Marco Rubio Proposes New Federal Data Privacy Bill

U.S. Senator Marco Rubio (R-Fla.) introduced a bill on Wednesday designed to provide privacy legislation for the entire nation -- that is, federal law. It is based on the Privacy Act of 1974, which was introduced post-Watergate to protect people from government storage and retrieval of personal data. Rubio's American Data Dissemination Act (ADD) is designed to do the same, but is aimed at private industry's collection of personal data.

The key point in the bill is that responsibility is handed to the FTC, which must, within 180 days, submit detailed recommendations for privacy requirements that Congress can then impose. These recommendations must be substantially similar to the requirements of the 1974 Privacy Act. In a contribution to The Hill, Rubio explained, "We should use the non-partisan expertise from the agency of jurisdiction to ensure lawmakers make informed decisions to properly protect consumers."

If Congress fails to enact the FTC's recommendations within a further two years, the Act gives the FTC authority to issue a final rulemaking. So, within two-and-a-half years of this bill becoming law, there will be a federal privacy law for the people of America. Whether it is a strong law or a weak law will depend upon the FTC. The FTC's mandate is to prohibit "unfair or deceptive acts or practices in commerce"; but it interprets this as protection for both citizens and businesses.

There are two primary guidelines provided by Rubio. The first is to exempt start-ups. The idea is to promote competition. "Facebook, Apple, Amazon, Netflix, Google (FAANG) and others would welcome cumbersome regulations that prevent start-ups and smaller competitors from challenging the FAANG's current dominance," writes Rubio. Perhaps Microsoft should be added to FAANG.

The second is to give users the right to access and correct personal records that are not accurate, relevant, timely or complete as defined by the FTC, and a process for deletion of a record. It is not immediately apparent whether deletion can be applied to any record, or only those that are not accurate -- such details will come out in the FTC recommendations which will ultimately take precedence over the will of Congress.

Rubio's proposal is generally welcomed -- but with several riders. The first is that as a federal law, it will, through the Constitution's Supremacy Clause, take precedence over state laws. Consider the strong California Consumer Protection Act (CCPA) that will come into effect next year.

"Both bills seek to establish similar protections for consumers," explains Attila Tomaschek, digital privacy expert at BestVPN.com, "but California's bill is markedly more strict on businesses than Senator Rubio's proposal in that it gives 'personal data' an extremely broad definition, severely limiting what data can be collected and used freely by businesses with customers in California."

Companies like Facebook have customers both within and outside of California. These companies would be bound by the federal law and not the California law.

"Senator Rubio's proposed national privacy regulation is a step in the right direction," comments Anupam Sahai, VP of product management at Cavirin. "However, any law needs to provide real protection, along the lines of the EU GDPR or California's Consumer Privacy Act. One issue with the proposal is that it preempts state laws which may offer more comprehensive privacy guarantees. This is a step in the wrong direction."

The relevance of the 1974 act in 2018 is also questioned. "While we should celebrate our federal government's attention to this global challenge," Shahrokh Shahidzadeh, CEO at Acceptto, told SecurityWeek, "it is worth stressing that the Privacy Act of 1974 guardrails are not sufficient and may not be the right framework for two core reasons: firstly, the validity of exemptions in 2020 compared to 1974; and secondly, the reality that the boundary-perimeter of our world has changed significantly in the last four decades."

Shahidzadeh, like Sahai, believes a better framework would be Europe's GDPR -- and this raises a further point. American companies trading with Europe will have to comply with the Privacy Shield operating between the EU and the U.S. This in turn means that these companies will have to offer privacy comparable to GDPR.

However, during the six months in which the FTC develops its recommendations, it will be subject to extensive lobbying from FAANG. If the FTC proposals come out weaker than GDPR, then Privacy Shield (already criticized by many Europeans) will be rocked and perhaps even scrapped by Europe. The problem here is that the FTC's recommendations will inevitably be weaker than GDPR through the requirement to exempt small, new businesses.

Rubio fears that excessive regulation will inhibit new business -- and there is indeed great debate over this. In a paper published in November 2018, Jian Jia and Liad Wagman of the Illinois Institute of Technology and Ginger Zhe Jin of the University of Maryland show that European tech firms are receiving less venture funding than their U.S. counterparts; and this primarily applies to early-stage investments. Such companies "are particularly susceptible to a negative effect from GDPR," wrote the researchers.

However, this conclusion is questionable; there are other issues at play in Europe. The 'will she, won't she, and under what conditions' Brexit affair has caused considerable EU-wide economic uncertainty; and investors hate uncertainty. Furthermore, the European Venture Report produced by PitchBook and published in October 2018 notes that while overall European investment has dropped, the share of capital received by software firms is higher than ever. The question of whether strong legislation inhibits new business is moot.

Concerns over Rubio's proposal, including trade with Europe and precedence over state laws, aside, it is generally accepted that the U.S. needs a single federal law for all Americans -- just as GDPR is in effect a single federal law for all Europeans, taking precedence over any weaker (but not stronger) national laws. "Perhaps if Senator Rubio's bill would allow for individual States to enforce certain provisions, instead of overriding State privacy laws and affording all jurisdiction to the FTC, the bill would be more effective for both consumers and businesses alike," comments Tomaschek.

"With large scale data breaches occurring more commonly each year," concludes Timur Kovalev, chief technology officer at Untangle, "it is great to see a focus on data privacy with the recently proposed American Data Dissemination (ADD) Act. The ADD Act aims to create concrete rules on privacy for major commercial companies to follow within the United States. Currently, individual states are responsible for establishing their own privacy laws. The ADD Act would supersede state laws, even those states with stricter rules, which could make this Act difficult to pass. With Europe passing their own privacy rules with GDPR, data privacy is becoming a necessary conversation for governments all over the world. As hackers evolve their tactics and cybersecurity concerns continue to escalate, data privacy and consumer protection need to be top of mind for governments and businesses alike."

Related: State vs. Federal Privacy Laws: The Battle for Consumer Data Protection 

Related: Intel Asks for Comments on Draft Federal Privacy Law 

Related: California, Home of Silicon Valley, Ramps Up Online Privacy Law

Related: Battle Lines Forming Ahead of a Looming U.S. Privacy Law Fight

Related: Clear Scope for Conflict Between Privacy Laws

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.