Future of Privacy Forum Senior Fellow Peter Swire, CIPP/US, has been working in privacy’s legislative landscape since the late 1990s, when he served as chief counselor for privacy under President Bill Clinton. Today, he believes the U.S. is on the cusp of passing comprehensive federal privacy legislation.
“This new Congress has the best chance for comprehensive federal legislation that I’ve ever seen,” he said.
Swire and other members of the Future of Privacy Forum recently presented a look toward 2021, sharing their expectations on what the Biden administration, Federal Trade Commission and states will accomplish on privacy in the coming year.
Political landscape
Former Vice President Joe Biden’s election as president and Democratic control of the House suggests there is potential to see legislation similar to packages considered over the past year, particularly as the political parties narrowed in their differences on those proposals, Swire said. Sens. Roger Wicker, R-Miss., and Maria Cantwell, D-Wash., each proposed legislation — the American Framework to Ensure Data Access, Transparency, and Accountability Act and the Consumer Online Privacy Rights Act, respectively.
“Something like last year’s bills might have a chance because Republicans and Democrats have come to agreement on so many of the provisions,” he said. “If Congress wants to do something in the next two years, they can do it here on privacy. This is a rare bipartisan opportunity and so we could really see comprehensive privacy legislation pass in the new Congress.”
FPF CEO Jules Polonetsky, CIPP/US, noted that many Biden appointees or members of the transition team have been steeped in the legislative process around data protection.
“There’s not a huge learning curve. Folks who were involved in the Consumer Privacy Bill of Rights that Obama did or who were part of the negotiations around the Privacy Shield are prominent among the current or likely appointees,” he said. “So, although there is going to be a big deluge of competing issues, we seem to have likely a collection of people who are in a position to walk in and pick up from where things left off.”
In addition to political parties nearing consensus on federal legislation, the business industry has reasons to support it, as well, key among them is last summer's "Schrems II" decision and ongoing discussions with Europe on transborder data flows, Swire said.
“This situation is the biggest risk I’ve ever seen to data flows being cut off from Europe to the United States,” he said. “Passing a commercial privacy law would help the atmosphere considerably as negotiations go forward with Europe.”
State action will increase federal momentum
Legislative action in California is also an inspiration, Swire said. Companies have already taken steps to comply with the California Consumer Privacy Act, as new legislation, the California Privacy Rights Act, passed in November and could change requirements.
“With the fight in Europe and the possible new round of requirements from California, industry is looking to a federal law to help create some kind of a path to having ways to comply nationally with these issues,” Swire said.
It’s also worth pointing out, Polonetsky said, that parties have reached consensus on issues that were key points of debate years ago, like access, deletion and portability. Today, these components have been implemented within the CCPA and the EU General Data Protection Regulation, and they are in Democratic and Republican federal legislative proposals.
“So much peace has been made with what were for years table stake issues,” he said. “Not that there aren’t still complexities to work out, but it’s worth noting how things moved.”
While many states considering comprehensive privacy legislation paused discussions in light of COVID-19, FPF Senior Counsel Stacy Gray, CIPP/US, said when legislative sessions begin again privacy is expected “to come back in full force” and a lot of states are anticipated “to be considering complex privacy laws.”
Washington is expected to see a third iteration of the Washington Privacy Act. A version of the proposal narrowly failed in the House last year, but Gray said it might be more likely to pass following changes in the makeup of the House in November.
“If the WaPA passes that will likely influence other states interested in passing similar protections for their own residents and will also create another major, slightly different model from California and will significantly increase the momentum toward a federal privacy law,” she said.
Privacy movement internationally
Privacy will continue to be a focus in countries around the world in 2021, FPF Vice President of Policy John Verdi said.
China is expected to pass comprehensive legislation, “some might even say a GDPR-inspired law,” he said. India is “very close” to adopting “sweeping data protection reform which owes much to Europe’s GDPR.” In Canada, legislation has been tabled to update the country’s federal privacy legislation, the Personal Information and Electronic Documents Act, and Brazil has passed the General Data Protection Law.
“The largest markets in the world are moving toward comprehensive data protection laws based on various models, and I think it’s no surprise lawmakers on Capitol Hill are pursuing comprehensive privacy and data protection efforts,” Verdi said.
Photo by Kelly Sikkema on Unsplash