The Race Is On To Create A Federal Online Privacy Law: First Entry From Reps. Eshoo & Lofgren
from the lots-of-thought,-but-little-chance dept
There's a race on to have Congress introduce a comprehensive federal privacy law. As you may (or may not?) know, the US really doesn't have a law protecting our privacy. To date, any privacy protections have been a mixture of other laws, from the defanged 4th Amendment protecting (in theory more than reality) against government intrusion into our private lives, to the FTC's consumer protection mandates. However, many people recognize that this probably isn't doing enough to protect privacy in this age -- and with the EU taking the lead with the GDPR, it's become clear that the US needs to put at least something in place. So far, Congress has failed to come up with much, and there's a bit of a ticking time bomb in the form of California's hugely problematic CCPA law, which is set to go into effect on January 1st, despite a long list of problems with the law.
So much of the discussion has been around whether or not a new federal law will come into play that pre-empts various states trying to create their own set of privacy laws. Reps. Anna Eshoo and Zoe Lofgren have now announced their entrant into the discussion with their Online Privacy Act. It is quite long and detailed, coming in at 132 pages which I recommend reading. They've also created a one page summary of the bill.
The bill is ambitious, detailed and thoughtful... but also has some problems and is not likely to become law. There's a lot in the bill, but it will create a brand new federal agency, staffed with 1,600 employees, to "enforce users' privacy rights." Along those lines, it establishes what those rights are -- with much of it pulling from concepts currently found in the GDPR (i.e., rights to access, correct, delete, and download information companies hold about you). There are some opt-in requirements for using your data for things like machine learning (what seems like a response to the kerfuffle over IBM using Flickr images to train facial recognition AI).
The law would also put a bunch of obligations on companies regarding data minimization and also force the companies to be more upfront about what they need particular data for. It would also limit the sale or transfer of personal information. It also criminalizes "doxxing" which it defines as disclosing "personal information with intent to cause harm." If this became law, that section might run into some 1st Amendment problems.
Part of the "thoughtfulness" of the bill is that Eshoo and Lofgren have clearly heard some of the concerns that were laid out about the GDPR or other approaches to privacy. It includes an exemption for small businesses and then also includes a "ramp up" phase for companies that cross out of the small business realm. I'm always a bit concerned about "small business exemptions" because they lead to weird incentives and not always great outcomes. From a purely efficient standpoint, I tend to think that if the law is written in a manner that requires exempting certain classes of companies, it tends to highlight problems with the overall law itself, though there are some exceptions to that rule.
Importantly, the bill also calls out that it should have no impact on journalism, and acts of journalism (reporting on people) should never be seen as violating the law. That could lead to some conflicting situations within the bill, but hopefully the blanket exemption on journalism would protect journalistic activity.
That said, there are still problems with the bill. The biggest one is that it does not appear to pre-empt state laws, which is kind of the whole reason for introducing a federal law in the first place. I know that some privacy activists have pushed back against state pre-emption, but that by itself makes the bill somewhat useless, because California's law and other state privacy laws would more or less wipe this law off the books in terms of effectiveness. I understand the thinking that some have put forth that letting states craft their own privacy laws encourages more experimentation and thoughtfulness, but it makes little sense on an internet that crosses all borders. Complying with all state privacy laws is going to be a huge mess -- and therefore it seems like a federal law must include pre-emption of state laws for it to be valid.
The bill also includes a private right of action, which is seen by many to be problematic -- as it's going to enable the rise of what are, in effect, privacy trolls. Again, there are reasonable concerns about if it's only left up to government enforcement that enforcement will be lax, or will suffer from regulatory capture, but leaving open a broad private right of action could have significant problematic consequences. The bill also seems clearly designed to set up certain non-profits to file a bunch of class action privacy lawsuits:
NONPROFIT COLLECTIVE REPRESENTATION.— An individual shall have the right to appoint a nonprofit body, organization, or association which has been properly constituted in accordance with the law, has statutory objectives which are in the public interest, and is active in the field of the protection of individual rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in this Act on his or her behalf.
I worry a bit about the incentive structure there as well. I certainly have faith that groups like EFF would use this particular power wisely and in pursuit of actually protecting our privacy, but there are a number of non-profits out there that would likely take this to ridiculous extremes and immediately go after lots of companies for potentially dubious reasons.
Most reports on this acknowledge that this bill is unlikely to become law. It does not currently have bipartisan support, and the creation of an entirely new government agency, the lack of state pre-emption, and the private right of action have been seen as non-starters for many.
All that said, we're likely to see a bunch of privacy bills showing up in Congress soon, so it's worth exploring the details of this one. And, of course, it should be noted that both Lofgren and Eshoo represent parts of Silicon Valley, which might make you assume that the bill is "friendly" to tech companies. Looking through the details, though, and that would be a mistake. While I'm sure some will criticize the bill for not going far enough, this would create a pretty massive overhaul in how online privacy is handled in the US today and would, in effect, create an equivalent of the GDPR. That might still "benefit" large companies in making it more difficult for others and new entrants to compete (even with the small business exemption), but this bill doesn't do any favors for internet companies.
I do still worry that most of our attempts to regulate privacy fail because we often misunderstand what privacy means, and I do worry that the approach in this bill, as with the GDPR and the CCPA, suggests a static, rather than dynamic internet world, in which the focus is on "limiting" things, rather than recognizing how they might be better enabled by putting more control in the hands of the end users. So much of the structure of this and other bills seems based on the idea that there are central entities "controlling" our data -- which may be the case today, but need not necessarily be the case in the future.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anna eshoo, competition, doxxing, gdpr, online privacy act, privacy, private right of action, state pre-emption, states, zoe lofgren
Reader Comments
Subscribe: RSS
View by: Time | Thread
There should be a law saying companys must use basic measures to protect user data, unique passwords should be used ,personal
user data should not be placed on public pages where any one can see them.
the Esa put all the user data of visitors ,journalist,s ,bloggers on a public facing website .
it was a file containing all the user info of those people who applied for a media visitor badge to e3 2019.
name, adress, phone no, email adress ,home ,office adress .
there was no password on this file.
So they doxxed anyone who gave their data to the esa.
Anyone could just click download file x.
And read all the personal user data.
companys should be fined if user data is hacked into if they did not take reasonable precautions to secure it, such as using complex passwords and encryption of data .
IF companys sell data or send it to third partys they must disclose it
to the public on a easy to read privacy agreement on the website .
[ link to this | view in chronology ]
In my opinion, any legislation that requires more than 10-15 pages to write has already been compromised by special interests once you get past the title page.
[ link to this | view in chronology ]
There's also the fact that there's no federal jurisdiction over privacy. Article I, Section 8 of the Constitution lists the powers of the federal government and protecting/regulating citizen privacy is not on that list. And just so there was no confusion, Amendment X was included to drive home the point that any power not on the Art. I, Sec. 8 list belongs to the state and local governments, not the federal government.
This means privacy regulation is properly a matter of state law and jurisdiction, not federal.
[ link to this | view in chronology ]
Re:
Ah! Pedantry!
When we talk privacy we often discuss the trade of a person's private information for benefits, most often financial. This information is almost always gathered as part of a transaction as well. As this information is almost always digital and these trades are most likely to involve transactions that are a mix of intra- and inter-state that are likely impossible to fully untangle, this could quite easily fall under the existing constitutional and common law authority to regulate interstate commerce.
[ link to this | view in chronology ]
Re: Re:
Even if it doesn't, the courts won't care. SCOTUS already said intra-state non-commerce can be regulated under the commerce clause, because it has the potential to affect interstate commerce.
[ link to this | view in chronology ]
Re: Re: Re:
That ruling would be covered under 'common law authority'.
[ link to this | view in chronology ]
Re: Re: Re:
Yes, the Supreme Court buckled to FDR's court-packing threat and started finding all the president's clearly unconstitutional public works programs constitutional after all, using some of the most tortured logic in American jurisprudential history to do so.
Among other things, it is now true as a matter of law that a person's mere existence on the planet affects interstate commerce, which pretty much means the federal government has jurisdiction over just about everything, in clear contradiction of the text of the Constitution and the intentions of those who wrote it to create a federal government of severely restricted size and power.
[ link to this | view in chronology ]
If states come through with a patchwork of stricter laws than the federal law, it may make the federal law irrelevant, and would certainly complicate compliance. However, that would just mean the federal law is not useful, even though it would still be valid. Regardless, it would also serve as a baseline that companies would need to meet even in the most permissive states.
[ link to this | view in chronology ]
Is embarrasment "harm"?
Has that often happened? Usually people do that just to cause embarrasment, maybe inconvenience, rather than actual harm—unless they use the term very broadly.
[ link to this | view in chronology ]
Re: Is embarrasment "harm"?
Depends on if you get SWATted, or the Very Fine People who support El Cheetos start burning crosses on your lawn. Generally doxing is considered a threat. "I know where you live and so does everyone else."
[ link to this | view in chronology ]
Privacy Bill trigger
The one page bill says it is sponsored by "Congresswomen". "Women"? They used the word "women" and they are from California?
I feel triggered. I need a safe space..... :)
[ link to this | view in chronology ]
Privacy bill
I applaud at least the effort to rein in privacy, but one thing I didn't see (TL;DR) is how would this effect data that is ALREADY OUT in the wild?
Kinda hard to unring that bell.
[ link to this | view in chronology ]
i need to change the channel..
Lets see..
In the past, Our laws and constitution protected us from both sides, and other nations, as well as the corps..
Then the corps got the right to REMOVE your federal/Religious/any rights..Just by a signature.
then we had complaints, from women, about NOT having rights..
We have gov. agencies that give us no rights, its part of their job, until they take it to court..
The idea of a wireless system was great for the corps and Police agencies, as the Landline phone system had Allot of protections..
[ link to this | view in chronology ]
One other thought.....
Again, I didn't read all 132 pages, but......
IMNTBHO, there HAS to be some sort of provision that prevents companies from bypassing the law by refusing service unless the consumer surrenders their rights under this law (if it becomes law).
For example, back in the 80's, when I was in the Army, and you filled out paperwork (to take leave or change pay allotments, for example), the law (at the time) said the Army could not require you to give them your SSN. However, every single form had small print on it that read: "Federal Law prohibits us from requiring the use of your social security number. However, if you fail to provide it, this form will not be processed" (or words to that effect).
[ link to this | view in chronology ]
Re: One other thought.....
The army has a long history of just ignoring the law and making their own up on the fly. It is well established law already that you can't require anyone give up any rights under the law just to provide service to them. The army just doesn't care and no one holds them accountable for it almost ever.
[ link to this | view in chronology ]
Re: Re: One other thought.....
Damn skippy!
[ link to this | view in chronology ]
Re: Re: One other thought.....
If that's true, it seems it is not enforced, since companies routinely require customers to give up the right to sue in order to get service.
[ link to this | view in chronology ]
Re: One other thought.....
Even today it is very difficult to sign up for insurance coverage without providing your SSN. During the course of my current employment we switched insurance providers and had to fill out new paperwork. I had recently been the victim of tax fraud (someone else using my name & SSN to file) so I didn't want to give the insurance company my SSN. After weeks of getting screwed around with "we have a procedure but nobody knows what it is" I finally gave in and submitted the standard form with my SSN.
1 year later that insurance company was hacked and my info was confirmed among the disclosed.
Good times. Not that hacking is directly related to this story but it should be. Companies should be held responsible for keeping client data secure. It's too late for me... 6 known hacks including my data and counting.
[ link to this | view in chronology ]
Re: Re: One other thought.....
can you please list the service providers you currently use so we can choose differently ?
[ link to this | view in chronology ]
So more government regulation then. I seem to me that until the existing regulations are enforced and working correctly adding another layer will not yield the desired results.
[ link to this | view in chronology ]
Re:
That's a dumb argument. If all you have are incomplete or broken laws, what does that fix? You will never get 100% correct application and enforcement of laws, so that lets everyone off the hook.
Far better to actively fix what is broken, and address the lack of enforcement at the same time. With a decent law, appropriate enforcement should be easier anyway.
[ link to this | view in chronology ]
Privacy as defined by Masnick is privacy from everyone except his surveillance valley sponsors.
[ link to this | view in chronology ]
Re:
How's that Richard Liebowitz defense fund coming along bro?
[ link to this | view in chronology ]
"active in the field of the protection of individual rights and freedoms with regard to the protection of their personal data"
idk - I wonder whose privacy they are talking about here.
My guess is - after passage, you will have less privacy.
[ link to this | view in chronology ]
I have started getting around to reading it. The journalism definition is too narrow to cover all legitimate journalistic activity that has been recognized by the various courts.
Also, the journalism does not say "for the purposes of this bill" so it is also too broadly defines journalism across all federal law in a way that would probably be impermissible under the 1st amendment.
[ link to this | view in chronology ]
Re:
Have read a lot of it, there aren't explicit instructions on how to keep the decisions of the governmental body "narrowly tailored" for Supreme Court precedential purposes. At least someone is trying though.
[ link to this | view in chronology ]
Re: Re:
Okay, I guess there are many places that the instructions are possibly good enough but going back to the definition of journalism, it doesn't provide any room for excluding information that has been gathered from public consumption. The most straightforward reading is that you must distribute to the public all the information you gathered. That is not nearly narrowly tailored enough. It also removes editorial decisions from the process.
Those things would probably lead to it getting thrown out pretty quickly.
A lot of it is pretty good though and at least they are trying.
[ link to this | view in chronology ]
Re:
I need to install a grammar checker or learn to type slower.
[ link to this | view in chronology ]