Law and Policy

Likely the most familiar mechanism, this includes laws such as HIPAA for medical information, FERPA for student information, the EU Data Protection Directive, the UK Data Protection Act, the US Privacy Act of 1974, and other formal legal instruments. It includes torts, court decisions, administrative policy, government contracting rules, and rules laid down by regulatory agencies. Two elements to keep in mind are voluntary compliance and enforcement. That is, some policies encourage voluntary behavior in line with the policies’ goals, whereas others require it and use coercive sanctions to achieve conformance. Voluntary compliance might be encouraged by soft law or aspirational policy—formal laws or policies that do not contain a sanction mechanism. One example is the aforementioned Consumer Privacy Bill of Rights. Released within a report called Consumer Data Privacy in a Networked World,⁶¹ the Consumer Privacy Bill of Rights was policy in the sense that it expressed the wishes of the Obama Administration, but it was not a required practice within the commercial world. In 2015, however, the Administration attempted to turn this soft law into hard law by promoting a draft of the Consumer ...