Cristin Traylor and Alice O'Donovan, with McGuireWoods, discuss the outlook for national privacy legislation in the U.S.
On September 17, 2020, four Republican senators (Roger Wicker – Mississippi, Chairman; John Thune – South Dakota; Deb Fischer – Nebraska; and Marsha Blackburn – Tennessee) introduced sweeping federal privacy legislation entitled the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act, or the SAFE DATA Act. This proposed comprehensive national privacy law has three main components:
• Provides consumers with more choice and control over their data.
• Directs businesses to be more transparent and accountable.
• Strengthens the enforcement power of the Federal Trade Commission (FTC).
On September 23, 2020, a hearing titled “Revisiting the Need for Federal Data Privacy Legislation,” was held to analyze the current state of consumer data privacy laws and various legislative efforts to address data protections. According to Sen. Wicker, the SAFE DATA Act “would establish a nationwide standard so that businesses know how to comply no matter where their customers live, and so that consumers know their data is safe wherever the company that holds their data is located.”
Julie Brill, former Commissioner of the FTC and Microsoft’s Corporate Vice President, Chief Privacy Officer, and Deputy General Counsel for Global Privacy and Regulatory Affairs, submitted written testimony in favor of the SAFE DATA Act, describing it as critical for providing a national framework for U.S. businesses to allow them to better compete in the global market. She posited that an American privacy law could work in conjunction with the European Union's General Data Protection Regulation (GDPR) and other global privacy laws, thus evidencing for other countries that the U.S. is protective of data privacy. According to Brill, a comprehensive law would also address consent and collection issues related to COVID-19 health data, while at the same time promoting racial equality and prohibiting data discrimination.
Brill’s comments are particularly pertinent at present. The GDPR contains stringent restrictions with regard to transferring personal data outside the European Union – such transfers are prohibited unless certain “safeguards” are implemented. Up until July of this year, one of the safeguards available to businesses needing to transfer personal data from the European Union to the U.S. was the EU-U.S. Privacy Shield Framework. This was designed by the U.S. Department of Commerce and the European Commission with the aim of supporting transatlantic commerce by providing companies in the EU and the U.S. with a mechanism to comply with data protection requirements when transferring personal data from the EU to the U.S. On July 16, 2020, however, the European Court of Justice (ECJ) invalidated the Privacy Shield Framework, citing concerns about “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities” in respect of personal data transferred from the European Union to the United States, on the basis that these limitations mean that personal data transferred to the U.S. from the EU does not have the requisite protection required under EU law.
More than 5,000 businesses in the U.S. were accredited under the Framework (in many cases, at some considerable expense). The ECJ ruling does not prevent companies from transferring data between the EU and the U.S. using other safeguards, such as “standard contractual clauses.” However, these alternatives may be more cumbersome and less practical – and there is in any case a question mark over whether they can protect data adequately in countries such as the U.S. that do not have statutory privacy protections as robust as those in the EU. This creates significant difficulties for thousands of U.S. and European companies, and makes U.S. businesses less competitive in the global marketplace. The European Commission and the U.S. Department of Justice have released a statement saying that they are working to find a solution to the Privacy Shield problem, but it is difficult to see how any permanent resolution can be found without a significant shift in the U.S. data privacy landscape.
Jon Leibowitz, former Commissioner and Chair of the FTC, and Maureen Ohlhausen, Former Acting Chair of the FTC, both backed the federal privacy law, advocating that the legislation be “technology- and industry-neutral,” and that it should be even more comprehensive than the California Consumer Privacy Act (CCPA). Unsurprisingly, Xavier Becerra, California Attorney General, advocated for a federal privacy law that does not preempt state laws such as the CCPA. Leibowitz and Ohlhausen prefer to exclude private rights of action, and instead provide both the FTC and the state attorneys general with the enforcement power of the national privacy law.
Other national privacy acts have been introduced over the past six months, such as the COVID-19 Consumer Data Protection Act of 2020, the Public Health Emergency Privacy Act, and the Data Accountability and Transparency Act of 2020, showing an increased interest in comprehensive regulation of consumers’ personal data. We are keeping an eye on this proposed legislation, which would have vast implications for all industries.
Published December 9, 2020.