By Elana Egri-Thomas
The data privacy landscape in the United States is ineffective and fragmented across state lines. There is no federal data privacy law or data protection administrative agency. The state data privacy laws that do exist are heavily influenced by the tech industry and ignore substantive harms to consumers. Privacy scholars argue that given the power imbalance and information asymmetry between consumers and companies, consumers cannot exercise meaningful control over their data while online.
Missing from the conversation surrounding potential solutions to the data privacy landscape is the National Institute of Standards and Technology (NIST) and the NIST Privacy Framework. Due to the lack of federal action, companies use the Privacy Framework as a baseline for their privacy programs, and at least one state privacy law incorporates it. But the process by which NIST created the Privacy Framework was limited, failing to consider structural harms or equity considerations, resulting in an industry-friendly framework.
This Note argues that NIST should redevelop the Privacy Framework to address social harms and alleviate the need for federal action by engaging with all relevant stakeholders and considering critiques and potential alternatives to current data privacy laws. Part I of this Note addresses the current data privacy landscape. Part II surveys critiques of data privacy laws. Part III outlines the history and purpose of NIST, the creation of its Privacy Framework, and the role NIST could play in the data privacy realm. Part IV recommends a process NIST should engage in to reformulate the Privacy Framework.