capitol-building-congress-washington

Why experts have hope in the federal privacy bill – even if it doesn't pass

Although Congress looks increasingly unlikely to pass a major bipartisan proposal on federal privacy legislation, experts say negotiations on the American Data Privacy and Protection Act are a major step forward and will likely become the framework for future privacy discussions. 

“We are long overdue for a strong federal privacy standard and we have never been this close to making that a reality,” said Alan Butler, Executive Director of the Electronic Privacy Information Center or EPIC. 

With midterm elections this year, the proposal is up against a condensed legislative calendar, and facing pushback from some in the California delegation and civil liberties groups who say it does not go far enough to protect consumers.

ADPPA passed out of the House Energy and Commerce Committee last month with a 53-2 margin — with the only votes against coming from Reps. Anna Eshoo (D., Calif.) and Nanette Diaz Barragán (D., Calif.)

Many privacy practitioners say it represents a significant step towards a bipartisan agreement on federal online privacy standards. That agreement was achieved through a series of compromises — including over the preemption of state laws, such as those in California, that have cropped up to protect privacy as Congress failed to act. 

But with the House in recess for the month and concerns being raised by members from Speaker Nancy Pelosi’s home state of California, it’s not clear when or if the legislation will be scheduled for a House vote. 

The bill also faces challenges on the Senate side: criticism from Senate Commerce Committee Chair Maria Cantwell (D., Wash.) and the rapidly approaching midterm elections. 

Those elections may change the power balance in Congress. 

But the bipartisan momentum already garnered by the current version of ADPPA has stakeholders pushing to get their policy priorities locked into the bill this session or risk those priorities being left out if and when Congress does take action. 

“If people have problems with the legislative language this year, they are trying to fix it now,” Peter Swire, a longtime privacy scholar and professor at Georgia Tech, told The Record. 

Locking down the details

When it comes to addressing complex issues, many of the definitions and concepts that ultimately become law are crafted over years — increasingly in piecemeal proposals that later get rolled into larger packages, said Swire, who served in privacy policy roles in the Clinton and Obama administrations. 

For example, in the years after passing the Health Insurance Portability and Accountability Act of 1996, or HIPAA, Congress debated updates to the law that reflected the expansion of electronic medical records and included further privacy and security requirements — such as breach disclosure. 

Language was crafted and debated in committee, gaining bipartisan support, but none passed. But then the Health Information Technology for Economic and Clinical Health Act, or HITECH, was included in the 2009 American Recovery and Reinvestment Act — using language cribbed from the previous proposals, Swire noted.

That’s why ADPPA’s negotiations now are so important, he said. 

“The language from this year becomes the baseline for any future effort,” said Swire. “When it comes to detailed definitions and complicated provisions, they won’t get locked down completely this year, but it’s extra hard to change them in the future.”

Having generally agreed upon language ready to be included in a major legislative package is all the more important in a Congress whose gridlock and division make such packages the most likely vehicle for passage, Swire said. 

What’s in ADPPA

If it becomes law, ADPPA would represent a major shift in the way data protection and privacy is governed in the U.S. — setting a national standard for issues now largely governed by a patchwork of state regulations. 

A discussion draft of the bill was first released in June by House Energy and Commerce Chair Frank Pallone (D., N.J.), ranking member Cathy McMorris Rodgers (R., Wash.) and Senate Commerce Committee Ranking Member Roger Wicker (R., Miss.).

The proposal includes a focus on reducing the amount of data companies can collect, bans on targeted advertising towards minors, and requires companies to evaluate algorithms for potential harmful outcomes, among other provisions aimed at addressing a broad array of data and privacy related harms. 

The bill would set “a very robust standard,” according to Butler. 

The legislation includes what is called a limited right to private action – a potential route for people to sue for monetary damages if their privacy is violated. This is a consumer-focused action generally favored by liberal legislators, but opposed by conservatives. 

That policy is balanced by a general preemption of state laws in the proposal. Supported by conservatives, this provision means federal law would supersede past or future state-level laws regarding online privacy. 

Liberals, especially from California — which has already passed more robust privacy protections at the state level — are unenthusiastic about this aspect of the bill, arguing it would stop states from stepping in to prevent future harm if the federal government fails to act.

Those sorts of trade-offs are what helped the bill gain traction on the Hill. 

“The reason it’s gotten so far is because everyone at the table knew there was going to have to be compromises made,” Sara Collins, Senior Policy Counsel at Public Knowledge, told The Record.

What’s holding it back?

Preemption, as laid out in the legislation passed by the House Committee, includes a number of exceptions but would most significantly affect California — which passed the strongest state-level protections.

“The California Dems are not an insignificant number and they have made it clear they have issues with this bill,” said Collins. 

Similar concerns about preemption are among those raised by the Electronic Frontier Foundation, or EFF.

“While it's exciting that Congress is considering consumer privacy legislation after literal decades of spinning its wheels, the ADPPA, as written, stops states from innovating on these issues,” the digital rights organization wrote in a July blog post. “EFF wants Congress to set a baseline for privacy protections. But the ADPPA should not trade away states' ability to react in the future to current and unforeseen problems.”

The group wrote that the private right to action is “riddled with exceptions and limits,” leaving it with “no teeth.” EFF cited a two-year delay between the law’s passage and when consumers could sue for violations as one concern. It also called for legislation to ban waivers and arbitration agreements that would limit consumers' right to sue even if the bill became law.  

It also objected to the Federal Trade Commission (FTC) gaining oversight of the privacy and data practices of telecom providers — an area currently overseen by the Federal Communications Commission (FCC). 

“Congress must not remove telecommunications companies from the scrutiny of expert federal regulators with a deep understanding of the industry,“ EFF wrote. 

EFF isn’t alone in its oversight concern. Collins, although generally positive about the bill, said she was “not enthused about the FCC having their authority taken away here.”

Steps are being taken to incorporate feedback, Axios reported last week. But with a short timeline, as well as Cantwell’s ambivalence towards the ADPPA, the legislation’s backers are facing an uphill battle. 

“The problem is it’s taking the House a long time to come to reality about what strong enforcement looks like,” Cantwell told The Spokesman Review last month, adding she could not support the bill without tougher enforcement mechanisms — such as a broader civil right to action and a ban on forced arbitration. 

That doesn’t mean passage is totally off the table. 

Swire said there are a number of areas of compromise, particularly when it comes to preemption, that might help move things along — such as adding further exceptions grandfathering in state privacy laws already in effect. 

He also pointed to the legislation’s popularity when it faced its first hurdle in the House.

“The House Energy and Commerce Vote was overwhelmingly positive and completely bipartisan – that sends a signal to everyone that this bill is serious this year,” said Swire.

Even if it’s not serious enough to actually pass this year, boosters see it as a model they hope will take hold.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Andrea Peterson

Andrea Peterson

(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.