Could a Federal Data Privacy Law be a Reality in 2019?
From the continual evolution of the California Consumer Protection Act (CCPA) to the potential ramifications of a Brexit “no-deal” on data transfers, 2019 may be a defining point in data privacy and cybersecurity. Nowhere is this increased attention more pronounced than the growing support for US federal data privacy legislation.
With growing public concern regarding the protection of personal data, primarily related to recent massive data breaches and the emergence of increasingly sophisticated technologies, but also spurred on by regulators in other jurisdictions, most notably the European Union, it is quite possible the United States Congress will pursue federal data privacy Legislation in the 116th Congress. Proponents argue the current system of US data privacy laws, with each state having its own data privacy laws (a sectoral approach), is confusing and yields inconsistent application. For example, under the same set of circumstances pertaining to a data breach, some states’ laws may trigger breach notification obligations whereas other states’ laws would not require notification. Accordingly, any company contending with a nationwide data breach event must review, confirm and attend to compliance obligations for all 50 states, with potentially many different compliance obligations. Proponents believe a federal policy designating a single standard would simplify compliance and lessen confusion. As evidence that a uniform data protection law can support needed certainty, supporters point to the European Union’s General Data Protection Regulation (GDPR).
Recognizing public attention and concern over data privacy, the House and Senate Commerce and Judiciary Committees have held hearings on topics related to consumer data privacy and requested input from industry experts. In September and October of 2018, Senator John Thune (R-SD), the then-chairman of the Senate Committee on Commerce, Science, and Transportation, held hearings on safeguards related to consumer data privacy.
In November 2018, Senator Ron Wyden (D-OR) released a draft Consumer Data Protection Act, which was drafted to expand the Federal Trade Commission’s (FTC) regulatory and enforcement powers to, among other things, establish minimum national data privacy and cybersecurity standards. The draft would also create a system that would allow consumers stop third parties from tracking online activity and sharing data. Notably, Sen. Wyden’s legislation included provisions that would allow criminal penalties for senior executives whose companies ran afoul of the law.
Shortly thereafter, Senator Brian Schatz (D-HI) released the draft Data Care Act, which would require website, applications, and other online providers to establish practices to reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information. Pursuant to the proposed Act, these online providers would be subject to duties of “care, loyalty, and confidentiality” in the handling of personal data. The proposed Act would also grant the FTC enhanced power, including rule-making power, to implement the Act as a violation of the Act would be treated as a violation of an FTC rule with fine authority.
Recently, on January 16, 2019, Senator Marco Rubio (R-FL) announced a new privacy bill, the American Data Dissemination Act (ADDA). In contrast to the Consumer Data Protection Act and the Data Care Act, ADDA does not expand FTC authority to create and implement laws. Instead, ADDA would require Congress to pass applicable laws presented by the FTC, with the FTC ultimately gaining rule-making power if Congress is unable to pass a law within two years of ADDA going into effect. Most notably, the Act would supersede state privacy regulations, which could result in a greater emphasis on privacy rights at the federal level.
Not only are members of Congress increasingly interested in monitoring and proposing federal data privacy legislation, members of the private sector are interested as well. For example, on January 14, the Information Technology & Innovation Foundation (ITIF), a technology think-tank (supported by Amazon and Google) proposed a “grand bargain” proposal on federal data privacy legislation. This plan supports a single breach standard and would preempt and state laws. Further evidencing private sector support, Intel also disseminated a draft of a data privacy bill.
On February 27, 2019, the Senate Commerce Committee held a hearing, titled “Policy Principles for a Federal Data Privacy Framework,” to examine what Congress should do to address risks to consumers and implement data protections for all Americans. The hearing included robust debates surrounding transparency pertaining to the use of consumers’ personal information and the ability of consumers to control how companies use their personal information. We discussed this hearing in an earlier blog post.
With the House controlled by Democrats and the Senate under Republican control, it is difficult to determine what shape federal data privacy legislation will take in the in the 116th Congress, and indeed whether any progress will be made. Nonetheless, it appears this will be a very active area in the coming months, and with our sophisticated Data Privacy and Cybersecurity Practice and leading Public Policy practice, Squire Patton Boggs is situated to monitor and advise on this developing and all-important area of legislation.