The future of privacy and cybersecurity under President-elect Trump – with a Republican-controlled House and Senate – is far from certain, but his campaign comments indicate an emphasis on robust cybersecurity, perhaps with more openness to both offensive as well as defensive initiatives.
Although few detailed policies have been revealed, the President-elect has called for an immediate review of cybersecurity vulnerabilities with an emphasis on critical infrastructure. No doubt reflecting a public-privacy partnership approach that will be seen elsewhere, this review is slated to include individuals from the military, law enforcement, and the private sector. From the context of his comment, it seems that this review would result in a focus on critical infrastructure and efforts to bolster its weaknesses.
At the same time, we can expect significant adjustments to regulations and regulatory enforcement discretion in the privacy sphere. Privacy at present is marked by a complex, intertwined and overlapping group of federal statutes and state prohibitions that form a patchwork across various sectors. For instance, more than 50 federal and state statutes mandate various different disclosures after a data breach. This area would seem ripe for elimination of overlapping statutes and regulations in the name of simplifying the burdens on business.
Trump may also be active on encryption as well if his previous statements are a guide. During the campaign, he called for a boycott when a company refused to provide a backdoor to its security features following the San Bernardino attack. He may as President seek legislation requiring private corporations to provide encryption keys or otherwise reduce information security protections on private devices.
Change may also come to the Federal Communications Commission. In 2015, the FCC promulgated the Open Internet Order, which reclassified broadband access under Title II of the Communications Act. Trump has called this an “attack on the internet.” An FCC staffed by Trump appointees will more than likely return to forbearance or at least restrain the Open Internet Order. Similarly, the recent report and order regarding broadband privacy, which imposed various requirements on broadband providers aimed at protecting consumer privacy, could be in line for reexamination. These rules were passed by a 3-2 vote along party lines.
Finally, the state of EU-U.S. data exchange, which was already a delicate topic, may require further examination. The President-elect could seek legislation repealing the USA FREEDOM Act or, on his own action, rescind Presidential Policy Directive 28, in the name of loosening restrictions on US signals intelligence activities in support of securing the homeland. The European Union’s willingness to create a data-sharing framework after the invalidation of Safe Harbor hinges largely on the existence of these limitations, and substantial changes in these laws could create questions about the viability of the EU-US Privacy Shield.
Nothing, however, appears to be set in stone, and so this will surely continue to evolve after January 20.