs). Thoughts?

      • Peter Swire
        In my view, a risk-based approach to who is covered is a bad idea. Who is in/out is perhaps the most important provision in the law – it tells an organization whether it has a ton of obligations, or none at all. We saw this with “covered entity” under HIPAA. The California Consumer Protection Act shows a way to address Michelle’s concerns – an entity is covered if it meets any of three threshold criteria. That’s a little strict, but likely the clearest way to address the issue.

        • Anne Klinefelter
          I agree with Peter that having multiple qualifying criteria, like the California law provides, would cover these concerns. But, I am not sure that risk-based carve-outs are going to provide clarity for any of the stakeholders, and it seems that clarity and predictability are some of the goals of this initiative.

          • Annie Anton
            As the non-lawyer here, I also agree that risk-based carve-outs are not predictable or clear. Instead, multiple qualifying criteria offer a much more consistent and enforceable approach.

      • Michelle Richardson
        I’d avoid risk assessment here – for both determining who is covered and subsequent responsibilities. It’s too complicated for the limited data processing we are trying to encompass. Substantively, here’s what CDT is calling for: (1) individual rights to access, correction, deletion and portability, (2) transparency and security, (3) clearer prohibitions on discrimination, and (4) ban on secondary uses of sensitive data. I believe small processors will be able to do most if not all of these if the requirements are clear.

        But in the format of this specific bill, it could look like a limited data processor safe harbor. How about a provision that requires entities that hold data on fewer than 5,000 subjects *and* do not collect, use, or share sensitive data to do the following: provide access and deletion rights, implement reasonable security, post a public privacy policy, and abstain from sharing information with 3rd parties? These small data processors can choose to opt in to the larger system if they want to play in the data processing game.

    • Jules Polonetsky
      I wonder if GDPR, which does exclude companies with under 250 employees from some of GDPR but then includes them if they do certain activities based on risk and scale, has some good logic. But I take note of Peter Swire’s point about the uncertainty the risk approach creates about who is in or out, given some subjectivity. It may be useful to work off the GDPR exclusion, but revise it in a way that provides more certainty. Clearly any entities with large amounts of risky data must be subject to the most important protections, no matter employee numbers. But I have in mind the early days of wikipedia or GEDMatch today… or similar businesses… maybe some excluded as a NFP, but many low profit hobbyist sites need to be considered. The idea that a small part time blogger would get captured because of ads or analytics code on site is perhaps a good use case to consider (the big ad tech partner certainly should be captured)… but a definition that would result in more pop-up cookie consent banners for every blog of any popularity should give us pause. Learn from the European experience… for the good lessons and for where US should be interoperable, but provide more flexibility when risk is low – if that low risk can be defined very clearly.

    • Danny Weitzner
      It strikes me as very hard to get certainty on scope by using either number of employees or number of data subjects. Instagram famously had 13 employees when it was acquired by Facebook for $1 billion. Should they have been left uncovered by this bill — probably not. The original commercial transfer of data to Cambridge Analytica was done by an entity with fewer than 15 employees, too. At the other end of the spectrum, what about people who have >5000 followers on a social media platform or in a chat group? I have more than 5000 contacts stored locally on my smartphone. These examples show, I believe, that there is no way to choose bright-line coverage rules without missing big privacy risk or covering those whose behavior is below the level at which we would want to create compliance obligations such as having an accountability program.

      I’d observe that many laws rely on prosecutorial discretion or simple incentives regarding prioritization of enforcement resources as a means of avoiding unreasonable burdens on smaller entities. I believe guidance to enforcement authorities, rather than bright-line rules, is the better way to seek a balance of protection of important rights vs regulatory burdens.

  2. Marc Groman
    As I read the draft bill, the bill covers entities currently subject to FTC jurisdiction plus common carriers and non-profits. I fully support that approach in a federal privacy bill and I don’t think that approach is all that controversial given the nature of data collection and business practices today. If it is controversial, happy to engage in that discussion. Other entities outside the scope of FTC jurisdiction, including the business of insurance, do not appear to be covered by the draft federal bill. That appears to be left to the states, which is consistent with the historic approach to insurance and some other business practices.

    The more difficult issue raised by Kirk is not about the entities that are covered by the bill, but about how this draft bill or any proposed federal privacy law will interact with current federal privacy laws such as HIPAA. I’m not even addressing the even more complex issue of state preemption yet. Unfortunately, policymakers are not working from a clean slate and any new federal privacy law must contemplate the full range of existing federal laws that touch on the collection, use, and other processing of personally identifiable information. As I understand the draft, the FTC is required to submit a report to Congress to address this issue and make recommendations. How any proposed federal privacy law will interact with related requirements in current federal laws such as HIPAA, GLBA, FCRA, COPPA, VPPA, FERPA, CAN-SPAM, Cable Act, etc. is very complex. I have yet to see a proposal that threads the needle in a way that makes sense. I would argue that it’s not good for business or consumers (and not good for competition) if we have very different standards across sectors absent some compelling reason. GLBA, for example, often comes up in this context but in fact GLBA is not a privacy law. GLBA has minimal requirements regarding notice to consumers and some limited choice with respect to a narrow subset of data covered by the statute. Thus, it would not be logical or reasonable to exclude entities from a federal privacy law simply because they currently are subject to those minimal requirements set forth in GLBA. On the other hand, entities covered by GLBA should not be subject to inconsistent or overlapping standards. Thus, to the extent GLBA’s notice and opt out regime remains in place (and perhaps it shouldn’t), GLBA entities should not be subject to similar requirements in a new federal privacy law. But those entities should be required to comply with additional requirements, if any, that a new federal privacy law puts in place. Any other result strikes me as absurd, potentially leaving financial institutions and consumers’ sensitive financial data subject to the lowest privacy standards. Of course, this all depends on the requirements of a particular bill and this is all hypothetical.

    • Peter Swire
      Marc is correct to mention the numerous federal privacy statutes that would need to be addressed in an eventual bill. It’s not just GLBA and HIPAA, which the current draft bill tries to address. Each interaction has its own complexity, and those engaged in the process will need to take great care with each interaction.

      When we were writing the HIPAA Privacy Rule in 1999 and 2000, for instance, the intersection just with FERPA took a great deal of work. Huge numbers of organizations, such as school districts in that case, have relied on the other regulatory frameworks. There may be serious compliance challenges and unintended consequences unless there is intensive engagement and drafting with stakeholders affected by each of the other federal bills.

      I am adding to my preemption discussion tonight as well. Intersections with state laws are complex. To take one example, would the federal bill preempt the numerous state laws that set limits on what private entities may or may not do with Social Security numbers? Each of those interactions needs to be considered by stakeholders and experts in the process before a final bill can be drafted.

  3. Dan Capiro
    Thanks for a comprehensive and thoughtful proposal. It’s a good starting point and more substantive than other proposals to date. However, parts of it strike me as fighting the last war by being heavy on process/compliance and light on valuing data/privacy as a strategic risk for senior management. Not clear what is gained by codifying the FIPPs or giving the FTC rule-making authority.

    • David Hoffman
      Dan, very interesting. What specific sections strike you as too heavy on process? If we do not start with the FIPPs or give the FTC rule-making authority, then what would you propose as an alternative? Do you think we should just stay with the status quo?

  4. Paula Bruening
    With respect to what entities are covered by this bill, I agree with Michelle’s observation that even small businesses can collect, store and process vast amounts of data. Basing coverage on the number of individuals an entity employs ignores the power technology places in the hands of these companies. I agree that what entities are covered should be based on the amount of data they manage and process. Further, I am concerned that completely excluding some small companies would introduce weaknesses in protections, given the interconnected nature of systems and businesses, and the fact that these companies can use vendors that provide powerful processing capabilities. I suggest that streamlined requirements for companies with smaller data holdings would help raise awareness across parts of industry that may still not be fully aware of privacy risks and best practices, while avoiding overly burdensome obligations that don’t necessarily promote privacy.

  5. Paula Bruening
    I agree with Intel’s approach to structure this bill using the FIPPs and FTC rule-making as a starting point. In doing so, it aligns U.S. law with international law and frameworks but still allows for flexibility to reflect U.S. thinking about data governance and includes risk assessment and mitigation. I am still considering the specifics of the bill’s FIPPs based requirements, but I would note that overall the bill does not suggest a purely procedural application of the FIPPs. Rather, it recognizes discussions over the last 5-10 years that have considered interpretations of the FIPPs in ways that serve emerging technologies and data use without compromising the ability to innovate.

  6. Pam Dixon
    I would like to return to Kirk Nahra’s concerns about HIPAA: “I also am concerned about the approach towards HIPAA-regulated entities. As I read it, they are covered by this new proposal, would remain covered by HIPAA, and would get no benefits from preemption. This seems to be the worst of all worlds specifically for that industry (arguably the US industry with the overall toughest regulation today).”

    Kirk’s concern has real merit. HIPAA is an extremely difficult statute to work with because HIPAA applies to the commercial sector *and* to the government sector. HIPAA also applies to some educational institutions. The draft bill does not apply to government. If a new law with different standards applies to only a portion of the entities regulated by HIPAA, this brings a nightmare of compliance and could create meaningful problems for information exchange.

    So— working this through to some of the end points, I have some questions to pose. What happens when government and commercial health care providers exchange health care records about a mutual patient? Commercial sector health care providers would have new and different requirements. What effect would differing standards have on the compliance and liability of a commercial entity in the scenario where a commercial entity shares records with a gov’t entity, which would have different and potentially lower standards? Will patients be less able to switch between gov’t providers and commercial providers because commercial providers incur liability from sharing with entities with lower standards? What happens to those entities that are formal Business Associates under HIPAA, and they serve both government and commercial entities?

    I doubt the intent of the bill was to create chaos in the health care system. But carving HIPAA-covered entities in half creates meaningful disruption that will likely have far-reaching unintended consequences. I worry most about impacts on patients.

    How this would work with the FERPA-HIPAA intersection in the education environment is truly unfathomable, as that intersection is already fraught with complexity.

  7. Omer Tene
    Re: the “does size matter” issue, it’s interesting to look at the Israeli data security regulations from 2017. They implement a modular risk based approach, applying different obligations to organizations categorized as “basic” risk (residual category), “intermediate” (i.e., processing various categories of sensitive data), or “high” (intermediate with more than 100,000 data subjects or more than 100 authorized employees). There is also a “sub basic” category to address Jules and Danny’s concern about essentially household use. See here: https://iapp.org/news/a/the-new-israeli-data-security-regulations-a-tutorial/