News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Deja vu? The politics of privacy legislation during COVID-19 Related reading: Republican senators to introduce the COVID-19 Consumer Data Protection Act

rss_feed

""

While the COVID-19 outbreak has brought about numerous changes to our daily lives, it has not brought U.S. Congress any closer to bridging the partisan divide over the shape and scope of federal privacy legislation. Although both Democrats and Republicans in Congress have introduced privacy legislation related to the ongoing COVID-19 pandemic in recent weeks, lawmakers from either side of the aisle remain at odds over at least two key provisions: a private right of action and preemption of state law.

The same lack of agreement on these issues also brought about a halt to progress last year in passing a federal privacy law, efforts which had been met with enthusiasm by many privacy advocates and were also supported by a large majority of the public.

Ultimately, establishing baseline privacy protections at the federal level would be one way to alleviate growing distrust and fears throughout society about data misuse, which would encourage the adoption of contact tracing technologies that can play a role in mitigating the spread of coronavirus.

A familiar script

For those who have been following U.S. developments around privacy at the federal level, a familiar script is playing out with respect to the two recently introduced pieces of federal privacy legislation related to COVID-19.

It goes like this.

First, Republicans introduce a bill that would require consent to process sensitive data and protect various individual rights, such as rights to access, transparency and data security. Notably, this bill would preempt state laws that provide for stronger privacy protections and lack a private right of action, being solely enforced by the Federal Trade Commission and state attorneys general.

Then, Democrats introduce a bill that provides even stronger protection for individual rights and includes protections for a few more, such as the right to nondiscrimination. It also provides a more expansive definition of “sensitive data,” establishes a private right of action, and includes a non-preemption clause.

Lastly, these thorny issues and politically contentious differences remain unresolved, and efforts to enact a data privacy law at the federal level come to a halt.

Oh, and one more thing: California adds a pathbreaking privacy act to its November ballot.

For the most part, this series of events played out in November and December 2019, when Republicans in the Senate unveiled the Consumer Data Privacy Act, after which Democrats in the Senate introduced the Consumer Online Privacy Rights Act, and again earlier this month, when Senate Republicans introduced the COVID-19 Consumer Data Protection Act, followed by the introduction of the Public Health Emergency Privacy Act by Democrats in both the House and the Senate.

While close, Congress has not completely agreed about the scope and shape of a federal privacy law. The difference this time, however, is that the COVID-19 Consumer Data Protection Act may be rolled into a phase-four coronavirus recovery package, which means it has a real shot at passing.

Consensus and contention

In a previous white paper, I analyzed two pieces of federal privacy legislation introduced late last year, one sponsored by Democrats and one by Republicans. There were several points of agreement that were encouraging to privacy advocates who are pushing for more rights at the federal level. Areas of consensus included requiring consent to process sensitive data, transparency, data security and risk assessment obligations, as well as issues of corporate accountability, such as the designation of privacy and data security officers.

The two bills also overlapped to some degree in how they defined “sensitive data” and the level of protection they afforded to the individual rights to access, correction, deletion and data portability, albeit some nuanced differences could be found between the texts. For example, the Republican-backed bill was limited in how much protection is afforded to the exercise of individual rights, and it also included broader exceptions.

The most readily apparent differences between the bills, meanwhile, revolved around the preemption of state law and private right of action, as well as a couple of other issues, such as recognizing “harmful” data practices and establishing a new FTC bureau. While the Republican-backed bill contained broad preemption, the Democratic bill would have preserved state law and superseded it only in cases of direct conflict and when the state law provided weaker protection.

COVID-19 privacy bills

Like their 2019 counterparts, the recently introduced COVID-19 privacy bills from each party agree on several key principles, as detailed in a recent analysis by the Future of Privacy Forum. The agreement includes the requirement to obtain consent to process data, keep data collection to a minimum, and afford protection for individual rights, such as the right to correct inaccurate information.

These two bills differ, however, with respect to the scope of entities and data that would fall under their purview (the Democratic bill is broader in scope). Most consequential for their potential reconciliation, however, are the positions they take toward a private right of action, which the Electronic Privacy Information Center has described as one of the “basic elements of a comprehensive privacy law,” as well as the preemption of state law.

It is unclear what a negotiated, partial or limited private right of action or preemption would look like — or even if negotiated forms of these provisions would be politically feasible — but privacy legislation on Capitol Hill is unlikely to move forward before the parties’ positions on these two issues are reconciled.

Why more privacy protection is needed

At least part of the legislative intent behind the two COVID-19 bills is to alleviate privacy concerns that may inhibit people from using contact tracing apps that can mitigate the spread of coronavirus. This goal may be especially important given that public opinion in the U.S. toward the data collection practices of companies and government agencies has soured in recent years.

For example, according to a recent Pew Research survey, about 3 in 4 Americans say the data collection practices of companies and government bring them very little to no benefit at all. Indeed, by a ratio of 4 to 1, Americans say that the potential risks of data collection by companies outweigh the potential benefits.

These dour views seemed to have tainted public attitudes toward coronavirus mitigation efforts. Regarding the collection of cellphone location data to combat the spread of COVID-19, in particular, Americans are anything but optimistic. The majority (60%) say that such data collection will “not make much of a difference” in stopping the spread of the coronavirus, while 22% say that it will only “help a little.”

This skepticism is not merely held by fringe groups in society, and it does not imply that the U.S. public is misinformed. A Brookings Institution report about the use of contact tracing apps, written by Ashkan Soltani, a former chief technologist for the FTC, the University of Washington's Ryan Calo, and Professor of Biology Carl Bergstrom, concluded that “no clever technology — standing alone — is going to get us out of this unprecedented threat to health and economic stability.”

Complicating matters even further is the lack of trust most people have in large tech companies to keep their personal information private. Yet, as privacy scholar Paul Schwartz recently pointed out, “public use of these apps ultimately depends on the extent of trust in them.”

Thus, national efforts to combat coronavirus that rely on these data-collecting technologies will be hindered by the U.S. public’s absence of trust, which has continually eroded over the years by high-profile data breaches and scandals, such as Facebook-Cambridge Analytica.

What this relationship between trust and technology use makes clear is that, in an open and democratic society, the goals of protecting privacy and safeguarding public health are mutually reinforcing, not mutually exclusive.

Conclusion

As we continue to track legislative developments at the federal level in the wake of COVID-19, the most recent sequence of events bears a striking resemblance to events of the past year.

Yet, even in the midst of a pandemic, Congress remains divided on the scope and shape of privacy legislation to enact. As an analysis of the two most recent pieces of COVID-19 privacy legislation demonstrates, Democrats and Republicans remain divided over key issues, such as the private right of action and preemption of state law.

Perhaps the epitome for such a scenario is the character of Phil Connors, the weatherman portrayed by Bill Murray in the comedy film "Groundhog Day," who is forced to relive the same day over and over. After countless repetitions of Feb. 2, the protagonist finally manages to break the cycle by doing what is right and helping the townspeople of Punxsutawney, Pennsylvania, to solve their problems.

Let us hope that legislators in Congress can similarly break out of the current cycle by doing what is right for the public and put in place much-needed baseline privacy protections.

Photo by Maria Oswalt on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Müge Fazlioglu, CIPP/E, CIPP/US IAPP Staff Contributor
Tags
Government
Health Care
Telecommunications
U.S.
Big Data
Enforcement
Internet of Things
Location Privacy
Privacy Law
Privacy Opinion
Surveillance
Comments

If you want to comment on this post, you need to login.

Related Stories
Tracking the politics of US privacy legislation
Observers of the debate around the potential for a new federal data privacy law know that dozens of relevant bills have been introduced and debated in U.S. Congress over the past couple of legislative sessions. While they make for good reading and discussion material, do any of them have a realistic...
Read More queue Save This
Related Stories
Tags
Government
Health Care
Telecommunications
U.S.
Big Data
Enforcement
Internet of Things
Location Privacy
Privacy Law
Privacy Opinion
Surveillance
Recent Comments