Council of Foreign Relations Wants US Baseline Data Protection Law

Council of Foreign Relations Wants US Baseline Data Protection Law

The Council of Foreign Relations (CFR) recently released a report titled “Reforming the U.S. Approach to Data Protection and Privacy” that argues for a U.S. baseline data protection law. According to the report, even a national data breach notification law would not appropriately punish companies, clarify rules enough, or provide incentives for companies to strengthen cybersecurity. Instead, the CFR believes that a baseline data protection law would cover all industries, remove inconsistencies from patchwork state and industry laws, emphasize prevention instead of disclosure, and address policy violation harms.

Here are some quotes from the report:

  • “…the United States—home to some of the most advanced, and largest, technology and data companies in the world—continues to lumber forward with a patchwork of sector-specific laws and regulations that fail to adequately protect data. U.S. citizens and companies suffer from this uneven approach—citizens because their data is not adequately protected, and companies because they are saddled with contradictory and sometimes competing requirements. It is past time for Congress to create a single legislative data-protection mandate to protect individuals’ privacy and reconcile the differences between state and federal requirements.”
  • “State laws add to this patchwork, particularly with respect to data breaches. Many states recognize that widespread collection of personal information puts their residents’ privacy and security at risk. Starting with California, which enacted the first data-breach notification law in 2003, forty-eight states have passed laws that require individuals to be notified if their information is compromised. These laws have different and sometimes incompatible provisions regarding what categories and types of personal information warrant protection, which entities are covered, and even what constitutes a breach. Notification requirements also vary: New Jersey requires that the state police cybercrime unit be notified, while Maryland requires that the state attorney general be notified before any affected individual is.”
  • “The U.S. Congress should join other advanced economies in their approach to data protection by creating a single comprehensive data-protection framework. Meaningful federal laws and regulations should seek to resolve the differences among the existing federal and state legal rights and responsibilities. This would not only simplify compliance for U.S. companies, but would also strengthen and bring the United States in line with emerging data-protection norms. Congress could implement an effective baseline privacy regime with at least the following four qualities.”

Read the full report.