America edges closer to a federal data privacy law, not that anyone can agree on it
What do we want? Safeguards on information! How do we want it? Er, someone help!
American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.
The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.
Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).
"Our privacy is something we each confront on a daily basis," said Rep. Pallone, Subcommittee Chair and one of the bill's co-sponsors, in a statement [PDF].
"Almost every company we interact with is conducting surveillance on us. When we visit a single website, many companies are tracking our actions on that site, and we all visit many sites every day. That’s why there is near universal agreement that a national data privacy and security law is urgently needed to protect consumers."
The European Union has the General Data Protection Regulation (GDPR). The UK has the Data Protection Act 2018, derived from GDPR. The US has a mix of narrowly focused federal privacy laws but no comprehensive nationwide framework. Among those testifying at Tuesday's hearing, everyone acknowledged that America needs reasonable privacy rules while differing on the definition of "reasonable."
"The United States now faces a data privacy crisis," said Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, in prepared testimony [PDF].
"The lack of a comprehensive US privacy law has allowed abusive data practices to flourish, threatening our rights and institutions. Robust data protection standards are essential to ensure the preservation of human rights and dignity and the healthy functioning of our democracy."
One size doesn't fit all
The Electronic Frontier Foundation, which did not participate in the hearing, issued a similar statement echoing the need for strong privacy rules. But the EFF's missive also urged lawmakers to remove language in the bill that would preempt stronger state privacy laws that limit when private entities may disclose customer data to the government, how biometric and genetic data must be governed, and require companies to respect people's opt-out setting.
"While EFF supports federal legislation that actually protects consumer data privacy, we have long opposed doing so if the price is preemption of stronger state laws," said India McKinney, director of Federal Affairs at the EFF in a letter [PDF] to the Subcommittee.
The ADPPA covers a lot of ground: consumer awareness, transparency requirements, individual rights and control over stored data, consent and opt-out rights, data protections for children and minors, third-party data collector obligations, algorithmic transparency requirements, data security requirements, the extent of corporate responsibility, and how enforcement will be handled. And its current language doesn't suit everyone.
- Big Tech loves talking up privacy – while trying to kill privacy legislation
- Behind Big Tech's big privacy heist: Deliberate obfuscation
- Campaigners warn of legal challenge against Privacy Shield enhancements
- UK health privacy watchdog still in talks over who is accessing country's COVID data store
For example, the ADPPA as currently written includes a limited private right to action. Four years after the bill becomes law and takes effect, individuals would be able to file civil complaints against companies that violate the privacy rules. But first they'd need to notify the US Federal Trade Commission, in order to offer government prosecutors the right to pursue the case on behalf of the plaintiffs.
Even with the requirement that complaints would need to be run by the FTC, business groups like the Chamber of Commerce and NetChoice would prefer not to see individuals able to initiate privacy lawsuits. Meanwhile, David Brody, managing attorney for Digital Justice Initiative, argued for a broader ability to sue privacy-violating companies.
"We have concerns that without a stronger private right of action, it will be difficult for individuals to vindicate their own rights and address the harms we have documented," he said in prepared remarks [PDF].
Maureen Ohlhausen, a former FTC official and chair of the 21st Century Privacy Coalition, a trade group funded by the likes of Comcast, AT&T, and Verizon, sees the need for further revisions in the bill's language. In prepared testimony [PDF], she expressed concern that the bill's privacy language "far exceeds the requirements of the Cable Act and equivalent satellite protections," which she believes work just fine.
Everyone agrees we need a federal privacy bill to resolve the current chaos of conflicting state laws. But there's no consensus about what privacy actually looks like or how it might be enforced. ®