The paper acknowledges the possibility that the U.S. may not implement a comprehensive federal privacy law in the near future, and that instead a growing patchwork of state laws will emerge. It proposes an interstate privacy interoperability code of conduct or certification as a solution to the possibility of inconsistent and disparate privacy requirements across the U.S. The paper outlines the benefits and key features of the code, as well as potential models and sources for its structure and substantive rules, such as the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“APEC CBPR”), ISO standards, existing state privacy laws, the EU General Data Protection Regulation (“GDPR”) and key federal privacy proposals. It also discusses the process that could be used to develop the code.
In particular, the paper identifies the following key features and benefits of a code:
- It would create a set of common data privacy and security standards that organizations could implement for their business in the U.S.;
- It would provide enhanced transparency, legal certainty and consistent privacy protections for all Americans;
- It could be recognized in states’ privacy laws, as well as in a future federal privacy law;
- It would provide cross-sectoral functionality both at the federal and state levels if the sectoral approach to privacy regulation continues in the U.S.;
- Participation would be voluntary and, as in the APEC CBPR, it could include third-party certification that an organization’s privacy practices align with the code;
- It could be used as a blueprint for future state laws and eventually for a comprehensive federal privacy law;
- It could provide a safe harbor for compliance with state (or federal) privacy laws;
- Third-party certifiers would provide frontline oversight, complaint-handling and enforcement functions vis-à-vis participating organizations, thereby easing the enforcement burdens on state attorneys general and other relevant enforcement authorities; and
- Compliance with the code could be leveraged to obtain certification under other similar international mechanisms for cross-border transfer or compliance purposes and might function as an “additional safeguard” for companies transferring data to the U.S. on the basis of standard contractual clauses in the wake of the Court of Justice of the European Union’s recent decision that invalidated the EU-U.S. Privacy Shield.