With more than 30 bills filed in the United States Congress since 2018 to regulate privacy, several privacy-related ballot initiatives having passed at state level this year with overwhelming popular support, and state legislatures adopting or seriously debating baseline privacy laws, it looks like the US might be going through a ‘privacy renaissance’.
However, much of this effervescence is still to be concretised in law, especially at federal level. Great expectations are now placed on the shoulders of both the future Biden administration and the 117th Congress: will they build on this momentum and deliver a federal comprehensive privacy law?
A history of great expectations and fragmented results
This is not the first time the US is making serious legislative incursions into potentially comprehensive federal privacy law. In the late 1960s and the early ’70s, developments in the US building on the Fair Credit Reporting Act of 1970 led to an insightful Report of the Department of Health, Education and Welfare (HEW) – ‘Records, Computers and the Rights of Citizens’ (1973), that proposed a set of Fair Information Practice Principles, which are still influential today around the world. It was developed in parallel and published shortly after the UK’s Younger Committee Report, which provided for fairly similar principles.
The decades of fragmented federal privacy legislation that followed are characterised by the development of the information society and an absence of correlating cross-industry, baseline safeguards for how personal data is collected, used and shared. This pattern was only disrupted in 2016, when US-based companies doing business in the EU started to be alarmed about implementation of the extraterritorial effects of the EU’s General Data Protection Regulation (GDPR).
Awareness of data protection safeguards spread across the corporate world and trickled down to consumers, whose inboxes were flooded with notices that ‘privacy policies’ were being updated. Paired with the Cambridge Analytica scandal, which erupted in 2018 over the use of personal data around the 2016 US Presidential elections and brought personal data protection concerns into the mainstream, this led to tangible changes and increased awareness of the need for privacy protections. So, will things be different this time around for comprehensive federal privacy law? There are reasons to believe that yes, things will be different.
From the ground up: How states and the people are influencing privacy lawmaking
This time around there is pressure from the states and there is pressure from the people. Americans have an increased appetite for privacy. Consider the fact that close to 90% of the voters in Michigan approved a ballot initiative (akin to a referendum law) this November that amends the State Constitution to include a requirement of a search warrant to access a person’s electronic data and electronic communications.
Undoubtedly, though, California is leading the charge. On 4 November 2020, Californians approved a ballot initiative of their own, with more than 56% support, that promised to enhance the protection of their privacy: the California Privacy Rights Act of 2020 (CPRA). This law builds on and amends the California Consumer Privacy Act (CCPA), which was adopted by the state legislature in 2018 as the first baseline privacy law in the US, shows some hints of inspiration from the GDPR, and entered into force in January 2020.
The CCPA applies across industries, broadly defines ‘personal information’ and has a set of baseline obligations for businesses in relation to how personal information is used, with a focus on limiting ‘selling’ of personal information to third parties. However, it does not set any limitations on collection of personal information, since it does not require lawful grounds for ‘processing’, as the GDPR does.
The same approach is perpetuated by the CPRA, which sets additional limitations on the use of newly defined ‘sensitive information’ but, like the CCPA, does not require a lawful ground for collecting personal information of any type. Additionally, the CPRA clarifies that the right to opt out of a sale of personal information applies equally to ‘sharing’ that information, eliminating the uncertainty that followed the entry into force of the CCPA and its definition of what a ‘sale’ of personal information is.
Both the CCPA and the CPRA provide for a set of individual rights, including access and deletion. Notably, the CPRA creates for the first time in the US a dedicated authority to enforce privacy law, the California Privacy Protection Agency (the CCPA is being enforced by the Attorney General of California). However, it does not expand the limited private right of action under the CCPA, which is only applicable with regard to data security breaches. The CPRA is set to enter into force in January 2023, having a lookback period of one year, and with the CCPA applying in the meantime.
Another significant development at state level is the legislative proposal of the Washington Privacy Act (WPA), in Washington State (in the north-west of the US, not Washington DC). This January, the state legislature will have a WPA version 3.0 on its table, after two failed attempts to pass it into law in the past two legislative sessions. During the most recent attempt, the State Senate passed the bill almost unanimously, but the House of Representatives rejected it, expressing concerns about insufficient enforcement tools. The WPA bill has more similarities to the GDPR than the CCPA does. For example, it uses the same concepts of ‘personal data’, ‘controllers’ and ‘processors’, includes the principles of data minimisation and purpose limitation, and provides for accountability rules and a risk-based approach, including the need to conduct ‘data protection assessments’ for specific types of data processing that present increased risks for ‘consumers’. The WPA also includes a set of individual rights, such as access and deletion, and, with another nod to the GDPR, an individual right to portability.
Notably, the WPA proposal includes limitations of collection of sensitive data, by imposing on controllers an obligation not to process such data ‘without obtaining the consumer’s consent’, and ‘processing’ includes ‘collection’ in its definition. The newest version of the WPA does not provide for a private right of action. Similarly to the predecessor bill, its enforcement is left in charge of the Attorney General of Washington State.
Given that the legislature changed after the elections in November, it’s difficult to predict how the debates will go this time around. But with such an increased appetite for data protection and privacy safeguards, in addition to the allure of passing a law just in time to influence the process at federal level, the bill may have a real chance of passing. At least 23 other states have had multiple proposals for baseline or sectoral consumer privacy law on their agenda since 2018, but none of them as prominent and promising as those in California and Washington State, for now.
Initiatives in Congress heated up in 2020, but not enough to cross the finish line
This year was a mixed one for efforts at federal level to pass a comprehensive privacy law. On one hand, there were significant developments, with new bills carrying political weight being introduced, such as the SAFE DATA Act led by Sen. Roger Wicker (R-MS), who is also the Chairman of the Senate Commerce Committee. The SAFE DATA Act consolidated several bills or discussion drafts proposed by Republican Senators. On the other hand, those efforts were not sufficient to advance towards a compromise and actually pass legislation before the 116th Congress closes its session.
On the other side of the aisle, the leading legislative proposal was introduced a year ago, in December 2019, by a group of Democratic Senators led by Sen. Maria Cantwell (D-WA): the Consumer Online Privacy Rights Act (COPRA). Other bills were introduced in 2020, such as the Data Protection Act of 2020, by Sen. Kirsten Gillibrand (D-NY), and the Consumer Data Privacy and Security Act of 2020, introduced by Sen. Jerry Moran (R-KS), in addition to bills proposed specifically to deal with privacy concerns raised by responses to the COVID-19 pandemic.
The Congressional Research Service noted in a comparative analysis that all of the proposed comprehensive privacy law bills introduced in Congress or published discussion drafts have common features, such as ‘recognizing individuals’ rights to control their personal information’ and ‘creating procedures to enforce those requirements’, but that they differ in key respects – ‘which federal agency would have enforcement power; whether to preempt state privacy laws; and whether to provide a private right of action’. Indeed, all these matters are politically charged and the solution to them will be a result of political compromise.
Close observers agree that, for the time being, the two leading efforts are the SAFE DATA Act and COPRA. Both define ‘covered data’ broadly, which recalls the GDPR definition of ‘personal data’ by referring to information that not only identifies an individual, but that also is ‘reasonably linkable’ to an individual or a ‘consumer device’. Interestingly, both bills chose the notion of ‘covered data’ to designate the data that would be subject to regulation, and not ‘personal data’ or ‘personal information’. Both bills also exclude de-identified data, employee data and public records from their scope.
Other common features of the two bills are 1) consent-based restrictions on processing a set of defined ‘sensitive’ data, recognising, in addition to classic sensitive data (such as health, ethnic origin and sexual orientation), new categories like ‘persistent identifiers’ and ‘precise geolocation information’ – of note, the SAFE DATA Act, unlike COPRA, does not explicitly include ‘collection’ among the operations that make up ‘processing’; 2) a set of rights of individuals in relation to covered data relating to them, including the GDPR staples of access, correction, deletion and even portability; 3) sophisticated approaches to algorithms and algorithmic decision-making, with complex definitions and rules, such as mandating algorithm transparency reports (SAFE DATA Act) or algorithmic decision-making impact assessments (COPRA), or recognising and regulating ‘digital content forgeries’ (such as deep fakes).
Where the bills significantly differ is with regard to private rights of action and preemption. COPRA proposes a general private right of action and preempts state laws only where they directly conflict with it and do not afford individuals a higher level of protection. In contrast, the SAFE DATA Act does not include a general private right of action and proposes broad preemption of state privacy laws.
What to expect in 2021
A relevant development for the debates around a US comprehensive federal privacy law was the invalidation of the EU-US Privacy Shield framework this July by the Court of Justice of the European Union (CJEU). The threat to transatlantic trade posed by the court’s decision took several months before it managed to draw the attention of Congress. It was only in December that the Senate Commerce Committee organised a hearing to explore the challenges posed to personal data transfers by the Schrems II judgement of the CJEU.
One of the key questions the Senators asked repeatedly throughout the hearing was whether a federal privacy law would solve the transatlantic transfers problem. The consensus of the panel of witnesses was that a federal comprehensive privacy law would certainly help, but it will not be sufficient without addressing remedies, oversight and proportionality related to accessing personal data for national security purposes.
The Senators seemed motivated to advance their work towards comprehensive federal privacy law, which remains high on the legislative agenda, as evidenced by the time and energy spent in the past two years proposing thoughtful, complex bills. The two Senators leading the bills most discussed by privacy professionals, Sen. Wicker and Sen. Cantwell, were not affected by the 2020 elections (both will next be up for reelection in 2024), allowing for continuity between the work of the 116th and the 117th Congress on this topic. The momentum is mounting even more with the developments at state level detailed above.
The economic and social effects of the pandemic and the climate change crisis will be top priorities of the incoming administration. That said, there are several reasons to believe that a Biden Presidency could be a catalyst towards solving the federal privacy law puzzle.
First, there is the track record of the Obama Presidency, in which President-elect Joe Biden served as Vice-President, assuming leadership in proposing a Consumer Privacy Bill of Rights, albeit a non-binding one, and in adopting a thoughtful, detailed report on ‘Big Data, Algorithmic Systems, Opportunity and Civil Rights’. Second, there is the experience that former Obama appointees, who are now part of the transition team or are being considered for positions in the new administration, garnered in negotiating the Privacy Shield, working on surveillance-related commitments and reform as part of that process, or working on the two initiatives mentioned above. Third, there is Vice-President-elect Kamala Harris’s interest in consumer privacy when she was the Attorney General of California; for instance, she created the Privacy Enforcement and Protection Unit in 2012. In addition, the current Attorney General of California, Xavier Becerra, whose Office is central to the enforcement of the CCPA, has been nominated as Secretary of Health and Human Services by President-elect Biden.
Last, and perhaps most importantly, there is the current geopolitical landscape and the global movement towards adopting data protection laws fit for the digital age. And with the US announcing its return as an active global player, it’s difficult to believe the new administration will not want the US to be one of the leading voices in the global privacy and data protection debate.
The President of the European Commission, Ursula von der Leyen, has already extended a hand to the incoming administration, launching a proposal for a ‘new, forward-looking transatlantic agenda’, which includes cooperation on data governance, data flows and AI. The Declaration refers to ‘our shared values of human dignity, individual rights and democratic principles’ and ‘an unprecedented window of opportunity to set a joint EU-US tech agenda’.
One point on this agenda would be ‘cooperation at bilateral and multilateral level to promote regulatory convergence and facilitate free data flows with trust on the basis of high standards and safeguards’. A US federal privacy law would decisively contribute to this aim, even if it will not solve by itself the issue of transatlantic data transfers. President-elect Biden is expected to visit Brussels early in 2021, with pending invitations from both NATO and the Council of the EU.
One additional variable to track in 2021 is Brexit and whether the European Commission will adopt an adequacy decision for the UK that will allow unrestricted transfers of personal data from the EU, in the light of the recent judgement of the CJEU in the Privacy International case. If the Commission is not satisfied that the level of protection of personal data in the UK is essentially equivalent to that in the EU and will not adopt an adequacy decision, this may create an opportunity for a rapprochement between the US and the UK in how they deal with cross-border data flows and government access to data.
To return to the question at the beginning of this overview, there are reasons to believe that US comprehensive federal privacy law may become reality during the 117th Congress, which will meet from 3 January 2021 to 3 January 2023, with the Biden administration acting as catalyst. All of the moving pieces analysed above indicate an effervescent next year.
This article is the second article in a series on the geopolitics of data regulation, exploring questions arising from the UK’s National Data Strategy, transition from the EU and new regulations, and the impact of the incoming Biden administration on Anglo-Euro-US cross-border data transfer.
Dr. Gabriela Zanfir-Fortuna is Senior Counsel for Global Privacy and EU Data Protection Law at the Future of Privacy Forum, a think tank headquartered in Washington DC. Previously she was a legal officer for the European Data Protection Supervisor in Brussels. The views, thoughts, and opinions expressed in the text belong solely to the author.
Image credit: wigglestick