
Endpoint

4/23/2019 10:30 AM
Seth P. Berman
Commentary

Will the US Adopt a National Privacy Law?

Probably not before the 2020 election. But keep an eye on this Congress as legislators debate how to define personal data and what limits to place on how companies use it.

As we approach the one-year anniversary of Europe's General Data Protection Regulation (GDPR), Congress is again considering whether the United States should join Europe (and most major economies) by adopting some form of national data privacy and security regulation. In February, the House and Senate each held hearings on data privacy, and for the first time in years there appears to be at least some interest among the different stakeholders for national legislation.

Why Are We Talking About National Privacy Regulation Now?
Until recently, one major factor preventing a serious discussion about a national privacy law was the almost uniform opposition of Silicon Valley and the large tech companies. These companies were concerned that data privacy regulation would inhibit their ability to monetize the data they collect and prevent further innovation in the information sector.

Recently, however, the industry has started to rethink that view. As abuses of data by major tech companies have come to light, Silicon Valley leaders have come to fear that data privacy legislation may be inevitable and have moved from a posture of opposing all legislation to seeking to shape the new regime. At the same time, the nation's first state-level generally applicable data privacy law, the California Consumer Privacy Act (CCPA), is scheduled to take effect in 2020. Several other states have proposed similar data privacy laws, causing businesses to grapple with the fact that they may shortly need to comply with a patchwork of complicated and conflicting state-level regulations.

Consumer groups, meanwhile, have long wanted more stringent data privacy rules in the United States. Ironically, they recently have become less interested in a national standard because they worry that the large tech companies will shape national legislation to reduce the levels of protections now being granted or contemplated at the state level. Thus, one of the core issues that Congress will need to consider is whether any new national privacy legislation preempts state law — essentially wiping out any state-level protections (as the business lobbies desire), or if instead it sets a floor for the minimum amount of data protection allowed while still allowing states to create their own, more stringent protections (as advocated by consumer groups).

What Might Be in a US Privacy Law?
Though it is highly unlikely that Congress would model any US law after GDPR or even the CCPA, it is likely that the debate about such a law would force Congress to address some of the same issues. For example, GDPR defines a series of "rights" that individuals maintain in data about them, such as the right to know what data companies hold about them, to correct that data, and to erase it in certain circumstances. Though the United States is unlikely to elevate these kinds of protections to the level of "fundamental human rights" (as GDPR describes them), Congress will need to consider whether to grant individuals any power to determine how or when their data is used by companies. Similarly, the United States has so far avoided mandating general security standards and does not have a national data breach notification statute; instead, each state has its own such statute. A new privacy law might well include such a national standard.

Probably the two biggest challenges facing legislators considering a national privacy law are how to define personal data and what limits ought to be placed on how companies can use such data. The US has generally adopted a fairly narrow definition of personal data — including certain health information as well as Social Security numbers and key financial information, but excluding more general information about a person, such as their political, ethnic, or sexual identity. The tech industry would prefer a narrow definition so that it can continue to monetize the vast amounts of data it collects about activities and consumer preferences — such as reading habits, hobbies, friend groups, political affiliations, and even location data — without further regulation.

Consumer groups seek to broaden the definition of personal data to prevent the kinds of practices that led to the recent Facebook scandals. Similarly, consumer groups aim to set clear limits on when and how companies can use personal data. GDPR, for example, only allows the processing of personal data if the company has one of six enumerated legal bases for doing so. US law is unlikely to be quite so restrictive but will need to find some method of describing what companies are allowed to do (or at least what they are not allowed to do).

How Would a National Privacy Law Be Enforced?
Once the contours of the restrictions are determined, Congress will then need to determine how the new privacy law will be enforced. To date, regulation of data privacy and security issues has either fallen to special agencies enforcing industry-specific privacy regulations (such as Health and Human Services, which enforces HIPAA violations, or the bank regulators, which enforce Gramm-Leach-Bliley violations) or to other federal agencies using their preexisting regulatory authority. Thus, the Federal Trade Commission has brought privacy and security actions pursuant to its authority to promote consumer protection, and the Securities and Exchange Commission has brought enforcement actions against public companies pursuant to its regulatory authority over public companies.

A new federal privacy law would create a much clearer regulatory regime and potentially a new regulator to enforce it. More controversially, consumer groups would like to guarantee that any privacy regulation allows for an individual right of action, so that individuals can force companies to abide by privacy regulations even in the absence of government action. It is unlikely that a new national privacy law will be passed before the next election, but it is worth keeping an eye on this Congress, as it may begin to shape the future of privacy and security law in the United States.


Seth P. Berman leads Nutter's privacy and data security practice group. Corporations and their boards engage Seth to address the legal, technical, and strategic aspects of data privacy and cybersecurity risk, and to prepare for and respond to data breaches, hacking and other ...