Senate Democrats Publish Privacy and Data Protection Framework

Proposal seeks wide-scoped federal privacy legislation including private right of action, CEO accountability, and whistleblower rights.

Ever since the California Consumer Privacy Act was signed into law in June 2018, with its looming effective date of January 1st 2020, a desire for a federal privacy law has been seen from all sides of the table, including Big Tech, Democrats, and Republicans. The problem is, they want different things.

In September this year 51 CEO’s from top-companies, such as Amazon, IBM, DELL and JP Morgan Chase, sent an open letter to Congress, asking for a “comprehensive consumer data privacy law”. The goal: One federal privacy law to supersede all competing state-wide efforts, to avoid the cost of having to comply with a patchwork of differentiating bills.

Although Capitol Hill set about drafting proposals with initial enthusiasm, the collisions between Democrats and Republicans have seemingly brought things to a standstill.

The main point of conflict focuses on whether the federal law should or should not preempt state-laws, such as the CCPA. In the eyes of the Republicans, following the reasoning of Big Tech, supersession is the whole point of a federal privacy law. The Democrats however, with the dominant California delegation at their helm, see a federal privacy law as a minimum baseline, which should take a step back for State-wide legislations going beyond this minimum.

Another polarizing point is whether consumers should have a right to private action (Democrats) or not (Republicans).

A group of Democratic senators have taken a clear stance in favor of a far-reaching federal privacy law this Monday. They released a set of core principles which should be included in any comprehensive data protection law. The framework is clearly meant to be used to draft the federal privacy bill, but should also lay the groundwork for any state-wide laws.

The principles will come as a shock to the more conservative side of the debate, due to their strong demands:

• There is a GDPR-like data Minimization principle for the collection of data, as well as a Sharing Limit principle. Taken together, these prescribe that businesses can only collect and share data when it’s directly related to the services and products they provide. They also hint at opt-in requirements for both collection and sharing.
• The Democrats’ principles also champion consumer rights we’ve seen before in the CCPA and GDPR. Consumers should have the right to access their data, transfer their data to other companies, delete their data, and to know what data is collected about them and who it’s shared with. In addition, they list the right for consumers to correct their data, and to restrict the transfer and retention of their data. And of course, consumers must not be discriminated against for exercising any of their new rights.
• The framework mentions “increased CEO accountability” but doesn’t elaborate. This phrase seems to align with Senator Ron Wyden’s Oct. 17th privacy bill proposal which granted the FTC the power to go directly after CEO’s that lie about their privacy practices, threatening with fines and possible jail-time. The idea is closely modeled after CEO accountability for the integrity of financial statements under the Sarbanes Oxley Act.
• The framework aims to impose real accountability and names “whistleblower rights” and “consumer redress mechanisms” as tools to get there. It is unclear whether this stipulates a private right of action for all types of violations, or only certain types (like the CCPA and data breaches, or other types of unauthorized data access). Considering the purpose of imposing real corporate accountability for all forms of privacy violations, it can be assumed that the principles push for a private right of action for all violations.
• The principles hint at severe fines, when stating that “Enforcement of privacy rights must serve as a serious deterrent, not just an acceptable cost of doing business”. When the FTC imposed a record-breaking $5 billion penalty on Facebook as a response to the Cambridge Analytica scandal, many criticized that this sum pales in comparison to Facebooks $55 billion yearly revenue.

Though opinions on this set of principles will be divided, all can hopefully agree on one point: They have the potential to reinvigorate the debate about a federal privacy regulation, and that can only be seen as a good thing.