By David Hoffman, Associate General Counsel and Global Privacy Officer
Summer is over and the Congressional recess has passed, yet we still have not seen a federal privacy bill. Partly due to Congress’s slow progress, those who care about privacy are becoming more vocal in calling for action. Yesterday, I had the pleasure of participating in a privacy legislation panel at the Brookings Institute, at which the call for action was made loud and clear. The event, Protecting Information Privacy: Challenges and Opportunities in Federal Legislation, featured a detailed discussion about not only the urgent need for a federal privacy law but more importantly, the specific issues that the law should cover.
Cameron Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow at Brookings and the former General Counsel to the Department of Commerce in the Obama Administration, provided opening remarks and a snapshot of what he viewed as the criticality of passing a comprehensive federal privacy law.
Importantly, Cam emphasized that the general approach to privacy law has shifted in the last five years. When he used to make trips to the Hill to advocate for a comprehensive national framework, it was hard to find allies. Now, the question isn’t around “if” we need a privacy law, but rather “how” and “when”.
The second part of the event featured a panel in which I had the opportunity to participate. The panel was moderated by Benjamin Wittes, who co-founded and serves as the editor-in-chief of Lawfare and who is also a Senior Fellow at Brookings. The discussion was recorded and will be broadcast on the Lawfare Podcast as Episode 542: What Should Privacy Legislation Do?
Without spoiling too much, Sally Greenberg from the National Consumers League and Lydia Parnes of Wilson Sonsini Goodrich & Rosati joined Cam Kerry and me in agreeing that now is the time for legislation. I made the point that the current environment of weak notice-and-choice-based laws like the California Consumer Privacy Act puts too much burden on individuals to protect themselves from the malicious practices of data brokers and others who monetize and weaponize data. Until people can trust that they have government regulators who will sufficiently enforce robust privacy protections, we will be left with an environment that discourages the types of innovative use of data that can help society solve some of its most pressing problems, like the delivery of effective health care and addressing climate change.
All the panelists agreed that the time is now for Congress to address these issues.
The second panel, moderated by Michelle Richardson of the Center for Democracy and Technology, featured Stu Ingis from Venable, Denise Zheng from the Business Roundtable, Berin Szoka from Tech Freedom and Neema Guliani from the ACLU. The panel analyzed the need for a law that focuses on harmful uses of data, instead of just transparency. Ingis, Richardson and Zheng have all done significant work on detailed legislative proposals and there was uniform agreement that a US federal law is possible in the next 18 months.
A consensus theme of the day was that the FTC is sorely under-resourced to protect consumer privacy. Panelists agreed that any federal bill needs to call for increased FTC resources, including more technical and legal staffing. The FTC has protected consumers’ privacy for decades, but is stretched thin in terms of its ability to realistically do so today. Congress must act now to give the FTC the authority and resources it needs to protect privacy and hold bad actors accountable.
Yesterday’s debate reinforced that a federal privacy law is critically needed. If Congress needs help with the drafting, it appears there are many people from industry, think tanks and the advocacy community who are ready to help get this done. If they are pressed for time, I recommend they just introduce and pass Intel’s proposed bill.