August recess has come and gone; and this fall, many are looking to see if the 116th Congress will move forward with landmark federal privacy protections. On Sept. 11, members of civil society and the private sector joined Brookings scholars Cameron Kerry and Benjamin Wittes for two public panels to discuss which privacy provisions Congress should or should not incorporate into law.
Although both sets of panelists represented diverse visions of a federal privacy law, they found overarching consensus on two ideas. First, the panelists agreed that a federal privacy law could benefit both consumers and businesses, and that now is the time to legislate. Second, they tended to agree that such a law should clearly outline which business practices might be permissible or detrimental, rather than leave consumers to safeguard their own data based on privacy notices.
However, not all issues were so easily agreed upon. In opening remarks, Cameron Kerry presented the privacy debate as a matrix of complexity and consensus—along one dimension, there are issues that are relatively low controversy and complexity, such as the need for businesses to clearly inform consumers of data collection. Along another dimension are more intricate and highly contested provisions, such as the role of federal preemption of state privacy laws. The crux of the debate, he explained, is in establishing boundaries for the collection, use, and sharing of personal information.
The panelists focused the conversation on what Kerry characterized as the “hard issues” and “endgame issues.” These issues, which include data sharing, algorithmic fairness, private right of action, and preemption, were more difficult to reach consensus on. Although the panelists concurred that notice-and-choice does not adequately protect consumers, the precise limitations on data collection and use, especially regarding de-identified data and public interest research, were up for debate.
Several organizations, including Intel and the Center for Democracy and Technology, have released draft privacy frameworks with provisions to mitigate any algorithmic discrimination that may result from the processing of personal data. In support, some panelists pointed out that current anti-discrimination laws had not been updated or tested to govern algorithmic bias. Because consumers are often unaware of how businesses collect and process personal data, plaintiffs may face difficulty in bringing legitimate discrimination claims. However, not all organizations have included algorithmic fairness provisions in their draft frameworks, and some panelists raised concerns over potentially subjecting businesses to broader and more open-ended algorithmic bias standards.
In addition, panelists diverged on the feasibility and scope of a right for individuals to sue companies that violate privacy laws. In opposition, some panelists argued that the Federal Trade Commission and state attorneys general are the appropriate privacy enforcers, rendering the private right of action less necessary. However, others asserted that individuals should have the opportunity to bring lawsuits should the government have insufficient resources to litigate. For some panelists, the private right of action was one way to ensure the strength of a federal privacy law.
Although most draft privacy frameworks include at least some role for state enforcement, the panelists similarly diverged on the federal preemption of other state privacy laws. While some panelists positioned a preemptive federal law as beneficial for both businesses and consumers, through setting clear and uniform rules across the nation; they also emphasized that any preemptive law would need to be substantial enough to protect consumers.
These provisions are not easy to untangle, but panelists conceded some willingness to accept trade-offs in order to both protect consumers and promote beneficial uses of data. Federal privacy legislation isn’t just a pipe dream; if Congress is able to reach a similar level of common understanding, the possibility of passing a comprehensive privacy law may yet be within reach.
Intel is an unrestricted donor to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the author and not influenced by any donation.