Sen. Clinton Introduces Bill That Mixes
Trade Protectionism and Data Privacy
April 8, 2004. Sen. Hillary Clinton (D-NY) and Sen. Mark Dayton (D-MN) introduced S 2312, the "SAFE-ID Act". The bill bears some attributes of a data privacy protection proposal, and some attributes of a proposal to impose protectionist barriers to trade in services.
The bill was referred to the Senate Commerce Committee, which has jurisdiction over data privacy legislation, but not to the Senate Finance Committee, which has jurisdiction over trade bills.
The bill provides that "A business enterprise may transmit personally identifiable information regarding a citizen of the United States to any foreign affiliate or subcontractor located in a country that is a country with adequate privacy protection."
It further states that "A business enterprise may not transmit personally identifiable information regarding a citizen of the United States to any foreign affiliate or subcontractor located in a country that is a country without adequate privacy protection unless-- (1) the business enterprise discloses to the citizen that the country to which the information will be transmitted does not have adequate privacy protection; (2) the business enterprise obtains consent from the citizen, before a consumer relationship is established or before the effective date of this Act, to transmit such information to such foreign affiliate or subcontractor ..."
The bill then defines a "country with adequate privacy protection" as "a country that has been certified by the Federal Trade Commission as having a legal system that provides adequate privacy protection for personally identifiable information". The bill does not define "adequate privacy protection", although the term does have meaning under EU data privacy law.
The bill would require the FTC to write rules of general application regarding "adequate privacy protection". These rules would then have only extraterritorial effect.
A majority of the Commissioners of the FTC have expressed opposition to legislation setting general privacy standards. Also, the FTC has declined to engage in such a rule making proceeding based upon its existing unfair and deceptive trade practices authority.
Moreover, the FTC, both in its consumer protection efforts, and in its competition enforcement efforts, seeks cooperation from foreign governments, and increased international comity. Placing the FTC in the position of writing rules that impose trade barriers, and issuing nation specific determinations of non-compliance with those rules, could undermine its efforts in the areas of consumer protection and antitrust enforcement.
It is unlikely that FTC Chairman Timothy Muris would testify in support of this bill, if any Committee holds a hearing on this bill.
On the other hand, this bill, if enacted, might incent countries that do not have data privacy laws, and that seek trade in services with the U.S., to enact privacy laws.
This bill, in addition to giving the FTC general privacy authority, would give the Department of Health and Human Services industry specific rule making authority with respect to health information privacy.
This bill would also create a private right of action. The language of the bill is both broad and vague. There is no bar on class action lawsuits. The bill does not identify who has standing to sue. Nor is there a requirement that any individual actually be injured by a violation of the statute. Any "improper storage, duplication, sharing, or other misuse of personally identifiable information" would give rise to a private right of action. The bill does not define "improper storage", "duplication" or "misuse".
The bill provides that "A country that has comprehensive privacy laws that meet the requirements of the European Union Data Protection Directive shall be certified" by the FTC. However, the bill also provides an exception: "unless the Federal Trade Commission determines that such laws are not commonly enforced within such country". Hypothetically, this means that the FTC would could decertify an EU nation on the basis that it does not commonly enforce the EU directive.
This bill is a creative combination of privacy and trade issues, that may have been introduced for the purposes of political debate during an election year.
While the bill may receive support from privacy advocates, trade protectionists, trial lawyers, and advocates of exploiting outsourcing concerns during an election year, it may also encounter opposition from advocates of tort reform, advocates of free trade, advocates of rural telemedicine, advocates of lower health care costs, information technology companies, and a variety of industry sectors that have an interest in offshore outsourcing of services, including health care, banking and other financial services, retailers, and others.
Also, the bill would impose barriers to trade with service providers located in
other countries, while not also imposing the same restrictions upon transactions
with providers in the U.S.. Thus, if enacted into law, it would be vulnerable to
attack as a violation of U.S. treaty obligations.