America edges closer to a federal data privacy law, not that anyone can agree on it

What do we want? Safeguards on information! How do we want it? Er, someone help!

American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.

The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.

Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).

"Our privacy is something we each confront on a daily basis," said Rep. Pallone, Subcommittee Chair and one of the bill's co-sponsors, in a statement [PDF].

"Almost every company we interact with is conducting surveillance on us. When we visit a single website, many companies are tracking our actions on that site, and we all visit many sites every day. That’s why there is near universal agreement that a national data privacy and security law is urgently needed to protect consumers."

The European Union has the General Data Protection Regulation (GDPR). The UK has the Data Protection Act 2018, derived from GDPR. The US has a mix of narrowly focused federal privacy laws but no comprehensive nationwide framework. Among those testifying at Tuesday's hearing, everyone acknowledged that America needs reasonable privacy rules while differing on the definition of "reasonable."

"The United States now faces a data privacy crisis," said Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, in prepared testimony [PDF].

"The lack of a comprehensive US privacy law has allowed abusive data practices to flourish, threatening our rights and institutions. Robust data protection standards are essential to ensure the preservation of human rights and dignity and the healthy functioning of our democracy."

One size doesn't fit all

The Electronic Frontier Foundation, which did not participate in the hearing, issued a similar statement echoing the need for strong privacy rules. But the EFF's missive also urged lawmakers to remove language in the bill that would preempt stronger state privacy laws, namely those that limit when private entities may disclose customer data to the government, govern how biometric and genetic data must be handled, and require companies to respect people's opt-out settings.

"While EFF supports federal legislation that actually protects consumer data privacy, we have long opposed doing so if the price is preemption of stronger state laws," said India McKinney, director of Federal Affairs at the EFF in a letter [PDF] to the Subcommittee.

The ADPPA covers a lot of ground: consumer awareness, transparency requirements, individual rights and control over stored data, consent and opt-out rights, data protections for children and minors, third-party data collector obligations, algorithmic transparency requirements, data security requirements, the extent of corporate responsibility, and how enforcement will be handled. And its current language doesn't suit everyone.

For example, the ADPPA as currently written includes a limited private right of action. Four years after the bill becomes law and takes effect, individuals would be able to file civil complaints against companies that violate the privacy rules. But first they'd need to notify the US Federal Trade Commission, so that government prosecutors have the opportunity to pursue the case on behalf of the plaintiffs.

Even with the requirement that complaints would need to be run by the FTC, business groups like the Chamber of Commerce and NetChoice would prefer not to see individuals able to initiate privacy lawsuits. Meanwhile, David Brody, managing attorney for Digital Justice Initiative, argued for a broader ability to sue privacy-violating companies.

"We have concerns that without a stronger private right of action, it will be difficult for individuals to vindicate their own rights and address the harms we have documented," he said in prepared remarks [PDF].

Maureen Ohlhausen, a former FTC official and chair of the 21st Century Privacy Coalition, a trade group funded by the likes of Comcast, AT&T, and Verizon, sees the need for further revisions in the bill's language. In prepared testimony [PDF], she expressed concern that the bill's privacy language "far exceeds the requirements of the Cable Act and equivalent satellite protections," which she believes work just fine.

Everyone agrees we need a federal privacy bill to resolve the current chaos of conflicting state laws. But there's no consensus about what privacy actually looks like or how it might be enforced. ®
