It's becoming more and more common to stumble upon an IAPP member out in the working world. However, one wouldn't expect a U.S. state legislature to be one of the spots playing home to a certified privacy professional.
State Rep. Domingo DeGrazia, D-Ariz., CIPP/US, earned his certification well before he was elected to the Arizona House in 2019. Prior to becoming a lawmaker, DeGrazia ran his own data privacy-focused law office, DeGrazia Law Firm.
DeGrazia is one of many state lawmakers who took the lead on trying to pass comprehensive state privacy legislation in 2021. His bill, House Bill 2865, did not make it out of its initial House committee assignment for the second time in three years.
In this Member Spotlight, DeGrazia gives IAPP Staff Writer Joe Duball the scoop on the perceived stumbling blocks with his bill and whether it's coming back for the 2022 session, while also discussing the value of collaborating on privacy with lawmakers from other states.
The Privacy Advisor: We'll get to how your privacy background fits into politics, but first, talk about what compelled you to choose a legal career path focused on data privacy.
DeGrazia: There's a thread through my life of consumer protection that builds through the areas of safety. In college I came up through aerospace, combining aviation safety, airport management and operations, so really working on being ahead of scenarios to prevent future harms by building good programs at the beginning. But I've also always been involved in technology with computers and mechanicals too. Those ideas came together when I was in law school and began looking at protecting clients on the data privacy front. Just really trying to be in front of the technology enough to give folks an idea of what's happening with their information and how they can be protected.
The Privacy Advisor: Without doing a deep dive into the archives, you might be the first IAPP certification holder to serve as a state legislator. How was the certification process for you? How helpful has it proven to be in your legislative role?
DeGrazia: The CIPP study and exam were not easy. That exam makes sure you know the content, but also the exceptions to it so you can weed your way through. Where that really came into play for me was when I got elected and first dropped my data privacy bill. Those components were huge for kind of knowing the history of data privacy, like 1914 forward through (Federal Information Processing Standards) — so we know what sensitive data is, how it's been used and how it can be used in negative ways — and (the EU General Data Protection Regulation). It helped me to know the subject matter thoroughly and speak intelligently about it. Quite frankly, I think a lot of folks are surprised to see a state legislator be able to talk about all the ins and outs while being able to have a productive conversation on where the policy should go. It really is a hurdle to try and get some of my colleagues who aren't aware really trained up and educated. I had a colleague a few months back hold up her phone during a floor speech and say, "I think I'm being tracked like this and there's nothing I can do." I just sit there thinking about how we've worked together for three years now and I've been dropping these privacy bills for three years, but they still just don't have a basis for it.
The Privacy Advisor: So you've pitched a data privacy bill in three consecutive sessions without gaining any traction or momentum toward passage. Instead of telling us why the bill is important, what do you consider the biggest hurdles to getting support for this bill at this point?
DeGrazia: It's a great question and the answer lies in the making of the sausage as far as laws go. We have our conceptualization of what good policy is and then you have the world of politics. The reality is that I am a Democrat and it's increasingly unlikely any Democrat is going to get a bill passed in Arizona. It's been that way the last three years. I was lucky to get my bill into a Technology Committee hearing and get it passed out. The first two years it got hung up in the rules committee. But Arizona is a very business-friendly state. I had the support of Microsoft and Apple while there were some other Big Tech companies I didn't have support from. So there's really just this constellation of factors between what legislators don't know and then some entities also telling them the bill needs to die. So the policy points can be massaged, with thresholds and definitions being able to move here or there, but getting down to the bare politics of it, some stuff just isn't ready to pass without a huge amount of support.
The Privacy Advisor: Arizona's 2022 legislative session will be the last in your current term. As you make one more pitch for a state privacy law, are there any big changes coming to the bill that you and stakeholders have been working on since the end of the 2021 session?
DeGrazia: The stakeholder meetings are ongoing, and I've always been open to changes that will make the bill better. There's nothing major on the table yet, but the first day to drop bills for 2022 is Nov. 15. The two provisions you'll see a lot of talk around will be the private right of action and the role the Arizona attorney general will have in enforcement from the standpoints of budget, staffing and general engagement. Overall though, I think a good bill is one that makes everyone kind of cranky because no one is getting exactly what they want. Now with these kinds of bills, and we saw it in Washington State, you get push back from both sides as far as advocates and business community coming at you. They each want to change it or kill it for different reasons, which has always been fascinating to me. When it comes to changes that are requested, my guiding star as a legislator is doing what it takes to protect constituents. With that goal in mind, what the business community wants doesn't concern me that much because they can hire lobbyists to advocate for their position. I want to protect the people that can't protect themselves.
The Privacy Advisor: It may have been a constant all along, but many of us in the privacy space are just coming around to the fact that lawmakers in different states do in fact discuss their bills with each other. You've partaken in such networking and outreach. How valuable have these discussions and collaborations been?
DeGrazia: The concept of unification is one of the bigger parts of making (state privacy law) work. A majority of Arizona businesses don't operate in a vacuum. The design for a law has to interlock with Washington state, California and others, while also being something businesses can relatively navigate and get into. It all has to work together, which leads to talking with colleagues from other states. We're getting our definitions lined up to be easily understandable across the board and making sure provisions work from one state to the next so there's not an onus on businesses. If we're making somewhat unified laws across the U.S., the potential outcome is the federal government picking things up and giving us one umbrella to play under. In the absence of Congress being able to get out of its own way, we're left to take care of that work ourselves and being able to turn to fellow lawmakers is just so crucial to getting this right.
Photo by Keagan Henman on Unsplash