|The top Democrat on one committee has released a bill that would scrap the notice and consent model and strictly limit what information can be collected, processed, and shared.|
First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.
On 18 June, Senate Banking, Housing, and Urban Affairs Ranking Member Sherrod Brown (D-OH) released a discussion draft of a federal privacy bill that “rejects the current, ineffective “consent” model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data.” The “Data Accountability and Transparency Act of 2020” may possibly shift the debate on privacy legislation as other recent bills and developments have moved the window of what stakeholders believe possible on the issue of the sufficiency of the notice and consent model. Like a few other bills, Brown’s legislation would establish a new agency to regulate privacy at the federal level, thus rejecting the idea to expand the Federal Trade Commission’s jurisdiction. The package also addresses an issue that has grown in visibility over the last month or so: facial recognition technology. Most of the privacy bills have not sought to fold the new technology into their regulatory frameworks. However, at present, election year politics compounded by the ongoing pandemic and protests in the United States may serve to further diminish the already flagging chances of enactment of federal privacy legislation this year.
In his press release, Brown claimed his bill “creates a new framework that would give Americans the power to hold corporations, big tech, and the government responsible for how they collect and protect personal data.” He claimed “[t]he bill rejects the current, ineffective “consent” model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data…[and] contains strong civil rights protections to ensure personal information is not used for discriminatory purposes, as well as a ban on the use of facial recognition technology.” Brown add the “Data Accountability and Transparency Act of 2020” “also establishes a new independent agency dedicated to protecting Americans’ privacy rights.”
Brown stated that “[s]pecifically, the Data Accountability and Transparency Act of 2020 would:
- Ban the collection, use or sharing of personal data unless specifically allowed by law
- Ban the use of facial recognition technology
- Prohibits the use of personal data to discriminate in housing, employment, credit, insurance, and public accommodations;
- Requires anyone using decision-making algorithms to provide new accountability reports
- Creates a new, independent agency that is dedicated to protecting individuals’ privacy and the implementation of DATA 2020. The new agency will have rulemaking, supervisory, and enforcement authority, the ability to issue civil penalties for violations of the Act, and a dedicated Office of Civil Rights to protect individuals from discrimination
- The proposal empowers individuals and state attorneys general to enforce privacy protections and does not preempt more protective state laws
- Finally, the proposal would require CEO certification of compliance with the Act and contains potential criminal and civil penalties for CEO and Board of Directors
Brown had begun the process with the chair of the Senate Banking, Housing, and Urban Affairs Committee on possible bipartisan privacy legislation likely within the jurisdiction of their committee. In February 2019, Brown and Chair Mike Crapo (R-ID) requested “feedback from interested stakeholders on the collection, use and protection of sensitive information by financial regulators and private companies.” Crapo and Brown stated:
The collection, use and protection of personally identifiable information and other sensitive information by financial regulators and private financial companies (including third-parties that share information with financial regulators and private financial companies) is something that deserves close scrutiny. Americans are rightly concerned about how their data is collected and used, and how such data is secured and protected. The collection and use of personally identifiable information will be a major focus of the Banking Committee moving forward.
However, the quotes from Crapo and Brown in the joint press release suggested they may not have been entirely aligned on the scope of potential privacy legislation. Crapo asserted “it is worth examining how the Fair Credit Reporting Act should work in a digital economy, and whether certain data brokers and other firms serve a function similar to the original consumer reporting agencies.” However, Brown remarked that “[i]n the year and a half since the Equifax breach, the country has learned that financial and technology companies are collecting huge stockpiles of sensitive personal data, but fail over and over to protect Americans’ privacy.” Brown added that “Congress should make it easy for consumers to find out who is collecting personal information about them, and give consumers power over how that data is used, stored and distributed.”
Crapo provided further insight into his preferred model by which the federal government would regulate privacy at an October 2019 hearing titled “Data Ownership: Exploring Implications for Data Privacy Rights and Data Valuation.” Crapo noted that “[t]his Committee has held a series of data privacy hearings exploring possible frameworks for facilitating privacy rights to consumers….[and] [n]early all have included references to data as a new currency or commodity.” He stated that “[t]he next question, then, is who owns it?” Crapo stated that “[t]here has been much debate about the concept of data ownership, the monetary value of personal information and its potential role in data privacy.” He asserted that “[s]ome have argued that privacy and control over information could benefit from applying an explicit property right to personal data, similar to owning a home or protecting intellectual property…[and yet] [o]thers contend the very nature of data is different from that of other tangible assets or goods.”
Crapo stated that “[s]till, it is difficult to ignore the concept of data ownership that appears in existing data privacy frameworks.” He said that “[f]or example, the European Union’s General Data Protection Regulation, or GDPR, grants an individual the right to request and access personally identifiable information that has been collected about them.” Crapo contended that “[t]here is an inherent element of ownership in each of these rights, and it is necessary to address some of the difficulties of ownership when certain rights are exercised, such as whether information could pertain to more than one individual, or if individual ownership applies in the concept of derived data.” He stated that “[a]ssociated with concepts about data ownership or control is the value of personal data being used in the marketplace, and the opportunities for individuals to benefit from its use.”
Crapo asserted that “Senators [John] Kennedy (R-LA) and [Mark] Warner (D-VA) have both led on these issues, with Senator Kennedy introducing legislation that would grant an explicit property right over personal data (i.e. the “Own Your Own Data Act” (S. 806), and Senator Warner introducing legislation that would give consumers more information about the value of their personal data and how it is being used in the economy (i.e. the “Designing Accounting Safeguards To Help Broaden Oversight and Regulations on Data” (S. 1951).” Crapo contended that “[a]s the Banking Committee continues exploring ways to give individuals real control over their data, it is important to learn more about what relationship exists between true data ownership and individuals’ degree of control over their personal information; how a property right would work for different types of personal information; how data ownership interacts with existing privacy laws, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and GDPR; and different ways that companies use personal data, how personal data could be reliably valued and what that means for privacy.” (See here for more analysis of both bills.)
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.