Three Takeaways from Beyond the Basics: The Many Pillars of a U.S. Privacy Law
On April 25, R Street’s Cybersecurity and Emerging Threats team hosted a lunchtime event to discuss the many factors that make up a federal data privacy and security law. Building on key aspects highlighted during prior events, experts discussed nuanced aspects of privacy legislation and ways to move forward.
The event featured a keynote address by Google’s President of Global Affairs and Chief Legal Officer Kent Walker and a fireside chat with Axios Technology reporter Margaret Harding McGill. This was followed by an expert panel discussion with Sara Collins, Maneesha Mithal and Lartease Tiffith, which was moderated by Senior Fellow and Policy Counsel Brandon Pugh. The event covered myriad topics but focused on three main ideas:
When it comes to a national data privacy law, “the time to act is now.”
In his keynote address, Kent Walker discussed both the urgency and importance of passing U.S. privacy legislation. Describing an “all hands on deck” moment for privacy, he explained that a majority of Americans support increased regulation of consumer data use. A law would increase transparency, clarity and consistency around data practices and provide “consistency around the country — not a patchwork of 50 different state laws.” Another key tenet of privacy is data security. Referring to information, Walker asserted “if it’s not secure, it’s not private.”
With these high stakes, Walker expressed no illusions about the work needed to get a privacy law passed. Congress must reach bipartisan consensus to get a law across the finish line—which can’t be done without compromise or goodwill. Walker cautioned against making perfect the enemy of good, “or of better, more consistent consumer protections for all Americans.” This sentiment was later echoed by the panel. On the other hand, Walker expressed optimism during the fireside chat with McGill about the possibility of legislation, citing positive momentum on Capitol Hill and with the White House. “We are more encouraged now than we have ever been before.”
Innovative and collaborative approaches are required.
Highlighting the importance of passing a privacy law evoked discussions about alternative approaches to legislation. During the fireside chat, McGill and Walker delved into what responsible data practices look like. Essentially, companies can seek to retain a level of service to customers while reducing the amount of data needed to provide those services. Concepts like differential privacy, zero-trust computing, defense-in-depth and more can improve privacy and data security solutions while allowing businesses the freedom to continue existing business models.
Panelists expanded on this idea and talked about what a privacy law should seek to achieve at its highest levels. Mithal argued that the law should answer the following question: What problems are we trying to solve that existing frameworks do not? She later cited the protection of civil rights online as an example. She added that, as they draft legislation, congressional stakeholders should keep in mind the need to avoid duplicative or burdensome compliance mechanisms or shifting the burden of enforcement to consumers. Tiffith, also discussing compliance, stated that a risk-based approach when it comes to categorizing data can avoid burdensome compliance requirements, which subsequently make it harder to enter the market. On the other hand, panelists analyzed how a law could also seek inspiration from existing frameworks like the European Union’s General Data Protection Regulation or the Fair Credit Reporting Act.
Legislation must strike the right balance of privacy enforcement options.
In addition to high-level conversations, panelists addressed a number of more specific areas pertinent to a privacy law, including framing a law around a duty of loyalty and/or care, using arbitration as a middle ground, considering how civil rights fit in and striking the balance of a limited private right of action with stronger Federal Trade Commission enforcement.
Pugh asked how a duty of loyalty, for example, could create a framework around the interests of consumers by creating a fiduciary relationship with companies. Collins argued that concepts like a duty of loyalty pin down high-level concepts around consumers and their expectations toward companies’ data stewardship. But such concepts are also difficult to apply in the privacy space—as Tiffith pointed out, they are typically seen in medical and legal professions.
Panelists also discussed limiting a private right of action through arbitration and a right to cure. The question over arbitration is not a new one, as pointed out by Collins. But, as Tiffith commented, arbitration could be a compromise between two of the most debated aspects of a law—preemption and a private right of action. Mithal added that arbitration boils down to compromise but cautioned against letting this become another roadblock to negotiations. The panelists also debated the merits of companies being able to address privacy violations as part of a private right of action.
But these different issues—varied as they are—are not necessarily independent of each other. Collins stated that, together, they form a multifaceted perspective to “hopefully take the best bits of all of these different things and [build] a law that works for consumers.”
While panelists were mixed in their optimism over passing a privacy law this year, Mithal stated, “I actually hope the drafters [of legislation] are listening to this conversation. Because I think there’s been a lot of interesting ideas here about how to bridge gaps.”
A recording of the full event is now available.
This event was part of the R Street Institute’s work to identify areas of consensus for, and provide analysis on, the current roadblocks to data security and privacy legislation. Full recommendations are forthcoming, and a one-page overview is available here. If you are interested in learning more about our research and discussing your organization’s perspective on data privacy and security legislation, email [email protected].