Privacy Is the New Black

It seems to have all started with the Health Insurance Portability and Accountability Act (HIPAA), which was passed in 1996 and signed into law by President Bill Clinton. Then, after stumbling around for almost a decade, in 2009 the HITECH Act was signed by President Barack Obama which gave the necessary teeth to the privacy and security obligations. So, basically, individuals have a right to privacy in their health care records. Hardly a novel concept. Or is it?

The idea of having a right to privacy is not embedded in the fabric of our country. Far from it. Unlike the “good ol’ days”, where Americans zealously guarded their right to privacy, there has been a dramatic shift. With the birth of Facebook, Instagram, Snapchat, [insert newest platform here], we see that everyday individuals give away intimate details of their personal life. Social media forever changed the way in which our society viewed privacy and now it seems that social media may be changing the way we view our right to privacy. But first, let’s examine how privacy is perceived on a global scale.

In Europe, individuals have a fundamental right to privacy, the domestic equivalent of the First Amendment. The EU’s Charter of Fundamental Rights includes the right to privacy and the right to data protection. And, in case you have been living under a rock for the past 2 years, you have heard about the European Union’s General Data Protection Regulation (GDPR).

While we have covered components of the GDPR in the last few months in our blog, the GDPR is a legal framework that sets guidelines for the collection and processing of personal information. Originally considered a problem just for our friends and colleagues across the pond, most domestic organizations now realize that the GDPR’s robust extraterritorial effect encompasses any company that deals with the data of EU natural persons. The GDPR was the regulatory equivalent of the bogeyman of our nightmares come to life, with incredibly granular administrative, legal and technological requirements. It is literally changing the face of the way companies across the globe address privacy. And, while everyone has been busy watching the GDPR to see how, and to what extent, it would have an impact domestically, the GDPR is not the only game in town.

In the United States, aside from the aforementioned HIPAA, many states have been proactively addressing privacy at the state-level. The Illinois Biometric Information Privacy Act (“BIPA”) was passed over a decade ago, in 2008. BIPA was designed to address the growing use of biometric identification technology, such as retina scans, fingerprint identification and facial recognition technology.

BIPA does not prohibit the collection or use of biometric data; but, similar to the GDPR, it governs the way the data is collected and stored. Unlike other domestic privacy and security regulations, BIPA prohibits a company from collecting “biometric identifiers or biometric information” unless the company first obtains the individual’s opt-in consent. It is the opt-in that is unusual, requiring an affirmative act on the data subject’s part in order to be compliant. Also interesting is the fact that BIPA allows a private citizen to bring a cause of action to enforce the Act, rather than relying solely on the state attorney general’s office for enforcement.

With BIPA on the books for a decade, and the GDPR being on the horizon for the past two (2) years, why is it that mainstream media has only just started to highlight the issue of privacy? Three words: Facebook and Cambridge Analytica. Cambridge Analytica (which denies any wrongdoing) is the data firm at the center of this year’s Facebook privacy fracas. It is a scandal that centers around data collected from Facebook users via a personality app developed by the Cambridge University researcher Aleksandr Kogan. The data was collected via Facebook’s permissive “Graph API”. This allowed the collection of data about users and their friends, including likes, activities, check-ins, location, photos, religion, politics and relationship details. The information was then passed to Cambridge Analytica, in breach of Facebook’s policies. And then... Whoops! A huge scandal that launched the Facebook-Mark Zuckerberg Apology Tour 2018. But what did the Cambridge Analytica scandal really start? The realization by US citizens that we are literally giving away our private information and we have ABSOLUTELY NO RECOURSE.

Since BIPA is really the only way to measure how the American public feels about giving away so much of its personal data (contrary to popular opinion, there is no private cause of action for a violation of HIPAA), we look to how many lawsuits have been filed claiming a violation of BIPA. Here we find our answer: a spike in the number of companies being forced to defend a lawsuit based on BIPA. Now, one could argue that we can also attribute this increase to the number of devices that require biometrics for access. However, I would propose a different explanation: a realization by individuals that privacy is something to be protected.

What is interesting and clear is that this scandal has shown the need for federal regulations when it comes to data privacy. Not just in healthcare (HIPAA) or for biometrics in Illinois (BIPA), but comprehensive data privacy regulations. Other states like Texas and Washington are considering similar biometrics laws, but none of them provide a private cause of action and they are certainly not comprehensive. Another state that is getting into the privacy mix is California, with its Consumer Protection Act of 2018 (CCPA), but again, we are faced with state-by-state regulations in an area that transcends borders.

Data moves nearly instantaneously across state (and national) borders. Yet our laws do not appreciate or contemplate the transparency of these borders when it comes to data transfer. To change data privacy laws is to understand how this all works and to appreciate how data is created, transferred, processed, stored and used. It is also to appreciate that individuals have a right to protect their data in this ever-changing digital world. The CCPA is an important step in that direction, signaling a potential shift in the way Americans perceive data privacy. However, questions still remain: does it go far enough? And why hasn’t the federal government stepped in, in an area that clearly implicates interstate commerce?

For now, we wait and watch to see how the GDPR and the CCPA, and other evolving privacy regulations, will be interpreted and applied. And just as trends and popular zeitgeists change and resurface, with the old becoming new and the unpopular turning popular, everything comes full circle: data privacy is the new black.

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.