Federal Privacy Legislation for the 21st Century: A Possibility With A Democratic Majority
National scandals involving privacy violations and leaks have become a staple of news coverage. From Cambridge Analytica using Facebook to manipulate the 2016 election to the surveillance of location information, as well as countless data breaches in companies ranging from Estée Lauder to Wattpad, it is difficult to miss these stories. As technology infiltrates every aspect of a COVID-19 society, the amount and types of information that companies are collecting continue to expand. According to the Harvard Business Review, the growth of technology has given companies greater access to and control of their customers' material, to the point where 90 percent of the world’s data has been compiled within the last two years. This technological expansion gave Cambridge Analytica, a political consulting firm, the ability to gather information from Facebook and use it to micro-target users in the 2016 Presidential Election, raising questions around data collection and its role in undermining democratic processes. As a result, a Pew Research Center study found that 69 percent of the testing population has a lack of faith that companies and other data collecting entities will use their personal information in ways they would be comfortable with.
Events such as the Cambridge Analytica scandal, in conjunction with the exponential growth of digital surveillance and technological changes, have shaken the world and prompted some governments to employ strong legislative regulations on data collection. One such example is the European Union’s General Data Protection Regulation (G.D.P.R.). The G.D.P.R. limits data collection and storage, keeping data protected and holding companies accountable for their actions. The protections extend to all 28 E.U. states, even if the companies and data processors are located in other countries. The United States has fallen behind in creating similar legislation. While some states like California have begun to implement their own standards, there is still no federal law regulating privacy. The lack of such regulation has the potential to seriously impact the economy. In fact, as a result of the United States' inadequate privacy standards, the European Union’s Court of Justice has invalidated the E.U.-U.S. Privacy Shield, a framework designed to facilitate transatlantic data transfer. This decision prohibits data transfers between the E.U. and the U.S., jeopardizing companies’ ability to adequately comply with E.U. regulations and conduct business unless they adopt Standard Contractual Clauses (S.C.C.s), which are predicted to be painstakingly difficult to implement. For some countries, like Germany, S.C.C.s require additional protection to competently secure personal data. As a result, the Ranking Member of the Senate Commerce Committee, Democrat Maria Cantwell of Washington, has said that “it must be a top priority” for the Biden Administration to reach an agreement with the E.U. A combination of Democrats and Republicans introduced four privacy legislation bills and two proposals in 2019 and 2020, but due to disagreements on COVID-19 measures, there was insufficient action on those proposals. The 117th Congress will need to reintroduce them.
The invalidation of the E.U.-U.S. Privacy Shield brings a new sense of urgency for lawmakers to pass federal privacy legislation. The key debates preventing the passage of enhanced privacy legislation are primarily focused on deciding whether the federal privacy bill should preempt state privacy laws and whether individuals should have a private right of action to enforce the law. Based on the Democratic control of Congress and the presidency, a form of privacy legislation that favors the private right of action while preempting state laws in cases of direct conflict will likely pass, although it will also include pathways for state laws to expand on existing legislation.
Existing U.S. privacy laws began with the United States Privacy Act of 1974, when Congress outlined important rights and limitations on data held by U.S. government agencies, such as the right to access the data and the restricted sharing of data between different departments. In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which regulates who gets to see protected health information. HIPAA also limits the marketing and selling of confidential health data. In the 1990s, Congress passed the Gramm-Leach-Bliley Act, which was intended to protect non-public personal information. Customers have the right to opt out of banks sharing information with a “non-affiliated” third party. One caveat is that it does not extend to companies affiliated with the bank or insurance company, therefore opening a loophole for information sharing. Privacy legislation was also extended to children in the Children’s Online Privacy Protection Act, which regulates personal information collected from minors and prohibits companies from asking for personally identifiable information from children younger than 12 unless consented to by a parent. Nevertheless, as the dispute with the European Union makes apparent, United States privacy legislation has fallen far behind 21st century standards and technologies, particularly with regard to social media, the Internet, and data collection.
Unlike the E.U.’s G.D.P.R., which has evolved to modern standards and allows users to know, understand, and consent to the data collected about them, the United States relies solely on the Federal Trade Commission’s enforcement mechanism. The United States isn’t standing in opposition to privacy reform; states across the Union have begun to implement their own policies. California’s Consumer Privacy Act (C.C.P.A.) revolves around the individual’s right to be informed when their personal data is collected, to request to not have data collected, to delete information, and to opt out of the sale of information. Though this policy is more extensive than those in other states, California still doesn’t go as far as the G.D.P.R. in allowing the user to correct false information. In addition, the C.C.P.A. only requires the inclusion of a notice of the right to opt out of data collection, while the G.D.P.R. needs explicit consent to collect personal data. Other states like Maine and Nevada have recently passed similar, but not as strong, privacy laws, while bills in New York, Massachusetts, Hawaii, and Maryland, among others, are still pending.
While state coverage is a good first step into Internet-age regulations, Congress must pass a federal law mandating universal coverage for states that are yet to enact their own policies. Such a law would also establish clear guidance for businesses to follow while helping to repair trade relations with the European Union. The Congressional Research Service conducted a study of the proposed privacy legislation in 2020 and found that many contained the same components. Five out of the six proposals stipulated that regulation should allow individuals the right to control their personal information, that a “defined class of entities”, meaning the person collecting the data, should take steps to respect those rights, and that legislation should create procedures to enforce those requirements. Lawmakers now wrestle over several questions: whether an existing federal agency would have the power of enforcement or a new one should be created, whether individuals should have a private right of action, and whether this law would preempt state privacy laws.
The two competing bills in the previous Congress were the Consumer Online Privacy Rights Act (COPRA), led by Democrats, and the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA), introduced by Republicans. These proposals differ on a private right of action and on the federal law's place in regard to state laws. Democrats argue that a private right of action allows individuals the right to obtain monetary compensation for mistreatment of data aside from federal agency protection; Republicans argue that a private right of action will lead to an increase in frivolous lawsuits and a stifling of small businesses that would not be able to fight the litigation, and that enforcement is already covered by the F.T.C. and appropriate agencies. On the topic of federal supremacy, those in favor argue that the federal law would sufficiently protect consumers and that the absence of this clause would create problems for companies trying to follow a patchwork of laws. On the other hand, many are concerned that a supreme federal law would negate the work done by states. Ideally, it would act as a floor rather than a ceiling.
Democrats have taken control of both Congress and the White House. Both President Joe Biden and Vice-President Kamala Harris have expressed interest in strong federal privacy legislation. The current administration is likely to favor a COPRA-like bill – strong private right of action would allow individuals to seek damages or sue companies that violate their privacy rights and state laws, but only in cases where they overlap. This would allow states to create additional protections on top of the federal law. While there may be technical compromises, Democrats have more power at the negotiating table. It may be enough to finally pass modern privacy legislation.
Democrats and Republicans agree that the privacy bill should include fundamental protections like the right of correction, which would give customers the ability to correct false information, the right of portability, which would allow customers a copy of their data, and the right of information, which would allow a customer to know the entity’s privacy policy. They also agree on clauses about notice and consent, which set requirements on how companies could use the information and allow users to opt out of data transfers and sales. The proposals include rules on ways entities could collect and protect data, stressing that it must be “no more than it reasonably needs to provide the product or service that an individual requested”.
The path to federal privacy legislation has been made clear by recent political shifts and near-consensus in both parties. However, it is the actions of the European Union that have finally brought this issue to a tipping point. Although the Democratic and Republican camps cannot agree on the right of action and state versus federal supremacy questions, the control of Congress and the presidency will sway the legislation in the direction of including both. Despite the debate, the fact that both parties have agreed to major data privacy protections, both to protect American citizens and resurrect data transfers with Europe, is a positive sign that the United States will soon, finally, enter the age of the Internet.
Katerina Kaganovich is a junior editor at CPR and a freshman at Barnard College studying political science and economics. She is an intern with the New Jersey Attorney General’s Division on Civil Rights and is interested in American government and jurisprudence.