A new year now adorns our calendars, and 2021 is expected to have its fair share of developments that privacy professionals will monitor with anticipation.

One of the most notable events will take place Jan. 20. It's the day the Biden administration takes over in Washington and the Democrats take control of the U.S. Senate. The results from the 2020 elections may be the catalyst that ultimately pushes forward a federal U.S. privacy law, a goal that has bipartisan support on Capitol Hill.

The new Biden administration and political willingness from both sides of the aisle are the main reasons why privacy professionals from Twitter, Google and Amazon are optimistic a federal law will come in the years ahead.

Twitter Chief Privacy Officer Damien Kieran is "cautiously" optimistic a federal privacy law could be passed within the next two years. Kieran said national rules are long overdue, and while there are some hurdles to getting a law onto the books, he believes there are incentives for Congress to get it done.

Kieran cited fallout from the Court of Justice of the European Union's "Schrems II" ruling as one such incentive. A federal bill could help provide a path forward following the invalidation of the EU-U.S. Privacy Shield agreement.

"The challenges with cross-border movement likely increase the incentive on the federal government to act. I think the stars have been aligned for some time, but perhaps now as a new administration comes in we can see that change," Kieran said during the 2021 Consumer Electronics Show. "They can fix the cross-border issue on its own with an executive order, or they can try and do it as part of a federal law. I think the option is there on the table to try and do it as a federal law, and that would be my preference. I think there’s good reason to do it and I think there’s bipartisan alignment to get there." 

Google Chief Privacy Officer Keith Enright, CIPP/G, CIPP/US, shared Kieran's optimism over the prospects of a federal privacy law. He said discussions around an omnibus privacy law have changed greatly over the past 20 years. When the likelihood of federal rules was assessed, Enright said the safe, default answer was always "no." 

That is no longer the case.

In addition to bipartisan support, Enright said the passage of the California Consumer Privacy Act and the California Privacy Rights Act have also helped brighten Congressional prospects. 

"If history is any lesson, that is going to be a catalyst for a tremendous amount of state-level legislative activity across the next couple of years," said Enright. "That tends to dramatically increase the chances that we can develop the political will at the federal level to do something to create a uniform rule of law so that companies know what the rules of the road are, and individual users know what their rights and protections are."

Any conversation around federal privacy legislation in the U.S. always comes with a discussion of handling different state laws, which usually results in plenty of "patchwork" talk. The panel at the virtual CES was no different.

The common thread in those debates is the challenge of having to handle a swath of different requirements across the country. Enright sees it as an issue companies already face to a certain degree.

While privacy laws in California, Nevada and Maine have been in the spotlight, Enright said patchwork rules affect everyone right now, as virtually every state has legislation that has significant privacy consequences.

"The reality that we are all increasingly dealing with is data is driving everything, and therefore virtually any set of legal requirements are increasingly either being revised or reinterpreted to be legal requirements affecting the movement and governance of data," said Enright. "I would actual argue we are already dealing with quite a patchwork."

This is not a new reality for larger tech companies. Amazon Alexa Trust Director Anne Toth said global organizations have to navigate around more than 100 different national-level privacy laws around the globe. A federal privacy law may smooth things over between 50 different states, but the patchwork will not go away, as a law in the U.S. is not going to be a one-to-one match of other rules such as the EU General Data Protection Regulation.

Toth also said it is up to the tech companies to tread those waters and provide the best experience for their users.

"There’s absolutely been regulation at the city level and municipal level. When you start to add it all together, it is a patchwork quilt, and I think even if we do get an omnibus federal privacy law, it’s not going to be GDPR either," said Toth. "There’s always going to be differences and all of us here represent companies that operate at a global scale, so we’re dealing with a forever patchwork quilt, but we’re trying to minimize the differences and we’re trying to hopefully give all of our customers everywhere a fair shake and an equal amount of privacy protection."

Optimism continues to swell around the idea that the clock is ticking closer and closer to the day a federal privacy law becomes reality. 

But the impetus isn't just to end debates around state preemption and a private right of action. The existence of a federal U.S. privacy law has important ramifications for the future of the online ecosystem.

Enright said tech companies have to work to ensure any legislation passed provides as much clarity for organizations and citizens as possible. Kieran, on the other hand, believes a privacy law can help with far bigger issues, particularly as transborder data transfers and data localization continue to be hot button topics.

"I think this is where it’s actually incredibly important for the federal government to really understand about the international future of this because it ties back to the question of a divided internet," said Kieran. "If we get this wrong, you increase the chances for the balkanization of things. These laws need to be interoperable. If they’re not, the Schrems-Privacy Shield dilemma is only the tip of the iceberg in terms of localization of both services and data, and then the internet, and that’s not an outcome that any of us wants to see."

Photo by Bill Oxford on Unsplash