Bipartisan bill breaks impasse over federal data privacy negotiations
Rep. Jan Schakowsky (D-Ill.), chair of the House Energy and Commerce Consumer Protection Subcommittee, said the bill will “end the discriminatory use of your data, it will force companies to adhere to high standards of security and data minimization, and it will prohibit payment-for-privacy practices.
Currently, Americans’ data is protected – in places – by a patchwork of state- and industry-specific privacy laws, such as a 1999 law that protects financial information, a 1996 law that protects health information and a 1974 law that protects information collected by the government.
Lawmakers have tried to pass a national privacy law since the 1970s. The last time things looked promising it was late 2019when bipartisan House Energy and Commerce staff shared a privacy bill and Senate Commerce Committee leaders introduced separate measures along partisan lines — but none advanced out of their commissions.
Consumer and civil rights groups applauded the discussion project. “Privacy rights are civil rights,” David Brody, general counsel for the digital justice initiative at the Lawyers Committee for Civil Rights Under Law, said in a statement. He said the group was encouraged that the bill would “curb the endemic data-based discrimination that occurs due to a lack of privacy protections.”
Industry representatives are also optimistic. “We have more hope than we have in years that a bipartisan privacy bill can make it to the president’s desk this Congress,” said Carl Holshouser, senior vice president. from TechNet, a lobby group that represents Google, Meta and Amazon. in a report.
The compromise bill includes an agreement that federal law will prevail over state laws by default — with exemptions for California and Illinois laws in particular, as well as broad categories of state laws — and some limited rights for individuals to sue for damages if a company violates their privacy, a configuration called a “private right of action.” Republicans had previously wanted to get ahead of all state laws, while Democrats wanted individuals to have a broad private right of action.
The compromise bill includes provisions that would require groups that collect data to minimize what they collect. “Covered Entities are prohibited from collecting, processing or transferring Covered Data beyond what is reasonably necessary, proportionate and limited to provide specific products and services,” according to a summary of the bill provided by its sponsors.
The bill would also prohibit the transfer of sensitive data to third parties without the “express affirmative consent of the person to whom it relates,” according to the summary. It would also require “big data holders that use algorithms to evaluate their algorithms annually and submit annual algorithmic impact assessments to the FTC.” It increases online data privacy protections for children under 17 and would ban targeted advertising to children under 17.
If today’s compromise becomes law, it would bring the United States closer to Europe, which has several equally broad privacy rules, including the General Data Protection Regulation, or GDPR.
Of course, as bipartisan privacy negotiations are more advanced than ever, a key negotiator – the Senate Commerce Speaker Maria Canwell (D-Wash.) — is skeptical.
In a statement, Cantwell said, “For American consumers to have meaningful privacy protections, we need strong federal law that is not riddled with enforcement loopholes. Consumers deserve to be able to protect their rights from day one, not four years later. »
The bill provides for a four-year moratorium after its enactment before private suits can be brought.
Meanwhile, Cantwell has shared a revised version of its Consumer Online Privacy Rights Act – first introduced in 2019 – with industry and privacy advocacy groups. . The updated version would define “substantial harm to privacy” as alleged financial harm to an individual of $1,000 or more, or alleged physical, mental or reputational harm. Cantwell’s bill would prevent companies from using user agreements to force individuals into arbitration to settle disputes rather than sue, according to a draft obtained by POLITICO.
On the other hand, the bipartisan project does not prevent companies from forcing customers to resort to arbitration, except when it comes to children. Companies routinely include such clauses in user agreements and have lobbied to maintain this right.
Tricia Enright, a spokeswoman for the majority side of the Senate Commerce Committee, said Cantwell wants to organize a bump this month on a bipartisan federal privacy bill, as well as privacy-related bills. children.
However, there is little time left in the Congressional calendar before Congress breaks its August recess and then heads into the midterms. It’s unclear whether Congress could get across the finish line on a federal privacy bill this year.
Senate Majority Leader chuck schumer last week urged Cantwell to quickly finalize a bipartisan agreement, according to a person familiar with a conversation between them who was granted anonymity because they were not authorized to speak publicly. Support from leaders is crucial, given the limited number of legislative calendar days left before the midterm elections.
The timeline for action is also limited due to changes in committee leadership. Wicker likely has little time as a ranking member on Senate commerce, as he has indicated he will take on the GOP leadership role on the Senate Armed Services Committee after the senator’s retirement . Jim Inhofe (R- Okla.). Wicker’s expected Commerce Senate replacement – Sen. Ted Cruz (R-Texas) – has not been a leader in federal privacy discussions.
“Maybe this is when Wicker can really act to get his kind of stamp on a bill before he potentially leaves this committee,” said Divya Sridhar, senior director of data protection policy. of the SIIA technological industrial group. “So I think there’s kind of an indication that this might be the time.”
The American Chamber of Commerce strongly opposed any bill involving a private right of action. “We are confused and concerned given the fact that he is awarding attorneys’ fees to plaintiffs, which has the potential to generate class action lawsuits,” said Jordan Crenshaw, director of the Technology Engagement Center at the Chamber of Commerce. United States. IBM also opposes the legislation. Christopher Padilla, IBM’s vice president for government and regulatory affairs, said in a letter to Cantwell, Wicker, Pallone and McMorris Rodgers that “the best way to avoid the many pitfalls of a private right of action is not to include it”.
Some advocacy groups are also wary. Justin Brookman, director of privacy and technology policy at Consumer Reports, called the legislation “promising,” but said he didn’t want the privacy bill’s efforts to distract from the projects. technological antitrust law that have been reviewed and advanced out of the committee. “It would be great if we could do both, but I don’t know what that effort does to distract from that competitive effort.”
Emily Birnbaum contributed to this report.