Recent trends in privacy legislation, including the passage of the California Consumer Privacy Act, more commonly referred to as the CCPA, as well as copycat laws in at least nine other states, make clear the intention of state legislators to regulate and govern the processing of personal information. Whether these laws apply in Indian Country is fast becoming a question at the table. All tribes should assess their unique position in this new and evolving privacy law landscape and consider actively embracing privacy self-governance by enacting a privacy code.
Tribal Law and Relationship with State Law Application
Breach notification and privacy governance are emerging areas of law, often raising more questions than answers on issues of applicability and enforceability for businesses seeking to be compliant. For federally recognized tribes and their businesses, those issues are even more complex, as whether state law even applies is a highly nuanced determination.
As a general rule, whether state law applies turns first on whether the state is a “Public Law 280” state and, if so, whether the law is prohibitory or regulatory in nature. Public Law 83-280 (Public Law 280), enacted in 1953, is a federal statute that grants specific states criminal jurisdiction over Native Americans on reservations and grants Native Americans access to state court forums to resolve certain civil disputes. An area of complex jurisprudence in its own right, Public Law 280 confers jurisdiction on some states outright, while some states have retroceded some or all jurisdiction, and some states have never been mandatorily subject to the powers granted by Public Law 280 or have a similar enabling statute.
Should states seek to impose breach notification and privacy laws on tribes under the jurisdictional powers granted by Public Law 280 or something similar, the outcome will likely depend on whether the state law is prohibitory or regulatory in nature. Forecasting into the future, we suspect that courts will interpret laws governing the sharing, collecting, and utilization of personal information as regulatory rather than prohibitory—they do not ban data use, but instead impose safeguards and parameters around that use. However, tribes should not discount the possibility that these laws could be deemed prohibitory in nature. For example, certain privacy laws prohibit the collection or use of personal information, unless individuals receive formal notice or give affirmative consent.
Where the prohibitory or regulatory nature of a state law is not clear, courts weigh the state’s interest versus the tribe’s interest. Tribes should anticipate these challenges and bolster their position of sovereignty by demonstrating self-governance and a tribal interest in protecting data. All tribes should consider what some are already doing: enacting a tribal privacy code and data governance program.
What About Federal Law Application in Tribal Jurisdictions?
Federal lawmakers continue to propose privacy bills addressing issues already regulated by state privacy laws. To the extent a federal privacy law passes, and state preemption issues are resolved, it is possible that tribal sovereignty will become vulnerable to a federal interest to protect privacy if the federal law opts in tribes. A tribe with an existing data governance law would be better prepared to comply with the federal law, minimizing the need for changes to their practices.
If a federal law does not opt in tribes, the privacy program would be essential for tribes seeking to challenge jurisdiction, especially in the Ninth Circuit, which adheres to the doctrine of general applicability.
Whether tribes can stave off federal law applicability or whether tribes seek to be better prepared for it, a tribal privacy code would serve a key purpose.
Tribal Privacy Code: Sovereign Immunity and Self-Governance
With the addition of new state comprehensive privacy laws enacted seemingly every month, how should a tribe begin to implement a privacy program?
We believe that the contents of any privacy code are highly dependent on the state in which the tribe is located, as well as the nature of the data processed, such as tribal member information, consumer or guest information, or information on other business venture customers. Tribes should also consider whether they attract business from out of state.
Privacy codes could include, but not be limited to:
- Defined terms, such as what constitutes “personal information.”
- Special processing requirements for sensitive personal information.
- Privacy rights, such as the right to access, correct and delete.
- Data minimization standards.
- Data retention requirements.
- Which types of disclosures to third parties require contractual obligations to protect personal information.
- Tribal leadership privacy training requirements.
- Data protection impact assessments and/or audit requirements.
- Breach notification requirements.
There is no “one-size-fits-all” privacy code, and some requirements may be too onerous for smaller tribes to satisfy. For these tribes and businesses, an option may be to integrate the requirement with lower thresholds, since not implementing the requirement at all may lead to an argument that the tribe simply cannot self-govern in this area. Additionally, tribes should consider that drafting a privacy code is only one step of many. Contracting with vendors and partners will have its own challenges; for example, service providers subject to these state privacy laws may push certain contractual privacy provisions in agreements that tribes are unprepared to negotiate or implement.
The changing landscape means tribes should be encouraged to engage in self-governance related to privacy, taking proactive steps to establish comprehensive privacy frameworks that prioritize data protection, maintain cultural integrity, and ensure the well-being and autonomy of their tribal members.