Dec 272018

Debate Continues on the Future of U.S. Privacy Regulation from California to Capitol Hill

Cameron F. Kerry, Colleen Theresa Brown and Sheri Porath Rockwell
, , , , , , ,

With the midterm election out of the way, legislators on Capitol Hill and in state capitols are getting ready to consider the future of data privacy regulation in 2019 and consumer and industry groups continue to weigh in on the ongoing debate.  The debate has begun to move from principles and frameworks to drafting of legislative language.

In Washington, key leaders of congressional committees from both parties indicated that privacy legislation will be on their agendas in the next Congress.  Senator Roger Wicker (R-MI), who will take over the chair of the Senate Commerce Committee included it on his list of priorities, and Congressman Frank Pallone (D-NJ), the incoming chair of the House counterpart, announced plans to work with committee leaders in both parties toward comprehensive legislation.  In anticipation of hearings and debates, members have begun proposing bills.  On December 12,  a group of 16 Democratic Senators  released a discussion draft of the “Data Care Act” (S. 3744), which would establish duties of “care, loyalty, and confidentiality” for online providers that handle personal data.  Senator Wyden (D-OR), who has been influential on technology issues, introduced another “discussion draft” enabling consumers to opt out of data tracking that includes enforceable corporate disclosure obligations similar to those of the Sarbanes-Oxley Act.

Meanwhile, a parade of proposals from industry groups and civil society continues.  On December 6, the Business Roundtable – a group of over 200 retailers, banks and technology companies – released its own recommendations for privacy legislation, calling for a federal law that would preempt state data privacy laws like the new California Consumer Privacy Act and eliminate the patchwork of state and local data privacy laws.  On December 13, the Center for Democracy and Technology took things to a greater level of detail with a complete draft of legislation that also included preemption along with limits on data collection.

Both groups agree there should comprehensive baselines giving consumers a measure of control over the collection, use and sharing of personal data, including the right to direct that their data not be sold to third parties.  They also agree that consumers should have the right to access their personal data, albeit to varying degrees.  However, many important differences and open issues remain.

In California, a coalition of consumer and digital privacy groups (including the plaintiffs’ bar) issued an open letter on December 3 to members of the California legislature, urging them to strengthen the already far-reaching California Consumer Privacy Act scheduled to go into effect in January 2020.  In particular, the letter not only asks that “rights and protections for Californians that are already enshrined in law” not be “take[n] away”, but that the legislature amend the law to further limit companies’ internal uses of information, require additional security measures “for all personal information covered by the statute,” and expand the private right of action to ensure more privacy litigation.  Further, the letter characterizes the 30 day opportunity to “cure” noncompliance as a way for companies to “completely evade accountability.”

The California coalition seeks to expand the data privacy protections already in the California law:  New regulations should prevent businesses from “unexpected and unwanted” internal uses of consumers’ data, such as using information from a fitness app to sell advertisements about food or clothing.  The Coalition letter resists any efforts to clarify the law in a way they view as restrictive, especially with regard to consumers’ right to access and download their data.  Given the involvement of the California plaintiff’s bar as a signatory to the letter, it is no surprise that the coalition also seeks to do away with existing limits on the availability of a private right of action (currently only available for data breaches) to allow consumers to sue for violations of any aspect of the law.  Moreover, the coalition criticizes the law’s current requirement that a consumer first provide notice and an opportunity to cure prior to filing a claim.

Business Roundtable’s recommendations make the case for a federal data privacy law that preempts state laws like the California Consumer Privacy Act and applies across all industries.  Like other industry positions, as well as comments submitted in the National Telecommunications and Information Administration (NTIA) inquiry on consumer privacy, the proposal seeks to eliminate fragmentation of regulations and conflicting standards, whether at the state level (as in the California data privacy act) or across federal agencies.  The Business Roundtable is notable in proposing – with support from a spectrum of industry players including from financial services — that current sector-specific regulations should be harmonized with a national privacy law.  Under many proposals including the Business Roundtable’s and the draft Data Care Act, enforcement should be centralized in one agency – the FTC – to avoid cross-agency duplication.  Data breach responses should also be streamlined, with a national breach notification standard replacing the patchwork of state requirements.

Industry groups continue to eschew prescriptive regulations that dictate how data should be secured in favor of flexible “risk-based privacy practices” that can provide different levels of protection to different types of data and give businesses flexibility to address emerging risks as technologies evolve.   The “personal data” that would be regulated under the Business Roundtable proposal would be defined as data that “reasonably” could be used to identify an individual, rather than broader definitions such as California’s “capable of being associated with” a consumer language.  While consumers should be able to know the types of data being collected by a business and have rights to request their data not be sold and that it be deleted when no longer necessary, the Business Roundtable emphasizes that there should be no one-size-fits-all mechanism to facilitate consumer control.  As with data security measures, the Roundtable argues that businesses need to have flexibility to institute different methods of effecting consumer choice, depending on the circumstances.  The Data Care Act and CDT proposals would give the FTC rulemaking to flesh out such mechanisms.

We expect additional proposals in the months ahead as legislative hearings continue and regulatory proposals solidify both in Washington, DC and in California.  Although the Data Care Act was introduced without any Senate Republican sponsors, there appears to be room for bipartisan support for national privacy legislation. Given the divided nature of the government, though, there is no assurance that legislation will be enacted before January 2020 when California’s game-changing law is slated to go into effect.  But the impending effect of that law and onset of the next election give impetus to the debate.

Cameron F. Kerry

ckerry@sidley.com

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Sheri Porath Rockwell

Century City

sheri.rockwell@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).