The US Federal Privacy Law Picks Up Steam
As the adoption of the EU General Data Protection Regulation (GDPR) created a domino effect across the world, leading to more and more countries adopting data protection legislations, the US, that was, until recently, strongly in favor of self-regulation, is now debating the idea of a federal privacy law that will regulate data protection nationwide, rather than leaving the issue of privacy to be settled at state level.
What triggered this change of heart? A string of high-profile data breaches and, most of all, the Cambridge Analytica scandal which saw a consulting firm harvesting the data of millions of Facebook users and using it to influence their political views, raised public awareness on the dangers of unchecked data collection and use. A survey conducted by the Pew Research Center showed that roughly half of Americans believe their data is less secure now than it was five years ago.
Growing concern over data privacy and the entry into force of the GDPR, lead to legislation initiatives appearing at state level across the US. In 2018, California passed the Consumer Privacy Act, the most exhaustive and consumer-friendly privacy law in the US, setting an example other states are now looking to follow.
The tech industry rallies behind a nationwide privacy law
Last week, networking giant CISCO joined the chorus of tech industry voices calling for a US Federal Privacy legislation. In a blog post published by its top lawyer, Mark Chandler, CISCO called for “a comprehensive US federal data protection legislation anchored to core principles of transparency, fairness, and accountability because the right to privacy is a fundamental right.”
The statement comes only three months after Apple CEO Tim Cook’s headline-grabbing speech at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels in which he spoke of the dangers posed by uncontrolled data collection and use that allows for private and everyday information to be “weaponized against us with military efficiency.”
While Apple, whose main source of income comes from the sale of hardware such as iPhones and Macs and cloud services rather than user-targeted online advertisements, has always advocated for strong standards in data privacy, it was the first time it explicitly called for the adoption of a federal privacy law.
Intel went one step further and not only did it show support for a potential legislation, but drafted its own model for a federal privacy law with the aim to inform policymakers and spark a discussion on personal data privacy.
While their public statements emphasize the dangers of unregulated data collection, a concern for individuals’ privacy and the advantages of one all-encompassing data protection law instead of 50 distinct state laws, privacy advocates are skeptical of big tech’s intentions.
Alastair MacTaggart, the U.S. privacy campaigner who spearheaded the California Consumer Privacy Act (CCPA), claims that tech giants’ priorities changed in the wake of the CCPA’s adoption and that their new-found enthusiasm for federal legislation is linked to their hopes of influencing the passing of lax federal rules.
Federal Privacy Law Proposals
The debate surrounding the legislation however is not a purely theoretical one. Several data privacy bills have been introduced in the current session of the US Congress. The most notable of these, the so-called Consumer Data Protection Act (CDPA) was proposed by Senator Ron Wyden of Oregon in November 2018 and is the most comprehensive privacy bill to date. Like the CCPA it sets a clear application threshold: only companies that generate $50 million or more in annual revenue and collect personal information on more than one million consumers would fall under its incidence. It assigns the Federal Trade Commission (FTC) the responsibilities of a data protection authority, including the power to issue cease and desist orders and fines similar to those enforced under the GDPR of up to 4% of a company’s gross annual revenue for noncompliance.
The National Telecommunications and Information Administration (NTIA) started a discussion on a national approach to consumer privacy by requesting comments on a set of privacy outcomes proposed by the Trump Administration that any national privacy framework should contain. These included, among others, transparency, security safeguards and reasonable user access to data.
The US Chamber of Commerce that previously advocated for self-regulation, announced its support for a national privacy framework and released a set of privacy principles policymakers should consider when drafting a privacy bill. While it considers transparency and the need for data breach notifications essential, it also argues for harm-focused enforcement that promotes efficient and collaborative compliance rather than an adversarial enforcement system, in effect suggesting that a federal privacy framework should not create a private right of action for privacy enforcement.
At the other end of the spectrum, a group of consumer and privacy organizations that include the Center for Digital Democracy, the Consumer Federation of America and the Electronic Privacy Information Center, made a framework proposal that calls not only for the granting of private rights of action, but the creation of a federal data protection agency independent of the FTC and a broad definition of personal data.
Towards a US Federal Privacy Law
As debates around a nationwide privacy framework intensify, 2019 might be the year when the US proposes and passes its answer to the GDPR. With the democrats now controlling the House, the bill is likely to be a priority as its passing is sure to be considered a political win given prevailing public anger over data vulnerability and the increasing number of data breaches.
The tech industry’s own change of tune is a sign of the law’s inevitability: big companies have given up fighting against it and have instead turned to lobbying to ensure a federal privacy law will not have catastrophic consequences on their bottom lines when it will be adopted.
While the final provisions of the bill are likely to come to light only at the end of a bitter fight between legislators, lobbyists and advocates, companies can prepare by taking measures to ensure that the data they collect is secure, used only for the purposes it was collected and consumer consent is well documented.