The US Hasn’t Passed a Strong Data-Privacy Law in 20 Years. It’s Not Getting Easier

By Charles McDermid

Two most-recent privacy bills introduced to Congress indicate an increasingly partisan approach to surveillance technology, adding yet another stumbling block for U.S. lawmakers who have not passed a significant federal data-protection law in two decades, experts told Digital Privacy News. 

More than a dozen privacy bills now are before Congress, including the additions last month of the Democratic-backed Facial Recognition and Biometric Technology Moratorium Act of 2020 and the Lawful Access to Encrypted Data Act, which was put forth by Republicans. 

In the past, bipartisanship had emerged around national surveillance issues — such as the USA Freedom Act of 2015, which updated parts of the Patriot Act — but privacy advocates now worry that today’s polarized political arena could worsen the legislative logjam.

The U.S. remains one of the last developed countries that does not have any national consumer privacy or data-security laws, or its own federal data-protection agency.

“On the whole, Congress has a number of privacy priorities and waning time to accomplish them,” Lauren Sarkesian, senior policy counsel at New America’s Open Technology Institute, told Digital Privacy News.

“Given the dynamics of the ongoing pandemic and protests over police brutality, these affirmative privacy efforts should be a priority.”

Lauren Sarkesian, New America’s Open Technology Institute.

“While at this point Congress is likely unable to take up comprehensive privacy legislation until 2021, it should move forward now with legislation designed to address the specific threats posed by new COVID-19-related surveillance, and legislation addressing facial-recognition technology.

“Given the dynamics of the ongoing pandemic and protests over police brutality, these affirmative privacy efforts should be a priority,” Sarkesian said.

An ‘Anti-Encryption’ War 

The two newest bills put the issue of partisanship in stark relief — and not for the first time.

In May, Senate Republicans proposed the COVID-19 Consumer Data Protection Act, and Democrats responded the same month with the Public Health Emergency Privacy Act. Both bills remain before Congress with no time frame for discussion. 

“A strong privacy bill that gives users power to control the use and sharing of their data is long overdue from Congress,” Karen Gullo of the Electronic Frontier Foundation (EFF), told Digital Privacy News.

“Any such bill must let the states protect people as well, including letting people sue companies and others that violate their privacy.

“While both the facial-recognition bill and the encryption bill deal with aspects of privacy, we see them as separate from universal privacy-protective bills like the one California recently enacted, with opt-in, right to sue and strong data-transparency provisions,” she said.

Gullo made clear the EFF, a San Francisco-based advocacy group, firmly opposed the government’s use of facial recognition.

“The ban is especially needed now — face surveillance disproportionately hurts vulnerable communities, as it is prone to misidentify people of color, as well as women, and young people,” she said.

“We also strongly oppose the encryption bill, which would require companies to build back doors allowing the government to break encryption that people rely on to keep their communications private and secure.”

GOP Chair’s Position

South Carolina Sen. Lindsey Graham, the Republican chairman of the Senate Judiciary Committee and an author of the Lawful Access to Encrypted Data Act, argued in a statement that the proposed law “respects and protects the privacy rights of law-abiding Americans” while putting “terrorists and criminals on notice that they will no longer be able to hide behind technology.”

“A strong privacy bill that gives users power to control the use and sharing of their data is long overdue from Congress.”

Karen Gullo, Electronic Frontier Foundation.

But Gullo disagreed: “The attorney general and F.B.I. have been waging an anti-privacy, anti-encryption war for months now in an effort to convince lawmakers that police need special access to read encrypted messages or break into locked iPhones in criminal investigations.

“The EARN IT Act (meant to fight child-abuse images) and encryption-data bills, if passed, would end user privacy as we know it,” Gullo said.

Last Strong Law: 2000

Emmanuel Pernot-Leplay, an expert on comparative data-protection law, said the last opportunity the U.S. had to pass a federal privacy law was the Consumer Privacy Bill of Rights, proposed by the Obama administration in 2015.

He told Digital Privacy News that attempt at a sweeping consumer-privacy bill “didn’t survive the change of presidents.” 

That means, by Pernot-Leplay’s estimation, the last meaningful privacy law passed by Congress was the Children’s Online Privacy Protection Act (COPPA), which took effect in 2000.

Even so, the current legislative impasse might be showing signs of loosening, he said.

“State laws remained limited until the CCPA (the California Consumer Privacy Act of 2018), and since then more states have increased their requirements,” Pernot-Leplay said. “Now, the U.S. Congress could do so as well.

“The same logic or movement could drive both Congress and individual states to reinforce data protection: privacy scandals, demand from citizens, data-protection strengthening across the globe.

“And it may also be that the federal government wants to take the lead on this topic and pass a federal law that would supersede states’ laws.” 

Sarkesian, of the Open Technology Institute, called for the swift passage of the ban on facial-recognition technology, pointing out that several major tech companies had stopped sales to law enforcement, in acknowledgment of the bias and civil-rights issues it presents. 

“It may also be that the federal government wants to take the lead on this topic and pass a federal law that would supersede states’ laws.”

Emmanuel Pernot-Leplay, data-protection law expert.

“These actions should be a wake-up call for Congress, as companies are being left to self-regulate,” Sarkesian told Digital Privacy News. “This is a time when lawmakers need to take decisive moral action and show leadership to scale back surveillance, which disproportionately impacts Black and brown communities.

“Congress should move past its typical partisan impasses to move this legislation, which directly responds to the issues of racial injustice we’re dealing with as a country,” she said.

Sarkesian added: “The Lawful Access to Encrypted Data Act, however, is quite the opposite situation, and should be abandoned.

“In introducing this bill during Black Lives Matter protests and calls to ‘defund the police,’ Sen. Graham was completely disregarding the movement happening across the country and world.

“This move was especially appalling amid the pandemic, which is forcing all Americans to rely on strong cybersecurity and encryption services more than ever, for so many of our day-to-day activities.”

She continued: “Many privacy issues don’t fall very cleanly along party lines.

“But, here with the Lawful Access to Encrypted Data Act, politics do seem to be at play — and those who are pushing forward bans on encryption rather than bans on surveillance technology are missing what this moment calls for.”

Charles McDermid is a writer based in Asia.

Sources (external links):