Especially in these partisan times, it is no secret that the legal world has been slow to keep up with the ever-changing technological landscape. Despite the slow pace, however, the improvement of data security is (happily) one of the few legislative areas not facing gridlock in today’s Congress. In fact, regular hacks leaking millions of users’ data, consistent disputes weighing national security interests and individual freedoms, and the threats of cyberwars and identity theft (to name a few), drive data privacy to be one of the most active legal fields.
The sheer application to all aspects of our lives means data privacy also cuts across a spectrum of legal specialties and applications. However, no comprehensive act exists in the United States, so any reform must be piecemeal. In such a climate, it seems safe to say we can expect the future to be a patchwork much like the present: small Fourth Amendment expansions, public-private partnerships to increase network security and responsiveness to large-scale attacks, influence on trade agreements, and above all, national security concerns.
Privacy and Criminal Law
Updating the application of the Fourth Amendment may be seen as court-driven in criminal procedure, but there is plenty of room for legislative action, too. Currently, for example, the government only needs a subpoena to force companies to turn over electronic communications more than 180 days old. H.R. 699, the Email Privacy Act, would force law enforcement to use a warrant when requesting electronic communications, regardless of how long the information was stored. Originally introduced in May 2013, the Email Privacy Act finally passed the House 419-0 in late April, but Senate Judiciary Committee Chairman Chuck Grassley expressed reservations as to the bill’s prospects in the upper chamber.
Increasing Network Security
To protect against large-scale attacks, the federal government and private sector seem to need each other. The Cybersecurity Information Sharing Act (2015), signed into law in December 2015, encourages private firms to share Internet traffic information among companies and the federal government to prevent attacks, by giving entities legal immunity from antitrust and privacy lawsuits.
The Obama Administration has also co-opted industry voices and ideas in its Cybersecurity National Action Plan, which calls for reform and modernization across the federal government, and government and private businesses’ use of multifactor authentication, encouraging the increased practice of fingerprint and single-use codes. The plan even seems to heed calls for a reduced reliance on Social Security numbers, which were never intended to be used as the individual identifiers they are today.
National Security Is Still a Trump Card
Data privacy shows up more and more in international agreements, such as the Trans Pacific Partnership, where the United States likely took the role of negotiating for more data security and the establishment of laws in member states’ without them to protect American consumers. However, with this expansion, the United States continues to assert the primacy of its national security interests.
For example, the Judicial Redress Act (2016), signed into law in February, creates a private cause of action for alleged privacy violations that occur in the United States for noncitizens. However, the right to sue is limited to citizens of countries that (1) permit the “transfer of personal data for commercial purposes” to the United States; and (2) do not impose transfer policies on personal data that “materially impede” American national security interests.