
The U.S. might (finally) be ready for federal privacy legislation. Let’s make sure it protects us.

  • This post will give you an update on the potential for federal privacy legislation in the United States
  • This post is for casual readers who are interested in the state of play in Washington D.C.
  • This post will explain why the time may be ripe for a federal data privacy law, and why that means users should engage in the debate

Many Americans believe they have a right to privacy. Some would be shocked to learn that there isn’t a federal privacy law in the United States. We have sector-specific laws that apply to things like medical records, and we have an agency charged with preventing companies from engaging in unfair and deceptive practices, but there isn’t a framework for broad legal protections like the one Europeans enjoy.

There are countless interest groups and political players in Washington D.C. And in recent memory, many powerful voices have stood against a federal privacy law. However, that is now changing. Some of these powerful groups are actually calling for a federal standard. Thanks to a number of factors that we explore below, it looks like the time is ripe for action. That is good news, but it also means that we all need to participate in the discussion. If laws are drafted without the voice of the people, new federal legislation could trample on our right to privacy instead of protecting it.

Factor 1: The General Data Protection Regulation (GDPR)

The biggest change in the political environment derives from the GDPR. The GDPR is a broad data protection regulation in the European Union. We have worked extensively for its adoption in the E.U. and written numerous times about it, including here. The GDPR is important in the United States because even though the biggest companies that handle data in the U.S. lobbied against it, now that it is law they are obligated to follow the rules (provided they have data on or offer services to Europeans). With the rules in place, the big tech companies now have a strong incentive to standardize data protections across markets.

Factor 2: California’s new privacy law

Perhaps just as important to the tech companies as the changing international environment is a state bill that passed in California. The bill, signed by the governor in June 2018, is scheduled to take effect on January 1, 2020. This law has broad protections for Californians, like the GDPR has for Europeans. California isn’t alone. Several other states are now pursuing additional privacy protections for their residents. Many companies, in the tech sector and elsewhere, do not want to comply with as many as 50 different state privacy laws. Companies are beginning to lobby for a federal privacy standard that would replace state-level protections. (This could be good news, but only if that federal standard is better than the state rules, not a step down.)

In fact, just last week, industry organizations like the Internet Association and the Chamber of Commerce released a proposal with principles for what they’d like to see in federal privacy legislation.

(Note: the California law isn’t perfect – it was passed quickly and has some typos and structural issues that will need to be fixed. However, its protections are strong and should be retained, and as the first comprehensive privacy statute, it represents a huge victory for privacy in the United States.)

Factor 3: Internet Service Providers (ISPs)

ISPs want to make money. They look at the huge growth at companies like Facebook and Google and they see opportunities to expand. However, ISPs have traditionally had different rules than internet companies. Many ISPs think this is unfair and they want a federal rule that will apply to all companies equally. Anyone who has ever worked on Net Neutrality will recognize that ISPs are a very powerful group in Washington D.C. The fact that they do not oppose privacy rules and may in fact support them is therefore getting attention.

Factor 4: The “Privacy Shield” arrangement

The United States and Europe have a mechanism to allow data to be transferred from the E.U. to the U.S. This is critical for U.S. companies that do business abroad. The agreement is contingent on the European Union determining that Europeans’ data will be protected when it travels to the U.S. (We don’t think it will be. In fact, we recently called on the European Union to suspend this arrangement.) The Privacy Shield arrangement is currently under review in Brussels, and the Trump administration should be keen to show that the U.S. is taking privacy seriously. In addition, the National Institute of Standards and Technology (NIST), a part of the U.S. Commerce Department, recently kicked off a process to establish baseline privacy principles that could be adapted to create guidance or even legislation.

Factor 5: Conservatives in Congress

Some conservatives in Congress and in the White House believe that tech companies have a bias against conservatives. They argue that companies like Google and Twitter are using their market size to tilt public opinion. These conservatives would like to tighten regulation on tech companies. While Access Now does not support regulation that would infringe on free speech, the fact that some members of Congress are willing to regulate tech companies means that Congress may be more likely to consider legislation to protect privacy.

Factor 6: Facebook and Cambridge Analytica

If you’ve read up to here in this blog post, we’re sure you’re aware that Facebook is still under fire after it was revealed that users’ information was improperly shared with a company called Cambridge Analytica. (Read more about that here.)

This scandal has caused users around the world to question how this could happen. In the U.S. it captured national attention. Many people were shocked, and those who weren’t shocked have reflected more deeply on what few privacy protections we really have. This has changed public opinion and it is causing lawmakers in Washington D.C. to start paying attention.

Conclusion: change is happening. Make sure you’re part of it.

There are two conclusions that we’d like you to take away from reading this post. The first is that, for the first time in recent memory, it appears possible that we may see federal action on privacy rules in the U.S. At this point, it is too early to know what shape it might take. We could see industry self-regulation, federal principles, federal guidelines, agency rules, or legislation.

The second conclusion is that you need to pay attention and participate. If tech companies and ISPs draft the privacy laws and lawmakers leave users out of the debate, the companies will protect themselves from fines and lawsuits. They will remove the teeth from any new rules. We have to take this opportunity to ensure that any new rules will protect us from the companies. That means we have to pay attention. We have to be informed. We have to share what we learn with our friends, family, and neighbors. And we have to take action to make our voices heard.

For now, our team in D.C. will keep fighting for strong privacy protections. We’ll let you know when there are opportunities for you to participate in the process.