In this two-part series, we explore the growing interest among United States (US) citizens and lawmakers in a comprehensive federal data protection law. Part 1 examines the market drivers and potential impact of a comprehensive federal data protection law in the US. Part 2 will describe the provisions that would be beneficial to include and the actions organizations can take now to prepare.
Enterprises are awash in personal data, from employee records to customer profiles. That’s true whether you’re an online retailer, a regional healthcare provider, a multinational technology company, a financial services firm, or a government agency.
Organizations are likewise deluged with the risk of cyberattacks – many of which target the personal data stored and transferred across datacenters, cloud environments, networks, and endpoints. As a recent example, in March 2023, lawmakers and their staffs in the House and Senate were victims of an “extensive” data breach that included home addresses, health insurance plans, and Social Security numbers.
Not surprisingly, individuals are taking notice and demanding that organizations meet higher standards for protecting their data. This clamor has captured the attention of lawmakers in statehouses across the country, as well as representatives at the federal and executive levels.
Currently, six states have comprehensive data protection laws on the books, and narrower sectoral laws are even more pervasive at the state level. It’s also anticipated that at least 15 states will introduce new data protection legislation in the near future. The resulting patchwork of compliance requirements and potential penalties can make it difficult for organizations to manage governance, risk, and compliance (GRC), to conduct operations efficiently across jurisdictions, and to provide a consistent level of privacy protection to their employees and customers globally. A comprehensive US federal privacy law could help address some of the concerns that arise from this state-level patchwork approach.
Of course, no organization wants unnecessary regulatory burdens. But a law at the federal level could establish a baseline for privacy best practices and offer a consistent framework for safeguarding personal data. It would also enable the US to provide evidence of its commitment to ensuring the appropriate protection and use of personal data derived from international individuals, which in turn will be taken into consideration when data protection authorities assess whether the US should receive an adequacy decision. This would also enable US companies doing business around the world to reassure their international customers and regulators regarding the requirements imposed on the company and the protection mechanisms required for personal data.
Privacy Law Drivers
Europe preceded the US in passing comprehensive data protection regulations, in part influenced by a political history that caused residents to place a premium on privacy. The Data Protection Directive, enacted in 1995, and then the General Data Protection Regulation (GDPR), implemented in 2018, together with the UK GDPR (the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the EU (Withdrawal) Act of 2018), standardized data protection requirements across the European Union (EU) and the UK.
Due to the extra-territorial scope of GDPR and the importance of the EU to the global market, the GDPR has had a major impact on company operations and data protection laws around the world. For instance, the California Consumer Privacy Act (CCPA), also adopted in 2018 and subsequently amended by the California Privacy Rights Act of 2020 (CPRA), bears similarities to GDPR.
In 2016, the European Commission deemed the EU-US Privacy Shield Framework (Privacy Shield) as adequate to enable data transfers between the EU and the US for those companies that were certified under the program. After Privacy Shield was invalidated as a compliant transfer mechanism by the European Court of Justice in 2020, EU and US leaders announced a new framework, the Trans-Atlantic Data Privacy Framework, also called the E.U.-U.S. Data Privacy Framework (DPF). In October 2022, President Biden signed an executive order to implement the DPF. The European Commission subsequently issued a draft adequacy decision in December 2022 that is currently under review and being considered in conjunction with opinions that have been provided by other European data protection authorities, including the European Data Protection Board.
This advancement of data protection requirements should be no surprise, as President Biden has made it clear that cybersecurity and privacy will be a priority for the US government. In May 2021, the Executive Order on Improving the Nation’s Cybersecurity set a milestone, requiring federal agencies to move rapidly toward a zero trust architecture. Then in October 2022, the White House’s Blueprint for an AI Bill of Rights established principles for the design and use of automated systems, with a clear emphasis on privacy.
Other federal bodies have also grown serious about cyber regulations. In 2022 the SEC proposed new rules on cybersecurity risk management for public companies and investment firms that shift data protection from best practice to enforceable requirements.
Progress Toward Federal Legislation
With consumer and geopolitical forces driving toward stronger privacy protections, it’s understandable that US lawmakers are taking an interest. A comprehensive federal law could be used to signal to the EU and the global market that the US takes privacy seriously.
The American Data Privacy and Protection Act (ADPPA) is the current comprehensive federal data protection bill being considered in the US House of Representatives. However, the bill continues to face opposition from the Senate Commerce Committee and California lawmakers. A primary objection is that it contains a preemption clause, meaning the law would preempt state data protection laws, except for specific exceptions called out in the bill.
Any legislation with a chance of being enacted will have to allow states to set requirements above and beyond the federal law, in at least limited scenarios. But even with state-level additions, a federal law could be used to create a consistent, best-practices framework for how organizations should process, transfer, and use personal data.
In our next post in this two-part series, we’ll describe beneficial provisions such a law could include—and the actions your organization can take now to prepare.