Consumer privacy and data security is increasingly the hot issue in cybersecurity policy circles, something that lawmakers, industry groups, and consumer advocates all agree should be addressed by the new Congress, as well as by senior members of the executive branch and regulatory agencies.
Alleged misuse of data by Facebook and other social media companies and recent regulatory action by several states and the European Union are driving the push to apply some kind of enforceable national standards to companies that handle individuals’ personal data, such as Social Security or driver’s license numbers or financial account information.
In June, California passed the California Consumer Privacy Act, which gives consumers greater control over how their personal data is collected and used. These regulations, like the EU’s sweeping General Data Protection Regulation, apply to any company, anywhere, that handles the data of its respective citizens. In addition to California, New York and Massachusetts have their own data laws, also applying to companies throughout the country. This fact, along with the fact that the EU’s rules are also affecting American companies, has rankled lawmakers, spurring Democrats and Republicans — from very different perspectives — to call for a national privacy standard.
Calls increased during the just-expired 115th Congress to “do something” that would put a formal U.S. stamp on privacy policy, something incoming leaders of the new 116th Congress say ranks high on their priority lists. “It is the view of most that a privacy bill must be passed, because of the impending California law and GDPR issues,” said a former high-ranking administration cyber official. However, the source added, this has caused “everyone” to draft their own bill, which will increase the difficulty of passing one. “If there were one member in the House and one member in the Senate who was clearly in the lead and all stakeholders were working with those members, it would be much easier to pass. As it stands, I think the odds are 50/50, which is very high for a privacy bill but not high for ‘must pass’ legislation.”
A group of 15 Democratic senators, led by Hawaii’s Brian Schatz, introduced a privacy bill in December that would direct the Federal Trade Commission to write enforceable rules on what companies must do to protect consumers’ privacy, as well as to draft a standard for notifying people when their data has been breached. This measure sets a marker for where many Senate Democrats want to go on the issue, and potential presidential candidates Amy Klobuchar, D-Minn., Cory Booker, D-N.J., and Sherrod Brown, D-Ohio, are among those who signed on. But Sen. Mark Warner, D-Va., a leader on cyber issues, and a potential presidential contender himself, has said he’ll offer a different privacy bill next year that directly confronts challenges raised by social media platforms. Other White House hopefuls are eyeing the issue as well, including Sens. Bernie Sanders, I-Vt., and Elizabeth Warren, D-Mass.
But the issue holds bipartisan interest among congressional lawmakers, beyond simple 2020 gamesmanship. Incoming Senate Commerce Chairman Roger Wicker, R-Miss., marks it a priority, as does the new ranking member, Sen. Maria Cantwell, D-Wash. Incoming House Energy and Commerce Chairman Frank Pallone, D-N.J., cited consumer privacy and data security as one of his top issues right after Democrats won the House in November. The House and Senate commerce panels are likely to be center stage for the privacy debate, but the judiciary and other committees have jurisdictional claims as well, a congressional reality that usually reduces the odds of something actually getting passed.
Megan Brown, of the law firm Wiley Rein, said the shape of the upcoming debate is still “unpredictable” and noted that “some Senate Democrats have been out in front with draft bills, but they haven’t yet found a dance partner across the aisle for their more aggressive proposals.” She predicted debate will be “heavily shaped by the parts of the business community that have embraced uniform national federal privacy policy” and suggested proposals will coalesce around codifying the FTC’s role in setting privacy standards.
Meanwhile, senior Trump administration officials and the president’s appointees at the FTC have begun exploring the dimensions of proactive U.S. privacy policy. Commerce Department agencies, such as the National Institute of Standards and Technology and the National Telecommunications and Information Administration, have launched efforts to craft standards in concert with industry and online-privacy advocates. Major proposals have already been offered by groups, most prominently the pro-consumer Center for Democracy and Technology and the Business Roundtable. Business Roundtable maintains that a federal law must pre-empt all state privacy laws. In a bid for consensus, CDT’s proposal agrees on pre-emption of most state statutes, with the exception of data-breach notification laws; for this, they’re already weathering blowback from other digital rights groups that oppose any pre-empting whatsoever.
According to Ari Schwartz, a former White House cybersecurity director, concerns like data-breach notice “add another layer of complication to an already complicated issue” — particularly when considering the excessive number of proposals, including at the state and local levels. “That should and does concern responsible federal legislators, regulators and the private sector, who have to try and stay on top of each new idea,” Brown warned. “It should concern the privacy advocates, too, because state regulation in this area risks consumer confusion and inefficiency.”
But Olivia Rose, director of Global Executive Risk Solutions at the security firm Kudelski, warned pointedly that “California’s recent efforts around regulation and privacy demonstrate there’s an appetite for [this] kind of cybersecurity regulation … Whether it’s at the state level or national, we should expect both to begin to consider privacy and breach notification legislation, efforts that are already underway.” And, she said, “We can also expect industry lobbyists to try to push for a single, federal [privacy] standard that is watered down. Either way, these efforts need to be monitored closely because, depending on the final product, such legislation could create substantial new burdens on U.S. businesses.”