Senate Democratic privacy principles: Endgame or game over for a bipartisan bill?

QUALITY REPEAT   Facebook CEO Mark Zuckerberg is surrounded by members of the media as he sits down to testify before a joint Senate Judiciary and Commerce Committees hearing regarding the company's use and protection of user data, on Capitol Hill in Washington, U.S., April 10, 2018. REUTERS/Aaron P. Bernstein - RC15E5907460

This week, Senate Democratic leaders released a set of privacy principles that help to frame the debate on federal privacy legislation. This comes as the focal Senate committee, the Committee on Commerce, Science and Transportation, is reportedly planning an early December hearing  to take up privacy bills.

Members of a Senate Commerce group have been working on a bipartisan basis for over a year to come up with a bill to provide baseline privacy protections—but they have yet to issue any proposal. The Senate Democrats’ announcement includes the Democratic members who have been in this working group from the beginning—Sens. Richard Blumenthal (D-CT) and Brian Schatz (D-HI)—as well as Edward Markey (D-MA), who filed a comprehensive privacy bill in April and also authored several privacy bills during his time in the House. It also includes Ranking Member Maria Cantwell (D-WA), who has been leading negotiations on privacy legislation with Chairman Roger Wicker (R-MS) since summer. Joining these Commerce leaders are the ranking members from three other Senate committees, which have jurisdiction over some privacy laws and have held privacy hearings this session. These are Dianne Feinstein (D-CA), Sherwood Brown (D-OH), and Patty Murray (D-WA), of the Judiciary, Banking, and Health, Education, Labor & Pensions committees respectively. And finally, these leaders on privacy legislation are joined by Minority Leader Chuck Schumer (D-NY). It’s a line-up that for all intents and purposes speaks for the Democratic caucus as a whole.

The substance of the principles is at high-level of generality but stakes some notable ground in the privacy debate:

An emphasis on addressing how companies collect, use, and share personal data

The principles touch on each of these aspects regarding how companies handle individual data. They begin by declaring: “Collection of data must be minimized so that it is narrowly tailored to its authorized use” and calls for accountability mechanisms that “shift the responsibility and liability of protecting privacy from consumers, who are overly burdened with understanding complicated, take-it-or-leave-it privacy policies, to the entities that hold their data and their senior corporate executives.” The principles suggest a number of ways to restrict how personal data is processed, including limits relating to sensitive data sharing with third parties, and limits on tracking of individuals across sites and devices. They refer to a “right to control … data” in terms of individual rights of access, correction, delegation and portability, and “strict limits” on how sensitive data is used. Notably, these principles do not mention consent.

A shoutout for civil rights

The principles frame provisions on algorithmic discrimination as “civil rights protections.” These generally resemble a joint proposal from the Lawyers’ Committee for Civil Rights and Free Press in prohibiting use of personal information in ways that “result in illegal bias or discrimination,” including voter suppression, and “transparency” on algorithmic decisions that result in discrimination and the ability to challenge such decisions.

Strong enforcement at several levels

The principles allude to a number of ways to give force to the substantive provisions. At the corporate level, they refer to “consumer redress” and to CEO accountability; the latter appears to be a nod to Sen. Wyden’s Mind Your Own Business Act proposing that senior executives certify privacy disclosures. At the federal level, they call for strong authority, including criminal penalties, and “streamlined” rulemaking authority. The latter could mean that they propose to give the Federal Trade Commission rulemaking authority under the Administrative Procedure Act in place of its more cumbersome Magnuson-Moss Warranty Act authority, although the principles do not identify the FTC or any other federal agency. They also include enforcement at the state level.

A private right of action without federal preemption

The principles themselves are silent on federal preemption of state laws, but the senators precede them with: “Nothing in this framework should be interpreted to change or displace existing privacy laws, or privacy laws scheduled to go into effect.” The latter phrase obviously refers to the California Consumer Privacy Act scheduled to take effect January 1, 2020. The principles are quite explicit about including a private right of action as well.

In September, I discussed at a Brookings event where issues in the debate fall in matrix of substantive complexity on one axis and political consensus on the other. I characterized preemption and private rights of action as “endgame issues”—politically significant issues that cannot be resolved without first resolving the strength of privacy protection and enforcement. Lately, my conversations with those involved seem to dwell on preemption and private rights of action, so that may suggest that Senate negotiations on a baseline privacy bill are reaching their endgame.

It is difficult to read what this means for the state of negotiations or how Senate Republicans will react, because negotiators are keeping a tight hold on information. Nonetheless, Senate staffers affirm that efforts to reach a bipartisan committee leadership agreement on a bill are continuing. Failing this, it is likely that individual members will file their own bills in time for the December hearing.

Either way, some Senate staffers may be missing Thanksgiving dinner. But it would be toward a good cause. Congress has lot on its plate right now between appropriations bills and impeachment. Once these difficult and divisive battles are over, though, both parties may want to show they can get something done—and baseline federal privacy protection would accomplish something for every person in America.