The committee and witnesses in the tech space discussed comprehensive privacy reform while states continue to enact their own laws and regulations on data privacy.
02/21/2022 11:00 A.M.
The House Committee on Administration discussed federal data privacy standards in a hearing, “Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors,” last week.
The committee is chaired by U.S. Rep. Zoe Lofgren, D-Calif., who in November 2021 reintroduced the Online Privacy Act, which creates user data rights and limitations and obligations for companies collecting and using consumers’ data. It would also establish the Digital Privacy Agency to enforce privacy laws. U.S. Rep. Anna Eshoo, D-Calif., is a co-sponsor of the Online Privacy Act.
In her opening statement at the hearing, Lofgren said comprehensive privacy reform is long overdue.
She added that despite the enactment of California’s comprehensive data privacy law, online data collection has not slowed, and that constraining the collection and retention of data by internet companies will require a change in business models.
The committee’s ranking member, U.S. Rep. Rodney Davis, R-Ill., noted, however, that online data and privacy are rare topics for the committee to discuss and should be covered by the committees of jurisdiction, the House and Commerce Committee and House Judiciary Committee. The House Administration Committee would be responsible for considering the impact of online data and privacy discussions on legislative agencies, Davis said.
U.S. Rep. Bryan Steil, R-Wis., highlighted personally identifiable information, like biometric and genetic data, as deserving stricter privacy regulation during the hearing. Steil emphasized that Americans mistakenly believe that the Health Insurance Portability and Accountability Act (HIPAA) protects medical data in the tech context. One hearing witness, Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, noted that HIPAA applies only to information shared between health insurers and medical providers, and that data protection is not extended to health care apps. Fitzgerald further cautioned about potential uses of medical data against consumer interests, including in insurance rates and employment hiring.
Fitzgerald called for a comprehensive law, rather than sectoral laws, that moves beyond the failed notice and consent regime. Witness Shoshana Zuboff, the Charles Edward Wilson Professor Emerita at Harvard Business School, added that democratic governance must be put back in control of the information and communication spaces, rather than an unimpeded private sector force.
Marshall Erwin, the chief security officer for the Mozilla Corporation, noted a baseline federal standard must include core privacy practices, including data minimization requirements, with Fitzgerald clarifying the obligation should be placed on companies to delete extraneous consumer data. Fitzgerald advocated that knowledge of information collection is insufficient, and basic privacy rights should require data collectors to limit collection, use, and storage of personal data.
U.S. Rep. Barry Loudermilk, R-Ga., brought the financial services perspective to the discussion, pointing to a multitude of sectoral laws and standards.
Daniel Castro, vice president of the Information Technology & Innovation Foundation, noted other countries do not take a sectoral approach and view the American state patchwork skeptically, impacting American competitiveness through loss of contracts with European companies subject to the General Data Protection Regulation.
Fitzgerald cautioned that the mistakes made in the artificial intelligence space should not be repeated, and that innovation around privacy should be encouraged.
During the hearing the committee addressed privacy protection in legislative branch agencies, which related to Lofgren’s Online Privacy Act, and enacting sweeping federal data privacy and security requirements—despite significant outstanding (partisan and cameral) dissension over allowing private rights of action in online privacy and data security violations.
Checking in on Data Privacy
Meanwhile, data privacy is on the legislative agenda in several states as they seek to enact data sharing safeguards for consumers, and it remains on federal regulators’ radar for rulemaking in 2022.
ACA International member Kim Phan, a partner at Ballard Spahr LLP in Washington, D.C., recently spoke on the topic on the ACA Huddle, explaining that we can expect to see a lot of state regulatory scrutiny and federal updates on data privacy.
The Federal Trade Commission has always been the de facto privacy and data security agency, Phan noted. A significant development this year will be the FTC’s implementation of the Safeguards Rule, which strengthens the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information, ACA previously reported.
ACA will continue to follow these state activities and keep members updated in ACA Daily.
For more state updates, members are invited to join the weekly ACA Huddle at 11 a.m. CDT on Wednesdays.