Lawmakers want to pass a federal data privacy bill before 2020 to put Washington on par with Europe and ahead of several U.S. states. But those efforts could be delayed because of differences between technology companies and Congress over how powerful the law should be and how it should be structured.
A delay in enacting a uniform federal law could leave technology giants and startup app makers trying to meet a latticework of standards set by multiple regulations passed by many states as well as a growing international set of rules being modeled after the European Union’s General Data Protection Regulation, or GDPR. Companies also could be liable for fines and face consumer lawsuits allowed by state laws.
The cost and complexity of complying with such a regulatory system was one of the hot topics at the annual RSA Conference in San Francisco last week, which brought together more than 40,000 security and privacy experts. While hundreds of vendor booths filled a cavernous hall in the Moscone Center, venue speakers discussed minutiae of GDPR compliance and preparing for California’s Consumer Privacy Act, or CCPA, which becomes effective in January 2020.
Although most technology companies agree that a strong federal law governing the collection and use of consumers’ data is essential, how to get there is still being debated.
At a hearing before the Senate Commerce, Science and Transportation committee last month, trade groups representing technology companies strongly backed a federal law that would pre-empt or override state privacy laws like CCPA. Chairman Roger Wicker, R-Miss., told reporters he would like the legislation to pass before the end of 2019.
But overruling state laws may not be easy. California’s Attorney General Xavier Becerra has warned that weak federal legislation should not be the basis for nullifying the state’s law.
Congressional inaction on a national privacy protection law has spurred other states to follow California’s example. A bill being considered by the Washington State Legislature would give consumers new rights and impose restrictions on companies using personal data for profiling and facial recognition.
Laws mimicking the California bill are making their way through 11 state legislatures, and some state regulatory agencies are planning privacy rules for specific industries, said Dominique Shelton Leipzig, a partner at the law firm of Perkins Coie LLP, specializing in data privacy and security.
Elsewhere, India, Singapore, Brazil, and Japan have or are writing laws that would comply with the EU’s GDPR.
Although technology companies want the federal law to pre-empt state laws, California’s 53-member congressional delegation “is unlikely to support pre-emption,” Shelton Leipzig said.
Sen. Maria Cantwell, D-Wash., the ranking member on the Commerce committee, told CQ that raising the issue of pre-emption at the outset of a discussion of what the federal bill should look like is an “attempt to shut down debate . . . We need solutions, so we should not try to stop states” from having a say in protecting the privacy of consumers, she said.
Which rights to protect?
The GDPR and California privacy laws offer affirmative rights to consumers with respect to data collected by online companies. These include: the right to know what is being collected; to access such data; to delete, correct, or erase data; to carry one’s data from one company to another; and in California’s case, the right to opt out of one’s information being sold to other entities.
While GDPR defines personal information as anything that relates to an identified or identifiable person either directly or indirectly, the California law is more expansive, covering not only an individual but also data belonging to a household. The CCPA also includes, under personal information, inferences that can be drawn from mining different data sets.
This is not the first time that tension between states, federal laws and technology companies is threatening to slow down legislation. In the past 15 years, such differences stymied federal legislation on data breach notification that could have set national standards on how companies should alert consumers and regulators about loss of data.
California passed the first data breach notification law in 2003. And as Congress debated but did not pass a federal law, state after state passed their own laws, with Alabama being the latest one to approve a bill in 2018.
Julie Brill, corporate vice president and deputy general counsel at Microsoft for global privacy and regulatory affairs, advises that technology companies should coalesce around a federal data privacy law that includes three important elements. Users should have a strong control over what data is being collected, companies should be transparent in their data collection and usage, and a strong enforcement mechanism should be in place to hold companies accountable, she said.
“I think one of the problems with the conversation on pre-emption is it’s too monolithic,” Brill told CQ.
Instead of taking a rigid view that federal law should override state privacy laws, companies could consider the approach taken by the Truth in Lending Act (PL 90-321), for example, said Brill, who previously served as a commissioner at the Federal Trade Commission. That law sets federal standards for lending that financial institutions must comply with, but allows states leeway to set different standards of notification for their citizens.
“But when it comes to technical infrastructure like a security system, or infrastructure to surface information, that’s deeply technical, and you can't have two different systems. And that’s where you need harmonization,” Brill said.
Examining FTC authorities
Sarah Holland, Google’s public policy manager, said the federal law should set an objective or a goal of privacy without prescribing how to get there. The law should allow users to choose to exercise as much privacy control as they want, which may lead to some taking greater control while others may be lax in their vigilance, Holland said at a panel discussion at the RSA Conference.
A law that gives the FTC greater authority also could change companies’ calculus, Victoria Espinel, CEO of BSA, a trade group that represents software companies, told the Senate Commerce committee last month.
Giving the agency authority to use Section 5 of the FTC Act governing consumer privacy to impose fines on first-time offenders could steer technology companies into taking consumer privacy more seriously, Espinel said.
While countries that handle European citizens’ data are trying to comply with requirements of the GDPR, the law is not the one-stop shop it promised to be, said Harvey Jang, Cisco’s senior director for global data protection and privacy.
The GDPR law allows EU member states the latitude to pass legislation in as many as 50 different areas, Jang said.
As technology companies and U.S. states tangle with each other on an emerging privacy bill, they must also consider the advent of internet-connected devices — the so-called "internet of things" — that are collecting not only personal information but also behavioral data, said Sean Peasley, partner at the consulting firm Deloitte.
Internet-connected health trackers, self-driving cars and other devices that are beginning to populate homes are collecting terabytes of data on users’ behavior that could be combined with personally identifiable information leading to greater threats to privacy, Peasley said.
Despite the challenges of reaching consensus on thorny technical, legal, and policy issues, the odds of Congress passing a federal data privacy bill “are higher than they have ever been,” Brill said. “I personally give it a 30 percent chance,” she said, adding the caveat that such high odds are usually reserved for must-pass legislation such as defense appropriations bills.
Some Washington insiders, Brill said, put the realistic odds of a federal data privacy bill passing at about 3 percent.