You see a news story talking about the need for a national privacy law and how Congress is working on one—or, at least, should be. What year is it?
Trick question: it could be almost any year in the last two decades. Including, now, 2024. Last week, the Washington Post reported that the leaders of two key congressional committees were “nearing an agreement on a national framework aimed at protecting Americans’ personal data online.” (The news was first reported by Punchbowl News, a political newsletter). As the Post noted, this would mean that Congress is close to passing legislation that has “eluded them for decades.” Cathy McMorris Rodgers, a Republican representative from Washington State who chairs the House Energy and Commerce Committee, and Maria Cantwell, a Democratic senator from the same state and chairperson of the Senate Commerce Committee, are expected to announce the deal next week.
According to The Hill, the two members of Congress decided that the time is right to push for a national privacy law, in part because of recent fears that social platforms are harming children (a debate that I wrote about last week in this newsletter), but also due to concerns about the impact of artificial intelligence. In a statement, Cantwell said that a federal data privacy law must “make privacy a consumer right, and it must give consumers the ability to enforce that right,” adding that the bill is the protection “Americans deserve in the Information Age.” Under the draft law, companies would face limits as to what data they can collect and use, and individuals would be allowed to sue “bad actors” for violating their privacy. New data security standards would also hold companies accountable if data is hacked or stolen. And the Federal Trade Commission would form a new bureau in order to enforce the law.
Note: this post was originally published as the daily newsletter for the Columbia Journalism Review, where I am the chief digital writer
To say that such a law has been a long time in the making would be an epic understatement. Writing for the Brookings Institution in 2021, Jessica Rich, a former attorney with the FTC who at one point was in charge of its privacy arm, noted that the idea of a federal privacy law goes back to at least 2000, when the FTC called on Congress to pass one, echoing similar calls to action from leading privacy groups. Congress failed to act for a variety of political reasons, however, and nothing was passed for the next two decades, despite exhaustive debate and dozens of bills and hearings.
When the FTC made its request in 2000, Rich notes, the internet was still in its infancy as a public medium; Facebook would not exist for another four years, and the iPhone for another seven. But Rich argues that the need for a national privacy law was obvious even before such social networks and smartphone apps started tracking our behavior, location, and consumption habits. FTC surveys had already shown that despite collecting large amounts of private personal information, very few companies disclosed anything about how they collected and used this data.” Fewer still promised even the most basic protections for that data.
So why has a federal law taken so long? Although most members of the House and Senate seem to agree that privacy needs to be protected, there have been some key differences in the application of those protections in the past, along with some partisan squabbling. (Surprise!) As Politico noted in 2022, while discussing a new proposal for a bipartisan privacy bill, a previous attempt at such a law in 2019 was supported by the House Energy and Commerce Committee and the Senate Commerce Committee, but fell apart because of a clause that would have permitted anyone whose data was misused to sue the company or companies involved in a private action. Among other critics, the US Chamber of Commerce said that it strongly opposed such a right.
In the absence of a federal law, a number of states have implemented their own privacy legislation. The first to do so was California, in 2018; according to a recent estimate from the International Association of Privacy Professionals, fifteen other states now have comprehensive privacy laws. Political analysts say that these state laws, particularly California’s, have been a sticking point when it comes to crafting a national law. According to the Post, Cantwell and McMorris Rodgers’ proposed legislation would preempt state laws. They have promised that the new law will set a stronger standard than in any state. But, per the Post, this claim is “likely to provoke opposition, especially from California,” which believes that its law is better. Analysts say that there are a number of other potential roadblocks to the bill as well. One is the ticking clock: the presidential election is in November, and unless a bill moves forward and gets to a vote before then, the clock will likely have to be reset. And McMorris Rodgers isn’t running for reelection.
Meanwhile, Congress is in the midst of another battle over privacy, but from a very different perspective: namely, how much privacy and transparency should Americans expect when it comes to surveillance by their own government? A bipartisan coalition of lawmakers is trying to reauthorize Section 702 of the Foreign Intelligence Surveillance Act, which expires next week. FISA is a controversial law that was originally designed to allow the US government to capture the phone calls, emails, and online activity of non-Americans, but also lets them snoop on US citizens whose data gets caught in those nets. Congressional critics of the latter practice argue that intelligence agencies should have to apply for a warrant in such cases. (Currently, they don’t have to do so. I wrote about a prior iteration of this debate in December.)
As CNN noted, the debate over the law has created “some strange bedfellows” in Congress. Some Republicans have found common cause with Democrats who want to reform the law to provide more transparency, while more security-focused Republicans have joined with like-minded Democrats to oppose new restrictions on intelligence agencies, arguing that it would make it harder for them to do their jobs. Per CNN, the Biden administration has been “publicly and privately lobbying Congress on the importance of Section 702 and pushing for as few changes as possible,” including any kind of warrant requirement.
According to Noah Chauvin, a counsel in the Liberty and National Security Program at New York University, Congress has directed intelligence agencies to minimize the retention and use of Americans’ information. Despite this, he writes in The Dispatch, officials from the FBI, CIA, and NSA perform “more than 200,000 warrantless backdoor searches every year” involving the private phone calls, text messages, and emails of American citizens. Many of these searches, Chauvin says, involve “alarming abuses.” He says that the government has searched the communications of members of Congress and journalists, and that the FBI has improperly searched the communications of a US senator and a judge who reported civil rights violations by a police chief.
All told, Americans could wind up being protected by law from having their private information taken and sold by social platforms and apps, but unprotected if the government wants to surveil their phone calls and electronic communications. Or those two outcomes could be reversed. What seems more likely is that citizens of the US will remain unprotected in either eventuality, as they have been for the past two decades or so. Unless something dramatic happens, and the repetitive headlines finally stop.