For years, experts have been predicting that Congress would act on national privacy and data protection law.
The status quo in the U.S. is a mishmash of laws and regulations across different states and an international environment where China, the European Union and others have already put their own comprehensive legal frameworks in place. That reality, as well the potential for losing ground in the race to influence international standards, would surely force lawmakers to do something.
While there are plenty of bills that have been introduced, it hasn’t worked out that way. Every day the U.S. falls further behind international consensus, while poor or nonexistent data protection standards lead to breaches and widespread abuse of consumer and user information. As nation-state hacking groups continue to target data-rich, security-poor private actors like Equifax or pilfer data from apps that over-collect from users, it can also impact national interests.
“For us, I think not only is privacy extremely important for consumers and for organizations across the country, but for us it really is a matter of national security,” said Tatyana Bolton, policy director for cybersecurity and emerging threats at the non-profit group R Street.
Now, Bolton and a number of top policy minds with experience developing and marshaling support in Congress and the federal government have sketched out a plan for the United States to achieve a long-held goal: uniform standards to protect the data and privacy of Americans.
In separate reports developed through research and 130 stakeholder interviews across the policy community, the authors lay out three main lines of effort: passing a national data privacy and protection law; strengthening the FTC with increased budget, staff and authorities; and carving out legitimate roles for states to diverge from those standards and allow attorneys general and private citizens to bring their own lawsuits.
Path to national privacy standards goes through FTC
Bolstering the FTC, which is already responsible for enforcing a number of existing privacy laws, is viewed as a critical component for putting an effective, nationalized data protection regime in place.
Congress, through a data privacy law, should give the agency “targeted” rulemaking authorities to develop data protection regulations that go after unfair and deceptive practices. The agency most recently used that same phrase last week when it got a court to secure a $150 million fine against Twitter for misusing user security data for advertising purposes between 2013 and 2019. The commission has also indicated that it could create additional rules “to curb lax security practices, limit surveillance abuses and ensure that algorithmic decision-making does not result in unlawful discrimination.”
The authors looked at four proposed comprehensive privacy laws that have been introduced in the Senate: the Consumer Online Privacy Act by Washington Democrat Maria Cantwell; the SAFE Data Act by Mississippi Republican Roger Wicker; DATA 2020 by Ohio Democrat Sherrod Brown; and the Consumer Data Privacy and Security Act by Kansas Republican Jerry Moran.
Through those bills, they identified specific areas where the FTC might focus on new regulations. They include ideas like making it easier for users to opt out of data collection practices or requiring their explicit consent, identifying “sensitive covered data” elements that would be subject to more stringent standards, requiring businesses to respond to user privacy complaints in a timely fashion and establish regulations for the collection of permanent and unchanging biometric data.
Their plan would also shower the FTC with $500 million in increased funding to create a new Bureau of Data Security and Privacy (something Congress is currently mulling) and hire technologists, lawyers and support staff to handle the increased volume of complaints and investigations.
While they recommend Congress make legal changes to make it easier for the FTC to initiate investigations and issue fines, the ultimate goal should be changing the behavior of companies and other organizations when it comes to securing data and reducing unnecessary collection.
“Really, we want to get to compliance. We don’t want this to just be paid collection of fines,” said Lauren Zabierek, executive director of the cyber project at the Harvard Kenney School’s Belfer Center and a contributor to the report. “Right now [the FTC] is completely under-resourced, but what we’re saying is give them $500 million for more people … we want more technologists, more privacy experts in addition to other lawyers and support personnel, [as well as] additional funding for infrastructure upgrades and tech.”
R Street also believes this would also require harmonization with or carve-outs to a range of existing federal laws that cover privacy and data protection, including major laws like the Health Insurance Portability and Accountability Act, the Child’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act and others.
The question of just how much leeway a federal law should give states and their own laws and policies is an age-old question in American policy. However, the authors argue it is not a choice between total dominance or capitulation.
“A balance can be achieved by having a uniform federal privacy law that can preempt states on substantive provisions covered at the federal level but also preserve existing privacy-related federal frameworks and carve out areas for traditional state authority and emerging areas,” one of the reports note.
Many of these ideas are known or have been debated before but Congress has declined to act on a national law thus far. Some of the authors, like Bolton and Cory Simpson, were part of the Cyberspace Solarium Commission, one of the most successful independent commissions ever when it came to translating policy ideas to legislative reality.
Simpson noted that proponents of a national privacy law shouldn’t lose sight of the fact that the idea remains extremely popular with the general public, or the cumulative effect of broader acknowledgement in Congress over the past decade that the nation’s data privacy policy is inextricably tied to its cybersecurity and national security policy.
"I do think you look at this and think ‘What’s different in the moment in which we stand that may actually be the weight on the scale that finally tips this?’ and I do think it’s [national security],” said Simpson, who served as a senior advisor at the Cyberspace Solarium. “I think when you look at it in the contexts of how much not having this at the federal level is hurting us internationally with our diplomatic relationships and in terms of our security, I think that may be sort of the thing that finally galvanizes the political will.”