Federal Privacy Law in 2021?
On December 9, just one week after WireWheel’s SPOKES Privacy Technology Conference, where the concept of a U.S. federal privacy law was widely discussed, the Senate Committee on Commerce, Science, and Transportation held a hearing that raised this very issue.
Framing the Debate
As reported by IAPP.org, some committee members argued that a federal privacy law could indeed come to pass in 2021 and would settle the issues raised by the nullification of the Privacy Shield framework by the EU’s Court of Justice [CJEU]. ‘It should be possible,’ Washington University School of Law Koch Distinguished Professor in Law Neil Richards said. ‘The U.S. used to be the leader on commercial privacy in the early 1970s and sort of abdicated that to Europe.’ (Duball, 2020).
Julie Brill, Corporate Vice President, Deputy General Counsel and Chief Privacy Officer at Microsoft, agrees. Speaking on the Privacy Tech Leaders panel at SPOKES about the need for a federal privacy law, she said:
I think it’s really about thought leadership…the absence of US [federal] privacy law has a lot of implications, not just with respect…to state laws and trying to have a Federal standard…but also in terms of the International conversation. I think we’re losing our competitiveness on thought leadership and possibly from an economic perspective as well.
―Brill
“We’re both working for very large multinational technology companies and are fortunate to have a fair amount of resources at our fingertips,” notes Lindsay Finch, EVP Global Privacy and Product Legal, Salesforce, “and I really am worried about the impact on small and medium sized businesses.”
Former Obama administration Acting Under Secretary, U.S. Department of Commerce and WireWheel CEO Justin Antonipillai notes that “the transition to the Biden administration has brought back a lot of the discussion points around federal legislation…and there’s a lot of momentum behind Washington passing its own version of a law.”
Alistair Mactaggart, the central figure behind the California Privacy Rights Act (CPRA), does not see state law and national law as mutually exclusive (although the combination does raise preemption[1] issues).
“I look at HIPAA[2], I look at GLBA[3]. Both of those are floors not ceilings,” offers Mactaggart. “So the precedent has already been set for national privacy legislation that is a floor.”
Interestingly, Mactaggart (a real estate developer in California) also does not see the lack of a federal privacy law as a hindrance to business.
I don’t, frankly, buy the industry lament ‘Oh, we can’t possibly live with 50 different laws’ because they do it in licensing, they do it in opening hours, they do it in sales tax, they do it in health and [banking]…and many states have their own version of HIPAA or, as in California, we have our own version of medical and financial services privacy laws that are stricter from [sic] the federal ones. So I tend to think that if there is a federal law at least Californians will be arguing hard for it not to preempt.
―Mactaggart
Mactaggart even sees the state-level enactment of data privacy law as a competitive advantage (for California at least) – particularly if it earns unassailable “adequacy” status from the EU authorities. “I think it’d be great for Californians…it is one more reason why privacy won’t get weak…[and] great for business…if you’re going to put datacenter somewhere, you’re going to put it in the adequate state so you can process data from around the world.”
National Security Concerns Remain
The federal vs. state debate perforce concerns multiple government agencies responsible for national security and the consequent statutes that impact data privacy. It is this national security element of transatlantic data transfers that was at the heart of the Schrems II decision.
“Department of Commerce Deputy Assistant Secretary for Services of International Trade Administration James Sullivan told Sen. Richard Blumenthal, D-Conn., and fellow committee members, ‘I think potential federal data privacy legislation would be very well received by the EU, but it will not address the immediate national security issues cited by the [CJEU].’” Sullivan also noted that “that ruling [i.e., Schrems II] focused exclusively on government access to data and did not in any way question Privacy Shield’s protections with regard to commercial collection or use of data…” (Duball, 2020).
As the lead negotiator for the original Safe Harbor agreement, WireWheel’s Antonipillai understands how national security, and law enforcement more generally, is a major impediment to national privacy legislation. Playing a bit of insider baseball, he notes that “when you start to develop a national privacy law, it goes through an interagency process and two of the groups that end up weighing heavily are national security and law enforcement. And right now the amount of data that is held by third-party platforms is an enormous resource for law enforcement for civil enforcement purposes…That voice isn’t the same in states.”
Some Things are Certain
Do data privacy and protection go federal in 2021? Will more states follow California’s lead? Predictions are always best left to the possessors of tea leaves and crystal balls, but the debate will certainly intensify at both the state and federal levels.
Data privacy, inclusive of protection and control, is now part of the public consciousness. The passage of the CPRA with what is, in today’s terms, a stunning majority of 56 to 44% is indicative of this. And it suggests that individuals want control over their data, not just assurances that it is protected. This has been increasingly demonstrated by consumer attitudes and behaviors and further buttressed by the Google and Apple announcements.
It is a mix of individual rights, market dynamics, state vs. federal primacy, national security, politics, and foreign government requirements. Data privacy looks to be the place where they will meet. Or collide.
[1] The preemption doctrine refers to the idea that a higher authority of law (such as federal law) will displace the law of a lower authority of law (state law such as the CPRA) when the two authorities come into conflict.
[2] Health Information Portability and Accountability Act contains privacy rules regarding the protection and use of an individual’s health information.
[3] The Gramm–Leach–Bliley Act repealed parts of the Glass–Steagall Act of 1933.