Recent years have been kind to privacy-enhancing technologies. And that might just be the beginning.
Laws such as the EU General Data Protection Regulation and California Consumer Privacy Act have made PETs necessary for organizations to stay on top of their compliance obligations. Due to the increased demand for the tools, investors also turned their eyes to the privacy tech market, investing hundreds of millions of dollars to bolster the development of the space.
Now U.S. lawmakers have decided to shine a spotlight on the research and development of PETs following the introduction of the Promoting Digital Privacy Technologies Act, a bipartisan piece of legislation brought forth by Sens. Catherine Cortez Masto, D-Nev., and Debra Fischer, R-Neb., and Reps. Anthony Gonzales, R-Ohio, and Haley Stevens, D-Mich.
"Any time a federal government bill validates a space by just saying, ‘This is, in fact, a space,’ it's huge for our industry," said Wirewheel CEO Justin Antonipillai, who also formerly served as acting under secretary at the U.S. Department of Commerce. "It validates that there is such a thing as (PET). And the way they defined it is a good first start and the fact that it identified certain things that are left open will enable agencies that understand this area quite well to include things that are going to be critical."
Under the proposed bill, the National Science Foundation and other federal agencies will support "merit-reviewed and competitively awarded research on (PETs)."
The agencies will assess and fund research into several categories of PETs, specifically on tools that support "deidentification, pseudonymization, anonymization, or obfuscation of personal data" and "research on algorithms and other similar mathematical tools used to protect individual privacy when collecting, storing, sharing, or aggregating data" as areas of focus.
Additionally, the National Institute of Standards and Technology would work with private, public and academic stakeholders to develop "voluntary, consensus-based resources" to help increase the integration of PETs by the public and private sectors.
The involvement of NIST and the NSF has caught the attention of privacy professionals, who believe their inclusion, as well as the existence of the bill itself, has brought recognition to the PET space.
Antonipillai was heartened to see the NSF given the opportunity to lead the charge in accelerating the development of PET. He added it showed lawmakers understood the complexity of the privacy-technology landscape.
Fox Rothschild Partner and Chair of GDPR Compliance and International Privacy Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP, shared similar sentiments about NIST lending its credibility to the efforts. Kagan said privacy professionals can point to the participation of the federal agencies should they wish to persuade their organizations to help develop the standards outlined in the law.
"With NIST, by creating standards that apply uniformly to the country, it makes it a little bit easier for privacy professionals and anyone involved to understand and apply them so that you know what you have to do or don’t do," Kagan said. "If you are a champion for privacy within your organization, I would think it would be an easier sell to executives and the C-suite, telling them that this is something that NIST and the government are involved with and they are looking for participation in the private sector."
The bill is broken down into six sections, and industry observers believe there is room to either flesh out, adjust or add new areas as the process moves forward. For example, personal data is defined under the bill as "information that identifies, is linked, or is reasonably linkable to, an individual or a consumer device, including derived data."
Kagan said this definition lines up with how personal data is defined in the CCPA and other privacy laws, though this poses a potential challenge for privacy professionals, as it creates a broad spectrum for what constitutes personal data.
Microsoft Principal Corporate Counsel and Digital Crimes Unit Lead for the Americas Victoria Beckman shared a similar sentiment.
"I do think (the definition) is very broad and could give a lot of room for how to interpret it, but I do think because of the evolution of privacy laws in general, from the GDPR to the CCPA and all the copy cats that have come afterward, that the trend is to define everything under the sun that somehow relates to an individual as personal data," Beckman said. "It’s not surprising, but I definitely think it could be a little bit less vague. It also includes derived data, but it doesn’t explain what that means."
While the bill is in an early stage, Kagan said she would like to see future iterations address how it will interplay with laws such as the California Privacy Rights Act, Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.
"What’s missing for me is, even as a general statement, how does this interact with privacy legislation?" Kagan said. "How does the interplay work? One of the big issues with implementing (PETs) is that they, to a great extent, do not resolve or sometimes even clash with existing data protection regulation, like the GDPR and CCPA."
Bipartisan support for the bill has brought a sense of optimism about its future, including among those on Capitol Hill.
"We really appreciate working with Rep. Gonzales, who has been a great partner on the science committee and with widespread technology issues in general," a spokesperson for Rep. Stevens told The Privacy Advisor. "I think getting buy-in, especially around an issue as sensitive as privacy is really important to make sure we have the trust of the American people."
While there have been efforts to get a federal privacy law off the ground, partisan differences still need to be addressed. The parties agree the country needs national legislation but still differ in several areas, namely state preemption and a private right of action.
Those differences are not expected to play a part with the Promoting Digital Privacy Technologies Act. Antonipillai said the proposed tech bill is far less controversial than the dialogue around federal privacy rules, giving it a better chance at going the distance.
It's a common viewpoint among those in the industry.
"This bill is not necessarily controversial or something that will go by party lines because there are no issues of enforcement or preemptions of state laws which are normally the roadblocks for other privacy-related bills," Beckman said. "It’s a pretty vanilla bill in terms of what they are proposing, which is to research and create standards, and I think having both parties on board will just make it more likely to be fast-tracked and approved."
The bill is in its early days, but if all goes well, the sentiment seems to be that it has a good opportunity to become law. Should it do so, would it possibly jumpstart talks on a federal law?
The consensus seems to be no, at least not with the bill on its own. Beckman said the results of the bill, such as a boon to privacy tech research, could help move the dialogue forward on a federal level, adding, "any conversation where privacy, research and weighing the benefits of (PETs) will be part of the basis to build a federal privacy bill."
Anonos CEO and General Counsel Gary LaFever believes it would be a missed opportunity if the proposed bill doesn't move the needle on a federal privacy law.
LaFever sees the tech bill not only as an opportunity to balance privacy rights and innovation and influence future privacy laws, but also as a chance for the U.S. to take a step forward in the international data protection community and restore its reputation around the world.
"It would color federal, state and even the international application of laws in a way that puts the U.S. where it was back when we helped create the Fair Information Practicing Principles," LaFever said.
"The U.S. came up with some of the very early privacy standards, but we are lagging behind now. I think this could help propel us forward by driving the innovation with a principled protection approach, and I would like to think it could color a federal data privacy act, as well as how global companies can interoperate in a way that still enables them to use data. I really think that’s at risk without something like this."