The attention of a U.S. privacy pro is divided pretty well these days. First and foremost, compliance efforts for the California Consumer Privacy Act are underway. But there are also other laws, both domestic and international, to consider, along with heightened focus on incident response and prevention.
Regardless of how occupied privacy pros’ minds are these days, there likely remains a space carved out for the unknown: a potential federal U.S. privacy law. Momentum for federal legislation has slowed on Capitol Hill in recent months, but congressional discussions persist, leaving stakeholders to wonder what could come of them and when.
The truth is no one really knows when federal legislation could come about. Some say the U.S. is a year or two away, while others think it’s closer to 10 or more. Some of those who think the latter include former U.S. government employees.
PwC Principal for Cybersecurity and Privacy Jocelyn Aqua, CIPP/G, Dropbox Head of Public Policy Ted Dean and WireWheel CEO Justin Antonipillai, each of whom worked on U.S. privacy for the Obama administration, explained their thoughts behind that timeline last month at the IAPP’s Privacy. Security. Risk. conference in Las Vegas.
“I didn’t think it could happen last year, and I don’t think it will this year,” said Aqua, a former government privacy official who spent 15 years with the U.S. Department of Justice. “What happens when you have something so important is that everyone gets to weigh in and not everyone, even those in the government, have any clarity on what they would like at this point.”
Aqua admitted that her perspective was jaded from her prior government work. She watched non-privacy bills go back and forth between the branches of the U.S. government and saw the time it took to get comprehensive legislation through. However, Aqua said the CCPA and a new privacy initiative that’s headed for California’s 2020 ballot could move the needle in federal talks.
“If there’s anything that could trigger it, it’s a ballot measure in California that basically matches [the EU General Data Protection Regulation],” Aqua said. “Still, I’m not even sure. Everyone in the space says something different. My opinion is that we are still in listening mode despite the fact there have been significant breaches and privacy incidents.”
Dean, the former deputy assistant secretary and acting assistant secretary in the International Trade Administration of the U.S. Department of Commerce during the Obama administration, explained that while the GDPR is indeed a case study toward federal U.S. legislation, many forget the EU took years to properly craft and pass that regulation. Dean also pointed to the current political climate as a snag in U.S. efforts. While he acknowledged conversations are “more robust than ever before,” he doesn’t see the bipartisanship necessary for big progress on legislation.
“I think there are big issues that are unresolved and split on partisan lines, which makes them harder to resolve in terms of preemption and a private right of action,” Dean said. “Those are two key holy-war-type issues that are hard to square the circle on, but it also comes down to the politics being really tough.
“Politically, as an observer to the landscape who lives and works in [Washington], it’s difficult imagining the Democratic House effectively handing something to [the Trump Administration] that would be viewed as a big win.”
Antonipillai, who also worked in the Obama administration as acting under secretary for economic affairs at the U.S. Department of Commerce, bases his timeline on the U.S. government’s history and tendencies on privacy, specifically as it relates to national security concerns. The DOJ and intelligence community are rooted in the lawmaking process, according to Antonipillai, and he deems that a “complicating factor.” The example he used was the Electronic Communications Privacy Act passed in 1986.
“I haven’t met anybody in the privacy space that doesn’t think that this is an insane law at this point. It’s absurd,” Antonipillai said. “One of the major provisions of the law says email on a major email provider for 180 days does not require a warrant for the government to obtain that data from the provider directly. … Nobody thinks that’s a reasonable law right now. But you can’t get a law passed that corrects that because of the interests of civil enforcement agencies, DOJ and others.”
A wild card for federal legislation optimists could be the general public. Antonipillai said while challenges stemming from within the government are an uphill battle, public distrust related to personal data and the lack of information regarding its use could be a driving force toward a single federal law sooner rather than later.
“Human beings in the U.S. think something is wrong. The balance is off in some way,” Antonipillai said. “They don’t feel like they have any idea on what’s being collected. There’s little sense on where it’s going and they don’t feel like they have control. That’s why you saw the [CCPA] ballot initiative polling at 85 to 90% and agreement across the political spectrum. … So I do think there’s this long-developing ‘people are sick of it’ kind of motion. It just takes a while to get there.”