Mar 182019

The New Congress Turns to an Old Issue – The Possibility of Comprehensive Federal Privacy Legislation

Christopher Fonzone and Kristen Bartolotta
, , , ,

Even a few short years ago, it seemed unlikely that Congress would enact comprehensive privacy legislation. But a series of high profile data breaches; increasing concerns about data practices, particularly when connected to political micro-targeting; fears about the rise of autonomous, and potentially invisible, decision-making; and the passage of far-reaching foreign and now State privacy laws have all changed the zeitgeist. Congress has taken notice, and, for the past year, Data Matters has been closely following the Legislative Branch’s moves as it a federal privacy bill looks more likely than it has in a generation.

Against this backdrop, the new, 116th Congress has recently dipped its toe into the privacy waters for the first time.  On February 26, 2019, the Consumer Protection and Commerce Subcommittee of the House Energy and Commerce Committee held a hearing titled “Protecting Consumer Privacy in the Era of Big Data.” Then, the next day, the Senate Committee on Commerce, Science, and Transportation held a hearing on “Policy Principles for a Federal Data Privacy Framework in the United States.” Two weeks later, the Senate Committee on the Judiciary held a hearing titled “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and Innovation.” As laid out below, the hearings demonstrated that there is deep and bipartisan agreement that action is needed.  All three hearings also demonstrated, however, that there are tensions as to what that actions should be and why it is necessary. A consensus to do something may thus not equate to a consensus behind a specific bill or the enactment of legislation.

Broad Agreement That Action is Necessary

In our deeply divided political age, Republicans and Democrats seems to agree on one thing – the need for federal privacy legislation. Indeed, that fact was echoed over and over again during both hearings. Consider what we heard from the leadership of the relevant committees:

  • Jan Schakowsky (D-IL), who chairs the Consumer Protection and Commerce Subcommittee that held the February 26 hearing, said the following in her opening statement:  “Reports of the abuse of personal information undoubtedly give Americans the creeps. . . .  Without a comprehensive federal privacy law, the burden has fallen completely on consumers to protect themselves. This must end.”
  • During the hearing, both the Chair and Ranking Member of the full House Energy and Commerce Committee, Reps. Frank Pallone (D-NJ) and Greg Walden (R-OR), expressed the view that legislation was necessary, with Rep. Walden, the former Chair, noting that the new Democratic leadership was simply “picking up on” an issue that had been the focus of the previous Republican leadership
  • On the Senate side, Senator Roger Wicker (R-MS) opened the hearing by saying the following:  “It is clear to me that we need a strong, national privacy law that provides baseline data protections, applies equally to business entities – both online and offline – and is enforced by the nation’s top privacy enforcement authority, the Federal Trade Commission.”
  • The Ranking Member, Senator Maria Cantwell (D-WA), said she “hope[s] that Congress does grapple with privacy data legislation.”
  • Lindsey Graham (R-SC), the Chair of the Senate Judiciary Committee, also spoke about how Congress needed to learn more about these issues and how he believed there was bipartisan support for doing something constructive.
  • Finally, Dianne Feinstein (D-CA), the Ranking Member of the Senate Judiciary Committee, spoke in her opening remarks about what in particular needed to be in any federal legislation.

This bipartisan and bicameral leadership consensus was generally echoed by the other Members at the hearings, as well as the hearings’ witnesses, which, across the three hearings, ranged from civil rights and privacy advocacy groups (Color of Change, Center for Democracy and Technology) to academics to think tanks (American Enterprise Institute) to numerous companies and business groups (e.g., Business Roundtable, Interactive Advertising Bureau, Internet Association, Retail Industry Leaders Association).  In short, the consensus was that the current regime for protecting consumer privacy wasn’t really working and that consumers thus must be given more control over the collection and use of their information.

But No Clear Consensus on Precisely What Action

A public hearing is not the place where Members are going to work out the difficult drafting issues and compromises required to finalize legislation as complex as federal privacy legislation.  This is particularly the case at an initial hearing before there is even a leading bill for everyone to consider. But even if they did not get into details, the recent hearings did suggest that the broad consensus on legislation may be driven by different motivations and with a different sense of precisely what sort of federal action is needed.

The discussion over preemption demonstrated this point most clearly.  In views reflective of a broad divide heard during the hearing, Chairman Wicker’s opening statement explicitly called for a “preemptive” framework that “provides consumers with certainty that they will have the same set of robust data protections no matter where they are in the United States,” while Ranking Member Cantwell’s noted that “[w]hat is clear to me is we cannot pass a weaker federal law at the expense of states.”  Returning to this theme later, Senator Cantwell asked: “Are we here just because we don’t like the California law and we just want a federal preemption law to shut it down? I find this effort somewhat disturbing.”  Likewise, Senator Feinstein explicitly stated that she “would not support any federal privacy bill that weakens” her home state’s standard.

Even beyond preemption, difficult issues lurk. The Hearings featured high-level discussion and general agreement on some issues such as transparency and certain data rights for consumers.  There was even moderate consensus on more enforcement powers and resources for the Federal Trade Commission—although there were differences expressed on the extent to which the Commission should have rulemaking authority in this space.  But, with a few exceptions, such as the Senate Judiciary’s discussion of opt-in vs. opt-out privacy rights, the hearings did not really get into where the difficulties will arise – the details of what rights consumers would have; what obligations businesses would face; and how the scheme would be enforced.  As Senator Coons (D-DE) noted during the Judiciary hearing, the “consequences of our legislating will be significant,” such that it will be important for the Congress to arrive at a solution that not only increases data privacy and protection, but that also the United States to maintain its leadership role in the Information Age economy.

To strike this balance, if Congress does decide to pursue legislative action, it will need to come to ground on issues like: What categories of data get which protections?  For what data uses will customer have opt out rights?  Opt in rights?  Will there be a private right of action?

The hearings didn’t provide answers to these questions, and the fact that many Members were eager to criticize the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as too prescriptive and potentially innovation-sapping, while others have repeatedly praised the same developments, indicate that there may be a significant divergence of views.  As Senator Blumenthal (D-CT) put it during the Senate Judiciary Committee hearing, the devil will be in the details.  And whether Congress can agree on those details remains to be seen.

* * * * *

So what’s next?  Members in both chambers have expressed the view that the impending entry into force of the CCPA on January 1, 2020, is forcing their hands:  Chairman Wicker has noted that it “would be nice to have [legislation] on the President’s desk this year,” and Rep. Robert Latta (R-OH) stated that “time was of the essence” for Congress to act.  To that end, both the House Subcommittee on Consumer Protection and Commerce and the Senate Commerce Committee have made clear that their recent hearings were not going to be one-off affairs.  So expect more action in this space, as Congress struggles to turn the broad perceived need for legislation into something specific a sufficient number of Members can get behind.

Christopher Fonzone

cfonzone@sidley.com

Kristen Bartolotta

kbartolotta@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).