The rumors of the death (or at least “dearth” -- of activity) of the 112th Congress are somewhat exaggerated, to morph a phrase from Mark Twain; at least regarding the last couple weeks prior to the Independence Day recess. Not only did Congress pass major legislation related to the FDA, transportation programs and student loans in the last two weeks, it has been active on the privacy/data security front as well. Here’s an overview:
Privacy / Do Not Track
On June 19, the House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet held a hearing on, "New Technologies and Innovations in the Mobile and Online space, and the Implications for Public Policy,” featuring witnesses from eBay, the Association for Competitive Technology (app developers), TRUSTe, and NYU Law School. Lawmakers on both sides of the aisle expressed serious concerns about the over-collection of consumers’ private information by various online businesses and the quality, or complete lack of, privacy notices for mobile apps, among other issues. They were clearly grappling with whether to legislate, potentially imposing a one-size-fits-all policy on the internet economy, or to let industry regulate itself, with company-by-company policies, leaving no mechanism for enforcement and potentially allowing a patchwork of state regulations to fill the void. No consensus was reached - among the witnesses or the subcommittee members.
On the same day, two senior members of the House Energy and Commerce Committee and co-Chairmen of the House Privacy Caucus, Ed Markey (D-MA) and Joe Barton (R-TX), wrote the World Wide Web Consortium (W3C) Tracking Protection Working Group in support of default Do-Not-Track browser settings and urging them to “commit to user control over both data collection and use.” Read the letter here.
Not to be outdone, on June 28, the Senate Committee on Commerce, Science, and Transportation held a hearing on “The Need for Privacy Protections: Is Industry Self-Regulation Adequate?,” at which witnesses from the Association of National Advertisers, TechFreedom (non-profit, non-partisan think tank), Mozilla, and Ohio State Law School testified. In the case of Chairman Rockefeller, to ask the question to answer it: Self-regulation is inadequate and Do-Not-Track legislation is needed because “companies will always be tempted to misuse the consumer information they collect.” Industry disagrees and wants more time to develop a consensus self-regulatory approach and innovate new mechanisms to meet consumer privacy demands.
In the last two weeks, H.R. 5949, legislation to reauthorize the FISA (Foreign Intelligence Surveillance Act) Amendments Act of 2008, a law that permits warrantless wiretapping for antiterrorism purposes, was approved by the House Judiciary and Intelligence Committees. The bill would simply extend the FISA Amendments Act, set to expire at the end of the year, for another five years. Similar legislation, S. 3276, was approved by the Senate Intelligence Committee on June 7 but has stalled due to objections by Sen. Ron Wyden (D-OR) over a lack of information on how many Americans’ communications have been collected to date under the law.
Senate Majority Leader Harry Reid (D-NV) has announced that the Senate will take up cybersecurity legislation (S. 2105) in July in an attempt to flush out positions and force a vote, despite no apparent majority support for a particular bill. On June 27, seven Senate Republicans reintroduced their voluntary, non-regulatory cybersecurity bill, the SECURE IT Act, S. 3342 with new language to tighten the definition of cyber threat information and to address privacy and civil liberties concerns among other changes. In the meantime, Sen. Sheldon Whitehouse (D-RI) continues to work on reaching a compromise with certain other Republican colleagues. July election year politics don’t bode well for cyber legislation notwithstanding its national security implications.
If cybersecurity legislation does in fact make it to the Senate floor, it will draw a host of amendments on other privacy and data security issues. Count on data breach amendments to be among them: On June 22, Sen. Pat Toomey and other Republican members of the Commerce, Science, and Transportation Committee introduced legislation, S. 3333, to preempt a “patchwork” of state laws and create a national standard requiring companies to protect and secure consumers' electronic data. Toomey’s bill would require companies to take unspecified “reasonable” steps to protect personal data, but would not give the FTC power to write new regulations. In the event of a data breach, businesses would need to notify affected consumers “as expeditiously as practicable,” though delay would be allowed if notification could impede a civil or criminal investigation. Democratic attempts to garner bipartisan support for a version of their broader data breach bill, S. 1207, have been unfruitful.
On June 27, Sen. Al Franken introduced the “Protect Our Health Privacy Act,” S. 3351 to require health providers to encrypt portable devices that store health information and to restrict Business Associates’ use of protected health information. The bill stems from a particular data breach incident affecting Minnesotans and has the support of several consumer-oriented and civil liberties groups.