Three Big Issues Congress Must Resolve to Enable Passage of Data Privacy & Security Legislation
With last week’s data privacy hearings before the Senate Commerce, Science & Transportation Committee and House Consumer Protection & Commerce Subcommittee now in the rear-view mirror, the outlines of the debate are coming into sharper focus. Moving forward, three big issues will dominate Congress’ deliberations on data privacy and social media regulation.
Defining the Scope of Data Regulation. Congress could consolidate and nationalize the current regulatory regime or it could extend that regime into new areas. States long ago enacted laws that require companies to notify their customers, mitigate their damages and pay fines in the event of a data breach. These laws are meant to protect “personally identifiable information” (or “PII”) like full name, street address, social security number and credit card account info. Some states also have laws that require companies to adopt “reasonable” cybersecurity measures. Congress too has selectively imposed data breach and security requirements on certain industries, including financial services and health care. One path Congress could take would be to pass a nationwide data breach and security law applicable to all industries. But Congress could also move past familiar boundaries to regulate companies’ collection, use and sale of “personal data” (a broader set of information than PII, encompassing browsing history and purchasing habits), in the spirit of the European Union’s General Data Protection Regulation (2018) and California’s Consumer Privacy Act (2018). Such a move would target popular apps and social media websites like Amazon, Facebook and Google, and would represent a major expansion of data regulation in the United States. At last week’s Senate hearing, at least one industry trade group, BSA – The Software Alliance, supported federal legislation more stringent than the California CPA.
Choosing a Regulatory Model. Congress needs to select a regulatory model to implement whatever data requirements it decides to impose. Data breach notification statutes rely on traditional “command-and-control” regulation, in which a government agency enforces specific regulatory requirements and punishes companies for non-compliance. At the House hearing, the command-and-control model was attacked by the American Enterprise Institute as irrational and discriminatory against small business. Under a “common law” model, the Federal Trade Commission (FTC) develops case-by-case precedent by bringing selective enforcement actions against individual companies, based on a broad statutory mandate. In many cases, the FTC tries to negotiate a consent decree with the company, outlining specific cybersecurity measures the FTC deems suitable for the subject company. These consent decrees in turn provide a kind of “safe harbor” for other companies in that industry to adopt. In a third model, Congress and the states have relied on broadly worded mandates that companies adopt “reasonable” measures appropriate to their size, their cyber vulnerabilities and the sensitivity of the data they handle. What is “reasonable” for any one company is not entirely clear, and so companies have gravitated towards voluntary security standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Congress could ride this trend and simply mandate some level of adherence to cybersecurity standards such as the Framework.
Whether to Preempt the States. As noted, states have for many years taken the lead in data regulation. As of now, every state in the union has enacted a data breach law and many states also have “reasonable measures” cybersecurity laws. Navigating 50 separate (and sometimes contradictory) regulatory regimes in the event of a data breach presents an enormous challenge for private industry. At the Senate hearing, the trade group 21st Century Privacy Coalition denigrated the existing state laws as “a crazy quilt patchwork.” This is why many trade groups are pressing for Congress to preempt existing state data regulation in favor of a single, nationwide set of requirements. Conversely, data rights advocates praise the overlapping state regimes as healthy, democratic experimentation. They argue that Congress should enact regulatory minimums but permit states to enact more stringent requirements. Preemption may prove the most important issue of all, since it is the driving force behind industry support for a nationwide data privacy and security law.