When it comes to regulating privacy, the United States is often considered an outlier in the international community.
First, we take a sector-specific approach to privacy. Other countries typically have one blanket policy that covers all aspects of life. We have numerous specific privacy regulations that cover everything from criminal law to credit histories to video rental records and health care information.
As a result of our disparate approach to privacy, unlike most other modern nations, we’ve never had an agency or individual whose sole duty is to protect privacy. We have no “Data Protection Authorities.”
However, we’ve been fortunate. In the past decade, the Federal Trade Commission (FTC) has stepped up to play an active role in regulating and enforcing consumer privacy in the U.S. But the FTC typically addresses privacy issues within the context of consumer protection. The FTC has the authority to go after “unfair or deceptive acts or practices in or affecting commerce.” Data protection isn’t the agency’s sole duty. It doesn’t enforce privacy for privacy’s sake.
But is our lack of a designated Privacy or Data Protection Authority that exceptional? Look at it this way: Every European Union member nation (all 27 countries) has a designated data protection authority. Canada and Mexico both have dedicated data protection authorities. Argentina? Dubai? Israel? Russia? Check, check and check. And while China, to my knowledge, does not have a data protection authority per se, Hong Kong does. In fact,it's difficult to think of countries without a privacy commissioner.
So until recently our lack of a privacy post has made it difficult for the U.S. to sit at the table and present our take on emerging issues in international privacy. That's why I was so pleased to find out that at the recent 32nd International Conference of Data Protection and Privacy Commissioners held this past October in Israel, the FTC’s application for membership was finally accepted. (Previous attempts at membership were flatly rejected.)
So what does this mean? First, the FTC now officially represents U.S. privacy interests to the international privacy community—not the Department of Commerce or the Department of State. Second,it's a tacit recognition by European countries that, like it or not, the U.S. takes a different approach to enforcing privacy.
My hope is that this recognition from other countries means they acknowledge that different isn’t better and different isn’t worse. Different is just different, especially since when it comes to privacy, no country has managed to get it quite right anyway.