Top privacy law issues in 2022 as Congress debates federal law


Will 2022 be the year of a national privacy law? We see new federal proposals, ongoing negotiations on key issues such as private right of action and state preemption, and new activity at the state level. There’s still a long way to go, and 2022 probably won’t be the year, but watch 2023.

Here are five key questions to watch for next year as this debate evolves.

Identify pressure points from state law

Clearly, one of the main pressure points for Congress is activity in states regarding “general” or “comprehensive” privacy laws.

With the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and new laws coming into effect in 2023 in Colorado and Virginia, Congress and (more importantly) various constituencies are paying attention to states. With each state law passed, the basis for any potential privacy law increases (meaning the price of preemption goes up).

At the same time, while there are clearly some similarities between these laws, there are also some critical differences, which means that no obvious state model emerges.

A new Massachusetts proposal – which appears to be successful – could be, in the words of Woody Hartzog, professor of law and computer science at Northeastern University, “the most revolutionary data privacy legislation in the United States.”

My point remains that if three to six major states pass a law along the lines of the CCPA – in any reasonable analogy (especially if that includes aggressive Massachusetts law) – then American companies will have to go to Congress and seek the protection of a national privacy law.

Is there a realistic alternative to notice and choice?

There is growing criticism from a wide range of groups of the role of the traditional “notice and choice” regime for privacy law. The concern is that following a “notice and choice” route places too much of a burden on the consumer without imposing appropriate restrictions on businesses that collect and use personal data.

So far, however, with the exception of some prominent academic circles and other advocacy activities, no meaningful alternative approaches have emerged in these state laws. The CCPA, for example, places very few direct restrictions on covered businesses, while providing consumers with significant additional ‘notice and choice’ options.

Virginia law provides that no processing of sensitive data can emerge without the consumer’s consent, without explaining how that consent will be obtained or what realistic alternative there will be for consumers when presented, presumably, with an “all or nothing” approach.

I have written about the possibilities of a context-based option, but these concepts have for the most part not yet emerged in the proposed legislation.

Addressing the role of the FTC

The Federal Trade Commission, under new leadership, is engaged in a broad set of actions to broaden its global reach, on data privacy, security and a wide range of other areas of consumer protection. This may include an extended rulemaking process to develop unfair privacy principles related to its authority under Section 5 of the FTC Act.

Congress can also give the FTC the power to impose Section 5 penalties at first instance (rather than only being able to prosecute penalties after violations of previous orders).

At the same time, several bills pending in Congress give the primary regulatory authority under a national privacy law to a new agency rather than the FTC. So anyone interested in debating a national privacy law should watch what the FTC is doing, both on its own and as part of the overall pressure on Congress.

Will Congress Tackle Algorithmic Discrimination?

The Biden administration has also embarked on its own initial efforts to develop some specific privacy principles. In December, the National Telecommunications and Information Administration hosted three “listening sessions,” designed to “provide data for a report on how business data flows of personal information can lead to disparate effects and outcomes for marginalized or disadvantaged communities”.

This raises the key question of whether Congress will attempt to address these issues of bias and discrimination involving the use of big data and algorithms in a national privacy law. Traditionally, we have dealt with these concerns as civil rights issues or in the context of other subject-specific laws (for example, insurance or health care), rather than through privacy protection law.

Will Congress address this extremely complicated issue in a national privacy law and all the other things it needs to deal with?

Will the law have an impact on the issue of data transfer in the EU?

Finally, how will Congress attempt to address growing concerns from the EU and other countries about the transfer of personal data to the United States? The key element of the current concern – emanating from the Schrems 2 decision – is how the US government can access data transferred to the United States.

Few, if any, of the major privacy bills that have been introduced address this issue in any meaningful way. Business will be watching closely to see if Congress can help find a solution with EU authorities to this increasingly difficult problem.

This column does not necessarily reflect the opinion of the Bureau of National Affairs, Inc. or its owners.

Author Info

Kirk J. Nahra is a WilmerHale partner in Washington, DC, where he is the co-chair of the firm’s global cybersecurity and privacy practice. He teaches privacy issues at several law schools, is a fellow of the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis, and a fellow of the Institute for Critical Infrastructure Technology.

