Authors: Stacey Gray, Senior Counsel (US Legislation and Policymaker Education), Polly Sanderson, Policy Counsel
This afternoon, The Brookings Institution released a new report, Bridging the gaps: A path forward to federal privacy legislation, a comprehensive analysis of the most challenging obstacles to Congress passing a comprehensive federal privacy law. The report includes a detailed range of practical recommendations and options for legislative text, the result of work with a range of stakeholders to attempt to draft a consensus-driven model privacy bill that would bridge the gaps between sharply divided stakeholders (read the full legislative text of that effort here).
Among the legislative options for issues that will have to be addressed to pass a federal privacy law, the report explores: endgame issues (including preemption and enforcement), hard issues (such as limits on processing of data, civil rights, and algorithmic decision-making), solvable issues (such as covered entities, data security, and organizational accountability), and implementation issues (such as notice, transparency, and effective dates).
- Read the full report here
- Read The Brookings Institution’s summary here
- Read the model legislative text here
- Watch The Brookings Institution’s June 3rd webinar, “What will it take to bridge gaps in federal privacy legislation?”, here
Below, we discuss how the Brookings report addresses the two “endgame issues,” enforcement and preemption, in a path towards federal privacy legislation. We agree that these are endgame issues given that neither is optional–both topics must be addressed in any federal privacy law–and because they are issues on which lawmakers on both sides of the aisle (and more broadly, industry and privacy advocates) remain the most deeply divided.
Any meaningful federal law must contain provisions for its enforcement. However, there is considerable disagreement regarding how a privacy law should be enforced. Enforcement mechanisms can vary widely, from agency enforcement (by the Federal Trade Commission or another federal agency), to state law enforcement (such as Attorneys General), to various kinds of private rights of action (by which individuals can challenge violations in court).
A number of Senate and House Democrats and privacy advocates are proponents of a federal private right of action (usually in addition to federal agency enforcement). Many privacy advocates observe that private litigation has played an important role in enforcing federal civil rights laws. They have also expressed concerns that a federal agency will not have sufficient resources, political will, or incentives to adequately enforce the law, for example, when a violation involves harm to only one or a few individuals. Read more from advocates:
- Gaurav Laroia & David Brody, Free Press, Privacy Rights Are Civil Rights. We Need to Protect Them (Mar. 14, 2019);
- Joe Jerome, Tech Policy Greenhouse by TechDirt, Can You Protect Privacy If There’s No Real Enforcement Mechanism? (May 29, 2020).
In contrast, most tech and business groups, and many Republicans, have expressed support for the more centralized enforcement authority of the Federal Trade Commission. Typically, they observe that data privacy harms can be difficult to define and measure, and argue that centralized enforcement would provide needed clarity and legal certainty to businesses and consumers around a consistent national standard. Business stakeholders also tend to cite concerns over contingency-based class action litigation, including risks to small businesses and financial incentives for meritless litigation. Read more from tech and business groups:
- Alan McQuinn and Daniel Castro, Information & Technology Information Association, The Costs of an Unnecessarily Stringent Federal Data Privacy Law (Aug. 5, 2019);
- U.S. Chamber, Institute for Legal Reform, Ill-Suited: Private Rights of Action and Privacy Claims (July 2019).
The Brookings proposal suggests a potential compromise: a tiered and targeted private right of action. Recovery would typically be limited to “actual damages,” but would impose statutory damages of up to $1000 per day for “wilful or repeated violations.” Specified harms under the duty of care would not be subject to a heightened standard, while other violations would require individuals to show a “knowing or reckless” violation to sue. Technical violations only give rise to suit if they were “wilful or repeated.” Importantly, potential plaintiffs would also be required to exercise a “right of recourse” before bringing a suit. This approach would give covered entities an opportunity to receive notice and cure the violation, and individuals a way to address privacy disputes outside the courts.
When Congress passes a federal privacy law, lawmakers must decide to what extent it will “preempt,” or nullify, current and future state and local privacy and data protection laws. Given the nature of modern data flows, most companies see clear benefit in uniform obligations across state lines and for consumers to have a core set of common rights. However, some argue that privacy can also have a uniquely local character, and note that state legislators have been at the forefront of many novel privacy protections, including in response to crises or rapid technological changes.
The Brookings report proposes several potential compromises to attempt to bridge the gaps between the broad preemption in Senator Wicker (R-MS)’s staff discussion draft and the narrow preemption provisions in most Democratic bills, including Senator Cantwell’s Consumer Online Privacy Rights Act (COPRA). The report suggests preempting state laws only where they interfere with federal provisions specifically related to data collection, processing, transfers, and security. It also recommends that the Federal Trade Commission be authorized to preempt any state law inconsistent with the federal standard, and suggests a limited eight-year sunset clause on preemption.
We are optimistic that this new report from The Brookings Institution will be a source of thoughtful debate, and help stakeholders advance the conversation about these contentious issues. In addition to the difficult “endgame” issues of enforcement and preemption, the report identifies a detailed and wide range of other solvable issues having to do with implementation or operational issues on which there is broad agreement. As a result, it provides a highly practical starting point for stakeholders to engage around key issues that will need consensus.
The report observes that its recommendations “will not satisfy maxialists on either side of the debate” but that it may address “legitimate interests of divergent stakeholders.” Indeed, both sides have something to gain from striking a balance – and we agree that “both have something to lose from continued inaction and stalemate.”