January might tell us all we need to know about the possibility of federal privacy legislation coming to the United States in 2021.
Not only will it see the Biden administration take over from outgoing President Donald Trump, but it marks a milestone of sorts: six months since the EU-U.S. Privacy Shield was ruled invalid. In the time since the Court of Justice of the European Union’s determination, the U.S. approach has seemingly been to carry on as usual—a strategy that could serve to backfire on companies in the weeks ahead.
So warned one privacy expert.
“In speaking to at least one litigator, I’ve heard an ominous prediction that there may be court orders in Europe on one or more major U.S tech companies by [Jan. 20—Inauguration Day],” said Peter Swire, professor of law and ethics at the Georgia Tech Scheller College of Business. “That would grab some headlines and attention to the issue.”
Attention too little, too late for the companies on the receiving end. Swire’s warning came at a Senate Commerce Committee hearing this month on the future of transatlantic data flows in the wake of the Privacy Shield’s invalidation. During the hearing, Senators and witnesses alike spoke of the need to act fast on a new alternative, with Ranking Member Maria Cantwell (D-Wash.) saying “it must be a top priority” for the Biden administration to get a new agreement in place.
“If we can’t figure out how to work with Europeans, I’ve got news for you: We’ve got problems,” said Cantwell.
“We’ve got problems,” might be the understatement of the year when looked at through a wider lens. Once President-elect Joe Biden takes office, it’s hard to imagine him making Privacy Shield a top priority. The coronavirus pandemic continues to take its toll on the country and, as of this writing, essentials like $2,000 stimulus checks and the annual U.S. defense spending bill hang in limbo over partisan squabbling. Data transfers are the lifeblood of many companies with transatlantic operations, but precedence is sure to be given to something like economic relief that would prove vital to many American families struggling amid COVID-19.
So if January comes and goes and the “top priority” that is Privacy Shield hits the backburner, one can likely assume a federal privacy law could expect to get equal treatment. It’s been a year since the same Senate committee met to discuss legislative proposals by Cantwell and Committee Chairman Roger Wicker (R-Miss.), and yet the sticking points of private right of action and preemption still remain unresolved. When the committee revisited those proposals in September, much was said of the standstill—but little has happened since.
“There is a sort of healthy competition among members on both sides of the aisle that has been fruitful in the sense that I think we’ve got a lot of very good ideas, but we’re sort of on a razor’s edge between that competition being fruitful and that competition preventing us from enacting legislation,” said Sen. Brian Schatz (D-Hawaii) then. The same could be said now.
And while Congress has spun its wheels on privacy legislation, it’s hard to blame anyone. As Wicker said at this month’s hearing, there is a vast amount of “complexity” to the situation. Important to note is that a privacy law won’t solve the crux of the Privacy Shield issue—U.S. surveillance. “We could fix these issues—appropriate safeguards, rights, and enforcement—but over here is going to be this large issue about data gathering by the government,” said Cantwell. Addressing such concerns extends beyond one senate committee.
And if preemption is a point of debate now, wait until more states beyond California enact their own laws—many of which could pick up steam in 2021 as the federal government continues to stall.
“Doing nothing is riskier than anything,” said Schatz at this month’s hearing. “For your customers, for the Shield problem, and for the prospect of 50 different states enacting 50 different statutory frameworks. It seems to me that we have to legislate at the conceptual level rather than the procedural level and empower expert agencies to implement the statute through rulemaking.”
Simply put: Don’t expect a quick fix.
Special report: Compliance, infosec & battling cyber-threats
- Currently reading
Temper expectations on a U.S. federal privacy law in 2021