The number of high-profile data breaches over the past year may have a silver lining: Congress may be more willing to consider a U.S. version of the European Union’s General Data Privacy Regulation (GDPR).
Even after all the committee hearings and the flurry of legislative proposals introduced in the House of Representatives and the Senate, there hasn’t been a lot of movement on security and privacy out of Congress over the past few years. Many of the bills never made it out of committee, or if they passed the House, stalled in the Senate. That’s why it is so heartening that Rep. Will Hurd (R-Tx), the chairman of the Information Technology Subcommittee of the House Committee on Oversight and Government Reform, told attendees at the Aspen Cyber Summit in San Francisco that a U.S. version of GDPR was a possibility. While nothing has been planned yet, the proposed bill would not be an exact copy of GDPR, Hurd told The Register.
“One of the things we will be looking at is GDPR. Is it working, is it not working, is it something that we may be moving to?” Hurd said. “A year ago, the answer would have been not ‘no,’ but ‘hell, no.’ I think more people are open to that now because of some of the breaches.”
Congress is already looking ahead at the 2020 elections and the security of election infrastructure. The Secure Elections Act still has a chance to become law. That doesn’t mean Congress has the appetite to tackle privacy and security legislation beyond election security. For example, it’s not clear whether the Senate will finally pass the popular Email Privacy Act—the House has passed it twice already, unanimously in 2016, and as part of a spending bill earlier this year. The email privacy law, which would require law enforcement to obtain a warrant before accessing private communications and documents stored online, faltered in the Senate the first time despite strong bipartisan support because surveillance-friendly amendments were tacked onto the bill.
A similar fate may be in store for Sen. Ron Wyden’s (D-Ore) Consumer Data Protection Act of 2018, which would give the Federal Trade Commission the authority to establish data privacy standards and fine companies up to 4 percent of their annual revenue for violating those rules.
There is some pressure to pass a federal law before the California privacy law goes into effect in 2020, but it’s very unlikely that a California-style law (which was opposed by many tech companies) would pass Congress. The California law would shift more of the responsibility for data protection to companies, and there will be penalties for companies for not being careful with customer data. That’s part of the problem: there is bipartisan agreement that a federal privacy law is necessary, but not a lot of agreement on what form those protections or penalties should take.
“We need to be evaluating what our friends across the Atlantic did because it is still coming up in conversations about privacy here in the United States,” Hurd, a former CIA officer and advisor to security company FusionX, said at the Aspen Institute event.
Regardless of what happens with the data-privacy law, expect a lot more hearings with companies in the hot seat being grilled by lawmakers about how they handle consumer data.
Data privacy shouldn’t depend on which state the consumer lives in, and companies shouldn’t have to piece together different state regulations for data security to understand their obligations. Yet that is exactly the kind of situation that’s shaping up, with states moving ahead with their own laws.
“I think a component of the privacy conversation in the 116th Congress is going to be, is GDPR working, and how is that impacting the United States?” Hurd said.