In recognition of Data Privacy Day, the Cybersecurity Program at the R Street Institute and its coalition partners, the Cyber Project at Harvard’s Belfer Center and Resolute Strategic Services, brought together industry experts, policy professionals and thought leaders for a nuanced discussion on the future of federal privacy legislation in the United States.

The event featured keynotes by privacy advocates Sen. Ron Wyden (D-Ore.), who introduced the Mind Your Own Business Act, and Sen. Marsha Blackburn (R-Tenn.), who co-introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, along with a panel of experts consisting of Jessica L. Rich, Cameron F. Kerry and Dominique Shelton Leipzig. While there were many important topics explored, there are three key takeaways.

  1. A data security and privacy law is part of national security. 

The event highlighted the importance of a federal data security and privacy law to national security, and the costs of continuing without one. In his keynote speech, Sen. Wyden called for his fellow senators to direct energy toward legislation, stating, “There is no question in my mind [that] data privacy legislation needs to be at the top of the congressional to-do list on tech policy.” Moreover, Wyden highlighted how there are currently no legal restrictions for American data to be sold to foreign companies and governments.

R Street Institute’s Cybersecurity Policy Director Tatyana Bolton discussed how such national security implications encouraged the coalition to seek a way forward for legislation. Panelists added how these implications play out internationally, for example, with increasingly complicated cross-border data transfers. Leipzig argued that the Schrems II ruling should be a catalyst for consensus over federal legislation, adding that on the international stage, “we really are being left behind.” You can read more about R Street Institute’s take on Schrems II here.

  1. Stakeholders are increasingly ready to seek consensus, despite barriers to legislation. 

Agreement on legislation has stalled due to a range of issues, including the design of the law’s enforcement mechanism and how it should interact with existing and future laws. As coalition partner Cory Simpson highlighted, the coalition’s work has consequently focused on three broad questions: whether state privacy laws should be preempted by a federal one; how to shape and equip enforcement at the Federal Trade Commission (FTC); and whether or not to include a mechanism for individual redress—also known as a private right of action. He placed an emphasis on all three not being an all-or-nothing approach, but finding a middle ground. To craft a way forward, Lauren Zabierek discussed the coalition’s preliminary findings and recommendations, including what entities and kinds of data should be covered. Zabierek shared that to enforce legislation effectively, a regime needs an adequately resourced FTC—including a bureau dedicated to privacy enforcement, defined preemption for states and, if necessary, a limited private right of action.

Speakers discussed their own opinions on how to move forward on some of these questions. Sen. Blackburn–capitalizing on the importance of children’s privacy–called for a unified way forward. “If we’re not careful, we’ll end up with a patchwork of state regulations. The downside to this is twofold: first, not having a consistent standard will cause confusion. And second, every jurisdiction is going to have varying levels of sophistication and expertise behind their policies.”

While Rich stated that a private right of action could be less necessary in the face of a multi-faceted enforcement regime, she and Leipzig agreed that a national law will face difficulty if it is weaker than the strictest state privacy law. Kerry observed how even if things in Congress remain similar to 2020—when the Brookings Institution published “Bridging the gaps”—there is increasing will from non-governmental stakeholders to come to the table. In addition to these priorities, Leipzig highlighted the significance of civil rights in privacy. Kerry agreed but qualified that even if goodwill from industry stakeholders is there, there is not agreement on the details of anti-discrimination measures in data legislation quite yet.

  1. There are alternative ways for privacy legislation to move forward.

Although discussion normally surrounds a joint data privacy and security bill, the current landscape offers alternative paths. Panelists discussed the risks of privacy being addressed in a piecemeal fashion rather than an omnibus style, especially in light of privacy provisions in recent antitrust efforts in Congress. Rich questioned the privacy provisions of the antitrust legislation and Bolton mentioned her recent piece on the bill’s data security implications.

Another alternative raised by the panel is to focus exclusively on data security. Because privacy tends to be more contentious, focusing on data security could be a way forward. And this would be no small win, since as Rich stated: “…data security is so significant—it’s not a slice.” While the panel considered the possibility of a strict data security law, Kerry and Bolton both stated that they remain hopeful that a bill including both data security and data privacy will make it across the finish line. The fate of law, however, could also change if the congressional majority shifts in the upcoming midterm elections. But, as Kerry stated, discussing building on consensus and existing legislation, “the problem here is that the data world has changed so much, that there is a lot that has to be done that’s new.”

A recording of the full event is now available.

This event was part of R Street’s work to identify areas of consensus for, and provide analysis on, the current roadblocks to data security and privacy legislation. Full recommendations are forthcoming. If you are interested in a conversation to hear more on our research and to discuss your organization’s perspective on privacy and security legislation, please email [email protected]

Image credit: Song_about_summer