As Joe Biden settles into his presidency, lawmakers are hinting at legislation that could influence privacy standards. Just this month, Virginia Gov. Ralph Northam signed a robust state privacy law that Sen. Mark Warner, D-Va., praised as “an important first step in providing vital privacy protections to Virginians." Many believe national standards could follow.
Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals (IAPP), expects 2021 to be a robust year for privacy, as the U.S. negotiates new Privacy Shield regulations with the European Union, the Federal Trade Commission (FTC) moves toward a more aggressive agenda and global developments, especially versus China, leverage U.S. cyber diplomacy.
How might the U.S. approach to privacy change under the Biden Administration?
Tene: I think there might be an expectation the Biden administration will be more focused on privacy, consumer privacy. The Obama administration was more proactive with the Consumer Bill of Rights. During the Trump administration, the White House wasn’t obstructionist but didn’t try to shepherd it along.
But privacy did get some boosts over the past four years while the issue itself didn’t take priority.
Tene: Even without the Trump administration’s help, there was a lot of progress in Congress. Republicans and Democrats produced a pretty comprehensive privacy bill, [Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act], with the DATA Privacy Act [Digital Accountability and Transparency to Advance Privacy Act]. I think we kind of start from that basis. We’re not going back to square one. With Democrat control of the Senate, House and White House, the White House might be more involved in process. But there’s no movement in that space yet.
To what extent will activity at the state level – California Consumer Privacy Act enforcement deadlines, passage of the more stringent California Privacy Rights Act and the new Virginia privacy law, for example – affect the trajectory of privacy on the national level?
Tene: State laws are proliferating. And with state law pressure on Congress to do something, the administration might get involved and push. And there’s a need for détente with Europe. So, the stars are aligning. I don’t think it’s low-hanging fruit, though. It’s still challenging to bridge the gaps on hardcore issues, but not impossible. It’s not going to be where one side gets all. There must be compromise.
What might federal legislation look like?
Tene: It will look like SAFE DATA Act lite. It has the support of Republicans. And the Democrats have a version. There are subtle differences between the two, so the [final legislation would] look like something in between. I don’t think one side will get its full wish list. And I don’t think Democrats will expend political capital to ram this one through.
What are the sticking points?
Tene: For Republicans, it’s a non-starter to have a federal law that’s not pre-emptive. For Democrats, pre-emption is tough to swallow because the California delegation has so much clout, especially in the House. And pre-emption would be pre-emption of California law. They wouldn’t just blithely set aside law voted for by its constituents. Republicans don’t want a 51st law alongside other state laws. And businesses want clarity.
To set CPRA aside, a federal law has to be stringent. Businesses and Republicans in Congress [also] are worried if consumers have the ability to sue, there would be a nightmare of class actions and small, petty claims as lawyers try to win big. Democrats say there are not enough resources to enforce a law. The FTC can only do so much. The [Biometric Information Privacy Act] in Illinois just had robust enforcement – a claim for $650 million in damages from a Facebook facial recognition [class action case].
Under Biden, will the FTC’s privacy agenda get more teeth?
Tene: The FTC only has effectively three commissioners, with Commissioner Rohit Chopra to chair the CFPB. Two commissioners will be appointed by President Biden and he might make the acting Chair [Rebecca Slaughter] the permanent chair. Once they’re in place, we can gauge what the commission might look like. Slaughter gave some [hint of] direction that she’d like to take the agency – she talks about more enforcement, including deleting the algorithm of facial recognition employed unjustly.
Using notifications to the public is something the FTC can do – a naming and shaming kind of thing. The market will punish companies. Focusing on ed tech is important for her and incredibly important for all of us with kids in system, learning remotely since last March. Fairness and equality, algorithmic discrimination, that’s her agenda for the new FTC.
Where might the U.S. be heading on issues like cross-border data flow?
One of first appointments th Biden administration made was an assistant secretary of commerce in charge of Privacy Shield negotiations. The administration is willing to expend capital to negotiate and work with the EU. There’s some eagerness in EU to solve the problems that came with Schrems II. I don’t think surveillance reform [at the heart of Schrems II] is doable in the U.S. right now. But the EU realizes it’s important to business, so it can be addressed top level. I don’t think many people in the privacy world were surprised by Schrems II. It was expected. What might have been surprising is how narrow a path the data protection agencies see for data flow.
And then there’s China and its relationship with privacy.
In respect to China there are a couple of major issues – including proposal of a draft China data protection law that might be debated and passed in the next People’s Congress. Raising great interest among lots of companies doing business with China is the China and U.S. tension over technological exports. On Huawei and infrastructure around the world, the U.S. has pushed back hard. It’s a battle with many fronts. The U.K. aborted Huawei and 5G after pressure from the U.S. And there was an executive order that tried to ban TikTok. Tensions are heightened and there will be casualties in technological and platform exports.
