Bipartisanship on comprehensive federal privacy and security legislation continues at House Subcommittee on Innovation, Data, and Commerce hearing
The House Energy and Commerce Committee’s Subcommittee on Innovation, Data, and Commerce, held a hearing on March 1, 2023, titled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy.” The almost four-hour hearing examined how personal data is treated and handled in today’s digital ecosystem, the dangers facing the United States if Congressional inaction continues, and the path forward. Three witnesses testified during the hearing, including Alexandra Reeve Givens of the Center for Democracy & Technology; Graham Mudd of Anonym, Inc.; and Jessica Rich of Kelley Drye & Warren LLP.
In their written testimony, all three witnesses agreed that a comprehensive federal data privacy and security law, like the American Data Privacy and Protection Act (ADPPA) from the 117th Congress, is needed for the United States. This sentiment was echoed at the hearing by most, if not all, members. It also aligns with the apparent support from most of Congress, evidenced by the standing ovation and loud cheers at President Joe Biden’s State of the Union address when he mentioned the need for privacy protections. Likewise, R Street continues to advocate for a comprehensive federal data privacy and security law to provide consistent consumer rights and protections; certainty for business; and stronger data security safeguards.
House Energy and Commerce Subcommittee Chairman Gus Bilirakis (R – Fla.) opened the meeting and encouraged a responsible government approach to enforcing clear privacy and security regulations for businesses to comply. He cautioned, “…[i]t is essential that the FTC enforce the laws that we as a Congress enact and specifically authorize, but not go rogue beyond the rules of the road we provide.” Bilirakis reaffirmed the “desperate” need for Congressional action on broader comprehensive privacy and data security.
House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R – Wash.) reaffirmed her interest in passing comprehensive privacy and data security protections with one national standard. She commented that the ADPPA protected children’s privacy but did not stop there—it protected all Americans, no matter where they lived.
A few members noted that there might be additional changes to ADPPA, but it was unclear what those might be. While many aspects of privacy were raised during the hearing, most of the conversation revolved around the ADPPA. This post explores key issues that came up during the hearing.
A comprehensive federal privacy and security law is needed to protect children’s privacy in the United States
Members on both political sides seemed interested in protecting childrens’ privacy. Vice Chair Tim Walberg (R – Mich.) stated that the ADPPA included provisions that help put parents back in the driver’s seat. Members asked specific questions about other pieces of federal privacy legislation and how much they protect childrens’ privacy, including the Children’s Online Privacy Protection Act (COPPA) and the Family Educational Rights Privacy Act (FERPA). Rich stated that COPPA is “very outdated” and that the United States needs special protections for children and teens, which the ADPPA provided. Givens noted that FERPA does not protect students’ data when educational technology companies gather information from a direct relationship with a student and that a comprehensive federal privacy law would fill in the gaps.
On a broader level, there was discussion about whether a comprehensive data privacy and security bill like ADPPA contains provisions that impact children, specifically. Provisions were highlighted, like target advertising bans on children younger than 17 years, enhanced limitations on sharing children’s personal information with third parties, a dedicated Youth Privacy and Marketing Division at the Federal Trade Commission (FTC), and increased oversight of COPPA safe harbors. Rich noted that the FTC “absolutely” needs more resources to protect children.
Multiple members noted that a bill like ADPPA protects all Americans, not just children.
FTC and Enforcement
Questions came up on enforcement, including the role of the FTC, states and individuals. Rich provided insights on the limitations of FTC enforcement, including that it is under-resourced, with about “50 dedicated people to privacy,” which pales in comparison to other countries enforcing privacy laws. She also noted the “cumbersome” Magnuson-Moss rulemaking process.
One theme became clear: the FTC’s current resource and authority limitations to enforce privacy rules are reasons for congressional action to address areas the FTC cannot.
Federal Preemption Discussed
The need to have one federal standard versus a patchwork of state standards was highlighted numerous times. Rep. Jeff Duncan (R – S.C.) expressed his concerns over California’s “overly restrictive” privacy laws. Rich mentioned there should be “some level” of preemption to ensure consistency. She also noted that many consumer advocacy groups believe the ADPPA is stronger than any other state privacy law. However, Rep. Jay Obernolte (R – Calif.) was blunt about his views on the ADPPA carveouts, stating that the ADPPA should completely federally preempt state laws to avoid the patchwork of state regulation that is “destructive to entrepreneurism.”
National Security and Cyber Risk
Members explored the nexus between data privacy, national security and cyber risks multiple times. This followed R Street’s Cybersecurity and Emerging Threats Director Brandon Pugh’s February testimony to this same committee, where he honed in on the intersection of privacy and security, including how national security and data security should be key drivers in passing a federal privacy and security law.
Mudd commented that he could not quantify the amount of data being collected because the amount was “incomprehensible.” Rep. Pallone focused on egregious examples of data brokers’ practices, and Rep. Neal Dunn (R – Fla.) touched on his concerns about the Chinese Communist Party (CCP) posing a threat to the “free world.” He warned that the CCP “cheerfully sabotage freedom of democracy everywhere they go.” Rep. Debra Lesko (R – Ariz.) mentioned her data security concerns over the Internet of Things (IoT) devices, like residential security cameras and doorbells. Responding to Rep. Dunn, Givens noted that the problem with the digital ecosystem today is that American consumers do not know where their data is going. She warned that anybody, including “foreign intermediaries,” could access it.
Law Enforcement Objections to the ADPPA
Some law enforcement officials have criticized specific provisions of the ADPPA. Rep. Debra Lesko (R – Ariz.) noted law enforcement concerns and commented on “strik[ing] the right balance between protecting consumer’s data while not creating loopholes for criminals.” Given believes the ADPPA correctly balanced those considerations, noting that users’ rights to delete data and ability to opt out of data brokers’ information on them are limited when it can impact law enforcement investigation.
Kelly Armstrong (R – N.D.) weighed in on the issue of law enforcement skirting Fourth Amendment obligations by accessing secondary sources, like data brokers, rather than using a search warrant on a primary source for their investigations. He noted that any good law enforcement investigator would use every tool available, such as “warrantless purchase” of information from data brokers. However, it is Congress’s job to set the guardrails. He believes the ADPPA provisions that some law enforcement organizations object to are a “feature” to uphold the constitution rather than a “bug” to impede law enforcement investigations.
R Street’s Position
The R Street Institute has supported a comprehensive national privacy and security law to promote global competitiveness, reduce data security and national security risks, and provide all Americans with privacy protections. In response to this hearing, Brandon Pugh submitted comments for the record, which Chairman Bilirakis accepted.
R Street’s Cyber Team believes it is essential for both sides to continue moving forward with a comprehensive data privacy and security bill with a spirit of bipartisanship and compromise.