On July 13, Maine Attorney General Aaron Frey sent a letter to U.S. Reps. Frank Pallone Jr. and Cathy McMorris Rodgers, voicing concerns that passage of the American Data Privacy and Protection Act would “eliminate every state’s ability to adjust to novel and unanticipated threats to consume privacy in an ever-changing internet ecosystem.”

This concern stems from this law’s preemption clause, which prevents states from passing stronger privacy protections. Other federal legislation has revealed that the federal government has been sluggish to respond to “novel and unanticipated threats.” The concern with preemption is that if states cannot act in the face of a sluggish federal response to changes in the privacy landscape, as renowned privacy expert Daniel Solove put it, the “law ossifies (and) weakens considerably.”

One example of how the federal government has been sluggish to respond is the Health Insurance Portability and Accountability Act of 1996, drafted before the advent of Facebook and the iPhone, and a relic in need of an overhaul. Since the implementation of its two major rules in 2003 and 2005, HIPAA has undergone just one substantive change (the 2013 Omnibus Rule) with another rule change on the horizon. In the face of “the ever-changing internet ecosystem,” HIPAA has begun to ossify as neither of the changes substantively address that changing ecosystem; specifically the digitization of health information.

Although a positive step forward for privacy, federal preemption runs the risk of turning the American Data Privacy and Protection Act into a relic before Congress is willing to act.

John Haskell
Topsham