Many issues are top of mind for privacy professionals these days and the list continues to build. Those working out of the U.S. have their plates full with state privacy law compliance, data transfer conundrums and user privacy requests.
There are few things that can help unlock solutions to these mounting dilemmas, but federal privacy legislation in the U.S. continues to be touted as what will be as close to an all-encompassing remedy as there is. Those sentiments were laid out plainly from the keynote stage at Thursday's opening session of IAPP's Privacy. Security. Risk. 2021 in San Diego. Privacy leaders from a few of the largest U.S.-based Big Tech companies took part in a discussion with IAPP President and CEO J. Trevor Hughes, CIPP, that kept circling back to prospects of a federal privacy law.
The consensus among panelists was a law likely will not come to fruition until 2024, but they did acknowledge what legislation could do to alleviate current tensions around various activities associated with personal data use.
"I think it's going to be up to all of us as companies — and it will need to be a diverse set of companies — to talk to U.S. Congress and advocate around issues you're seeing as states implement statutes that conflict with each other," said Apple Chief Privacy Officer Jane Horvath, CIPP/G, CIPP/US, who joined Hughes, Microsoft Corporate Vice President & CPO Julie Brill, and Google CPO Keith Enright, CIPP/G, CIPP/US, for the keynote panel. "The other thing that is going to tip us a bit is the international piece. China has a law, India has a draft law, and it's not long until the U.S. is the odd man out."
Privacy and data protection are indeed global topics now, and Brill sees risks associated with being left out of the global conversation.
"When (the EU-U.S. Safe Harbor) went down, I spent a lot of time in Europe for the (U.S. Federal Trade Commission) explaining that we do have a robust system. It's complicated with both federal, state and sector laws, but it's robust," Brill said. "It's hard for the rest of the world to understand what it is. So if we want to be part of (Organisation for Economic Co-operation and Development), G-7 or G-20 conversations, or we want to have more adequacy agreements with the EU and elsewhere, it just makes the conversation, from policy and frankly politics perspectives, much easier. Then the U.S. can say 'Here's what we believe in.'"
Among the international matters of great importance that may be hampered by the U.S. privacy regime is the free flow of data between the EU and the U.S. Conversations are ongoing on both side of the Atlantic, with U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, noting at P.S.R. breakout session later Thursday that EU and U.S. officials are in more advanced stages on agreeing to a EU-U.S. Privacy Shield replacement.
Even still, Horvath sees the answer to the data flow dilemma in a federal privacy law more than anything else, saying "the way to settle a lot of this" is through legislation that gives the U.S. the ability to "be playing on the same level."
Congressional dialogue on privacy has recently ramped up again, but legislation has been a mere piece of those talks rather than the focus. These conversations come as many states attempted to pass comprehensive privacy legislation in 2021 — some with more success than others — and more are expected to come to the table when many state legislatures open up again in the early months of 2022.
According to Enright, state laws in lieu of one overarching federal standard won't do companies or consumers any good.
"We're anticipating more data protection laws that will probably not be consistent," Enright said, noting the idea of pre-emption was a favorable option. "It's not necessarily that we should be hyper-fixated on preserving the ability to have a simpler standard, but what we are after is uniform rule of law that will allow all companies, large and small, to understand what the compliance obligations actually are so they can proceed with confidence in their business."
Many believe frameworks for the California Consumer Privacy Act and the California Privacy Rights Act are the de facto national standards at this time given how many companies they cover. A question was raised by Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, in the second keynote panel on the influence CCPA and CPRA might have on potential state laws and a federal law.
For Golden Data Law Partner Lydia de la Torre, a California Privacy Protection Agency Board member, it is hard to consider those impacts while still trying to establish CPRA rulemaking, which she said will have a process similar to CCPA while adding some procedural steps, like board approval of the rules, before publishing.
What de la Torre did acknowledge was the fresh look CCPA and CPRA provide as far as legislating on privacy.
"We have had a model for data governance since the 1990s with the European model. This California move has created a different model that I think is compatible, but it comes with a different perspective," de la Torre said during her panel with Leipzig and California Supervising Deputy Attorney General Stacey Schesser, CIPP/US. This includes provisions that allow for the "opting out of data sales, for example, and now we're talking about other opt-outs with CPRA. It's my hope that those concepts carry over to other states and whatever happens at the federal level because … if it doesn't include that type of language it's going to result in detriment to the consumers with how they're going to be confused."
Schesser has hopes the privacy rights Californians now have can be extended to all individuals in the U.S. at some point, but she indicated federal legislation must go beyond the law she's helping to enforce.
"It needs to be the strongest version of any of these frameworks," Schesser said.
"I also think the best indication of what the future holds is based on the past. The states will continue to be very active in this space. … Until the federal government acts, states will continue to be very active in this space. I wouldn't be surprised if some other states have a law on the books by this time next year, and states continue to be very active around enforcement. Do not discount the role of state attorneys general in the privacy space."
If you want to comment on this post, you need to login.