Democrats cemented control of federal executive and legislative branches this week, after two Democrats won run-off Senate elections in Georgia. The transition creates the potential for a federal privacy law to make it out of chambers of Congress, though no one is holding their breath.
Partisan and bipartisan data privacy proposals get caught up most frequently in differences between a citizen's right to sue a company for data infringement and a federal law's ability to overrule existing state laws. Even with a Democratic majority, the path toward federal data privacy legislation is a little muddy.
"I see three potential paths forward," said Daniel Castro, VP of ITIF and director of the Center for Data Innovation, including:
- The Senate Committee on Commerce, Science and Transportation quickly resolves the "outstanding issues" of preemption and private right of action. "Given how long the process has been so far, I'm not very optimistic on the likelihood of this option," said Castro.
- A bipartisan group lands on a more centrist bill.
- Or a Democrat-led Congress could "start with a clean slate," he said.
The Biden administration has already signaled a push for national privacy rules. "We should be setting standards not unlike the Europeans are doing relative to privacy," President-elect Joe Biden said to The New York Times last year.
Now that he has a Congress leaning in his favor, it's up to members to meet at the privacy crossroads.
"Right now it's about how much is changing on Capitol Hill. In the end both chambers are almost exactly divided on privacy legislation," said Bartlett Cleland, senior fellow for Technology and Innovation at Pacific Research Institute, in an email. "Perhaps now that environment is present in Congress, but I think it's a bit too early to really know."
Both parties favor data privacy
Ahead of the next legislative session, here are a number of leaders in Congress with a platform prioritizing privacy including Sen. Kirsten Gillibrand, D-NY; Rep. Suzan DelBene D-WA; Sen. Maria Cantwell, D-WA; Sen. Jerry Moran, R-KS; and Sen. Roger Wicker, R-MS.
Each congressperson's bill never made it beyond its introduction on their respective chamber's floors. With Democratic control, "perhaps they'll actually make it to the floor in 2021," said Daniel Barber, CEO of DataGrail.
Wicker has been particularly relentless in data privacy pursuits, proposing a draft in December 2019, a COVID-19-specific bill in May 2020, and the SAFE DATA Act in September 2020.
The SAFE DATA Act was derived from a previous draft by Wicker in December 2019, just after Cantwell presented the Consumer Online Privacy Rights Act (COPRA). In the year since, neither senator has done much to reconcile opposing issues, though they align on protecting consumers from inappropriate data use by companies — the means to do so, however, remain partisan.
"New committee leadership, particularly in the Senate, may decide to scrap Sen. Wicker's draft bill and put forth something new that incorporates other Democratic priorities," said Castro.
Cantwell's bill, introduced in 2019, more closely aligns with Europe's General Data Protection Regulation (GDPR) than Wicker's, as it does more to protect consumers. "There is a silver lining that something may get passed but how much of a game changing law it would be, analogous to GDPR in Europe, I still remain somewhat of a cynic," said Heather Federman, VP of Privacy & Policy at BigID.
Congress has motives to act fast though, given Privacy Shield's overruling in July. The decision jeopardized and limited supplier opportunities for U.S.-based businesses, and impacted about 5,000 organizations. The European Union effectively said U.S. data transfer and protection standards are insufficient.
Along with the EU's Digital Services Act and Digital Markets Act new rules, "selling to European customers is going to become even more burdensome from a compliance perspective," said Federman.
National rules are influenced by advancements in privacy legislation in California. In November, California voters passed the California Privacy Rights Act (CPRA), effectively making the CCPA stricter, which Wicker might have to bend to in the SAFE DATA Act.
The CPRA establishes the California Privacy Protection Agency, which will tag-team with the state's Department of Justice. Vice President-elect Kamala Harris played a role in establishing a privacy enforcement unit within the state's DOJ in 2012 when she served as the state's attorney general. The formation of the unit was years ahead of the CCPA, in which other states are mirroring their data privacy efforts.
"With Democrats controlling both the House and Senate, it's more likely all the talk of a federal privacy bill to finally take shape," said Barber. Evidence is in the bill introduced by Rep. Anna Eshoo, D-CA and Rep. Zoe Lofgren, D-CA last year.
Where's the focus
The role the FTC will play in a future privacy law is also dependent on the political party crafting it, and it's currently a diverging factor.
During the Trump presidency, the FTC was engaged in pursuing high-level privacy issues concerning tech companies unlike ever before. The FTC recently settled with Zoom for privacy concerns uncovered in March and in 2019 the Commission issued a record $5 billion fine with Facebook for its role in Cambridge Analytica data misuse.
"The FTC became politicized over the Cambridge analytic scandal," said Jim Halpert, partner at DLA Piper, speaking on a virtual panel by Pacific Research Institute in December. "That created a feeling among the privacy advocates and consumer advocates that the FTC was too weak."
While Dan Caprio disagrees with Halpert's politicization assessment of the FTC, he said the Facebook settlement likely changed the landscape for companies in- and outside of big tech. It "elevated risk" because it folded personal liability for company leadership into the legalities, said Caprio, co-founder and executive chairman of The Providence Group, during the panel.
The FTC has been clamoring for more data privacy authority for years and if there is a federal law implemented,"the FTC will almost certainly get enforcement authority for that privacy bill," according to Halpert. "I think we can expect if that happens under the Biden administration, for them to take that enforcement role pretty seriously."
The Facebook settlement is a nod to perhaps other big tech policing concerns. "More broadly, there will also be a push for antitrust cases, though those could take years," said Federman.
FTC Chairman Joe Simons has a background in antitrust and will likely continue its pursuit. In February, the Commission announced it was looking into all non-reportable acquisitions made by big tech since Jan. 1, 2010 through Dec. 31, 2019.
"I think a new chairman will be equally focused on competition and consumer protection. That's going to make a huge difference in the way that the regulator perceives corporate interest," said Caprio.
The FTC's focus on areas of big tech like antitrust or Section 230 is the "key question," said Cleland. If Congressional attention shifts too drastically to those issues, privacy legislation will suffer. "If the air is sucked out of the room on those issues I don't see privacy going anywhere. Also there are a measly 18 months until Senate and House campaigns are in full swing."