Some Legislative Experts Don’t Expect Progress Soon
Democrats and the Republicans introduced a number of proposed bills in 2019 designed to create a federal privacy law. But will Congress be able to achieve a compromise in 2020?
Reece Hirsch, a partner who heads the privacy practice at the law firm Morgan, Lewis and Bockius, says that while there is an increased interest in comprehensive federal privacy legislation in the wake of the passage of the California Consumer Privacy Act, Congress appears very far from reaching a consensus.
“A federal privacy bill is unlikely until the framework of state privacy laws becomes so complex and burdensome for businesses that it forces Congress to take action to clarify the regulatory landscape,” Hirsch says.
In the latest attempt at building a consensus, the House Energy & Commerce Committee recently unveiled a preliminary draft of a bipartisan consumer privacy bill. The committee is now seeking comments from privacy experts, trade associations and companies.
The draft side-steps several of the most divisive issues, including whether a federal law should override state privacy laws and whether individuals should be empowered to sue companies over privacy violations.
These two issues have led to months of stalled negotiations. Democrats, including Rep. Maria Cantwell, D-Wash., have argued in favor of not having a federal law supersede stronger state laws. They also favor allowing individuals to sue companies for privacy violations. Meanwhile Republicans, including Rep. Roger Wicker, R-Miss., have said they will not support a federal privacy law unless it pre-empts state legislation, such as CCPA, to create uniform rules for all to follow. They also argue against giving consumers the power to file privacy lawsuits, fearing that many frivolous litigations against companies could create an unnecessary burden.
Earlier bills introduced by Cantwell and Wicker share many common elements, says Caitlin Fennessy, researcher director at International Association of Privacy Professionals. Both seemed willing to negotiate on key points, she notes. “This led many to believe that a national law could be round the corner,” she adds.
But there’s still a long way to go, says Attila Tomaschek, digital privacy expert at ProPrivacy, an organization that says it fights for digital freedom and privacy. “The dispute over certain points is more or less what is holding up any real progress on establishing a federal regulatory standard for data privacy,” Tomaschek says.
“Essentially, once those certain contentious details of each party’s proposals are ironed out, a workable bipartisan federal privacy bill will emerge eventually. How soon that will happen, though, is obviously still a matter of debate. With Congress embroiled in impeachment proceedings, along with the looming 2020 presidential election, I do not see anything happening before the end of next year.”
Perhaps the most contentious issue, some observers say, is whether to give individual consumers the right to sue for privacy violations.
“I would foresee that the challenge in coming to some sort of bipartisan agreement on the private right of action in the law will be particularly difficult, even more so than compromising on pre-emption of state laws,” Tomaschek says. “Republicans, and understandably, many businesses, are vehemently opposed to including a private right of action in any federal data privacy legislation. Therefore, that point will remain hotly contested and will certainly be a significant challenge for Republicans and Democrats to come to an agreement on.”
But there’s also plenty of disagreement on whether a federal law should supplant all state laws.
“The moment you try to incorporate multiple laws into one law, there is a dilution that happens between the most stringent law and the weakest and you get into an average kind of situation,” says Maninder Bharadwaj, partner, risk advisory, at Deloitte. “So you will see a dilution happening in some places and you will see an uptick happening in other places. Democrats will push for stringent law, while Republicans are in favor of easing doing business. So it will be tough to come to an agreement.”
Sadia Mirza, privacy attorney at Troutman Sanders, notes: “I don’t think California is going to want to undo what it has been putting into place with respect to the CCPA over the last 1.5 years, but from businesses’ perspective, one comprehensive bill is the way to go without more stringent state requirements,” Mirza says.
Key issues that need to be addressed in building a consensus for a federal privacy are:
- Who will enforce the law?
- What kind of exemptions will companies get and under what circumstances?
- What power will states have to enforce stricter requirements?
- Under what circumstances, if any, could individuals sue a company over privacy issues, including data breaches?
But at a time when the Congress is deeply divided over President Donald Trump’s impeachment, and the 2020 presidential election looms, building a consensus on a federal privacy bill could prove challenging.