Policy Studies Cybersecurity

Congress Needs to Start Caring About Our Privacy as Much as China Does

Key Points

America’s adversaries are eager to steal and exploit our data.
If Congress wants to protect American’s data, it needs to pass a federal data security and data privacy law.
Previous bills have set the groundwork for future legislation. Settling issues around preemption, private right of action and agency enforcement will be difficult, but it is achievable.

Executive Summary:

As much as 90 percent of the world’s data was created in the last two years alone. Since then, developments like cheap data storage, rapidly-maturing artificial intelligence and machine learning have accelerated humankind’s ability to derive value from this vast new data pool. As a result, our ability to generate, collect, analyze and monetize data is surpassing our ability to consider the consequences such advances hold for our economy, privacy or even national security. The policy implications regarding these changes are profound.

Domestic life is now overwhelmingly conducted online and the data generated by virtue of this activity is a source of great innovation, as the COVID-19 pandemic has laid bare. We are simultaneously blessed with, reliant on and increasingly vulnerable to the complex variables of digital interconnection. Even before the pandemic, it was clear that the expansive digital connectivity we enjoy comes with increasing risks— particularly that of the loss of data security and privacy.

The consequences of data loss now reach far beyond web page defacement. Increasingly, stolen data is becoming a means of harming U.S. national interests via the theft of intellectual property, interference with our elections and financial and reputational loss. In the face of these clear and dynamic threats, the United States must act on data security and privacy legislation. Americans are broadly concerned about securing their data but believe themselves powerless to do anything. Because consumer data now connects national security and consumer protection so decisively, Congress must act to fulfill its constitutional responsibility not only to regulate interstate commerce, but also to provide for the common defense.

Our adversaries have repeatedly demonstrated a willingness to steal our data and commit resources or incur risks to push their visions of a less-secure, less-private, more malleable and more controllable internet onto the world. Congress must demonstrate a similar pragmatism, but one rooted in American values. If the internet is to remain open and interoperable—if it is to be used as a medium over which information freely flows uncensored by government—then Congress must act to ensure the digital realization of our American values.

The 117th Congress’s predecessors have fortunately already poured the foundation for strong data security and privacy. The last questions standing in the way of consensus are significant, but imminently surmountable. Lawmakers should keep in mind that their task is not to agree on and then create a utopian ideal for data handling, but rather to establish a strong federal floor for data security and privacy. This robust federal floor will not only protect everyday Americans from data theft and exposure, but will also bring coherence to interstate commerce, improve the global digital interoperability of American businesses, shore up our defenses against cyber espionage and attack, and, critically, demonstrate to our allies and our adversaries alike that American values are not 20th century anachronisms, but are here to stay. Such a law sounds like a tall order—but consensus is closer than it appears.


This paper seeks to reframe the need for data security and privacy legislation to acknowledge a stark reality: Xi Jinping’s Chinese Communist Party is placing a high priority on everyday Americans’ data and it is past time that Washington do the same. The case for such a law also extends beyond the defensive by also promising to be a key enabler of commercial and geopolitical innovation. Providing direction to the marketplace and laying a legislative foundation will allow American companies to more easily interface with the privacy and security regimes of our democratic allies, making interoperability and e-commerce easier with those countries that have already embraced 21st-century data legislation. The United States will also be able to more credibly wield its values as tools of foreign policy having moved beyond extolling them and graduated to committing those values to law.

These economic and political breakthroughs are within grasp. While a federal floor delineating rights and responsibilities of consumer data stakeholders sounds daunting in the abstract, Congress has already achieved 80 percent of the work. Finishing the last 20 percent of such a bill by settling issues of preemption, private right of action and agency enforcement will admittedly be difficult, but there is nothing uniquely divisive about these challenges and lawmakers routinely settle such issues. More difficult is attempting to compete with China without such a law.

Press Release: Congress Needs to Care More About Our Cybersecurity

Image credit: beebright

Featured Publications