Over the last few years, data privacy has been a concern among legal practitioners and citizens worldwide. The widespread use of the internet and the advancement of technology have inevitably raised issued regarding data privacy. We have all heard about doxxing, which is when people intentionally publish private information about others on the internet without their consent. Worse, we have been warned about how tech behemoths collaborate with powerful governments that are supposed to protect us, allowing them to effortlessly and legally access and exploit our private information without us even realizing. Despite a general trust in these valued modern tools, particularly among younger generations who are unaware of any alternative, these stories have woken up some of us.

Because we live in such a globalized environment, no one is immune to the risks associated with sharing (or simply storing) information online. Everyone should be worried that their personal information is secure at this time. However, citizens of powerful and globalized countries, such as the United States, may be a more attractive target for so-called data thieves or their own governments. We have all read about US government using the pretext of “national security” to violate nearly any law, national or international, with no repercussions and impose authority not just over other countries but even on their own population. Many of us wonder how they manage do it. It raises the question of whether there is indeed any data privacy law in the United States that protects us.

Those who decide to dig in a little deeper will discover that there is no single general data protection law in the United States, but rather hundreds of laws adopted by federal and state governments that purport to protect the personal data of (and only) U.S. individuals. It is important to note that any person temporarily in the United States (legally or illegally) or communicating with U.S. persons via the internet will most likely be excluded from this protection, regardless of whether their information is used. In fact, we will find that at the federal level, the Federal Trade Commission Act (FTC Act) is mostly general and vague about the government’s own limitations on the use of personal information, providing the US Federal Trade Commission broad authority to enforce general privacy and data protection regulations. This allows the government a lot of discretion to breach privacy standards under the guise of upholding such rules or, as is frequently the case, safeguarding national security. This is especially significant given that there is no plenary data preserving regulator in the United States, with the FTC typically setting the tone on federal privacy policies.

We will further realize that all other federal data protection laws apply to private specific sectors leaving unregulated many other sectors, or in general, personal information of the public in situations relating federal government. For instance, the Gramm Leach Bliley Act, the Fair Credit Reporting Act, and the Health Information Portability and Accountability Act, all pertain to the financial and health sectors, respectively. Similarly, the Driver’s Privacy Protection Act (DPPA) governs the privacy and dissemination of personal information gathered by state departments of motor vehicles. The Children’s Online Privacy Protection Act (COPPA) prohibits the collection of any information from children via the internet or digitally connected devices. The Video Privacy Protection Act (VPPA) bans the disclosure of video rental or sale records, as well as online streaming. In addition, the Cable Communications Policy Act safeguards subscriber information.

Instead, data privacy concerns are largely regarded as state responsibilities. As such, states are seen as the primary regulators of data privacy within their territory. This means that Congress will generally not intervene or influence the data privacy policies of each state. Thus, states are mostly allowed to regulate data privacy issues as they see proper. Naturally, state statutes vary greatly from one state to another. Some are thorough, addressing issues ranging from protecting library records to drone surveillance, while others fail to satisfy residents’ basic privacy rights. Some states are also more active than others in terms of data protection and raising public awareness about privacy issues. One obvious issue with the foregoing is that there is no standard definition of what personal information is or how it should be treated on online platforms with national or worldwide reach. Obviously, this not only gives the government a great opportunity to abuse its power in its relationship with citizens and their personal information, but it also leaves citizens unable to challenge a federal government that constantly collect, copies, and uses their information without informed consent or knowledge.

We wonder if there is indeed a constitutional reason for the federal government to fully refrain from regulating data privacy issues, or if it is merely an intentional decision, an excuse to continue listening to us and utilizing our information without restriction. It appears convenient that in certain cases, federal governments have fought and succeeded to heavily regulating activities that may represent a threat to national security but have not made the same effort for data protection because it does not serve their own interests. Take the press or media industry as an example. It has been regulated for years, with a particular license required to carry out this activity due to the potential of public misinformation. Again, we ask how data protection cannot be as relevant to federal government when it comes to people’s right to privacy, which is guaranteed by the Fourth and First Amendments of US Constitution and should be protected at all times. Indeed, according to Supreme Court Justice Louis Brandeis’ famous dissent in Olmstead v. United States, even before modern technology threats, “the makers of our Constitution (…) conferred, as against the government, THE RIGHT TO BE LET ALONE – the most comprehensive of rights and the right most valued by civilized men”.

This draft does what a first draft must: it explains the issue on which you are trying to write and it gets the basics out on the page. Now it is mostly unnecessary: you have documented your learning of what we all know, So it is time to ask real questions. The questions the current draft asks aren't real. They descend in one form or another from the question "why does a law of type X (called data protection) not exist?" But it isn't that federal data protection law doesn't exist: it's that a "no-law" zone exists, equally carefully tailored to provide a form of legal repulsion, an "immunity" in the most general sense. That immunity is a form of subsidy, a removal of legal costs and exposures, Most widely-recognized in section 230 of the Communications Decency Act, this system of no-law has been tailored by Congress, the Administrations and the independent agencies for decades. As a result, the US platform industries have altered the world in the US geopolitical interest and made utterly immense fortunes for themselves and entire sectors of the US economy. Writing about the presence of this extraordinary legal and administrative engineering as though it were an absence makes no sense whatever.

The next draft can improve, therefore by leaving out the basics and applying itself to the questions you have generated out of a closer contact with the realities.

Sources: Pittman, F.P., Hafiz, A. and Hamm, A. (2023). ‘Relevant Legislation and Competent Authorities’, in Data Protection Laws and Regulations USA 2023-2024. Global Legal Group. Available at: https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa (Accessed: 27 February 2024).

Class discussions on February 28, 2024 at professor’s Eben Moglen course “Computers, Privacy and the Law”.

Constitutional Origin of the Right to Privacy (2009). American Library Association. Available at: https://www.ala.org/ala/washoff/contactwo/oitp/emailtutorials/privacya/05.htm (Accessed February 29, 2024).

Why aren't these links anchored in the text? Why make it hard for the reader?