Congress is likely to embark on an ambitious effort to pass a broad new data privacy law in 2019.
Tech companies are pressuring lawmakers to pass a bill to counter the European Union’s strict General Data Protection Regulation and California’s tough new privacy law. That push, combined with a wave of high-profile data breaches involving Marriott International Inc., Facebook Inc., Alphabet Inc.'s Google, and other companies, have lawmakers actively weighing legislation.
“There is increasing demand from individual consumers and businesses—large and small—for strong, enforceable federal data breach and federal privacy laws,” Aaron Cooper, vice president of global policy at BSA|The Software Alliance, said. Software companies, like Microsoft Corp. and Apple Inc., agree with calls for privacy legislation and are “hopeful that this will be a priority for the next Congress,” Cooper said.
Senators from both parties, including Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), Richard Blumenthal (D-Conn.), and Brian Schatz (D-Hawaii), have said that they will focus on privacy legislation. The lawmakers want to rein in tech companies’ data collection practices and give consumers clearer control over their data.
Lawmakers don’t want to limit tech innovation and will likely balance privacy and business interests, tech policy strategists said.
Despite the momentum, there are some significant potential obstacles. Democrats and Republicans disagree about whether to pre-empt state regulations, such as the ones mandated under the new California law.
Another major question is whether to give the Federal Trade Commission more tools to police data privacy. Schatz and other Democrats want the FTC to act as the lead data protection authority, while allowing states to enforce their own laws. Republicans may be willing to give the FTC some limited new rulemaking authority for specific privacy harms, but are unlikely to support broad civil penalty and enforcement powers for the agency, strategists said.
A comprehensive law with “clear obligations for how companies handle personal data is crucial for consumers, business and the U.S. economy,” Julie Sweet, CEO of Accenture and chair of the Business Roundtable’s Technology Committee, said in an email. The Business Roundtable represents the CEOs of 200 leading companies including Apple Inc., 3M Corp., and Cisco Systems Inc.
Several lawmakers from both parties have already begun working on legislation.
Likely incoming Senate Commerce, Science and Transportation Committee Chairman Wicker has been working with Sens. Blumenthal, Moran, and Schatz on a bill. Other committee members, including Sens. John Thune (R-S.D.), Ed Markey (D-Mass.), and Amy Klobuchar (D-Minn.), and Rep. Marsha Blackburn (R-Tenn.), are also involved in the legislative effort.
Wicker said in an emailed statement that he is committed to working on privacy legislation in 2019 and open to hearing other legislative proposals.
The Senate has already held hearings on regulating data collection and brought in companies such as Equifax Inc. after massive data breaches. But they’ll have to reach a deal on pre-emption and enforcement concerns to pass a bill.
Rep. Jerrold Nadler (D-N.Y.) who will chair the House Judiciary Committee and Frank Pallone (D-N.J.), who will lead the House Energy and Commerce Committee, will steer the House effort. Both lawmakers have said privacy is an important issue and they are likely to advance legislation.
The scope of consumer privacy protections, and how much a bill would pre-empt state privacy laws, will be major questions, Jerome said.
House Democrats may want more comprehensive privacy protections for consumers than the Senate, and may want to provide the FTC more privacy enforcement powers.
“A significant issue is whether any bipartisan bill coming out of the Senate can be reconciled with what will likely be a more aggressive pro-privacy bill coming out of the Democratically-controlled House,” said Chan Park, a privacy principal at Monument Policy Group.
Past efforts to write broad privacy law haven’t succeeded in part because of congressional committee jurisdiction issues, tech policy strategists said.
National data breach notification laws have failed since 2002 because lawmakers on committees overseeing the health and financial sector have sought carve-outs for those already regulated sectors, tech policy pros said.
But the biggest roadblock to legislation in the past—private sector opposition—has been melting away since Europe and California acted. That’s increased the chances that a broad U.S. data privacy measure will be signed into law.