PrivacyEngine Podcast

US Privacy Law Part 1: The complex federal data protection and privacy landscape of the USA

PrivacyEngine


In the first of three episodes on the US Privacy landscape, Katie and Maria focused on the unique, fragmented nature of privacy laws in the United States. They discussed how the US lacks a comprehensive federal privacy law, instead relying on sector-specific regulations like HIPAA for health data, COPPA for children's data, and GLBA for financial information, with enforcement primarily handled by the Federal Trade Commission. The conversation covered the historical development of privacy law in the US, from the 1890 "right to be let alone" concept through key legislation including the Privacy Act of 1974 and the Video Privacy Protection Act, highlighting how US laws often emerge in response to specific scandals rather than proactive regulation. They also explored the ongoing challenges in passing comprehensive federal privacy legislation, including political disagreements over private rights of action and federal preemption concerns, as well as the significant influence of tech industry lobbying in slowing or blocking privacy legislation.

In episode two, Katie and Maria will cover the state law picture, including California in depth, the broader wave of state comprehensive privacy laws, how individual rights compare with the GDPR, children's data regulation at the state level, and the FTC's role as de facto national privacy regulator.

Enjoyed this episode? Subscribe for more practical insights on global privacy and data protection. If you have questions about India's DPDPA, KSA & UAE's PDPL compliance, get in touch. We would love to hear from you.

SPEAKER_01

Welcome back to PrivacyEngine's podcast series on international data protection legislation, the podcast where we break down the world of data privacy law so you don't have to. I'm your host, Maria, and I'm joined as always by my co-host and data privacy expert, Katie. Good to have you back, Katie.

SPEAKER_00

Thanks, Maria. It's good to be back. Today's episode is the first of a three-part series on the United States, because the United States has quite a multi-layered landscape when it comes to data protection, and it really needs a bit more in-depth treatment, quite like the UAE. When people think about data protection law globally, the GDPR often comes to mind. The Indian DPDP Act is also quite to the forefront right now, because, as we discussed in previous episodes, it is quite unique in the global landscape. But the US is an interesting one because it's quite fragmented in comparison to the GDPR and the DPDP: the GDPR, which governs Europe, and the DPDP, which governs India, one of the most populous countries in the world. So because of the population of the US and its technological reach, their data protection landscape has practical implications for many organizations that operate across borders.

SPEAKER_01

Exactly, yeah. And I think a lot of our listeners, whether they're based in the EU, in India, or the UAE, like we've looked at before, will have US operations. So this hopefully will be relevant to them. They either have data transfers to the US or they have US customers. But it's definitely worth having a deeper dive into the US because it has quite a rich history, I think, in terms of privacy. They don't really call it data protection, they call it privacy over there. So I think a three-part series is warranted, and it's designed to give our listeners a thorough grounding in the current landscape of privacy in the US. In part one today, we're going to cover the history of US privacy law, and I think it's riveting. I'm really looking forward to jumping into it. Why there is no comprehensive federal law, and the key federal sector-specific statutes that practitioners encounter on a day-to-day basis. So just because they don't have a federal privacy law doesn't actually mean that they don't have any privacy obligations in the US. Then in part two, we'll turn to the state-specific law landscape. California is the most significant state there in terms of their data protection or privacy laws. And then there's a growing patchwork of state privacy laws, individual rights, children's data, and how the FTC, the Federal Trade Commission, operates as America's de facto privacy regulator since the 1990s, really. And then part three, probably our most internationally focused episode, will go deep into the transatlantic transfer story. And I love this story. I've been following it for like 20 years. The EU-US relationship started with Safe Harbor back in the Clinton era, then the Schrems decisions, and then the Privacy Shield, and exactly where we are today with regard to the Data Privacy Framework.
There's an awful lot of history there and a lot of interesting discussion as well. So I can't wait to jump in.

SPEAKER_00

It is, yeah, I agree.

SPEAKER_01

Okay, so the first question we're going to look at today is the state of data privacy law in the United States. Why is it so different from the rest of the world? So, Katie, let's start with the big picture. For our listeners coming to US privacy law for the first time, what is the single most important thing they need to understand?

SPEAKER_00

Thanks, Maria. So the single most important thing is that the United States does not have a single comprehensive federal data privacy law, unlike the EU's GDPR and India's DPDP Act, even Brazil's LGPD and Canada's PIPEDA. The US is a bit more of a patchwork, as you said before. The federal statutes are sector-specific. They have a growing number of state laws. As you said, the Federal Trade Commission does the enforcement in the privacy sphere under general consumer protection powers, which I mean data protection is consumer protection as well, but it is more than that at the same time. Out of all the jurisdictions we've covered so far, it reminds me of the UAE landscape the most, because both of these countries are federal nations with internal states or Emirates, so I think it's a good comparison to draw. So what you have at the federal level is a collection of laws that target specific sectors or specific types of data. We'll talk about a few of them later, but some of the important ones are the Health Insurance Portability and Accountability Act, which covers health information, the Children's Online Privacy Protection Act for children's data, and the Gramm-Leach-Bliley Act for financial data. So those are the three main federal ones. Outside those specific sectors, there is no floor of privacy rights for individuals. There are no baseline rights for individuals, no comprehensive obligations on companies who process any type of general consumer data. Not even all companies, well, I'll touch on that later, but there isn't even an obligation on all companies that deal with health data.

SPEAKER_01

But HIPAA, I would say HIPAA is the best known. So you mentioned HIPAA there. I think a lot of people have heard of HIPAA, you know.

SPEAKER_00

Yeah, it is. I mean, even I had heard of it here and there before coming into the data privacy sphere, and it's quite strict in certain areas.

SPEAKER_01

It can be very strict in terms of protecting health personal data.

SPEAKER_00

It can be, yeah. It can be. I also like the Gramm-Leach-Bliley Act. They both have some controls and familiar obligations that we've seen before.

SPEAKER_01

Yeah. So why has the US taken such a different path compared to basically the rest of the world? Like, is it purely political, or is there something more structural going on, do you think?

SPEAKER_00

I mean, I'd say both, because structurally, the US has a strong tradition of sector-specific regulation. They seem to respond more to harms in the moment rather than taking a proactive approach. So it's more of a reactive model that has produced protections for certain sore spots, a bit like whack-a-mole.

SPEAKER_01

Yeah, yeah. But then the GDPR, which is a horizontal act, you know, a horizontal regulation.

SPEAKER_00

Yeah. It's the opposite approach on each side of the Atlantic. There also is political pressure. I mean, we've talked about it here and there, but there are powerful companies in America that you can't ignore. There's a lot of presence from technology and data-intensive industries that resist comprehensive federal legislation. And you can see that these companies have so much strength and influence, even in Europe and other countries. Like, imagine the pressure that's in the USA.

SPEAKER_01

US, yeah, because they're usually US-based or US-owned organizations, these big tech companies like Google and Meta and Amazon, you know.

SPEAKER_00

So there's also the fact that it is a federal nation; there's a bit of a give and take between the federal and state governments, you know, in what should be given to the states to rule and what should be within the purely federal remit, which, you know, we might not be that well versed in, that particular type of politics.

SPEAKER_01

I agree, because it's very different in Europe. You know, we get directives from Europe, but we have our own body of law in each nation as well. Do you know what I mean? So even though Europe oversees all the member states, there's not that kind of competition between the federal and the state level, you know.

SPEAKER_00

Yeah. And I'd say there are so many dimensions to it, in my opinion. And another thing to consider, which we have said before, is the cultural element of the United States. They're very free speech-centered; they really value free speech and the free flow of information and commercial innovation. Those are values that they hold close to their heart. I agree. Yeah.

SPEAKER_01

Whereas I think that's where the fundamental difference with Europe lies; I think it's even ideological. Do you know what I mean? So in Europe, because of the Second World War, because of how personal data was used in the Second World War to identify people's religion, data protection is very close to our heart, so that that will never happen again, kind of thing. Whereas in America, it's all about freedom of speech and innovation, like you say, and ensuring freedoms as opposed to protections, you know.

SPEAKER_00

And that kind of culture also bleeds into their constitution. So in their constitution, they do not have a direct right to privacy the way that we would. So yeah, it comes through: it's a bit political, it's a bit structural, it's a bit cultural, but I mean, it makes sense for them.

SPEAKER_01

I agree, and I think in the third episode we'll dive deeper into those kinds of differences between Europe and the States. You know, there's a long history there of the differences.

SPEAKER_00

So I think that's an overview of what the data privacy landscape looks like and why it is so different. I think I'll move on to your question, Maria, which is: what is the history of US privacy law, and how did they get to where they are today?

SPEAKER_01

So I love this part because I studied this for my PhD. So I looked into the whole history of where privacy came from, and you could argue that it started in the 1970s, but in my opinion, it really started back in 1890 when Louis Brandeis and Samuel Warren published their landmark Harvard Law Review article, The Right to Be Let Alone. It was all about when photography became mainstream back in the late 19th century. They were worried about the press taking photographs and invading people's personal life, private life, you know. And so that was the first real argument for privacy in the United States, and it has existed and has lasted since, because I remember I studied the right to privacy in my PhD as well. Then you had in 1914 the establishment of the Federal Trade Commission in the United States, and in the 1990s that became very instrumental in protecting individuals' privacy rights, because there was no law to protect them. The reason why the FTC was initially established was to outlaw unfair or deceptive commercial practices, and it laid the groundwork for the agency that would eventually become the closest thing that the US has to a privacy regulator. Then you move forward to the 1970s, and the right to privacy in the US begins not necessarily with legislation, but with ideas. So in 1973, the US Department of Health, Education and Welfare published another landmark report called Records, Computers and the Rights of Citizens. That report gave the world the first instance of the fair information practice principles, or what we now call FIPS. These were a core set of principles about how personal data should be collected, used, shared, secured, and subject to individual access and correction. So they form the foundation for many laws today, especially the GDPR.
So the initial principles were: one, no secret record-keeping systems, so that should be outlawed; everybody has the right to know what data is being processed about them; they have the right to limit the use of their data; they have the right to correct it; and they have the right to security and reliability. So those were the first five FIPS. And, as you can see, these principles have influenced virtually every US privacy law ever since. They have echoed internationally as well, because if you look at the OECD's 1980 privacy guidelines, and decades later the GDPR, you can see there's the basis there on which legislatures have built. And then in 1974 came along the Privacy Act, which was the direct legislative product of the moment. It was passed in the shadow of the Watergate scandal. So the Watergate scandal caused Richard Nixon to resign. In 1972, operatives linked to Nixon's re-election campaign broke into the headquarters of the Democratic National Committee. And it wasn't necessarily the break-in that caused the scandal, it was the cover-up that followed. They tried to cover it up so much that it brought down the presidency. So after that cover-up, the Nixon administration became synonymous with the abuse of government databases and surveillance of political opponents. As a result, the Privacy Act was established, and it set out a code of fair information practices for how federal agencies handle personal data. When it was first published, it was seen as the American Bill of Rights on Data, but it applied only to federal government agencies and not to the private sector, and it had significant structural weaknesses.
There were broad exceptions for national security and law enforcement, you know, what we have now with FISA today; it still existed back then, the CIA and so on still wanted to gather as much data as possible in terms of protecting national security. So it weakened the law as a result, and the act had no meaningful enforcement mechanism and a requirement that violations be intentional and willful. And how do you interpret that, or how do you even prove that violations are intentional and willful? So, in the words of a 1976 law review, the act became practically unenforceable, and a commission created by the act itself concluded in 1977 that it had not delivered its intended benefits. Then through the 1980s and the 1990s, Congress continued to put into force reactive and sector-specific laws and acts. For example, and this is quite a funny one, the Video Privacy Protection Act of 1988 was famously triggered after a reporter obtained the Supreme Court nominee Robert Bork's video rental records during his confirmation hearings, and they published them in a Washington newspaper. Now it wasn't the fact that he had been watching anything; all his videos were mundane and mainstream. What caused outrage was that his records were so easily accessible and so easily published that they came up with a law called the Video Privacy Protection Act. So it's a remarkably specific law for a remarkably specific scandal. So you can see, like you said, Katie, they come up with laws in the States basically on the back of scandals. If something reaches national news, then they feel like they have to act and put something in place to protect against that scandal.
So the Electronic Communications Privacy Act of 1986 extended the wiretap restrictions that we saw from the Nixon scandal to electronic data. And then, like you said, in 1996 we have the HIPAA law that governs health information, and then in 1998 along came COPPA for the protection of children's data. So then alongside this patchwork, you have the FTC, the Federal Trade Commission, which quietly stepped into the vacuum when the internet came along and it became obvious that somebody needed to protect personal data online. Since the late 1990s, the FTC has used what it calls its Section 5 authority to prohibit unfair or deceptive acts and practices in commerce. So under that umbrella, they can stop organizations from invading privacy as well. They're allowed to bring enforcement actions against companies that mishandle consumer data or violate their own stated privacy policies. And the result of this has been a growing body of consent decrees and settlements that functions almost like a regulatory framework, even though Congress never designed it to be one. The FTC has extracted major penalties from companies like Facebook, Google, Twitter, Amazon. For instance, the Cambridge Analytica scandal, and I'm sure most people have heard about the Cambridge Analytica scandal, in 2019, when Facebook, you know, mishandled political data and it influenced the elections in the US. The Federal Trade Commission then stepped in and won a settlement against Facebook for five billion dollars. So that was the most significant settlement up to that time for misuse of personal data.

SPEAKER_00

Okay, yeah.

SPEAKER_01

And there was another one as well with Amazon Prime, which was in 2023. So the Federal Trade Commission took Amazon to court because they were using dark patterns to try and get people to sign up to Amazon Prime, and they proved that was true, and then, as well as using dark patterns to get them to sign up, they were making it extremely difficult for people to unsubscribe. The FTC proved that in 2023, and I think that was a 175 million dollar settlement as well. So you can see, you know, it's very patchwork and it's very reactive, like you said, to scandals and to specific situations, you know.

SPEAKER_00

Well, they haven't changed anything, because I signed up to Amazon Prime. Really? Because I wanted to buy something, and the discount or delivery was so much better with Prime. And I thought, well, you know, I will use this. And then a couple of months went by and I realized I'm not using this. Like, I don't need it, I need to cancel it. And it was so difficult to cancel. It was so difficult. It was actually the bane of my life for a while. Really? It could have been me. I mean, that was in 2023 that they made that decision, but I found you had to search to unsubscribe. You had to go through a couple of hoops.

SPEAKER_01

Yeah, yeah. And when was that? Was that later than 2023?

SPEAKER_00

It was recently. Maybe it was last year.

SPEAKER_01

Okay. Yeah, so they haven't really learned anything.

SPEAKER_00

Yeah, so it's just funny that you say that, because I got caught.

SPEAKER_01

Interesting.

SPEAKER_00

Yeah. Yeah. So did people ever begin to push for a federal privacy law that actually covered everything? And if they did, why is it still not the case?

SPEAKER_01

Yeah, I think they've been pushing for a while, you know. The push for a comprehensive law has been recurring since at least the mid-1990s, like we said, since the advent of the internet. But again, I don't think there was ever a real appetite for it. All the more serious attempts have been blocked by the same cluster of structural and political obstacles. And I think a lot of people think it's just bureaucratic red tape, but the truth is Congress has been deadlocked on this for decades. There are major disagreements across the political parties about privacy. So I think the most important one is the private right of action. Basically, this boils down to one question: if a company mishandles your data, are you personally allowed to take them to court? The Democrats and consumer advocates believe that this should be the case. You should be able to take them to court and hold them accountable. On the other side, the Republicans and many business groups say no, and they're worried that if a law comes into place, there'll be an avalanche of frivolous litigation that hurts businesses. And then you have the whole issue around federal preemption, which is all about, like we said, state versus federal power. Businesses are pushing for a single national rule because it's easier for them, because, like you say, we see a patchwork now coming up across the states. But then there are states like California, which already have really strong privacy protections, and they're worried that if a federal law comes into place, then it will water down their existing state law. So you see that kind of tug of war going on between state and federal requirements or obligations. And then the whole thing of a commissioner, you know, who becomes the data protection or the privacy commissioner?
So we have the Federal Trade Commission, but they don't have enough powers, like a DPC in Europe would have. So do you make them more powerful, or do you create an independent privacy commissioner? All these kinds of questions have to be looked at. And then, added to this complexity, for the last 20 years tech and data-heavy industries have been incredibly effective at using the sheer complexity of these issues to slow everything down when it gets to federal level. And then with the lobbying, they manage to water things down as well, or even just simply bury the legislation and make it so slow and so difficult to get passed that it just gets lost somewhere. And it's not just the tech giants, it's small businesses as well that don't want these types of laws to come into place, because they're worried about a whole new set of federal rules making business too expensive for them. And then the politics on top of that: it's not simply about left versus right. The whole landscape of privacy is quite messy. You've got some conservatives who want strong personal property rights for data, then you have some Democrats who are legitimately worried about new regulations crushing small businesses, and so, yeah, it just seems very complex. I think the best example was in 2024, when there was an act called the American Privacy Rights Act, or what we call APRA. I think that was probably the most serious attempt we've seen in years. It did have bipartisan support, and it actually got passed by the Committee on Energy and Commerce, but then, once it was supposed to go from that committee to the House of Representatives, it got lost. So it was blocked on the way, and it never got a vote.
It never got to actually be voted on by the House of Representatives. So, anyway, let's move on, Katie, and let's look at what the federal sector-specific privacy laws are and what practitioners need to do in order to comply with all of these.

SPEAKER_00

Thanks, Maria. I'll just go through a couple of the most important, most pivotal ones to be aware of. And I'll start with HIPAA, the Health Insurance Portability and Accountability Act of 1996. It is the most widely known US privacy law, and it's for health information, specifically protected health information, with the abbreviation PHI, and what that means is any individually identifiable information relating to a person's health condition, health care provision, or their payment for care. So they do interpret that broadly: they include billing records, appointment histories, and anything that can be linked to an identifiable individual. In relation to privacy, it has three main aims. First of all, to protect and enhance the rights of consumers, because people who receive healthcare in the United States are also consumers, by providing them access to their health information and controlling the inappropriate use of that information. Secondly, to improve the quality of healthcare by restoring trust in the healthcare system among consumers, healthcare professionals, and organizations that are involved in the delivery of care. And thirdly, to improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on state efforts and the efforts of individual organizations. Those who are subject to HIPAA need to disclose the minimum, so it's data minimization, basically, and they need to consider the minimum amount of PHI necessary to fulfill their purpose of processing, and they also need to implement certain safeguards in relation to the data, which includes training staff and designating a member of staff who has ownership of the privacy of health data. So who does it apply to? Covered entities, and the vendors and contractors who handle health data on their behalf.
But it's quite interesting, because it doesn't apply to all health data; it just applies to the health data processed by these covered entities and their business associates. So it doesn't apply to employers receiving health information in their capacity as employers, it doesn't apply to life insurers, it doesn't apply to consumer health products like wearable devices, like, you know, Apple Health or all that kind of health data that an Apple Watch or a Fitbit might record. So there's a lot of health data out there that is not regulated.

SPEAKER_01

And it's not protected. Yeah. Under any law. In the States.

SPEAKER_00

Well, not by HIPAA anyway.

SPEAKER_01

Yeah. And insurance companies, like life insurance, that surprised me actually. Me too.

SPEAKER_00

Yeah. I think it's one of the shortcomings of HIPAA.

SPEAKER_01

And as well, like you say, with all these Fitbits now and everything like that, I mean, they're very recent and they're very, very sensitive data as well. You know, it's very precise about tracking your physical health on a daily basis, and that's not protected. Even location as well, yeah.

SPEAKER_00

Like it's a lot of data that is in those devices. Yeah. So it's a lot, and it's not protected. Yeah, yeah. So that act is enforced by the Office for Civil Rights, and their penalties are in four tiers. And one of the tiers has wording that will remind you of what you were talking about earlier. So the first tier is an unknowing breach, which seems to be a purely innocent or ignorant breach. The second tier of breach is where there's reasonable cause. The third tier is willful neglect where efforts have been made to correct it, and the fourth tier is willful neglect that has not been corrected. Their minimum fine on the unknowing tier is $100, and on the highest tier they have an annual cap of $2 million. So throughout the tiers, that's the range of fines you could get.

SPEAKER_01

And they take it very seriously as well, because I remember I worked with one of my clients that was an American hospital, and one of their nurses accessed a medical record of somebody that was famous, and she had no reason to access that because she wasn't assigned to that individual, and they actually dismissed her as a result because she had violated HIPAA.

SPEAKER_00

That's so interesting that you mention that, because I had actually noted down as my final point on HIPAA that that is one of the main breaches and common causes for fines: accessing records that it was not necessary, or within the description of the job function, to access.

SPEAKER_01

Yeah. And that nurse actually lost her job. So it went to a committee within the hospital, and I think maybe there was a review, there was an investigation, and the decision was that the individual would be dismissed, so they take it very seriously, yeah. Yeah.

SPEAKER_00

So that's for health data. Then for children's data there's COPPA (or COPA, I'm not sure how to say that out loud), the Children's Online Privacy Protection Act. It's from 1998 and it went into effect in 2000. So it requires parental consent when processing data from children under 13 online. It applies to operators of websites and online services directed at children, or those with actual knowledge that they are collecting children's data, and this even applies to children outside the US, so long as it's a US company. So that's kind of nice.

SPEAKER_01

Yeah. So how do the social media platforms get away with it?

SPEAKER_00

Yes, very good question, Maria. My next point: the platforms don't want that burden, so they simply declare themselves as not directed at children, and, you know, confirm that you are over 18. That's why they require people to say I'm over a certain age. Yeah, because then they're 13.

SPEAKER_01

I think it's 13.

SPEAKER_00

So the line from COPPA was actual knowledge that they are collecting children's data, so then, you know, effectually they can say, well, we had no actual knowledge, because we asked them what age they were.

SPEAKER_01

And you know, and they checked the box.

SPEAKER_00

Everyone's completely honest, so it's class.

SPEAKER_01

Yeah, yeah. But I think they are thinking about raising that to 16, aren't they? I think there's been discussions.

SPEAKER_00

Okay, well, that would be good.

SPEAKER_01

That would make it much eas much better, yeah.

SPEAKER_00

They're you're still very young.

SPEAKER_01

Those three years, yeah, are make a big difference, I think.

SPEAKER_00

It's a vulnerable vulnerable years too.

SPEAKER_01

Yeah, absolutely, yeah.

SPEAKER_00

So, yeah, the they kind of have a bit of a workaround, but the enforcement again, the FTC, they're doing all the legwork here. The enforcement has been significant. Um YouTube, YouTube uh had a $170 million settlement um in 2019, which I mean that was a long time ago now.

SPEAKER_01

Yeah, yeah, seven years ago, yeah.

SPEAKER_00

But people there has been critiques that it's inconsistent enforcement and you know it's not it's not that robust for children.

SPEAKER_01

Yeah. And I think I think I may be wrong, but I think there is kind of con con congressional interest in strengthening COPPA. And and I know that if some proposals have been introduced um to increase the age of um from 13 to 16, but nothing has really been enacted yet. But you never know. Watch this space, hopefully they will get that past the line.

SPEAKER_00

Hopefully, I mean I think protecting children and young people is something that shouldn't shouldn't have. Like nobody should be I don't understand why anyone would argue against it.

SPEAKER_01

Absolutely, only for money, you know. I think basically that would be the argument, you know. It's too profitable, but hopefully the tide is turning.

SPEAKER_00

So I move on again to the GLBA. The which I actually didn't know that much about this before I did my research, but I kind of liked this one a bit, the Gramm-Leach-Bliley Act of 1999. It was pri it seemed to have been privacy by accident. It wasn't like the main idea of this act. It the idea was to repeal certain restrictions that came in in the Depression in America and to allow banks, investment firms, and insurance companies to merge. So it was kind of in recognition of what this would allow financial institutions to do, that you know, they would have kind of a look, a window into so many as different aspects of people's lives that they put in the privacy provisions into it again, like the this to avoid profiling, basically, financial financial pro profiling almost, yeah. They've they they didn't just react to a scandal this time, they actually foresaw it. So good.

SPEAKER_01

That's good.

SPEAKER_00

Yeah, that's why I like I like this one. Um I feel like you don't hear about it that much.

SPEAKER_01

Yeah, yeah. I hadn't heard of it before we we did our research, like you say.

SPEAKER_00

Um it applies to financial institutions and it's very broad. It's not just banks and mature and insurers, also mortgage brokers, payday lenders, um, financial advisors, debt collectors, even pawn shops.

unknown

Okay.

SPEAKER_01

It sorry. Do you know what I mean? So that's interesting.

SPEAKER_00

Yeah, it's it really covers all bases, well, all you know, angles of social financial profile.

SPEAKER_01

And you know how we mentioned insurance companies not being covered by HIPAA, but they are covered by by this law, so maybe that gives some sort of protection to the individual in terms of privacy.

SPEAKER_00

For sure. And uh it also is a good representation, again, of the culture element that the financial information has more protection than the health information, yeah, broadly speaking. So true. Um there's three main, I won't go into that much detail, um, but there's three main components. They have the Financial Privacy Rule, Safeguards Rule, and Pretexting Rule, which is about social engineering. Um but I'll just touch on the privacy one. So there's five kind of aspects of it. They have to designate a privacy coordinator to ensure that controls are in place to safeguard data. They have to complete a risk assessment of areas that could compromise privacy of personal data. They have to implement logical and proportionate controls based on the risk assessment. They have to perform robust vendor management. Um, vendors need to have contracts, adequate certifications, and assurances that they have appropriate controls and record any breaches or security incidents. So bit of Article 28 there.

SPEAKER_01

Um it's very similar to like a DPIA, you know, uh risk assessment and then vendor assessments that we see in the GDPR.

SPEAKER_00

Yeah, and they also need to have an ongoing process for reviewing and updating security controls.

SPEAKER_01

Okay. So very similar.

SPEAKER_00

I like that act, like it's very familiar. Though going through those five, it's like, well, I've heard that before.

SPEAKER_01

Yeah, absolutely. Yeah, very good.

SPEAKER_00

Um, so that's the three main ones. There's a couple other ones I'll just touch on really quickly because you could you, you know, you could talk about them all day and we're trying to do everything. Um but so they have the Family Educational Rights and Privacy Act. Uh it's one of the oldest federal acts they have, uh, and it's related to education records of those under eighteen.

SPEAKER_01

That's more protection of children's rights, children's privacy rights than Yeah.

SPEAKER_00

So it's basically the Right to access, request, correction, and you know, disclosure of educational records to third parties. I think the disclosure of education records to third parties was the main aim of this act that they wanted to capture that, you know, at the end of the day, it's the parent who has that right to consent to disclosure of their children's education records. So it's an old act.

SPEAKER_01

It came in in 1974, so it is quite old, isn't it? Yeah.

SPEAKER_00

It was it was when everyone had paper records. So in the modern time enforcement has been strained. But it's one to note. I mean, it's a it's quite a unique one. Then they also have the Electronic Communications Privacy Act of 1986, which uh governs the government's access to electronic communication.

SPEAKER_01

The wiretap, I think you mentioned earlier, the so we know about it already, but yeah, the it was a follow-on from the Nixon scandal, wasn't it? Yeah.

SPEAKER_00

Yeah. So yeah, there's there's even more than this. I mean, you could probably uh go on for a long time talking about all the random sector-specific federal laws, they have the Cable Communications Policy Act, they have the Video Privacy Protection Act, as you said, the Driver's Privacy Protection Act, after a stalker obtained a victim's address from the DMV.

SPEAKER_01

Oh wow.

SPEAKER_00

It's so reactive. It's it's it's you know.

SPEAKER_01

Yeah, if it was more general, it would protect more kind of records, do you know what I mean? People's more personal records, yeah. Not just the driving record, you know.

SPEAKER_00

Yeah, and it it the result, end result is it's quite a complex privacy landscape because you have to be very careful thinking about what what type of data am I processing, what type of entity am I? Like you might think that the HIPAA act applies to all health data, but it actually just applies to covered entities and their vendors, you know? Yeah, it's stuff like that.

SPEAKER_01

It's yeah, yeah, so it's complex and yeah, industry specific and state specific, you know, and sometimes even federal, you know, uh federal specific. So yeah. But I think we have kind of a very good grounding now. So um we we've done kind of the history and the structure of the US privacy law. I think what strikes me is how much of a patchwork it genuinely is. Um because and I think it's been it's not been done deliberately, but it's been it's it was a it's been a consistent sequence of choices uh that's been made to create this patchwork because of you know the the way Americans live, that their you know, their principles, their ideology, and so on. I don't think it's just a historical accident. Um because you know, we look at 1974, 1973, we had, you know, they started off with uh um Fair Information Practice Principles, you know, so they had these ideas, but I think it's it's been an active choice just to kind of be industry specific as opposed to like a blanket um protection act like we see in Europe.

SPEAKER_00

So I think uh another takeaway from this episode is that just because there is no comprehensive federal law doesn't mean there are no laws or obligations. You still are gonna have to pay attention to what the nature of your organization is, who you target, and what kind of information that you process, because the obligations are there, they're just fragmented, and as we highlighted, you know, some individuals have can lose you can have fines, there's some criminal penalties, and even from your story, that lit that um individual who lost their job.

SPEAKER_01

Yeah, exactly, yeah, yeah. So so, like you say, just because there's not like a uh an industry agnostic law cutting across you know all of the various different industries, it doesn't mean to say that you you don't have obligations, you definitely do. Um so in our next episode, part two, we'll turn to the state law landscape. And that's again, it's quite a patchwork, especially in the last five years, I think. Uh California, with its CCPA, kind of started it off, and now they have the CPRA that we'll get into in more detail as well. And then there's a growing list of state comprehensive privacy laws that we'll have to look at as well. So how individual rights compare to the GDPR, you know, that'll be an interesting discussion. How children's data is being regulated at a state level, and what are the FTC, what is the Federal Trade Commission actually does in practice? Like it's America's de facto privacy regulator, but you know, we'll get into more details about what it actually does. So make sure to join us for that.

SPEAKER_00

And for our third part, also, where we'll be covering the transatlantic data transfer story, which has a bit of conflict. Um the Safe Harbor Agreement, the Schrems decisions, the Privacy Shield, and the current Data Privacy Framework. It's a very interesting story, and it's important for anyone who's moving data between Europe and the US.

SPEAKER_01

Yeah, I'm really looking forward to that one as well because it's a really interesting story, I think. And again, it it it involves a lot of of you know uh conflicts really, but you know, at a kind of a very high level. So yeah, it'll be interesting to get into it. So um thanks for that, Katie. Thanks for your time, and until next time, take care of your data, everybody. And each other.