Privacy, Compliance Management, Data Security

Lawmakers seek to end Big Tech’s ‘operating in the dark’ when it comes to privacy

US Capitol dome

Congress reaffirmed its commitment to crafting a federal data privacy law, setting its sights on big tech companies and data brokers harvesting, selling, and sharing consumer data without their knowledge and failing to properly secure it from unauthorized access.

The U.S. needs a national standard to change “the status quo regarding people’s data,” said House Energy & Commerce Committee Chair Rep. Cathy McMorris Rodgers, R-Wash., during the Innovation, Data, And Commerce Subcommittee Hearing on March 1.

The hope is to “rein in big tech” and give consumers greater control over their data. McMorris Rodgers stressed that a broad, comprehensive bill is required, as the current state is “unacceptable. Data brokers’ and Big Tech’s days of operating in the dark should be over.”

Congress made great strides on a bipartisan national privacy law ahead of the COVID-19 pandemic. Both Republicans and Democrats consistently agree that a law is needed given the challenges currently posed by the patchwork of state laws, but disagree on whether the standard would supersede state law with federal legislation.

In late 2019, the Senate Commerce Committee sought to figure out the best way to ensure consumers have more control over their personal information and to penalize companies that fail to protect user data.

The only agreement reached before the pandemic, however, was that if a federal privacy bill were to pass, it would need support from both sides of the aisle.

Healthcare stakeholder groups have long lobbied for a privacy law that would, at a minimum, protect health data generated by consumers and not covered by the Health Insurance Portability and Accountability Act, given the spate of privacy violations by these developers.

The FTC has ramped up use of its authority to fill the regulatory gaps, but during yesterday’s hearing, several members of Congress raised concerns over recent regulatory actions enacted by the agency.

Hinting at the letter sent to Amazon after its One Medical acquisition, Rep. Gus Bilirakis, R-Fla., stressed that companies “shouldn’t be subject to random or punitive letters in the mail, notifying them that certain practices could be unfair or deceptive.”

“It is essential that the FTC enforce the laws that we as a Congress enact and specifically authorize, but not go rogue beyond the rules of the road we provide,” said Bilirakis, adding that regulatory certainty is needed, but it “must be fair.”

The hearing saw testimony from former FTC privacy and security leader Jessica Rich, who’s currently the of counsel and senior policy advisor for consumer protection at Kelley Drye & Warren.

Citing limited authority, Rich stressed the FTC needs a federal privacy law and broader “authority from Congress to be a truly effective privacy enforcer.”

Without a comprehensive federal privacy law, the FTC’s privacy enforcement is limited to Section 5 of the FTC Act, she said, adding that the general purpose law was enacted long before the current state of digital innovation, which means “sometimes the legal tests simply don’t work for privacy.”

The law also lacks clear standards for companies and is “mostly reactive, allowing the FTC to challenge data practices afterwards," Rich said. As a result, the agency is working to “plug at least some of these holes by developing a privacy regulation.”

But the approach comes with a number of obstacles, including using up the agency’s limited resources.

“Without specific direction from Congress to develop a privacy rule, the FTC must rely on its rulemaking authority under the FTC Act, which is also called Magnuson-Moss rulemaking,” said Rich.

The concern is that the FTC could “unduly burden legitimate business activity.”

Bilirakis said he believed there must be a balance to prevent government overreach. However, the representative did not share specifics on these plans.

For Rich, a national data privacy law should empower the FTC, as well as state attorneys general. These agencies have been crucial in picking up the enforcement slack in lieu of a federal standard. The current state of privacy law, or lack thereof, is burdening these agencies, which are also limited in their scope.

While the committee did not find a solution, the members will hold another meeting to better shape possible legislation.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.