From the COVID-19 pandemic and related privacy challenges, to the move toward federal privacy legislation amid continued regulatory progress at the state level, to ever-emerging technologies and more, there’s no shortage of issues in the privacy world.

As the Electronic Privacy Information Center’s newly appointed executive director, Alan Butler is diving into the organization’s global work as a public interest research center focused on emerging data protection and civil liberties issues. Butler, who first joined EPIC in 2011 and most recently served as general counsel, took over as interim executive director in April 2020. The organization’s board of directors recently announced his appointment following a six-month international search.

Butler is “thrilled” to begin a new chapter in EPIC’s history in a time of such “rapid technological and social change” when he said the organization’s mission has never been more important.

Alan Butler, Electronic Privacy Information Center executive director

“I was really honored by the opportunity from the board to take on the leadership role to help us think about what are the most cutting-edge issues that we want to be working on today, how can we set up our staff, our projects, to tackle the issues that we’ll see tomorrow,” he said. “It’s really exciting to go from working in the nitty-gritty of projects to helping lead the staff to think critically through what those issues will be and how we can really advance the cause.”

Key among those issues, Butler said, is advocating for a comprehensive baseline privacy law in the U.S. and a data protection agency to ensure that the law is fully enforced.

EPIC has been closely tracking the progress of state privacy laws, Butler said, including the California Privacy Rights Act and most recently passage of Virginia’s Consumer Data Protection Act. It's also is in the process of updating its “Grading on a Curve” report, which reviews recent privacy law developments, identifies key characteristics of legislation and assesses pending proposals, to reflect the most recent advances. The organization is also connecting with coalitions and constituency groups to work through the strategies and substance behind legislative proposals.

While there are many priorities on the minds of lawmakers, Butler said he does think federal privacy legislation is a “near-term priority for a lot of folks on the Hill.”

“I do think it will be revisited in this session,” he said, “especially because one of the most interesting things about privacy as a legislative issue is it has been one of those areas where there is bipartisan interest. We’ve seen bills across the political spectrum. We may reach a point in the current Congress where other issues that are a bit more polarizing can’t move and there may actually be an instinct to look toward what issues can.”

Sticking points in the conversation around federal privacy legislation have, of course, been over private right of action and preemption. EPIC argues it’s not “reasonable or viable” to have federal legislation that preempts state privacy laws but advocates for a federal baseline that gives states, which Butler said might be in the best position to address emerging privacy issues, the flexibility to implement legislation.

“We shouldn’t have to wait for federal action, where, check the calendar, we’ve been waiting for federal action on privacy regulation for 20-plus years, and it hasn’t come. The states are a really important tool,” he said, adding they could “in many ways, drive the demand for a comprehensive federal system.”

The COVID-19 pandemic and issues it has raised throughout work, school and health environments has brought to light the need for a comprehensive set of rules and potentially “a real robust updating of some of the rules we already have,” Butler said. The pandemic has also brought attention to the intersection between public health response and data protection, with a need to ensure response systems are designed and deployed in a way that preserves privacy, he said.

“What we’ve seen now more broadly is there is, one, a development of technologies and systems in the private sector, in many cases, divorced from any direct regulatory regimes that I think probably demands more attention from federal and state regulators and potentially legislative response, though we do think it’s more important to do comprehensive rather than piecemeal legislation on most of these issues,” he said. “In the workplace setting, in the educational context, and even in the health adjacent context, we’ve seen a lot of technologies and systems emerge and be introduced this year that pose significant privacy risks and challenges and there needs to be a continued and aggressive response to that.”

Other emerging privacy issues on EPIC’s agenda include protecting sensitive location data, ensuring that privacy regimes work in tandem with fundamental rights, and establishing redress mechanisms for victims of data misuse and abuse, Butler said.

“There’s so much to do and our field has grown enormously. We’ve been around for more than 25 years, and the scope of what we work on expands almost exponentially every year. We always have to think about short-term priorities, but keep in mind the importance of our long-term goals,” he said. “There’s so much to do, and we hope we can make a real contribution to these areas. That’s what we strive to do every day.”

Photo by Iñaki del Olmo on Unsplash