The House Energy and Commerce Committee advanced major data privacy legislation Wednesday along with two other bills that would compel federal reporting on cross-border ransomware complaints and require IoT vendors to warn consumers about surveillance components in the connected devices they manufacture.
The top item on the docket was the American Data Privacy and Protection Act, the House’s version of a comprehensive privacy bill that congressional Democrats are seeking to advance. The committee voted overwhelmingly (53-2) in favor of the bill, and committee leaders from both parties hailed the passage as a landmark moment and opportunity in U.S. digital privacy.
“Today’s vote has been years in the making and is a major step forward in our bipartisan effort to establish national data privacy protections for all Americans,” said Reps. Frank Pallone, D-N.J.; Cathy McMorris Rodgers, R-Wash.; Jan Schakowsky, D-Ill.; and Gus Bikirakis, R-Fla.; in a joint statement. “The American Data Privacy and Protection Act puts people back in control of their online data. It creates a strong national standard that will finally minimize the amount of Americans’ information companies are allowed to collect, process, and transfer. This will rein in Big Tech’s power and establish clear, robust protections for people, especially children. Under our solution, companies will face real consequences if they track our kids’ data or use that information to exploit them for profit.”
Reactions to the House bill highlights the intense interest and wrangling the legislation has spawned among interest groups across the spectrum, where digital civil liberties organizations are warning it contains significant loopholes that could still permit the kind of invasive data consumer data collection that lawmakers are attempting to address while business and tech groups are lobbying for further changes that are more friendly to industry.
The American Civil Liberties Union has praised parts of the bill that seek to limit algorithmic bias and require companies to implement “privacy-by-design” concepts into their software and other products. But in a letter this week ahead of the markup, the organization said there are still too many provisions that allow companies to harvest user or employee data and limitations to a private right of action may impede many individuals from suing to enforce other parts of law, like requiring impact assessments and design evaluations of algorithms.
“The ACLU greatly appreciates the work and commitment to privacy and nondiscrimination reflected in the ADPPA, but at the same time, we also have serious concerns about the likely effect of several provisions," Christopher Anders, ACLU’s federal policy director, wrote in a letter this week ahead of the markup. “Importantly, all of the problems can be fixed.”
Meanwhile, John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, a trade association representing many of the largest technology companies in the country, put out a statement that offered qualified support for the broad thrust of the House bill, saying the version that passed out of committee Wednesday “improves upon earlier drafts in certain areas” and would be a genuine boon for data privacy, but also stressed that the group intended to continue to press for further changes.
“However, more work needs to be done to improve provisions regarding the regulation of algorithms and targeted advertising, and to further clarify the responsibilities of service providers before the bill advances further,” said Miller, who has also provided testimony to lawmakers around the bill in House hearings last month. “While the bill as written provides meaningful privacy protections to American consumers, progress on privacy should not come at the expense of undermining innovation in artificial intelligence and potentially threatening national competitiveness.”
Ransomware Act and IoT transparency
The RANSOMWARE (or the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies) Act passed unanimously through the committee. It would require the Federal Trade Commission to report biennially to Congress on the number and detail of cross-border it receives on ransomware and other cyberattacks committed by foreign nations as well as any efforts it has made to engage with law enforcement agencies or courts in other nations cooperate on investigation and prosecution of the responsible parties.
The bill specifically singles out four nations — Russia, China, North Korea and Iran — that have been at the forefront of discussions in Washington around state-use of ransomware and the responsibility governments have for the actions of malicious cyber groups operating within their borders.
“My bill will help Congress, the FTC and other law enforcement entities better understand these attacks and learn to how to better combat them,” said Rep. Michael Bilirakis, R-Fla., the legislation’s chief sponsor.
The panel also unanimously voted in favor of the Informing Consumers About Smart Devices Act, introduced last year by Rep. John Curtis, R-Utah. It would require manufacturers of internet-connected devices to disclose to consumers whether it includes a photo or video camera. It would not include devices that commonly have cameras built-in, such as mobile phones, laptops or devices specifically marketed and sold as cameras. The bill gives the FTC the authority to fine or punish violators and charges the agency with developing more specific guidance for manufacturers within six months of passage.
“I don’t want my refrigerator or my microwave or whatever to be feeding to someone somewhere in the world what I’m doing every single minute of my day, and I want the right to know if those microphones and cameras are in devices,” said Rep. Debbie Lesko, R-Ariz., who also supported the bill.