Readout from a Congressional Data Privacy and Security Briefing
On Sept. 21, 2022, R Street’s Cyber team, in partnership with Public Knowledge and The Leadership Conference on Civil and Human Rights, hosted a briefing geared toward Hill staffers on data privacy and security legislation. The briefing focused on the American Data Privacy and Protection Act (ADPPA), which was released by the House Energy and Commerce Committee in July by a 53-2 vote. We sought to provide an overview on the legislation, explore specific aspects and highlight the broader need for action.
House Energy and Commerce Chairman Rep. Frank Pallone (D-N.J.), one of the main sponsors of the ADPPA, opened the program with introductory remarks. He emphasized several provisions in the bill, including additional protections for consumers and children. He also highlighted the legislation’s bipartisan backing and movement on key areas that have been obstacles in the past.
The briefing featured a panel of diverse experts, including Brandon Pugh of the R Street Institute, Paul Lekas of the Software & Information Industry Association (SIIA), Sara Collins of Public Knowledge and Yosef Getachew of Common Cause. The panel was moderated by Lauren Zabierek of the Harvard Kennedy School’s Belfer Center, who helped lead an earlier effort at reaching consensus on privacy legislation.
Highlights are shared below.
Reasons to Support the ADPPA
Each panelist began by sharing reasons their organization supports the ADPPA and highlighting the need for data privacy and security legislation more broadly. While there was some overlap, each speaker raised a different aspect. These reasons included ensuring the United States remains competitive on the global stage; providing rules of the road for how data can be used and shared; increasing protections for marginalized communities; allowing Congress to act on privacy policy questions instead of federal agencies; and increasing national security and data security.
Discussions also touched on the current landscape of privacy legislation, which includes laws in five states, federal laws in different sectors like health and finance, and international frameworks, among others. Some panelists conveyed that this structure supports legislative action itself because it leaves a gap in protections for individuals and leads to a patchwork of laws that impacts businesses.
The Necessity of Compromise for the ADPPA
Panelists shared historical efforts at passing legislation along with traditional points of contention like a private right of action, preemption and the role of the Federal Trade Commission (FTC) in rulemaking and enforcement. Some highlighted the important role of compromise in the ADPPA since some members of Congress and external groups have moved on specific areas in the spirit of passing a federal law. For instance, some traditionally opposed to broad preemption are supportive of a bill with it because other parts were included, like a private right of action, and vice versa. However, support for the bill does not revolve solely around these key areas because the substance and fundamental provisions are still important.
An attendee raised California’s concerns with preemption, especially as House Speaker Nancy Pelosi (D-Calif.) said work is needed to address outstanding concerns. Panelists’ responses to this included reflecting on the changes to the ADPPA to account for the California Privacy Protection Agency; providing a role in enforcement for states; the ADPPA being stronger in multiple areas like civil rights; and providing rights for all Americans.
Possible Adjustments to the ADPPA
While panelists all expressed support for the progress so far, each shared ways the ADPPA can be fine-tuned, and not all agreed with each change mentioned. Some suggestions included clarifying the distinction between Federal Communications Commission (FCC) and FTC in privacy enforcement; revising the applicability and scope of algorithmic impact assessments; tailoring specific definitions for algorithms and sensitive covered data categories; ensuring the ability to use publicly available information in the public interest; and revisiting the applicability of sections to some entities like nonprofits and small businesses. Even broader changes are possible, but they could impact the delicate attempt at consensus.
Panelists explored a variety of other questions, such as how provisions apply to communities of color and the benefits and challenges with the provisions surrounding children.
Overall, the panel showed how groups with different ideologies and constituencies are coming together in the spirit of compromise to help make data privacy and security legislation a reality given the overarching need for action. The ADPPA still has barriers ahead, like the timing of the election and some outstanding concerns, but it is the most significant step in the U.S. privacy journey thus far.
