The Biden administration’s latest executive order calls for a bipartisan comprehensive federal privacy law
On Oct. 30, the Biden administration released an Executive Order (EO) on “Safe, Secure, and Trustworthy Artificial Intelligence.” In part, the EO discusses the need for a bipartisan comprehensive federal privacy law. This is encouraging and adds to the much-needed dialogue for Congress to pass a privacy and security law that protects all Americans.
There are concerns that the EO’s encouragement to regulatory agencies to wield their authority to protect Americans from privacy-related artificial intelligence (AI) risk could harm AI innovation. In past years, various federal regulatory agencies, such as the Federal Trade Commission, have already had broad interpretations of their authority. That is why a call from the Biden administration for a bipartisan comprehensive federal privacy law is a critical step toward mitigating Americans’ privacy and data risk with AI technologies. Because any regulatory enforcement action should come from guardrails that Congress sets—not wobbly legal interpretations by regulatory enforcers to get their hand in the cookie jar.
This year, President Joe Biden released an AI Bill of Rights and an op-ed emphasizing the need for “serious federal protections for Americans’ privacy.” There was optimism that his 2023 State of the Union address might provide a clear path forward on a comprehensive federal privacy and security law. However, President Biden never illuminated a path forward beyond generic statements on “Big Tech,” “privacy” and “protecting children.”
Bipartisanship is essential in passing a comprehensive federal data privacy and security law
The EO’s emphasis on bipartisanship is essential. Passing a comprehensive federal privacy and security law has been a decade-long journey with little output. R Street’s Cyber team, looking for areas of bipartisan compromises on a comprehensive federal privacy and security law, extensively engaged with over 130 stakeholders including Congress, the private sector, consumer groups and privacy advocates. We were encouraged that many of those compromises were included in the 117th Congress’s American Data Privacy and Protection Act (ADPPA), including preemption with state action carve-outs and a limited private right of action. The ADPPA was a strong solution to promote global competitiveness, reduce data security and national security risks, and provide all Americans with privacy protections. Ultimately, the ADPPA never crossed the finish line—but if Congress chooses to act, there is no need to start from scratch since the ADPPA is a good bipartisan solution.
AI needs a comprehensive federal privacy and security law
AI has been used in our daily lives for years—from assisting pilots with flying us safely from the West Coast to the East Coast to helping drivers evade traffic jams safely. If we allow AI innovation to flourish, technology will exponentially benefit our society in ways we might not be able to imagine today. In order to mitigate AI risks, a comprehensive federal data privacy and security law must be passed to protect Americans’ data. It is an essential step toward harnessing the power of AI technologies while limiting exposure to privacy and national security risks.
Move beyond the AI panic with a nuanced approach to data protection and use
In addition to the call for a privacy law, the EO directs several actions to mitigate Americans’ privacy risks from emerging AI technology, including:
- Prioritize federal support for accelerating the development and use of privacy-preserving techniques.
- Promote privacy-preserving research and technologies.
- Incorporate safety, privacy and security standards into the software-development lifecycle to protect individual privacy.
- Evaluate how federal agencies procure commercially available information from data brokers.
The Biden administration’s focus on developing privacy-enhancing technologies (PETs) is an important approach. The innovation of PETs, coupled with a comprehensive federal privacy and security law, allows data to be utilized for societal good. A fearmongering approach to data collection often ignores the data’s positive impact on society. Consumer data has fueled internet innovation, creating accessibility to information that was once only available to privileged individuals. For example, consumer health data significantly contributes to innovation in the health tech industry and brings vast health improvements to society. A smartwatch can save a life, a telehealth provider can reach rural areas void of health care options and online pharmacies can provide high-cost prescription medication at a discount. Undoubtedly, there have been many failures by industry and government to protect sensitive data, and these failures should not be ignored. Researching the many forms of PETs, such as differential privacy, data clean rooms or unified ID 2.0, is a decisive step toward offering strong privacy protections while providing data utility to spur innovation.
However, many data privacy concerns exist outside of industries’ collection and use of personal data, including law enforcement’s access to data. The EO’s directive to evaluate how federal agencies, such as law enforcement, utilize commercially available data is critical to protecting Americans’ constitutional rights. In a March Energy and Commerce Subcommittee on Innovation, Data, and Commerce hearing, Rep. Kelly Armstrong (R–N.D.) commented on law enforcement purchasing data from data brokers and evading Fourth Amendment obligations. While noting that law enforcement should use every lawful tool available, he emphasized that Congress must set the guardrails on what tools are permitted. However, there are complexities to be considered when law enforcement accesses data, such as investigating crimes related to online sexual exploitation of a child using analytics tools powered by consumer data. Further, any comprehensive federal privacy and security law should take a nuanced approach to which third-party entities are considered data brokers.
This year, one narrative on these issues has held: data privacy and security legislation is popular amongst stakeholders of different political ideologies. Industry also understands that building consumer trust through data privacy and security is economically advantageous. Thus, getting an ADPPA-like bill across the finish line can be a political victory for Congress members willing to negotiate openly with industry, civil society and different-minded political opponents to reach a bipartisan solution to a comprehensive federal privacy and security law.