Probably not before the next election. But keep an eye on this Congress as legislators debate how to define personal data and what limits to place on how companies use it.
As we approach the one-year anniversary of Europe's General Data Protection Regulation (GDPR), Congress is again considering whether the United States should join Europe (and most major economies) by adopting some form of national data privacy and security regulation. In February, the House and Senate each held hearings on data privacy, and for the first time in years there appears to be at least some interest among the different stakeholders for national legislation.
Why Are We Talking About National Privacy Regulation Now?
Until recently, one major factor preventing a serious discussion about a national privacy law was the almost uniform opposition of Silicon Valley and the large tech companies. These companies were concerned that data privacy regulation would inhibit their ability to monetize the data they collect and prevent further innovation in the information sector.
Recently, however, the industry has started to rethink that view. As abuses of data by major tech companies have come to light, Silicon Valley leaders have come to fear that data privacy legislation may be inevitable and have moved from a posture of opposing all legislation to seeking to shape the new regime. At the same time, the nation's first state-level generally applicable data privacy law, the California Consumer Privacy Act (CCPA), is scheduled to take effect in 2020. Several other states have proposed similar data privacy laws, causing businesses to grapple with the fact that they may shortly need to comply with a patchwork of complicated and conflicting state-level regulations.
Consumer groups, meanwhile, have long wanted more stringent data privacy rules in the United States. Ironically, they recently have become less interested in a national standard because they worry that the large tech companies will shape national legislation to reduce the levels of protections now being granted or contemplated at the state level. Thus, one of the core issues that Congress will need to consider is whether any new national privacy legislation preempts state law — essentially wiping out any state-level protections (as the business lobbies desire), or if instead it sets a floor for the minimum amount of data protection allowed while still allowing states to create their own, more stringent protections (as advocated by consumer groups).
What Might Be in a US Privacy Law?
Though it is highly unlikely that Congress would model any US law after GDPR or even the CCPA, it is likely that the debate about such a law would force Congress to address some of the same issues. For example, GDPR defines a series of "rights" that individuals maintain in data about them, such as the right to know what data companies hold about them, to correct that data, and to erase it in certain circumstances. Though the United States is unlikely to elevate these kinds of protections to the level of a "fundamental human rights" (as GDPR describes them), Congress will need to consider whether to grant individuals any power to determine how or when their data is used by companies. Similarly, the United States has so far avoided mandating general security standards and does not have a national data breach notification statute; instead, each state has its own such statute. A new privacy law might well include such a national standard.
Probably the two biggest challenges facing legislators considering a national privacy law is how to define personal data and what limits ought to be placed on how companies can use such data. The US has generally adopted a fairly narrow definition of personal data — including certain health information as well as Social Security numbers and key financial information, but excluding more general information about a person, such as their political, ethnic, or sexual identity. The tech industry would prefer a narrow definition so that it can continue to monetize the vast amounts of data it collects about activities and consumer preferences — such as reading habits, hobbies, friend groups, political affiliations, and even location data — without further regulation.
Consumer groups seek to broaden the definition of personal data to prevent the kinds of practices that led to the recent Facebook scandals. Similarly, consumer groups aim to set clear limits on when and how companies can use personal data. GDPR, for example, only allows the processing of personal data if the company has one of six enumerated legal bases for doing so. US law is unlikely to be quite so restrictive but will need to find some method of describing what companies are allowed to do (or at least what they are not allowed to do).
How Would a National Privacy Law Be Enforced?
Once the contours of the restrictions are determined, Congress will then need to determine how the new privacy law will be enforced. To date, regulation of data privacy and security issues have either fallen to special agencies enforcing industry-specific privacy regulations (such as Health and Human Services, which enforces HIPAA violations, or the bank regulators, which enforce Gramm-Leach-Bliley violations) or to other federal agencies using their preexisting regulatory authority. Thus, the Federal Trad Commission has brought privacy and security actions pursuant to its authority to promote consumer protection, and the Securities and Exchange Commission has brought enforcement actions against public companies pursuant to its regulatory authority over public companies.
A new federal privacy law would create a much clearer regulatory regime and potentially a new regulator to enforce it. More controversially, consumer groups would like to guarantee that any privacy regulation allows for an individual right of action to ensure that individuals can force companies to abide by privacy regulations even in the absence of government action. It is probably unlikely that a new national privacy law will be passed before the next election, but it is worth keeping an eye on this Congress, as it may begin to shape the future of privacy and security law in the United States.