For decades, lawmakers pushed for a comprehensive federal law protecting user data – but it never survived the chaos of a deeply divided Congress. But on Tuesday, the Energy and Trade Committee held its first hearing to discuss a new proposal that lawmakers believe could actually cross the finish line.
Named the U.S. Data Privacy and Protection Act, the proposal marks an important step forward in congressional data privacy negotiations. For years, any measure that would set a national standard for user data protection has been lacking final approval due to party disagreements. From Republicans retaining support for bills allowing states – such as California – to spread their own rules to Democrats demanding private action, discussions have failed again and again.
But lawmakers on both sides of the aisle made it clear Tuesday that they are the closest they have ever been to passing a comprehensive privacy bill. “This is the closest we have come to establishing a national standard – a standard that many have long said is urgently needed,” said Cathy McMorris Rodgers (R-WA) in a hearing on Tuesday.
The measure allows Americans to access, correct and request the deletion of any personal data that companies have collected about them. It also calls on the Federal Trade Commission to define what forms of data are needed for companies to collect – a first step in minimizing the amount of data that companies are allowed to collect. Civil liberties and child protection are also emphasized in the measure, which would prohibit companies from serving targeted advertisements to children under 16 and would force them to make annual civil rights assessments of their algorithms.
“This proposal is the first serious, bipartisan, bicameral, comprehensive national privacy bill that directly addresses the bottlenecks that derailed earlier efforts,” said Frank Pallone (D-NJ), chairman of the full committee, in a statement. Tuesday. “This legislation represents a fundamental change in the way data is collected, used and transferred.”
Business groups opposed many of the measure’s compromises, including a private right of action that would allow civil lawsuits in response to data privacy violations. When the draft was first circulated last week, the Chamber of Commerce called the measure “unfeasible” and that it “should be rejected” in a draft letter, according to CNBC. The language of the draft only allows users to sue companies up to four years after a breach. If, during that time, the FTC or Attorney General decides to take a case, the individual could no longer pursue his or her own lawsuit.
However, the proposal includes some gains for businesses. Most notably, the measure would precede state privacy laws with a few exceptions, such as the California Consumer Privacy Act and the Illinois Biometric Information Privacy Act. Technical leaders, such as Apple CEO Tim Cook, have long advocated for a national privacy law. Last week Cook sent a letter to lawmakers asking them to implement privacy rules “as soon as possible.”
Despite the broad bipartisan support of the U.S. Data Privacy and Protection Act, not all lawmakers are happy about it. Senator Maria Cantwell (D-WA), chair of the Senate Business Committee and a major figure in moving privacy rules to the floor, circulated her own draft proposal, which includes stronger private law enforcement, according to The Hill.