The Center for Democracy and Technology has published a draft privacy bill designed to pre-empt state privacy laws including the California Consumer Privacy Act (CCPA) and Hawaii’s recently drafted Data Care Act.
According to CDT Chief Executive Nuala O’Connor, the advocacy group began working with tech firms and privacy advocates a year ago in order to draft the bill.
The federal bill, which is designed to strengthen consumer data and privacy protections, has previously been red-flagged by privacy experts as a possible way to overrule stronger state-level privacy laws. Now the drafted federal privacy bill has surfaced with what experts are describing as critical holes.
A sudden change of heart
In September, Apple, Google, Amazon, and Twitter all began calling loudly for a nationwide federal data privacy law in the US. This came as something of a surprise - because those same firms have spent years lobbying against exactly this kind of protection for consumers. So, why the change of heart?
The sudden U-turn is largely in reaction to California’s quickly-passed CCPA; a law they feared could cause a snowball effect across other states. For tech firms, the possibility of varying state-level privacy protections is a real headache.
With the potential for different privacy protections and data practices becoming necessary across state borders, the possibility of accidentally infringing on people’s rights would become an everyday risk.
Joel Kaplan, Facebook’s top lobbyist, already warned the Information Technology Industry Council that a patchwork of legislation across the US would produce a regulatory nightmare.
What Kaplan actually means is that cross-state differences would be expensive to manage, difficult to enact, and stifling of current business practices.
With that in mind, big tech has hatched plans for a nationwide privacy bill. The problem, however, is that Facebook and other tech firms' desires are massively at odds with the wishes of privacy-conscious individuals. It stands to reason that any privacy bill supported by big tech will be systematically designed to permit it to continue processing vast amounts of consumer data.
As suspected, the newly drafted CDT bill has been written in a way that leaves potential for data abuse. Allie Bohm, policy counsel at the non-profit advocacy group Public Knowledge, says the bill has “serious gaps.”
Bohm believes that by permitting firms to get consumers to agree to Terms of Service - consumers will be compelled to continue giving up their privacy in return for access to their services. Bohm is convinced that tech firms will find ways to alter the wording of their policies in order to bypass privacy protections - such as restrictions on sharing personal data with third parties.
What’s more, because of the lack of competition within the tech industry Bohm foresees it being too hard for most consumers not to cave in and accept invasive terms. Roslyn Layton from the American Enterprise Institute also has concerns. Layton is troubled by the fact that the bill does not cover US government bodies’ use of personal data.
Layton reminds us that the government is the single largest handler of consumer data in the US. With that in mind, it would seem vital for data protection rights to be extended to government institutions also.
A work in progress?
Michelle Richardson, Director of the Privacy and Data Project at CDT has defended the draft claiming it is still a work in progress. Richardson wants the draft to inspire conversation among privacy groups and the tech sector with a view to finalizing and improving the proposed legislation.
Although CDT is on the surface a consumer rights advocacy group, it is important to remember that it is funded by donors including the likes of Alphabet (Google) and Apple. As long tech firms are allowed to have a major influence on the direction that this bill takes - it seems likely that the end result will never be what privacy advocates hope for.
Some good news is that the US now has a divided Congress - Republicans control the Senate and Democrats control the House of Representatives. In theory, this could mean that privacy legislation has a higher chance of success. On the other hand, it could mean that a weak federal privacy law could make its way through Congress with relative ease; leaving US citizens in a bad spot.
California's CCPT bill is due to come into force in January of 2020, which gives tech firms plenty of time to attempt to get a weak federal bill through Congress