*This article first appeared in the Hill.com on November 19, 2018
With the House having now flipped, policy consensus in Congress is not likely to get any easier. But there is one subject around which countries, companies, consumers and, yes, even Congress is increasingly converging. That issue is privacy. The new privacy zeitgeist follows years of data breaches as well as new concerns about invisible data collection, political micro-targeting and manipulation, the proliferation of internet-connected devices, and a potential lack of transparency in the decisions that machines increasingly make about us.
Europe and California have already been swept up in this new zeitgeist. The EU’s “General Data Protection Regulation” went into effect on May 25, and the California Consumer Privacy Act, which largely emulates the European model, was just adopted this summer. The extraterritorial impact of the highly detailed regulations demanded by these two huge economies will certainly be a factor in motivating Congress.
Citizens and consumers care about their privacy, and have now seen other legislative bodies take action to protect it. In the information age, our federal government should lead on internet privacy, data protection and related digital practices.
The EU rule-based model for privacy will not likely be adopted lock, stock and barrel in the United States. While the GDPR offers many important protections and rights that can be adapted here – including greater transparency and data access rights – we need a robust law that fits our legal system, one that targets abuses, encourages innovation, and permits reasonable flexibility.
We also know what happens when California legislates – the rest of the country will more-or-less follow suit.
That occurred with respect to state data breach laws. In 2003, California required notification for data breaches; then, over the ensuing 15 years, every other state, district and territory adopted its own law. But these the laws, even though enacted with similar intentions, are not the same. This policy proliferation has led to unnecessary complexity. Congress has an opportunity now to avoid balkanization of data protection in the digital realm. It can build on and reconcile the different approaches the early-adopting jurisdictions have taken to protect consumer privacy.
We deserve smart and effective regulation: Call it ‘Privacy 2.0.’
Before the recent election, Democratic and Republican Senators and Representatives had introduced scores of bipartisan privacy bills. For example, Republicans Senators Mike Lee (R-Utah) and John Kennedy (R-La.) have introduced email and online privacy measures, with Democrats like Patrick Leahy (D-Vt.) and Amy Klobuchar (D-Minn.). In the House, Congressmen Joe Barton (R-Texas) and Bobby Rush (D-Ill.) joined forces on children’s online privacy with Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.). And with regard to the developing and critical field of artificial intelligence, Congressmen John Delaney (D-Md.) and Pete Olson (R-Texas) joined with Republicans and Democrats in the Senate, Maria Cantwell (D-Wash.), Todd Young (R-Ind.), and Ed Markey (D-Mass.), to support legislation that would promote innovation and competitiveness in AI while also protecting the privacy rights of individuals.
Perhaps most tellingly, in a hearing on September 26, the Republican Chairman of the Senate Commerce Committee, Jon Thune (R-S.D.), told the companies appearing before him in a hearing entitled, “Examining Safeguards for Consumer Data Privacy,” that the development of a federal privacy law “enjoys strong bipartisan support.”
Every Democrat and Republican on the Committee lined up in support of a strong federal initiative. So did each of the six tech and telecom companies testifying that day.
Sen. Thune also noted that while Congress had not yet enacted a comprehensive national privacy law, it did have a long history of passing privacy laws to protect some of the most sensitive types of personal data, such as financial and medical information and data concerning children.
Sen. Thune precisely captured the changing spirit of times when he said: “We have arrived at a moment where, I believe, there is a strong desire by both Republicans and Democrats, and by both industry and public interest groups, to work in good faith to reach a consensus on a national consumer data privacy law that will help consumers, promote innovation, reward organizations with little to hide, and force shady practitioners to clean up their act.”
The Administration is also on this wavelength. On September 25, in a move prompted by the White House, the Commerce Department issued a public request for comments on a new federal privacy framework outlined in the Federal Register. The White House approach was developed in part by drawing from risk-based models for government regulation. They hope to promote policy standards that require protective outcomes for identified harms rather than focusing on bureaucratic compliance with detailed rules. Likewise, many leading companies and trade associations have also published sets of privacy principles they would like to see reflected in comprehensive new privacy legislation.
In short, both sides of the aisle, companies of all stripes, the White House, and of course, privacy advocacy groups, really do want to protect citizens and consumers on privacy and information practices. And in principle, at least, they all also want to do it without suffocating the technological innovation and economic growth that the digital revolution has helped enable.
We didn’t say this would be easy, only that there are a good many Democrats and Republicans who want to find a way to join forces on privacy legislation.
The resulting social benefits would be unifying not polarizing. Go ahead Congress, prove us right!
**The authors are members of different political parties and practice law with different firms in Washington, D.C. Mr. Wolf is Chairman, and Mr. Raul is a member, of the Board of Directors of the Future of Privacy Forum, which Mr. Wolf founded. Mr. Raul previously served as Vice Chairman of the federal Privacy and Civil Liberties Oversight Board. Mr. Raul is a partner at Sidley Austin LLP and Mr. Wolf is Senior Counsel at HoganLovells LLP. Both authors represent companies on privacy and cybersecurity matters. The views expressed here are those of the authors only, and not of any organization, law firm or law firm client.