US privacy rules stir confusion

The United States has a uniquely convoluted way of regulating privacy.

In the European Union, for example, all private information is treated the same, whether it’s collected by Facebook or by a doctor in a hospital.

{mosads}But things are murkier in the U.S., thanks to an overlapping structure involving an alphabet soup of federal agencies.

The Federal Trade Commission (FTC) regulates privacy, but so does the Food and Drug Administration (FDA), the Federal Communications Commission (FCC) and the Department of Health and Human Services (HHS), just for starters.

“We are more or less the only country approaching privacy in a sectoral fashion,” said Sharon Klein, who heads the privacy, security and data protection practice at the law firm Pepper Klein. “And it’s getting harder to be sectoral.”

The number of federal agencies laying claim to digital privacy has boomed in recent years, baffling the business community.

“Agencies recognize the confusion and have tried to give out guidance to explain which agencies will be regulating what aspects of what products. But from the perspective of a company like Siemans, it’s still overwhelming, because now they have a primary regulator of a product that might not be the primary enforcer,” said Klein.

“HIPAA HITECH [the Health and Human Services-enforced health information technology rule] hasn’t been enforced as much as the FTC rules. They are thinking, ‘Well, is the FTC now the agency I need to be paying the most attention to?’ ”

While most of the laws protecting medical privacy fall under Health and Human Services, medical devices fall in part under FDA jurisdiction. That is, unless, misleading or business practices are involved. In that case, privacy is an FTC matter.

Students get additional protections under FERPA — the Family Educational Rights and Privacy Act — policed by the Department of Education. But children’s online activities are covered by COPPA — the Children’s Online Privacy Protection Act — which is FTC territory.

If a privacy action involves a data breach, that means more than just traversing HHS, the FDA, FTC and Department of Energy. The states and territories all have different breach-notification laws regulating how and when who gets notified for what type of private information. Three states have no laws requiring a company to notify consumers of a data breach at all.

And last year, the FCC stepped into the morass of agencies regulating privacy with its net neutrality order.

In order to pass rules guaranteeing net neutrality, or that all content on the internet is treated in the same way, FCC Chairman Tom Wheeler changed the way that broadband providers are classified under communications law. That, in turn, gave the FCC the authority to oversee how they handle privacy.

The agency introduced the rules earlier this year, and the commission approved them in October with changes that some business leaders considered insufficient.

Under the rules, broadband providers have to get users’ permission in order to use their web browsing or app usage. The same standard applies for geolocation and several other types of data the agency has deemed “sensitive.”

“Based on the extensive feedback we’ve received, we crafted today’s rules to provide consumers increased choice, transparency and security online,” Wheeler said when the rules passed.

The FCC’s action left companies like Facebook and Google, known as “edge providers,” under a different privacy regime than the companies that control the infrastructure of the internet. Providers say that disparity will cause problems.

“The FCC’s divergent approach will ultimately serve only to confuse consumers, who will continue to see ads based on their web browsing history generated by edge providers even after they have been told by their service provider that their consent is required for use of such information,” AT&T’s Joan Marsh said in a statement in October.

Critics of the net neutrality order might get their way.

President-elect Donald Trump has expressed concerns about the net neutrality rules. Jeffrey Eisenach, who is leading the Trump transition team’s review of the FCC, is a major critic of net neutrality, and FCC Commissioner Ajit Pai — a safe bet to become at least interim FCC chairman — told an audience in early December he wanted “to fire up the weed whacker” for net neutrality and other regulations.

The Trump administration will also likely change the FTC’s privacy enforcement priorities. Joshua Wright, the former commissioner leading the president-elect’s transition for the FTC, has said he feels that the commission should give more weight to economic impact when regulating the so-called internet of things. That could mean the agency will soon take a narrower view of what constitutes an unfair privacy practice.

But even if the agencies change direction under Trump, the confusing overlap in their jurisdictions will remain.

“It’s not really clear to most people who to complain to when you run into problems related to privacy and security. I’m not sure most Americans fully understand what the Federal Trade Commission specifically does,” said Michelle De Mooy, acting director of the Center for Democracy and Technology’s Privacy and Data Project.

She stresses that her solution is not less regulation, but more deliberate and visible partitioning of who does the regulating and better cooperation between agencies.

“It’s hard as a privacy advocate to say that there’s too much attention to privacy,” she said. “Technology has completely changed a lot of the regulatory approaches that have worked in the past when things weren’t in the big data world or always-on world.”

But eliminate or scale back the U.S.’s sectoral privacy approach, and things might get simpler.

“There are only two countries in the developed world with no baseline privacy standards,” said De Mooy. “One is the United States. The other is Turkey.”