Senator Brown Blazes a New Path to Privacy
U.S. Sen. Sherrod Brown (D-OH) may have just shown us the future – a new all-encompassing method of regulating the privacy of personal information.
On June 18, 2020, Senator Brown, the ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, released the Data Accountability and Transparency Act of 2020 in discussion draft form. The bill rejects the existing models of privacy laws and proposes to severely limit the collection, use, and sharing of personal data. The proposal would also establish a new independent agency dedicated to privacy protections. Senator Brown compared privacy policies to fine print, and called on his colleagues in government to move away from the “consent model’ of privacy, because consumers “end up giving far too much data” away.
In an attempt to shift the burden from consumers to businesses, the proposal prohibits a data aggregator from collecting, using, or sharing any personal data unless the “data aggregator can demonstrate that personal data is strictly necessary to carry out a permissible purpose.” Data aggregator does not refer to a data broker, but is defined to include “any person that collects, uses, or shares an amount of personal data that is not de minimis.”
The bill also would create a “duty of care” to the data aggregator to “maintain reasonable security procedures and practices, including administrative, physical, and technical safeguards, appropriate to the nature of the personal data.” When data is collected under a permissible purpose, it is only allowed to be retained for the period “strictly necessary to carry out a permissible purpose.” Further, there would be a restriction on sharing personal data to service providers and affiliates.
Permissible purposes include providing a good, service, or specific feature requested by an individual in an intentional interaction, compliance with applicable law, conducting research (but only to the extent that anonymized data would not suffice), employment administration and for journalism. Permissible purposes also include the development and delivery of advertisements, but the data aggregator is prohibited from advertising “based on the use of any personal data collected or stored from previous interactions with the individual.” Senator Brown’s bill would also establish within the executive branch an independent agency which would be known as the ‘‘Data Accountability and Transparency Agency’’ which would regulate the collection, use, and sharing of personal data.
The Data Accountability and Transparency Act is unlikely to pass in a Republican-controlled Senate, and even if there was a change in majorities, there are not any other members of the Democratic delegation signed on to the proposal. The bill did, however, garner enthusiasm from privacy activists and thought leaders. Frank Pasquale, a law professor at the University of Maryland Carey School of Law referred to this bill as the gold standard for privacy reform. The Interim Associate Director and Policy Director, Electronic Privacy Information Center, Caitriona Fitzgerald touted the formation of an independent privacy agency in expressing EPIC’s strong support for the proposal. Ed Mierzwinski, Senior Director of the Federal Consumer Program at U.S. PIRG lambasted the “notice and consent regime that serves data collectors well, but fails consumers” and emphasized the burden shift that Senator Brown’s bill proposes.
There is no indication that the Data Accountability and Transparency Act of 2020 has any momentum, beyond the potential of pushing the Overton Window of acceptable discourse but it is significant that the ranking member the U.S. Senate Committee on Banking, Housing, and Urban Affairs is pursuing this action. A Pew Research study indicated that 75% of adults say there should be more regulation than there is now. Going from not having a comprehensive federal privacy law to the near repeal of big data would create whiplash, and would mean system-wide changes for many companies. But by mere proposal, we may be sniffing the next era of privacy regulation.