Sam Han, ‘Model Omnibus Privacy Statute’

One of today’s major concerns is how easily digital information can be copied and disseminated. Thus, when one’s private information becomes publicly available in digital format, that information can be readily duplicated and distributed across the globe within seconds. If the disseminated information includes credit card numbers or Social Security numbers, then there is a heightened exposure to identity theft and a host of other privacy-related crimes.

Given the existence of such a digital landmine, laws have been promulgated for various sectors (e.g., financial, healthcare, government, etc.) to protect personally-identifiable information. However, due to differing needs of the various sectors, each sector treats its data differently from other sectors.

Compounding to this sector-by-sector discrepancy, several states have enacted their own laws relating to personally-identifiable data. Thus, the treatment of personally-identifiable data can differ from state to state, as well as from sector to sector. This presents numerous compliance challenges to a business should it collect, use, and share personally-identifiable information as part of its business model. A company, even one of modest size with a small customer base, still faces questions as to which compliance structure it must follow: Must it comply with the laws of the state in which its customer resides? Is it governed by an overarching federal framework? Or, does it need to comply with a particular sector in which it does business, such as healthcare? A company can easily be paralyzed attempting to determine which laws govern the personally-identifiable information in its possession. This is to say nothing of the significant increase in its compliance burden should there be a transfer of information to and from a foreign country (or compliance regime), such as the European Union (EU) or countries in the Asia Pacific Economic Conference (APEC).

With these issues in mind, this paper examines whether an omnibus privacy statute can be crafted such that it adequately addresses each sector. While this paper takes no position either for or against an omnibus privacy statute, it shows the feasibility of crafting such a statute should such a privacy statute be deemed necessary.
Specifically, this paper presents a model omnibus privacy statute, which: (1) identifies categories of personally-identifiable data that are common across most sectors and across all states; (2) identifies particular data elements that fall within each of these categories; and (3) prescribes the treatment of these data elements (both in how to collect the data and in how to protect the data after collection) based on their respective categories. Briefly, this paper proposes three distinct categories, namely: (1) high-risk data elements (which, standing alone, can identify a particular individual or cause harm); (2) mid-risk data elements (which can identify a particular individual or cause harm when combined with other mid-risk data); and (3) low-risk data elements (which cannot identify a particular individual unless used in conjunction with high-risk or mid-risk data).

Lastly, in the spirit of creating solutions through such an omnibus privacy statute, we humbly suggest a model form which a compliant business organization can use in the collection, use, and sharing of personally-identifiable information. A practical privacy-enabling tool, such as a standard universal form for the collection of personally-identifiable information, not only meets the letter of the law, but provides an operational method by which employees and managers of any level of training can follow to ensure that the privacy protections of the statute truly follow the data from the point of collection and beyond.

Han, Sam, Model Omnibus Privacy Statute (September 9, 2010). University of Dayton Law Review, Vol. 35, No. 3, 2010.

First posted 2011-09-06 06:50:55

Leave a Reply