Jacqueline Klosek and Andrew Lurie

Now that the Democratic Party has control of Congress after 12 years of Republican rule, everyone from gonzo pundits to armchair politicians is predicting big changes in the next two years. While it is likely that the new Congress will spend a considerable portion of its time debating the Iraq war, the proposed minimum wage and other high-profile issues, privacy is expected to be among the issues Congress confronts. The recent transitions in power have led privacy experts to expect that the new Congress will push through at least a few new measures designed to stabilize the privacy landscape.

Recent Trends in Privacy
After years of scale-backs of personal privacy rights, especially in the aftermath of 9/11, the outgoing 109th Congress did make some progress in certain aspects of privacy regulation. Toward the end of 2006, just before it adjourned, Congress passed a few measures of interest to those in the privacy realm. In the waning days of the session, the House and Senate each passed measures that were intended to address the problems of obtaining telephone records through the use of pretexting. On Jan. 12, 2007, President Bush signed into law the "Telephone Records and Privacy Protection Act of 2006." The new legislation establishes criminal penalties for the fraudulent or unauthorized acquisition or disclosure of confidential phone records information. In addition, during its final week in Washington, the 109th Congress passed the US SAFE WEB Act, a law designed to enable the Federal Trade Commission to better protect consumers from spam, spyware and Internet fraud on a global scale.

Overview of Significant Changes in the Legislature
Except for a brief period in 2001-2002 when the Democrats narrowly held sway over the Senate, the Republicans have maintained control of both houses of the legislature since 1994. The recently departed 109th Congress continued this trend, with 55 Republicans, 44 Democrats and one Independent in the U.S. Senate. The House was composed of 230 Republicans, 202 Democrats and one Independent. After the swearing in of the 110th U.S. Congress on Jan. 4, 2007, the House now is made up of 233 Democrats and 202 Republicans, while the Senate is split between 49 Democrats and 49 Republicans, with two Independents who plan to caucus with the Democrats, giving the Democrats a slight edge.

The abrupt switch in party leadership in both houses of the legislature has pundits predicting that the First Session of the new Congress will witness a swing to the political left, and the ripple effects could lead to a newfound focus on privacy rights. The new Democratically dominated political arena will likely be more receptive to privacy concerns, and privacy advocates, such as Sens. Dianne Feinstein, D-Calif., and Patrick Leahy, D-Vt., and U.S. Rep. Ed Markey, D-Mass., will be emboldened and empowered to push forward their mandates with a new sense of vigor. Leahy has been particularly critical of various acts of the current administration that he views as invasive to individual privacy rights, including wiretapping and compiling of databases regarding consumers. Leahy already has been publicly advocating changes in these measures. Significantly, Leahy was recently selected to oversee the Senate Judiciary Committee, which presides over the writing of laws on topics ranging from criminal justice and wiretapping to intellectual property. The Committee's first hearing last month centered on the administration's data mining efforts, which sent a clear message about Leahy's priorities.

Data Security Breaches
One area of particular interest to federal lawmakers is the issue of what organizations should be required to do in the event of a data security breach. As a result of the numerous highly publicized security breaches that occurred during 2006, the majority of states have already enacted legislation that compels entities to notify their residents in the event of certain types of data breaches. Most of these measures have been modeled after California's ground-breaking law. However, Congress was unable in 2006 to reach consensus on how to protect individuals from the effects of data security breaches.

With the beginning of the current congressional session, there already has been some movement on the issue in the Senate. On January 10th, Feinstein reintroduced a bill aimed at protecting individuals from identity theft by requiring federal agencies and businesses to notify consumers in the event of a data breach. The proposed measure, entitled the "Notification of Risk to Personal Data Act" (S. 239), had been introduced in the 109th Congress but was not passed. The measure, if passed, would preempt the numerous state security breach notification laws and provide for uniform federal protection in the event of a data security breach.

Collection and Use of Information by the Government
Leading Democratic Party members have called for a formal investigation into the myriad data mining activities that the government has undertaken - almost always under the guise of national security - in the past few years. While much of the concern about these issues has centered around the government's use of new technology, such as retinal scans and tracking systems, very recently, the concerns shifted to familiar territory, after, in connection with a Postal Service reform bill signing statement, President Bush claimed the right to open domestic mail in exigent circumstances, such as national security reasons. A bipartisan group of senators is seeking a resolution reaffirming that the privacy of the U.S. mail will be protected.

Regulation of Data Brokers
Data brokers also may be the subject of much focus in 2007. After the ChoicePoint breach in early 2006, the recently departed Congress took a long look at data brokers last year but was unable to push any of the proposed measures through to passage. For his part, Leahy has spoken out on the issue, asserting that the increasing proliferation of data brokers and the burgeoning market for collecting and selling personal information is a particularly troublesome topic. In the opening days of 2007, Leahy has assured privacy advocates that he will push again for legislation that establishes stronger penalties designed to deter identity theft and requires companies to notify individuals when their information has been compromised.

Social Networking Sites
It is also expected that social networking sites will garner some attention in 2007. In early December 2006, Sens. Charles E. Schumer, D-N.Y., and John McCain, R-Ariz., issued a joint press release to announce that they planned to introduce a bill that would require registered sex offenders to submit their active email addresses to local law enforcement organizations. It is anticipated that such a measure would help to protect users, especially older children and teens, of social networking sites like the popular MySpace.com from registered sex offenders. The legislation would enable these social networking sites to cross-check new members against a database of registered sex offenders and block predators from signing up for the service. Under the proposed measure, registered sex offenders would be required to provide an email address to their probation or parole officers and keep such officers apprised of any changes to such email address. Any sex offender submitting a fraudulent email address in an attempt to circumvent the law would face criminal penalties, including possible imprisonment, and any offender caught using an unregistered email address would automatically be in violation of probation or parole terms and face a return to prison.

Use of Social Security Numbers
Legislative action is likely around protecting Social Security numbers (SSNs). Given the immensely valuable nature of SSNs and their status as a sought-after target in identity theft operations, much thought already has been given to this issue at the state level. The result of this deliberation has been a slew of differing requirements and considerable compliance challenges for companies operating in more than one state. A federal measure would guarantee a minimum level of protection for all individuals, regardless of their state of residence. In addition, if a federal measure passes that includes a preemption provision, it would provide businesses with a more harmonized and less complex framework with which they could more easily comply.

There already has been some activity in this area in the Senate. In early January, Feinstein introduced the "Social Security Number Misuse Prevention Act" (S. 238). The proposed measure, which is a reintroduction of a measure that failed to pass last term, would bar the sale or public display of an SSN without an individual's consent. The primary target of the proposed measure would be governmental agencies. The bill would prohibit federal, state and local government agencies from displaying SSNs on public records posted on the Internet or available to the public on CD-ROMs or other electronic media. It also would prohibit government agencies from printing SSNs on checks. While directed mainly at governmental authorities, the measure also would place limitations on the circumstances under which businesses can lawfully request SSNs from their customers.

The First Days of 2007 - Stay Tuned
Early indications suggest that privacy laws will be a hot topic in 2007. When the First Session of the 110th Congress began on Jan. 4, 12 privacy- and security-related bills were introduced on the first day. While it remains too soon to accurately predict what will occur with respect to privacy rights in 2007, the recent political shift has given privacy advocates reason to believe that significant changes are in the works.

The authors are attorneys with Goodwin Procter LLP in New York. They may be reached for comment at

