2 years ago
For decades, Congress has tried and failed to pass a law to protect Americans’ data privacy. A bipartisan draft bill suggests lawmakers in both chambers are finally close to making it happen, according to multiple people who’ve viewed a draft text.
A bipartisan group of leaders of key House and Senate committees have drafted a bill that compromises on two of the biggest sticking points in federal privacy negotiations, according to four individuals who are familiar with the draft bill that is being circulated among legislators, industry and privacy advocacy groups.
Such a bill would provide a uniform national standard on what data companies can gather from individuals and how they can use it. The current situation is a patchwork of state and sector-specific privacy laws like a 1999 law that protects financial information, a 1996 law that protects health information and a 1974 law that protects information gathered by the government.
For decades, legislators have tried to pass a national privacy law. The most recent time things looked promising was in late 2019, when bipartisan House Energy and Commerce staff shared a privacy draft bill, and leaders of the Senate Commerce Committee introduced their own privacy measures — but none have advanced out of their committees.
“This is the closest that we have seen comprehensive privacy legislation get to enactment,” said David Brody, a managing attorney for the Digital Justice Initiative at the Lawyers’ Committee for Civil Rights Under Law, whose group is engaged on privacy bill talks
House Energy and Commerce Chair Frank Pallone (D-N.J.), ranking member Cathy McMorris Rodgers (R-Wash.) and Sen. Roger Wicker (R-Miss.), ranking member of the Senate Commerce Committee, are the authors of the draft privacy bill. People familiar with the negotiations say the draft bill could be released as soon as today.
The draft bill includes an agreement that the federal law will preempt most state laws — with exemptions for California and other states — and certain limited rights for individuals to sue for monetary damages if a company violates their privacy, a setup referred to as “private right of action”, according to one person who saw the draft bill. These provisions mark convergence on two previous major sticking points. Republicans had previously wanted to preempt all state laws while Democrats wanted individuals to have a broad private right of action.
Two additional people close to the negotiations confirmed that lawmakers are working to finalize a bipartisan agreement on privacy and data security. If that agreement becomes law, it would bring the U.S. closer to par with Europe, which has several such broad privacy rules, including the General Data Protection Regulation, or GDPR.
While the bipartisan privacy negotiations are further ever before, one key negotiator — Senate Commerce Chair Maria Cantwell (D-Wash.) — has not yet agreed to the compromise draft.
Cantwell is concerned that the draft doesn’t have a strong enough enforcement mechanism, according to a person who saw the draft bill text. The draft bill includes a four-year moratorium after enactment before any private lawsuits can be brought.
Meanwhile, Cantwell has shared a revised version of her Consumer Online Privacy Rights Act — first introduced in 2019 — with industry and privacy advocacy groups. The updated version would define a “substantial privacy harm” as an alleged financial harm to an individual of $1,000 or more, or an alleged physical, mental or reputational harm. Cantwell’s draft bill would prevent companies from using user-agreements to force individuals to go through arbitration to settle disputes rather than sue in court, according to a draft obtained by POLITICO.
The Pallone, McMorris Rodgers and Wicker draft bill does not block companies from forcing customers to use arbitration, except when it comes to children, according to one of the people who saw the draft. Businesses regularly include such clauses in user agreements and have pushed to maintain that right.
Tricia Enright, a spokesperson for the majority side of the Senate Commerce Committee, said Cantwell wants to hold a markup this month on a bipartisan federal privacy bill along with bills related to children’s privacy.
However, there is little time left in the Congressional calendar before Congress breaks for its August recess and then heads into the midterms. It is unclear whether Congress could get a federal privacy bill across the finish line this year.
Senate Majority Leader Chuck Schumer last week urged Cantwell to quickly finalize a bipartisan agreement, according to a person familiar with a conversation between them. Leadership support is crucial, given the limited number of legislative calendar days left before the midterm elections.
The timeline for action is limited also due to committee leadership changes. Wicker likely has little time left as ranking member on Senate Commerce as he’s indicated he’d take the top GOP leadership role of the Senate Armed Services Committee after the retirement of Sen. Jim Inhofe (R-Okla.). Wicker’s expected replacement on Senate Commerce — Sen. Ted Cruz (R-Texas) — hasn’t been a leader on federal privacy talks.
“This might be the moment that Wicker really can act to have his kind of stamp on a bill before he leaves potentially out of this committee,” Divya Sridhar, the senior director of data protection policy at tech industry group SIIA said. “So I think there's some kind of indication that this could be the moment.”
Pallone, Wicker and McMorris Rodgers’ offices declined to comment.
Carl Holshouser — senior vice president at TechNet, a lobbying group that represents Google, Amazon and Meta — said he thinks the agreement is nearly done.
“Congress has been slowly marching down the field and now appears to be on the two-yard line drafting a bipartisan bill. We’re on the brink of a big win — but the legislative clock is running out and action is needed quickly,” he said.
The U.S. Chamber of Commerce has strongly opposed any bill that includes a private right of action.
Emily Birnbaum contributed to this report.
English (US)