
“Becoming reality: Federal Data Privacy legislation in the United States”

By Carolin C. Brucker Cabe, LL.M., an Associate at XPAN Law Group, LLC.

It has been a week full of hearings in Washington, D.C., and their subject matter could hardly be of greater interest to anyone working in the data privacy industry. Both the House and Senate held hearings this past week, setting in motion the legislative process for federal privacy legislation, something that industry representatives, data privacy associations, and advocates alike have been anticipating for quite a while. It is good to see that legislators from both parties voiced support for comprehensive and bipartisan legislation – a rather rare sight in Washington, D.C. lately.

First hearing of the week:

The Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce held a hearing on Tuesday, February 26, 2019, titled “Protecting Consumer Privacy in the Era of Big Data”. Energy and Commerce Chairman Frank Pallone, Jr. (D-NJ) said in his opening statement that this hearing would be “the beginning of a long overdue conversation” and that “[i]t is time that we move past the old model that protects the companies using the data, not the people”. Further, he stated that he “plan[s] to work with [his] colleagues on both sides of the aisle to craft strong, comprehensive privacy legislation that puts consumers first”.

The witnesses heard during the hearing were a mix of industry representatives and privacy advocates (for a list of witnesses and their testimonies, please see here).

Central points of discussion, among others, included the extent to which the California Consumer Privacy Act (CCPA) (you can find a breakdown of the CCPA on our blog here) and the European Union’s General Data Protection Regulation (GDPR) (detailed information on the GDPR can be found on our blog as well) should serve or not serve as models; the scope of federal preemption of state privacy requirements; individual data subject rights in controlling activities related to their data; and expanded enforcement powers for the Federal Trade Commission (FTC). For the full content of the hearing, a live stream is available to watch here.

During the hearing, support for some form of federal privacy legislation was expressed. Witnesses and subcommittee members suggested that one goal should be to strengthen protections for consumers and provide uniform national standards. The witnesses and subcommittee members were also substantially in consensus that the CCPA and the GDPR would provide good points of reference for federal privacy standards, but would in some aspects potentially harm innovation and competition due to overly prescriptive approaches.

Furthermore, hearing participants universally called for expanded FTC enforcement powers due to the fact that the current notice-and-choice system of privacy protection would place substantial burdens on consumers. Rep. Jan Schakowsky (D-IL), chair of the subcommittee, highlighted in her opening statement that

“[w]hile many companies claim to provide notice and choice to consumers, the truth is this provides little real protection. Who has the time to wade through the dozens of privacy policies that impact them daily? How many people think about being tracked through their phones or by the overhead lights in a store? And often the only ‘choice’ they have to avoid data collection is not to go to the store or use an app”.

In her view, which was echoed by Frank Pallone, Jr. (D-NJ), “the burden has fallen completely on consumers to protect themselves”, and this must come to an end. Finally, she called for expanded FTC enforcement powers. She stated that “[i]t is important to equip regulators and enforcers with the tools and funding necessary to protect privacy” and at the same time described the need to understand why the FTC has not used its existing tools and authority.

Republicans in particular highlighted the compliance problems caused when companies have to operate under a patchwork of state laws, emphasizing the importance of establishing national standards that would trump state requirements and arguing that putting in place uniform federal standards would make more sense.

Second hearing of the week:

The patchwork of state laws, among other issues, was also a topic at the second hearing of the week, which took place on February 27. That day, the Senate Committee on Commerce, Science, and Transportation held a hearing on “Policy Principles for a Federal Data Privacy Framework in the United States”. For the full content of the hearing, a live stream is available here.

The witnesses heard during the hearing were drawn from industry associations and academia (for a list of witnesses and their testimonies, please see here).

Sen. Roger Wicker, R-Miss., the committee’s chairman, stated in his opening statement that “[i]t is clear that we need a strong, national privacy law that provides baseline data protections, applies equally to business entities – both online and offline – and is enforced by the nation’s top privacy enforcement authority, the Federal Trade Commission”.

He further made clear that “Congress needs to develop a uniquely American data privacy framework that provides consumers with more transparency, choice, and control over their data. This must be done in a manner that provides for continued investment and innovation, and with the flexibility for U.S. businesses to compete domestically and abroad”. With regard to state laws, he pointed out that “[i]t is important to note that a national framework does not mean a weaker framework than those that have already passed in the U.S. and overseas or being contemplated in the various states. Instead it means a pre-emptive framework that provides consumers with certainty that they will have the same set of robust data protections no matter where they are in the United States”.

In order to achieve this, a proposal was made to copy key parts of the GDPR which “sets data protection obligations for businesses”, “giving consumers choices over how their personal information is handled”, according to an article published in The Gazette.

Witnesses and lawmakers agreed that the FTC should have primary enforcement authority for any new data privacy legislation. In their view, the FTC should be given civil penalty authority, rulemaking authority and additional resources for enforcement. Several witnesses further suggested that state attorneys general should have concurrent enforcement authority with the FTC.

Conclusion:

It will be interesting to see where the legislative path leads. Since witnesses and committee members alike already seem to agree on the role the FTC should play under a unified privacy law, it can be expected that this point (one of many still in need of a solution) might be targeted first. The extent to which the GDPR or CCPA will indeed serve as the key models for a federal privacy act might be a more heavily debated and controversial aspect of the hearings to follow. Because both regulations, in the opinion of some committee members, also seem to burden companies' innovation and competition through overly prescriptive approaches, it might be more difficult to agree on a path here. XPAN Law Group, LLC will continue to monitor the developments closely and provide periodic updates over the course of 2019.

***

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.