Congress is considering a US federal privacy law. It’s been brewing for the last ten years and is getting closer. On July 20, 2022, the House Energy and Commerce Committee overwhelmingly voted (53-2) to advance the American Data Privacy and Protection Act (ADPPA), H.R. 8152, to the full House of Representatives. But there are still problems to navigate.
SecurityWeek talked to Mitzi Hill (a partner at law firm Taylor English Duma, and Adjunct Professor of Law at Emory University Law School), and Christina Montgomery (Chief Privacy Officer at IBM) to examine the merits and likelihood of a US federal privacy law.
Current state of privacy legislation in the US
The current state of privacy legislation is a patchwork. There are four state privacy laws. There are individual requirements within regulated verticals such as finance and healthcare. There’s the PCI DSS requirement for companies wishing to accept credit card payments. And there are international laws (primarily GDPR, but an increasing number of other international laws) that must be met on the global level.
“We have on the books four state laws, most of which take effect in 2023, one of which has been in effect for a couple of years,” explained Hill. “And we have one federal agency, the FTC, that in the absence of any explicit federal privacy legislation, has stepped in and said we think certain privacy issues are fair or unfair trade practices – and therefore we can enforce against them. So, we’ve got a mishmash, and it’s hard for companies to figure out what standards apply to them and what they can and cannot do with data they collect about people.”
Montgomery has a similar view. “Absent a national preemptive framework, with various states creating their own rules of the road, businesses will be expected to comply with a complex patchwork of laws. Additionally,” she added, “while protections for consumers don’t cross state lines, their online habits almost always do. Navigating this complex patchwork is confusing for businesses and consumers alike.”
The implication is clear: both business and consumers would benefit from a single, uniform privacy regulation across the whole nation. But is it possible?
Two clauses within the ADPPA (PDF) have been, and to some extent still are, the primary sticking points. These are the ‘private right of action’ and the ‘preemption’ clauses. Montgomery explained the business concern over the former.
“[The private right of action] gravely undermines the objectives of the overall bill,” she said. “Essentially, this provision would create a permanent state of uncertainty for consumers and businesses by driving more lawsuits based on technical infractions or where little recovery goes to consumers. Congress should instead support strong and consistent privacy enforcement by providing exclusive enforcement authority to the Federal Trade Commission and to state attorneys general.”
There is a side consideration here. The country may already be slowly moving toward accepting the private right of action regardless of ADPPA. A ruling on (Jennifer) Clemens v ExecuPharm Inc filed by the Court of Appeals at the beginning of September 2022, overturned an earlier District Court ruling that had dismissed Clemens’ action against ExecuPharm following theft of personal data and its exposure on the dark web.
The Court of Appeals ruled, “Given that intangible harms like the publication of personal information can qualify as concrete, and because plaintiffs cannot be forced to wait until they have sustained the threatened harm before they can sue, the risk of identity theft or fraud constitutes an injury-in-fact. Accordingly, we will vacate the judgment of the District Court on all counts…”
“It is an interesting turn from so much prior jurisprudence in the US,” commented Hill. “Our judges have not historically been terribly receptive to claims arising out of data breach, because the harms are so often seen as speculative.”
She added, “The impact of this, if the plaintiff ultimately can press a case, is profound. Having a federal circuit recognize that theft and publication of personal data can create a cognizable claim even without a statutory basis would be a massive shift for the US… In addition, the fact that this involves an employee claim against a former employer is very interesting: most of the data protection statutes we do have in the US starting in 2023 won’t cover employees. So, from that perspective as well as the merits, this is a case to watch.”
FTC enforcement, under the agency’s existing enforcement authorities, together with state attorneys general, is already part of the bill – and the FTC has signaled its willingness to accept the role of privacy enforcer. On July 11, 2022, it announced, “Now consider the unprecedented intrusion when these connected devices and technology companies collect that data, combine it, and sell or monetize it. This isn’t the stuff of dystopian fiction. It’s a question consumers are asking right now.”
It concluded, “The Commission is committed to using the full scope of its legal authorities to protect consumers’ privacy. We will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data. The FTC’s past enforcement actions provide a roadmap for firms seeking to comply with the law.”
ADPPA also gives the California Privacy Protection Agency authority to enforce ADPPA in the same way as it would enforce California’s state-level CCPA (and presumably CPRA from next year).
This is a nod toward concerns over the preemption clause. A preemption clause generally requires that a federal law will always override any state laws – and California is known to have concerns that its own privacy law will be weakened by a federal law.
The current state of the ADPPA bill has attempted to assuage such concerns, since it will expressly preserve 16 different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. Whether this will be enough to overcome preemption concerns is not yet clear.
Montgomery is still concerned. “As I said to the lawmakers I met in DC about this topic over the summer,” she told SecurityWeek, “the current ADPPA is not something we can support in its current form. Data is the backbone of our economy, and we need to ensure we are still able to provide and account for the critical data uses and transfers that consumers have come to expect and rely on – like ensuring credit card transactions happen smoothly, being able to make airlines reservations, and so on. Any ‘one size fits all’ approach is a concern.”
The European experience
The difficult balancing act for all privacy legislation is the need to reconcile personal privacy rights with international trade and business innovation requirements. There is an inevitable conflict between the two that can only be reconciled with considerable care. Here, the European experience may be helpful.
Europe is an informal federation of individual nations, where the constitution is based on current EU law and court decisions. The US is a formal federation of individual states underscored by a written constitution. Both blocs have a requirement to rationalize different preferences between the individual nations and the individual states within the limitations imposed by their respective constitutions.
An additional similarity can be drawn in the overall political make-up. While legislation is often in the hands of elected lawmakers who are close to the people (House of Representatives and the European Parliament), management of the law at bloc level is often down to appointed officials (the US Administration and the European Commission). Elected lawmakers have a great incentive to consider the people. Unelected officers are often more concerned with the economy at a national level.
This is where the conflict between people and economy is most visible – and Europe has failed to reconcile it. While the European Parliament’s implementation of GDPR is clear, the EC has struggled, and so far, failed, to maintain ‘legal’ transfer of personal data between the EU and the US. The EC developed first the Safe Harbor concept and then the Privacy Shield concept to allow EU to US data transfer. Both have been declared illegal by the European Court as conflicting with the wording of GDPR, and therefore the European constitution.
The US can solve the balancing act between people and economy by starting afresh – but it will be far from easy. In its favor, privacy is not a concept enshrined in the US constitution. And while privacy is almost baked into European DNA, it is not at that level in the US. US demand for personal privacy is growing, but is possibly more concerned with government oversight. If anything, it is business that is baked into the American DNA.
Montgomery is a strong advocate of finding the right balance. “We can, should, and must find ways to protect both. It’s essential that consumers’ privacy is protected and that consumers are given basic rights with respect to their data, including knowing what data is collected about them, what it will be used for, and have the right to access and correct that data. At the same time, we need privacy protections to work for the digital economy as well.”
She added, “We have advocated for policymakers to take a risk-based approach to regulation, balancing the harms and benefits associated with specific uses of personal data, and focusing on high-risk uses of personal data, rather than painting all data uses with the same broad brush. It is critical that regulations in the data privacy space protect consumers while also promoting the innovations that will benefit consumers, including privacy protecting innovations.”
Effect of the midterms
Discussing ADPPA today is conjecture. Right now, it has a greater threat to its progress: the US midterms. Progress has stalled, and the general belief is that lawmakers were more concerned about the midterm elections. Hill believes there will be little or no progress in the immediate future. “Having said that,” she added, “what we often see is a bill that doesn’t pass in one legislative session may get revived in the next one. So, depending on the amount of turnover in Congress, you may still have several champions who may be able to pick up the ball where it went out of bounds, and carry it forward from that point. That’s something that we won’t know until the midterms have happened.”
ADPPA has one advantage. It is surprisingly non-partisan. “I think you can probably read the news coverage of this federal bill and assume that things fall into partisan camps because of the pro-consumer versus pro-business lines of characterization that are given to the motives of various legislators.”
But she added, “I don’t know that privacy is really as much a partisan issue as some other things.” Furthermore, she continued, “It seems to me that in the last few years, the large government/small government distinction between what you could expect a conservative to support and what you could expect a liberal to support is not quite as clear as it used to be.”
In short, anticipation of the pending midterm elections wounded recent progress of a federal data privacy law; but only time will tell whether that wound is fatal.
The future for a federal privacy law is uncertain. Demand has certainly been growing – but the value is more for the smaller, more localized business with little international trade. Larger organizations already tend to focus on complying with a few of the major existing standards – such as CCPA (CPRA from next year), GDPR, and perhaps the NIST framework. Adequate conformance to these will almost certainly provide conformance to most other regulations – but smaller companies have difficulty with the complexity and cost of this approach.
With any delay in passing ADPPA, more states will produce their own laws. As this number grows, antipathy toward the preemption clause will intensify. “I think the prospects for this bill are dim,” comments Hill. “I think if many more years go by without a federal bill, the prospects get dimmer and dimmer, because the more states you have legislating privacy, the less need there is for a federal bill. It’s an interesting thing, ‘time’. But I also think more Americans are going to be thinking about privacy in the coming years than maybe have before. It’s going to be an interesting time.”