February 9, 2023

Volume XIII, Number 40


February 08, 2023

Subscribe to Latest Legal News and Analysis

February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

Election 2020: Looking Forward to What a Biden Presidency May Mean for Data Privacy and Data Privacy Litigation

The United States is in the process of completing its 59th presidential election and electing its 46th president.  A change in administrations is inevitably accompanied by a change in executive priorities.  Assuming that Vice President Biden is sworn in as President on January 20, 2021, the area of data privacy will likely be of particular focus under the Biden Administration, with consequences for data privacy litigation.  Some top of mind questions regarding the anticipated impact a Biden presidency may have in this area are addressed below.  Specifically, we anticipate that a Biden Administration will likely focus on the passage of federal data privacy legislation, renegotiate conditions for EU data transfers to the US, reintroduce a cybersecurity coordinator to the White House, and increase FTC enforcement activity.  Of course, several of these issues are contingent upon which party will come to control the Senate, a question that will not be answered until the two runoff elections in Georgia are completed in early January 2021.

Will a Biden Administration be interested in pursuing privacy legislation?

It is anticipated that the Biden Administration will likely see pursuing privacy legislation as a high priority.  This is consistent with Vice President-elect Kamala Harris’ track record and interest in privacy-related topics during her career as California Attorney General and US Senator.

As Attorney General, Harris was very active in the privacy space.  During her tenure, privacy issues related to the rise of mobile devices were of particular concern.  In January 2013, her office issued a report (Privacy on the Go: Recommendations for the Mobile Ecosystem) and pushed tech giants to agree to certain principles to provide creative and forward-looking solutions that give consumers greater transparency and control (Joint Statement on Principles).  It was also during Harris’ tenure that the Privacy Enforcement and Protection Unit of the California Attorney General’s Office was created to enforce laws related to cyber privacy, identity theft and data breaches.  That office is currently responsible for enforcement of the California Consumer Privacy Act.  Additionally, in 2015, Harris also secured settlements with several large companies related to their privacy practices.  Notably, one of these settlements required the company at issue to hire a Chief Privacy Officer, the first time such a provision has been included in a settlement with the California Department of Justice.

What might be expected for the Biden Administration’s priorities?

For obvious reasons, one of the main priorities of the Biden Administration will be to revitalize the US economy.  This priority will run up against global data privacy considerations, however, in light of developments this past summer.  In July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield, a framework designed to facilitate transatlantic data transfers (you can see our webinar on the topic here).  In the aftermath of this decision, the regulatory burden and associated risks have significantly increased for companies transferring EU personal data to the US in line with the EU General Data Protection Regulation.  The legal issues involved include US surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA) (‘Section 702’), Executive Order 12333 (‘E.O. 12333’), and Presidential Policy Directive 28 (PPD-28).  A Biden Administration opens the door to potential reconsideration of, or modifications to, both E.O. 12333 and PPD-28, which could pave the way for agreement on a new transatlantic framework for the transfer of EU personal data to the US.

Many observers have also predicted that the Biden Administration will re-establish a cybersecurity coordinator position within the White House.  The White House Office of Cybersecurity, established in 2009, was eliminated under the Trump Administration and the position’s responsibilities were largely shifted to the new Cybersecurity and Infrastructure Security Agency.  The Biden Administration will likely reinstate many of these responsibilities at the White House level.

Will we finally see federal privacy legislation and what impact would this development have in the area of litigation?

In terms of immediate priorities, dealing with the public health and economic crises brought about by the COVID pandemic is likely to dominate the initial years of the Biden Administration, but the resolution of these issues may lead to the enactment of related privacy legislation.

Efficiently controlling the spread of the virus has involved and will continue to involve tracking and tracing cases, which require data collection and processing activities that involve privacy risks.  During 2020, these risks caught the attention of Republicans and Democrats alike, which led a bill introduced by Republicans in the Senate (S. 3663 – The COVID-19 Consumer Data Protection Act of 2020) and a bill introduced by Democrats in the House (H.R. 6866 – The Public Health Emergency Privacy Act).  Although both bills remain pending, should control of the Senate switch during the next Congress, it is plausible that the bill introduced by the Democrats will receive renewed attention.  The interest in enacting privacy legislation as to COVID-related information is likely to resurface in 2021 and may lead to new requirements for both government entities and organizations in the private sector, including companies collecting employee health data and guest or visitor screening data.

Interest in privacy legislation has been steadily increasing at the federal level over the past few years.

In April 2020, the Congressional Research Service released a report that compared various consumer privacy bills introduced in Congress.  The report concluded that most of the bills follow similar approaches by: (1) recognizing individuals’ rights to control their personal information; (2) requiring a defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those requirements.  The three key differences focus on: (1) which federal agency would have enforcement power; (2) whether the federal legislation should preempt state privacy laws; and (3) whether the bills should provide a private right of action.

Following the April 2020 report and as the current Congress comes to a close, the Senate has taken steps that should put fresh privacy legislation on the agenda of the next Congress.  On September 23, 2020, the Committee on Commerce, Science and Transportation held a hearing entitled Revisiting the Need for Federal Data Privacy Legislation.  In anticipation of that meeting, on September 17, 2020, Republican senators introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (“SAFE DATA”) Act.  In parallel, the Democrats have introduced the Consumer Online Privacy Rights Act (“COPRA”).

Depending on which party will take control of the Senate, the data privacy litigation landscape could be upended by preemption issues raised by federal data privacy legislation.  In the absence of comprehensive federal legislation, privacy law has proliferated at the state level.  Three states—California, Nevada, and Maine—have signed data privacy legislation, while similar legislation has been introduced in at least seventeen states, with the majority of bills pending in committee.  Additionally, at least six states have assembled joint task forces to consider data privacy issues.  Based on the number of state privacy bills that are currently pending, it is conceivable that more than half of the states could enact divergent privacy laws over the next few years.  With a potential statutory hodgepodge looming, preemption becomes a serious issue.

The proposed SAFE DATA Act would broadly preempt state privacy laws (with significant impacts, to say the least, on privacy litigation).  By contrast, COPRA views federal privacy legislation as a “floor,” and would allow states to enact stricter privacy standards if they elect to do so.  Should the Democrats gain control of the Senate, the Biden Administration will likely be inclined to sign off on COPRA, thus minimizing the impact of federal preemption.  Should Republicans maintain control, several outcomes are possible.  As one example, the Biden Administration and Democrats may compromise on the preemption provision, sacrificing it to move the legislation forward.  And, of course, it is possible that federal privacy legislation will continue to remain in limbo.

The ability of the Biden Administration to work with the Congress to find a path for resolving these differences will be a key factor in determining whether comprehensive privacy legislation can be enacted at the federal level.

What impact will the Biden Administration have on the FTC?

The Biden Administration will also likely have a significant impact on the FTC’s enforcement priorities, as it is anticipated there will be increased FTC enforcement activity.  This increased enforcement may have ripple effects in privacy litigation.  One example concerns litigation alleging negligence per se under state law.  Generally, negligence per se is a theory whereby an act is negligent as a matter of law solely on the basis that it violates a statute or regulation.  To put it otherwise, negligence per se bypasses the traditional “reasonable person” standard by focusing upon three issues, which are whether:  (1) the defendant violated a statute or regulation that sets forth a standard of care; (2) the plaintiff is a member of the class that the statute or regulation is designed to protect; and (3) the plaintiff suffered an injury that the statute or regulation was designed to prevent.  Some courts have already expressly held that a violation of Section 5 may serve as the basis of a negligence per se claim.  Perdue v. Hy-Vee, Inc., 455 F. Supp. 3d 749, 760-61 (C.D. Ill. 2020).  Accordingly, with an increase in enforcement, the data privacy landscape for suits involving private parties may also shift.

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 317

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

Glenn Brown Data Privacy & Cybersecurity Attorney Squire Patton Boggs Atlanta., GA
Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

Aaron Garavaglia Insurance Litigation Attorney Squire Patton Boggs Washington DC

Aaron Garavaglia focuses his practice on litigation, including insurance-related matters. As a litigator, he has worked with and addressed employment practices liability insurance policies, mass tort claims, insolvent insurers, captives and complex commercial litigation matters.

While in law school, Aaron interned at the US Department of Justice, US House of Representatives and US Court of Appeals for the Federal Circuit. Additionally, he was Senior Federal Circuit Editor for the American University Law Review.

Prior to law school, Aaron was a paralegal for an...