Advertisement

Will the US Introduce a National Privacy Law Anytime Soon?

Probably not before the next election. But keep an eye on this Congress as legislators debate how to define personal data and what limits to place on how companies use it. As we approach the one-year anniversary of Europe's General Data Protection Regulation (GDPR), Congress is again considering whether the United States should join Europe (and most major economies) by adopting some form of national data privacy and security regulation. In February, the House and Senate each held hearings on data privacy, and for the first time in years there appears to be at least some interest among the different stakeholders for national legislation. Why Are We Talking About National Privacy Regulation Now? Until recently, one major factor preventing a serious discussion about a national privacy law was the almost uniform opposition of Silicon Valley and the large tech companies. These companies were concerned that data privacy regulation would inhibit their ability to monetize the data they collect and prevent further innovation in the information sector. Recently, however, the industry has started to rethink that view. As abuses of data by major tech companies have come to light, Silicon Valley leaders have come to fear that data privacy legislation may be inevitable and have moved from a posture of opposing all legislation to seeking to shape the new regime. At the same time, the nation's first state-level generally applicable data privacy law, the California Consumer Privacy Act (CCPA), is scheduled to take effect in 2020. Several other states have proposed similar data privacy laws, causing businesses to grapple with the fact that they may shortly need to comply with a patchwork of complicated and conflicting state-level regulations. Advertisement Consumer groups, meanwhile, have long wanted more stringent data privacy rules in the United States. Ironically, they recently have become less interested in a national standard because they worry that the large tech companies will shape national legislation to reduce the levels of protections now being granted or contemplated at the state level. Thus, one of the core issues that Congress will need to consider is whether any new national privacy legislation preempts state law — essentially wiping out any state-level protections (as the business lobbies desire), or if instead it sets a floor for the minimum amount of data protection allowed while still allowing states to create their own, more stringent protections (as advocated by consumer groups). What Might Be in a US Privacy Law? Though it is highly unlikely that Congress would model any US law after GDPR or even the CCPA, it is likely that the debate about such a law would force Congress to address some of the same issues. For example, GDPR defines a series of "rights" that individuals maintain in data about them, such as the right to know what data companies hold about them, to correct that data, and to erase it in certain circumstances. Though the United States is unlikely to elevate these kinds of protections to the level of a "fundamental human rights" (as GDPR describes them), Congress will need to consider whether to grant individuals any power to determine how or when their data is used by companies. Similarly, the United States has so far avoided mandating general security standards and does not have a national data breach notification statute; instead, each state has its own such statute. A new privacy law might well include such a national standard. Advertisement Marvel Stuff Probably the two biggest challenges facing legislators considering a national privacy law is how to define personal data and what limits ought to be placed on how companies can use such data. The US has generally adopted a fairly narrow definition of personal data — including certain health information as well as Social Security numbers and key financial information, but excluding more general information about a person, such as their political, ethnic, or sexual identity. The tech industry would prefer a narrow definition so that it can continue to monetize the vast amounts of data it collects about activities and consumer preferences — such as reading habits, hobbies, friend groups, political affiliations, and even location data — without further regulation. Consumer groups seek to broaden the definition of personal data to prevent the kinds of practices that led to the recent Facebook scandals. Similarly, consumer groups aim to set clear limits on when and how companies can use personal data. GDPR, for example, only allows the processing of personal data if the company has one of six enumerated legal bases for doing so. US law is unlikely to be quite so restrictive but will need to find some method of describing what companies are allowed to do (or at least what they are not allowed to do). How Would a National Privacy Law Be Enforced? Once the contours of the restrictions are determined, Congress will then need to determine how the new privacy law will be enforced. To date, regulation of data privacy and security issues have either fallen to special agencies enforcing industry-specific privacy regulations (such as Health and Human Services, which enforces HIPAA violations, or the bank regulators, which enforce Gramm-Leach-Bliley violations) or to other federal agencies using their preexisting regulatory authority. Thus, the Federal Trad Commission has brought privacy and security actions pursuant to its authority to promote consumer protection, and the Securities and Exchange Commission has brought enforcement actions against public companies pursuant to its regulatory authority over public companies. A new federal privacy law would create a much clearer regulatory regime and potentially a new regulator to enforce it. More controversially, consumer groups would like to guarantee that any privacy regulation allows for an individual right of action to ensure that individuals can force companies to abide by privacy regulations even in the absence of government action. It is probably unlikely that a new national privacy law will be passed before the next election, but it is worth keeping an eye on this Congress, as it may begin to shape the future of privacy and security law in the United States.

Cracking Down on Botnets

Although there is no silver bullet solution for mitigating the risk of botnets, there are a number of helpful best practices.

UK Govt. will fine websites with harmful content

The UK government has suggested new online safety laws that could see internet sites fined and their bossed held personally accountable if they fail to protect users from harmful content like terrorist propaganda and child abuse.

VMWare up their game in virtualisation security

In a drive to grab market position in virtualisation software, VMware is seeking to make inroads into the security market by supporting a new approach to security that focuses on applications and enabling developers and employees to work unimpeded by security.

Top Cyber News

Just under half of A.I. start-ups in Europe have almost nothing to do with A.I., research finds

Just under half of A.I. start-ups in Europe have almost nothing to do with A.I., research finds

05 March, 2019

Nearly half of the companies in Europe that call themselves AI start-ups don't in fact use artificial intelligence, a ne...

Nearly all Europes operators to offer 5G services to sport events’ organisers

Nearly all Europes operators to offer 5G services to sport events’ organisers

13 March, 2019

The study is based on a survey of C-level and other senior decision makers from 60 of the world’s 100 largest operator...

Fibre reacts autonomously for the first time to changing net conditions

Fibre reacts autonomously for the first time to changing net conditions

06 March, 2019

The live field trial showcased fibre optic transmission systems autonomously adapting to changing network conditions in ...

Cryptominers Still Top Threat but Coinhive's Shutdown Could Change That

Cryptominers Still Top Threat but Coinhive's Shutdown Could Change That

12 March, 2019

Coinhive has remained on top of Check Point Software's global threat index for the last 15 months. ...

Blockchain spending in Europe will be $800 million this year

Blockchain spending in Europe will be $800 million this year

01 April, 2019

The findings were published in IDC's latest Worldwide Semiannual Blockchain Spending Guide. ...

Cracking Down on Botnets

Cracking Down on Botnets

15 April, 2019

Although there is no silver bullet solution for mitigating the risk of botnets, there are a number of helpful best pract...

Categories

External Links

About Us

Follow Us