Society and Congress must grapple with complex issues stemming from rapid technological advancement, including robots patrolling our streets, which has intensified the debate on personal privacy and safety. This delicate balance raises questions about law enforcement’s level of access to personal data and the potential trade-offs between privacy and security. As the 118th Congress revisits the pathways to pass comprehensive federal data privacy and security legislation like the 117th Congress’s American Data Privacy and Protection Act (ADPPA), they will have to consider this balance—especially around law enforcement access to data collected by third parties.

The Gray Area of Harm: Indirect vs. Direct

Whether a particular crime has indirect or direct harm can often be difficult to distinguish. Social mores and laws attempt to tackle the difficult task of distinguishing between indirect and direct harms, and it is a contention in the ADPPA. The ADPPA’s Section 101 provides several permissible purposes for the collection, process or transfer of covered data. One permissible purpose is to address fraud, harassment or illegal activity. However, some law enforcement organizations have critiqued this purpose because it only permits the use of personal data to prevent or investigate “illegal activity,” which is defined in the ADPPA as a criminal act that can “directly harm.” They contend that using personal data while preventing or investigating indirect crimes such as “ransomware” and “money laundering” would not be permitted. Further, some third-party entities that partner with law enforcement agencies believe indirect crimes include possession of “child exploitation material” and “illegal drugs.”

The Debate Surrounding Third-party Data Collection

A heavily debated issue is third-party data collection, which is when entities, colloquially known as data brokers, indirectly collect a consumer’s personal information. The ADPPA’s Section 206 would have regulated these third-party collecting entities. However, third-party collecting entities can have different purposes and goals. Some data analytic companies can be a resource to law enforcement investigations and community safety by providing evidence-based and insight-driven investigations. If those companies are not engaging in nefarious data practices like collecting and selling sensitive data like geolocation and behavioral-type data, public safety issues might arise if they are assumed to be. During the ADPPA’s Committee markup,  Rep. Debra Lesko (R–Ariz.) and Rep. Ann Kuster (D–N.H.) successfully advocated for amending the ADPPA to exclude entities like the National Center for Missing and Exploited Children (NCMEC) from the definition of “covered entity” to ensure they can collect, process and transfer data to prevent and assist in any child abduction, trafficking, abuse and exploitation. While many people might agree that excluding the NCMEC as a covered entity is paramount to community safety, the debate rapidly heats up when discussing law enforcement purchasing personal data from data brokers—in what many civil liberties advocates argue is a Fourth Amendment workaround. Overall, there seem to be some complexities to third-party collecting entities—such as which organizations should be exempt, what specific types of data they collect and how that data is used that might require a nuanced approach.

In a March Energy and Commerce Committee’s Subcommittee on Innovation, Data, and Commerce hearing, Rep. Kelly Armstrong (R–N.D.) commented on law enforcement purchasing data from data brokers and evading Fourth Amendment obligations. While noting that law enforcement ought to use every lawful tool available, he emphasized that Congress must set the guardrails on what tools are permitted. He believes the ADPPA provisions that some law enforcement organizations object to are a “feature” to uphold the constitution rather than a “bug” to impede law enforcement investigations. Further, Rep. Anna Eshoo (D–Calif.), who voted against the ADPPA, argued, “[t]he bill also has a loophole that could allow law enforcement to access private data to go after people seeking abortions.” However, the exact loophole Rep. Eshoo is referring to is unclear and was not mentioned in her Committee markup comments.

Deleting Data as a Means to Evade Law Enforcement Investigations

Law enforcement is using technology and intelligence gathering to investigate crimes at a rapid pace, and there are concerns that bad actors will use the ADPPA as a detection shield. The ADPPA’s “Do Not Collect” registry would have required that covered entities that collected data indirectly from an individual, upon request, must delete all covered data related to that individual. Many third-party covered entities indirectly collect individual data and provide that as a service to law enforcement agencies. The concern is that bad actors will use this deletion right to have their information deleted and avoid being detected by investigators altogether. Some might point to Section 206(b)(3)(C)(iii) to alleviate those concerns, which allows third-party-covered entities to decline deletion requests when the data is necessary to “effectuate the purpose” of entities like the NCMEC, and they have “actual knowledge” that the individual requesting data deletion has been convicted of a crime related to abduction or sexual exploitation of a child. However, bad actors who have not been convicted of a crime or who covered entities do not have “actual knowledge” could delete their data to avoid detection.

Finding the Right Balance

Passing a comprehensive federal privacy and security law will have a positive impact in many ways, including on public safety and national security. However, ensuring civil liberties and data privacy protections for individuals, while providing community safety, will take the continued collaborative effort between law enforcement organizations, civil liberties advocates and Congress members.

More Cybersecurity Policy

Stay in the know. Sign up fo R Street’s Newsletter today.