Security and policy experts in a video discussion hashed out the possibility of federal legislation on privacy picking up momentum and what such a law might bring to the security and data arenas.
How data is gathered, securely stored, used, and even sold has increasingly become top of mind for the public and politicians, along with the accountability placed on companies that touch such data -- but federal data policy that speaks to such matters is still not on the books.
Data privacy laws can be found in other forms and jurisdictions. Policies such as the California Consumer Privacy Act are meant to give consumers in that state more control over their information that businesses might use. The General Data Protection Regulation (GDPR) is a European Union law governing data privacy and protection. While the Health Insurance Portability and Accountability Act introduced federal policy specifically on the disclosure of patients’ health information, there has yet to be legislation that speaks to broader data privacy at the national level.
Hosted by the International Association of Privacy Professionals (IAPP), the conversation brought together Tatyana Bolton, policy director for cybersecurity and emerging threats at R Street Institute, and Sara Collins, senior policy counsel at Public Knowledge.
Cobun Zweifel-Keegan, managing director for Washington, DC, with IAPP, moderated the LinkedIn Live session, which was built around the notion that there may be consensus growing for federal privacy legislation to move forward. Competing bills previously made the rounds in Congress, but stalled. Though no new legislation has been introduced, the conversation explored how such policy might unfold.
Zweifel-Keegan said the discussion was framed to avoid the politics of policymaking to focus on what the emerging consensus seems to be and practical realities of potential legislation.
Optimism flavored Bolton’s remarks as she spoke on pieces of similar comprehensive legislation introduced in recent years. “We have legislation that’s already starting from a fairly good point in the sense that there’s a lot of things that have already been agreed to,” she said. As far as specific legislation, Bolton said draft bills from Sens. Roger Wicker, R-Miss., Maria Cantwell, D-Wash., and Jerry Moran, R-Kan., merited attention for the discussion.
Collins said there was a discussion draft released by the House of Representatives at the end of 2019 that, while a bit stale, represented the most recent known thinking of the committee. “If you look at Cantwell, if you look at Wicker, if you look at the discussion draft, you start to see vectors of similarity,” she said. That includes data minimization and figuring out permissible purposes such as reasonable data processing. There are more in Congress, Collins said, who may also have influential positions on this type of legislation, including Rep. Cathy McMorris Rodgers, R-Wash., Sen. Kirsten Gillibrand, D-N.Y., and a number of others.
Bolton said some of the differences among the various federal privacy bills, as well as state bills, include how they define sensitive covered data and which entities are covered. “All of them have different interpretations of which companies should comply,” she said. “Are we talking about credit card processors or are we excluding companies that only process your information for credit card transactions or are we just talking about data brokers?”
There are also questions about whether there would be limits on how much the entity makes, whether through sale of information or just in terms of revenue, Bolton said.
Preemption of State Law
Getting states on board with new federal policy may take some compromises on such things as preemption of state law. Bolton said different ways to handle preemption have been considered, such as broad preemption for any states that want to enact new comprehensive privacy frameworks. “That would be completely preempted; however there would be carve-outs, for example, for areas of traditional state control,” she said. “That would include statutes surrounding unfair and deceptive practices, state constitutional law, state criminal law, laws that govern specific relationships like student privacy, landlord-tenant relationships, or employer-employee relationships.”
The role algorithmic decision-making plays with data might become a speed bump to federal policy moving through Congress because there has not been clear consensus on particular language of what to include, Bolton said. “If time is starting to become an issue, some of these areas like biometrics and algorithmic decision-making where there is still ongoing debate, you may see some of these pieces drop off,” she said.
Collins agreed that an algorithmic accountability bill is not likely to make its way through Congress right now but could be part of future legislation. “This conversation, I hope -- because of where the tech accountability discussion is much more broadly -- is not going to go away,” she said.
There is a desire among Congressional leaders, Collins said, for a tech accountability policy package to advance as concerns continue to rise about the power wielded by large technology companies that have access to more and more of the public’s data. “I would be really sad if we don’t have a privacy bill to put forward for the tech accountability package,” she said. “All the stakeholders are there; we know what needs to happen. This really is a very opportune moment to have something bipartisan that can move in a package when everybody wants to do something about big tech.”