Will Congress kill the push for data privacy?
With a lame duck session ahead in Congress, Democratic leaders in the House are facing demands to move forward pending bills. Many industry groups are hoping that Congress will take up the American Data Privacy and Protection Act, a privacy bill that would lock in place a single national standard and shut down efforts now underway in the states to expand consumer protection.
Speaker Nancy Pelosi (D-Calif.) has been targeted by one of the bill's supporters, a former top official at the Commerce Department, who claims that her "pride" is the reason the bill has not moved.
A better explanation could be that Speaker Pelosi believes in the legislative process and that a better privacy bill is still possible. The most well-known problem with the federal privacy bill is that it will overwrite stronger state privacy laws, most notably the California Privacy Rights Act.
This is unusual in federal privacy law and clearly controversial. Backers of the bill claim that it is stronger than the California law, oblivious to the well-stated objections of Speaker Pelosi, Gov. Gavin Newsom, the California attorney general, the California speaker of the house, the California Privacy Protection Agency, and also Californians for Consumer Privacy, the group that gathered 9 million votes in support of the state law, by far the most successful privacy campaign in U.S. history.
This is the moment when those in California get to ask the D.C. pundits what have *they* been smoking? There is a simple solution to the objection from California: Remove the language that preempts stronger state laws. If the federal bill is indeed stronger, as the backers contend, then compliance with the California law should be easy.
But that is only the start. The federal bill has a weak private enforcement scheme that fails to provide any dollar amount for a violation of the law. That will create a real problem for enforcement because privacy violations, though consequential, are often difficult to quantify. And that is why privacy laws typically set out a specific dollar amount to help guide litigants and courts as to outcomes.
A related problem is that the enforcement provision kicks in two years after the bill goes into force. That is also without precedent. But both problems can be solved - provide a stipulated damages amount and remove the unnecessary delay. If there is a violation of the law after the bill is enacted, then enforcement should follow.
Another problem with the current draft is that it excludes Europeans from the scope of coverage. At first, I thought that was simply a drafting mistake as no consumer privacy law enacted by Congress had ever excluded non-U.S. residents from coverage, but I have since learned that this provision was intended.
It is difficult to describe just how bad that provision is. The United States is at this very moment trying to establish a legal framework that will permit the continued flow of personal data of European consumers to United States internet companies, which is critical to the digital economy. Two previous attempts had failed because the European Court of Justice concluded that the United States simply did not provide comparable protection to the safeguards available in Europe. President Biden signed an executive order to establish an EU-US Data Protection Framework, following lengthy negotiations between the U.S. Department of Justice and the EU Justice Ministry.
If the Congress now passes a privacy law that, for the first time, excludes European consumers, it is not difficult to predict what the next judgment from the European court will be. That problem can also be fixed by removing the qualifier that excludes non-U.S. residents from the scope of coverage. U.S. companies should be responsible for protecting the privacy of the consumer data they choose to collect, regardless of where those consumers may reside. That is also a rule that will strengthen international trade.
Then there is the problem of the Federal Trade Commission's ability to safeguard privacy. Under the proposed bill, the FTC has central enforcement responsibility. The FTC has a noble history protecting consumers and promoting good business practices, but it has struggled with privacy enforcement. An organization I led brought the privacy cases that established the FTC's legal authority over Facebook and Google. It took two years for us to get favorable outcomes, and even then, the FTC was reluctant to enforce its own order. We even sued the FTC in federal court to enforce its own order against Google. A sympathetic judge acknowledged the problem but said she lacked authority to compel an agency to exercise its enforcement powers.
Years passed and violations piled up. The Cambridge Analytica scandal broke. Whistleblowers came forward. The FTC was unwilling to act. It took more than eight years from the settlement we obtained against Facebook in 2011 before the Commission took its first enforcement action against the company.
The FTC's spotty enforcement record, combined with the long period that FTC rulemakings require, the two-year delay in private enforcement, and the preemption of state authority, could set back privacy protection in the United States for many years.
In almost every other country in the world, there is a dedicated privacy agency with the specific authority and expertise to enforce data protection law.