Rep. Steve King (R-IA) questions Sundar Pichai

Waiting for Federal Data Privacy Reform? Don’t Hold Your Breath.

Despite a litany of high-profile data breaches, federal action on data privacy is unlikely to go anywhere in 2019 as partisanship and lack of technology literacy complicate Congressional action.

The fines are piling up for US companies like Facebook and Google. Security researchers have announced the discovery of some 700 million stolen credentials in the cyber underground. At long last, the time seems ripe for comprehensive, federal data security legislation in the U.S. But on this issue, 2019 is shaping up to look like 2018…or 2017, for that matter: a year with plenty of good legislative intentions, but nothing to show for them when the final gavel falls.

Countervailing forces of partisanship, presidential politics and a full docket of competing issues are likely to sap the ability of the 116th Congress to tackle data privacy. At the same time, a lack of understanding by lawmakers of the nuances of technology and data privacy will make crafting meaningful, bipartisan data privacy legislation an uphill climb, according to experts interviewed by The Security Ledger.

Facebook: We Didn’t Give Anyone Data Without User Permission

Rep. Steve King (R-IA) questions Sundar Pichai
Rep. Steve King (R-IA) questioning Google CEO Sundar Pichai in December, 2018.

Clearly, the need exists. In the wake of serial scandals, including the breach of Equifax in 2017 and Marriott’s Starwood Resorts in 2018, the drum beat of massive data breaches shows few signs of stopping or even slowing.

Many possible options for Congress

“If Congress really wants to get involved in this, they need to devote a lot of energy and resources to understanding more problems” with data privacy said Paul Rosenzweig, a Senior Fellow of Cybersecurity and National Security at the R Street Institute.

There are many possible courses that Congress could take, Rosenzweig said. Legislators can play a role in data security reform through legislation or through oversight of companies that handle private data.

Massive Marriott Breach Underscores Risk of overlooking Data Liability

For example, congressional oversight allows the legislature to investigate how laws are enforced by the White House. Hearings on major data breaches and the legal response to them could expose a lack of enforcement of consumer privacy laws.

Rosenzweig doesn’t see oversight as a likely option in 2019, however, and the hearings with Google and Facebook executives showed why: expertise is needed to make changes and hold companies accountable on issues as nuanced and complex as these. Congressional hearings underscored a broad lack of knowledge in both the House and Senate.

Technology literacy an obstacle

In fact, hearings in 2018 and early this year only served to highlight lawmakers’ lack of fluency on data security and privacy issues. The lack of technology literacy among lawmakers was on full display in December during Congressional testimony by Google CEO Sundar Pichai or testimony by Facebook CEO Mark Zuckerberg. Those hearings were punctuated by memorable gaffes from members of Congress like Senator Orrin Hatch or Representative Dorris Matsui, who seemed unfamiliar with well established phenomena, such as how location tracking works or Facebook’s reliance on ad revenue rather than user subscriptions to earn money.

Is 2019 Privacy Rights’ Break Out Year?

The other tool available to Congress is to draft new privacy and cyber security legislation, Rosenzweig noted.  

Advocates of a stronger federal role in protecting consumer privacy point to the European Union’s General Data Protection Regulation (GDPR) as a strong example of what the US should be working toward at the federal level. GDPR, which was passed in 2012 and went into effect in May, 2018, regulates the use of data for the privacy of EU residents. Since going into effect, EU regulators have received more than 59,000 notices of data breaches and issued 91 fines.Those include multi-million dollar fines on Facebook and Google.

Regulation by other means

Despite being an EU law, GDPR is having a profound effect on U.S. data privacy and security practices, as well. According to Cisco’s Data Privacy Benchmark Study, the US is “57% GDPR ready” putting it in line with Germany and Canada. Perhaps prompted by GDPR, companies are taking notice on consumer privacy issues as an investment that decreases sales delays and lowering the cost of breaches, Cisco noted.

Headlines about massive breaches like the recent revelation about hotel chain Starwood have convinced the public that cyber security is a big issue. Despite that,  there is no indication that data privacy will be a policy priority for the coming legislative session. And even legislation introduced this year could take years to find its way to passage. Ernesto Falcon, Legislative Counsel with the Electronic Frontier Foundation said that if any legislation makes it to Congress, it could look like a “four year or longer process.”

Political Realities

Politicians may be eyeing polls that suggest the issue isn’t top of mind for voters. Pew Research Center polling, for example, shows individuals are aware of cyberattacks from state actors such as Russia and North Korea. But privacy is not within the top 15 legislative priorities for voters.

Polling by the Pew Foundation suggests Americans have strong views about data privacy…but don’t count it as a top priority. (Image courtesy of Pew.)

Instead, as victims pile up by the hundreds of millions in the U.S., lawmakers seems paralyzed by partisanship, bending apolitical data privacy and security issues to suit partisan attack lines. Thus: the spectacle of the Pichai hearings, as Republicans grilled the CEO about alleged biases against conservative voices in Google’s search algorithm, while Democrats pressed for information about misappropriation of Google searches to propagate disinformation campaigns during the 2016 presidential election.

With Washington D.C. on the sidelines, privacy advocates like Falcon are looking to the states for leadership. The California Consumer Privacy Act is one recent example of progress in the US. South Carolina and Vermont are two other states that are following suit, introducing legislation on breach notification and data privacy respectively.

While scattered, these laws point to a trend among state governments to regulate companies behavior and protect consumer privacy, says Falcon. Ultimately, Congress could set a minimum level of protection, with states choosing to adopt stricter measures, Falcon said “If more states start protecting their citizens with a set of privacy protections that’s a net good.”

Still, the focus on data breaches and privacy violations is only a part of the problem according to Dipayan Ghosh with Harvard’s Shorestein Center. “Privacy is not the end-all-be-all” but rather is part of a larger process to “balance power” between consumers and companies, Ghosh told The Security Ledger.  The ultimate goal is to create “privacy, competition, and transparency” within the tech industry. Data privacy legislation is step one in a much larger process of accountability, he believes.

That road looks long, indeed.

Paul F. Roberts contributed to this report.