Will This New Congress be the One to Pass Data Privacy Legislation?
A Congress that begins with a government shutdown carrying over and a raft of subpoenas to the executive branch issued by incoming House committee chairs promises to be at least as polarized and partisan as its predecessor. Even so, legislators want to legislate, and will seek some opportunities for bipartisan agreement. One area where this may happen is federal legislation to protect personal information privacy.
Congressional leaders in both parties have expressed an interest taking up privacy legislation and are doing serious work to that end. Republican Senator John Thune of South Dakota, who chaired the Senate Commerce Committee and now becomes the majority whip, led a pair of privacy hearings last fall which he opened by saying developing a privacy law “enjoys strong bipartisan support” and “the question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape it should take.” His view was echoed by committee members on both sides.
His successor as committee chair, Republican Roger Wicker of Mississippi, has expressed support for “a federal law on the books by the end of 2019.” His incoming House counterpart, Democrat Frank Pallone of New Jersey, endorsed “comprehensive legislation” earlier in the year and, shortly after the election in November, announced that proposals for privacy and security will be part of the Democratic agenda.
So far the Senate has done the most visible work. Wicker along with Republican Jerry Moran of Kansas and Democrats Richard Blumenthal of Connecticut and Brian Schatz of Hawaii, all chairs or ranking member of relevant Commerce Committee subcommittees who are working on legislation, sent a joint letter to Commerce Secretary Wilbur Ross urging the administration to collaborate with Congress on privacy because national standards require congressional action.
Two senators have released drafts of bills intended to provoke discussion. Oregon Democrat Ron Wyden got an early jump with a draft Consumer Data Protection Act that caught attention with high-level corporate disclosure requirements similar to those in the Sarbanes-Oxley law, carrying a risk of criminal charges. Senator Schatz (joined by 15 Democrats) released a draft Data Care Act that would establish duties of “care, loyalty, and confidentiality” for online providers that handle personal data.
A broad array of stakeholders have been framing positions in anticipation of this discussion. Over the past several months, Access Now, the Business Roundtable, BSA | The Software Alliance, the Electronic Privacy Information Center, Google, the Internet Association, the Information Technology Industry Council, and the U.S. Chamber of Commerce all issued principles or frameworks outlining what legislation should address. Many more submitted comments in the National Telecommunications and Information Administration inquiry on national privacy standards.
Two stakeholders have contributed their own draft bills to the discussion. Intel Corporation put out a draft on an interactive website featuring comments from privacy experts, based on codifying fair information practice principles. A Center for Democracy and Technology draft—developed after several months of input from academics, privacy groups, and businesses—spells out limits on data collection and use.
I’ll have more comments on these various draft bills and the substance of the emerging debate in the coming weeks. But, having led the Obama administration’s drafting of legislation based on its Consumer Privacy Bill of a Rights, I have great respect for any effort to put privacy into law. While there is a lot of agreement on the essential principles, it is a challenge to articulate these in ways that are concrete without being too prescriptive or too narrow.
What is striking to me is how far the discussion has come over the past couple of years. I have written about how the existing paradigm of U.S. privacy laws has become a losing game because it relies on consumer choice that puts the burden on individuals to manage their privacy and data. Emerging bills and the various frameworks and comments reflect a clear move toward shifting the burden onto companies to handle data fairly. After I left the government, draft Obama administration legislation was diluted in an unsuccessful effort to broaden business support, lost civil society support in the process, and so fell flat when it was released publicly. But now the Business Roundtable, Chamber of Commerce, and many other business interests are supporting consumer rights like access, correction, and deletion—levels of regulation that would have been dealbreakers when I was trying to broker legislation.
This reflects a climate that has changed in response to data breaches and concerns about data collection, the new European Union data protection regulation, and the California initiative drive that culminated in California’s broad new privacy law. This change got a boost from the Cambridge Analytica stories and growing concern about social media that has put privacy onto the congressional agenda for 2019.
Will this be enough to bring about passage? Any legislation is difficult, and big legislation that cuts across many different and powerful interests often takes several Congresses. But, as a committed optimist, it’s my belief that there is a sweet spot where business interests and privacy advocates can converge. There is a brief window for this to happen, because once California’s new privacy law takes effect at the beginning of 2020 and the next federal election takes shape, agreement is likely to become more difficult.
Privacy and consumer legislation have fared well in divided government. The cornerstones of federal privacy law, the Fair Credit Reporting Act and the Privacy Act, were enacted in 1974 when Republicans held the White House and Democrats the Congress. Another wave of privacy laws—the Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley Act of 1999 on financial privacy—was passed under the Clinton administration with Republicans in control of Congress. Whether privacy legislation can follow this pattern in 2019 will test whether this Congress seeks to pass legislation—or to build political brands.
This piece is crossposted on Brookings Tech Tank.