U.S. House and Senate Debate New American Data Privacy Laws

May 1, 2019

 

U.S. House and Senate Debate New American Data Privacy Laws

In a country where 91% of citizens feel they’ve lost control of their data, U.S. lawmakers recently held hearings to discuss new national data privacy laws.

The U.S. House and Senate hearings focused on privacy legislation, transparency, and data management, looking at ways to address constituents’ demands for privacy and security. As part of the effort to increase privacy, committees discussed federal data privacy legislation and creating harsher penalties for data-handling violations.

The U.S. House’s “Protecting Consumer Privacy in the Era of Big Data” hearing

The House hearing discussed America’s lack of comprehensive privacy legislation, made even more clear by foreign federal laws, such as PIPEDA in Canada and GDPR in the EU.

The meeting opened with Rep. Jan Schakowsky emphasizing the committee’s intentions: “protecting consumers over corporate interests” and “putting consumers first.” According to Schakowsky, more than 80% of American adults are “not very confident” in the security of personal information held by social media, retail, and travel companies. And 67% of the population wants the government to step in to protect their information. As analyzing, sharing, and selling personal information has become more prevalent among companies, so, too, has the need for robust legislation that protects consumers.

So why is the hearing so long overdue, compared with other nations that already have federal privacy laws in place? The matter is complicated, according to the House committee, by the American devotion to promoting competitive markets. The U.S. government has the unique challenge of developing a consumer-focused law that provides meaningful protection for citizens and restoring Americans’ faith in business and the government, while encouraging market competition.

The Consumer Protection and Commerce committee agreed on the need for a single, preempting federal privacy law, especially given the patchwork of current and proposed state laws and proposed federal laws.

“Reports of the abuse of personal information undoubtedly give Americans the creeps. Without a comprehensive federal privacy law, the burden has fallen completely on consumers to protect themselves, and this has to end.”
– Rep. Jan Schakowsky

House Energy and Commerce Chairman Frank Pallone, Jr. submitted a report to Congress, urging them to create a comprehensive data privacy and consumer protection law. The Government Accountability Office is also encouraging Congress to proceed with a GDPR-like law. Although GDPR may seem like a natural inspiration for American data privacy laws, the House balked at the idea of using GDPR, or the similar California Consumer Privacy Act (CCPA), as models.

“Millions of dollars in compliance costs aren’t doable for startups and small businesses, and we have already seen this in Europe, where GDPR has helped increase the market share of tech companies while forcing smaller companies offline,” argued Rep. Cathy McMorris-Rodgers. Many others agreed, adding that GDPR deluged consumers with “required” notices and privacy policies that few actually read.

Chairman Pallone spoke more on privacy policies in the wake of GDPR, adding that, “It would take 76 years to read all the privacy policies for every website the average consumer visits every year.” And even if the user reads and understands the policy, they only have two options: accept the terms and conditions or don’t use the service. In the end, representatives argued, users are forced to forfeit their personal data to companies that aren’t protecting or securing that information.

On CCPA, Roslyn Slayton, a visiting scholar from American Enterprise Institute, commented that, “It’s not fair that one state gets to dictate [privacy] for everyone else.”

And Dave Grimaldi, Executive VP for Public Policy at Interactive Advertising Bureau, expressed concerns for small businesses, noting that CCPA-type fines could get out of hand: “The litigation risk could mean that if a consumer requests their data from a company, […]the company has to be able to provide that in a certain timeframe and if it doesn’t, it is in violation of the law. That litigation risk you can compound into the thousands or hundreds of thousands of requests that will multiply into the millions and billions of dollars. And that is something that smaller companies would not be able to deal with.”

Beyond GDPR and CCPA – What does an American federal privacy law look like?

During her introduction, Rep. McMorris-Rodgers outlined four principles to follow on the bipartisan path to American privacy:

1. One national standard

According to Rep. McMorris-Rodgers, there’s a strong precedent for a federal privacy law that sets the standard for consumer protection. She noted that many are aware of the burden that multiple state-level laws would create, posing the question: “But what would it mean for someone in Washington State who buys something online from a small business in Oregon to ship to their family in Idaho?” She continued, adding that, “This is a regulatory minefield that will force businesses to raise prices on their customers. Setting one national standard makes common sense, and it’s the right approach to give people certainty.”

A single standard is a lofty goal – one that will take diligence and honing to achieve.

2. Transparency and accountability

Companies need to be transparent when explaining their practices, particularly when potentially unfair or deceptive practices are involved that create severe security risks. As an example, Rep. McMorris-Rodgers brought up Google, which recently landed in hot water for including microphones in their Nest devices without disclosing that information to consumers. By implementing regulations that require increased transparency and accountability from companies, it may be possible to avoid similar privacy violations.

3. Improving data security

“Perfect security doesn’t exist online.” This statement from Rep. McMorris-Rodgers demonstrated the vast room for improvement in online data security measures. One way to improve results and performance in this area is to increase awareness – in particular, awareness of how businesses are collecting and using information, how companies are protecting information, and how people can protect themselves.

4. Small businesses

During her opening statement, Rep. McMorris-Rodgers emphasized that we must not lose sight of small to medium enterprises and the ways that heavy-handed regulations can cause them harm. Rather than introducing a law that increases privacy at the expense of innovation, stakeholders should strive for a harmonious balance of market growth and confidentiality.

The committee emphasized that this was the first of many hearings centered around American data privacy laws and comprehensive federal privacy legislation. This kickoff set the groundwork for future meetings where, hopefully, they can develop a balanced law that considers the privacy of citizens while allowing for innovation and market growth.

The U.S. Senate’s “Policy Principles for a Federal Data Privacy Framework in the United States” hearing

The second hearing, held by the Senate Committee on Commerce, Science, and Transportation, addressed how the government should handle consumer risk and data privacy protection. With jurisdiction over the FTC – the main enforcer of U.S. consumer privacy and information security protections – the Commerce Committee holds the power to make waves in the world of consumer protection legislation. The hearing set the stage for the future of “meaningful bipartisan legislation,” according to Committee Chairman U.S. Sen. Roger Wicker.

“In an age of rapid innovation in technology, consumers need transparency in how their data is collected and used,” said Sen. Wicker. “It is this committee’s responsibility and obligation to develop a federal privacy standard to protect consumers without stifling innovation, investment, or competition.”

By the end of the hearing, the Senate established a list of items to accomplish, including:

  • Empowering consumers with a higher degree of autonomy over their personal data (and how companies handle their data)
  • Preempting state legislation in favor of a federal law to regulate compliance standards
  • Permitting state attorneys general to enforce the federal law
  • Situating the FTC as the primary regulation enforcement body

Takeaways from the U.S. House and Senate hearings

U.S. consumers have expressed concerns over personal privacy and data security, but the government has yet to enact a single, comprehensive federal law that addresses these concerns. Notably, large tech companies made up most of the audience at both hearings, rather than the consumers who would be directly affected by the legislation. In the past, committees have been similarly criticized for poor representation of constituents who are affected every day by serious data breaches and information leaks caused by the lax security policies of tech companies.

What does this mean for the future of data privacy laws in the United States?

While the government has not enacted a comprehensive American data privacy law, plans are in motion. Many sources predict that 2019 may be the year for a new federal law that covers consumer data privacy, particularly as reliance on the internet and cloud computing continues to expand. Michael Beckerman, president of the Internet Association, wants a national data privacy bill signed this year. However, indications from Sen. John Thune, former chairman of the Committee, contradict that, and suggest that policy concerns for federal data privacy framework will come “in the next couple years.”

While no new laws or statutes arose from either hearing, what is important is that both the U.S. House and the Senate seem to agree: a single federal data privacy law is necessary – and in time, a data privacy law is coming. Right now, companies can prepare for future legislation by:

  • Aligning with security frameworks like NIST, ISO 27001, or COBIT 5
  • Implementing a defense-in-depth approach with user activity monitoring to secure sensitive data in cloud applications such as Salesforce or Office 365
  • Performing a comprehensive privacy and security audit

Being proactive now can put you ahead of the curve when it comes to complying with future American data privacy laws when the time comes.