One year after Schrems II, the world is still waiting for U.S. privacy legislation

As the invalidation of the EU-U.S. Privacy Shield still casts uncertainty over international data flows more than a year later, the need for federal privacy legislation looms larger than ever.

Although congressional interest in revamping U.S. federal privacy laws persists, there has been only marginal action so far this year. On July 28, Sen. Roger Wicker (R-MS), ranking member of the Senate Commerce Committee, and Sen. Marsha Blackburn (R-TN) introduced a new version of the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act). The bill comes not long after Wicker and Blackburn joined their House counterparts, Reps. Cathy McMorris Rodgers (R-WA) and Gus Bilirakis (R-FL), in urging the White House to work with Congress on a federal consumer privacy law.

These Republican moves appear to stake out an issue on which key Democratic leaders in both houses have yet to take initiatives in the current Congress. In May, Sen. Richard Blumenthal (D-CT), chair of the Senate Commerce Subcommittee on Communications and an active member of a bipartisan privacy working group in the previous Congress, and Reps. Jan Schakowsky (D-IL) and Gus Bilirakis (R-FL) acknowledged that congressional action on privacy is necessary. In June, Blumenthal indicated that hearings on privacy legislation could occur this summer.

Moving privacy legislation requires focus and political will

Now the end of August is approaching, and no privacy hearings have taken place—neither in the full Senate Commerce Committee nor the Communications Subcommittee. Wicker’s SAFE DATA Act, introduced in both 2020 and 2021, demonstrates how the state of negotiations have largely frozen since the last Congress; both versions are almost identical to the Republican draft United States Consumer Data Privacy Act released in November 2019 on the heels of the Consumer Online Privacy Rights Act (COPRA) from Sen. Maria Cantwell (D-WA), now chair of the full committee. In a report last June, my Brookings colleagues and I provided a detailed analysis of the differences, large and small, between these bills, and proposed a concrete roadmap for resolving them.

In his 2021 bill, the ranking member giveth and taketh away: the bill adds a substantively and politically significant provision explicitly prohibiting companies from processing personal information in ways that violate federal civil rights laws, but also drops a provision that would have affirmed the authority of the Federal Trade Commission to seek equitable relief for violations of a privacy law. In addition, it drops sections from the 2020 version of the SAFE DATA Act; these had incorporated proposals by then-co-sponsors Sens. John Thune (R-SD) and Deb Fischer (R-NE) and, since Thune’s proposal had Democratic co-sponsors in Sens. Blumenthal and Mark Warner (D-VA), last year’s SAFE DATA Act appeared at the time to be a possible overture toward bipartisanship.

Despite the desultory legislative action, there are behind-the-scenes discussions that could lay the groundwork for meaningful negotiations. Various stakeholder groups, including industry, consumer, and civil rights advocates, have been exploring proposals resembling those in our Brookings report or similar alternatives. Depending on the interests at the table, these discussions focus primarily on limiting data collection, use, and sharing; protections against discriminatory use of personal information; private rights of action; and the scope of protection or preemption of state privacy laws. They include discussions among civil rights groups about how best to frame provisions on discriminatory use of personal information, as well as discussions among industry groups on possible private rights of action, and thoughtful work in progress on preemption at the Future of Privacy Forum and Duke’s Law and Public Policy schools.

In addition, staffers of the House Energy and Commerce Committee have been conducting a series of roundtables with various stakeholders. Compromise should be within reach, but the real negotiations will not take place until there is concrete movement on a bill. Yet this will not happen without more concerted political will on the part of key leaders in Congress or the White House. Congress does not need to wait for the administration to act—it can and should act now to kickstart an “end game” conversation that forces all interested parties to the table to hammer out the final issues that separate them.

The administration could also spur serious action on privacy. When I was in the Obama administration, at this stage we had already set in motion the process that would produce the White House blueprint for the Consumer Privacy Bill of Rights in 2012. This time around, much of the policy development has been done already through three years of legislative debate that has been productive even if it has yet to bear fruit. Even a simple signal from the White House that it would like to see privacy legislation passed could provide the needed kickstart. Doing so will require more attention directly on privacy from the administration at a high level.

Focus on competition overlooks wider problems

So far, the White House has understandably been focused on the impact of technology and data on its ambitious competition agenda. On July 9, Biden signed an executive order that, among other things, encouraged federal antitrust enforcers to apply existing laws to address anticompetitive “surveillance of users” or “aggregation of data” by a “small number of dominant Internet platforms,” and encouraged the FTC to take up rulemaking to address unfair behavior (a complex process that the FTC has set in motion). Otherwise, the executive order does not focus on actions to protect individual privacy.

The antitrust issues addressed in the executive order are significant. But they fall far short of solving the pressing need for comprehensive privacy protections across the United States. Actions by many of the major tech companies raise serious competition as well as privacy concerns. But the executive order—and antitrust laws and policies more generally—can do little to reach the vast number of non-monopolistic or smaller firms that also conduct surveillance and aggregate personal information. Mobile apps, ad-tech, and data brokers are the engines of vast ecosystems of data collection and sharing. Many significant privacy abuses arise from small or medium entities that operate in highly competitive markets, and such abuses are unlikely to be reached through antitrust law or policy. The administration should not turn a blind eye to the boundless collection, use, and sharing of data in these ubiquitous marketplaces.

The executive order also creates a potential tension between protecting privacy and promoting competition: it directs the Commerce Department to report on the competition implications of the mobile app ecosystem. In the absence of comprehensive privacy legislation, though, Apple and Google’s efforts to control app stores and the flow of data on their systems are having the greatest impact on improving privacy protection in the app and adtech ecosystems. While promoting competition in the app market could produce indirect consumer benefits, reducing Apple and Google’s ability to impose some level of privacy standards on mobile apps could enable more privacy abuses in the app ecosystem. This risk would be largely eliminated if, on the other hand, the United States had not only competitive app markets, but also a comprehensive privacy law that applies to all app developers, app markets, and advertising exchanges.

The impact of app marketplaces is one aspect of the way the absence of such a law leaves it to companies to set the rules for privacy. Even more widely, most companies’ privacy policies and terms and conditions of service set the rules for privacy today. It is one thing to have a patchwork of laws adopted by state legislators —and another thing altogether to leave privacy standards up to individual companies.

Without baseline privacy legislation, the United States remains an outlier compared to the over 100 countries that have baseline privacy laws. These include not only all major U.S. allies, but recently Brazil and very soon India; even China, despite pervasive government surveillance, is close to the final adoption of legislation that will place tight restrictions on corporate use of personal information.

Both Senators Blumenthal and Blackburn noted this gap at Politico’s June event; Blackburn explained that “our allies are looking to us and saying ‘online privacy is important … why do you not have a standard?” while Blumenthal stated “the rest of the world is leaving us behind.” And, at a recent Brookings event, Rep. Suzan DelBene, herself the author of a privacy bill, said “if the U.S. doesn’t [have] a clear domestic policy, we won’t be able to shape standards abroad and we risk letting others drive global policy,” a view endorsed unanimously by panelists at the event.

The gap between the U.S. and its allies and trading partners looms even larger with the risks to transatlantic data flows from the invalidation of the Privacy Shield. Federal privacy legislation like the SAFE DATA Act or COPRA could help sustain a new data transfer framework by imposing restrictions on how private companies collect and store personal information. This subsequently could affect the scope of information the U.S. government can access from the private sector—even if such legislation does not specifically address government surveillance authorities that EU’s Court of Justice focused on in Schrems II. Enacting a comprehensive privacy law would go a long way toward persuading the world that Americans care about privacy and, as I have written previously, that America is not “a digital Wild West.”

We have heard many calls to action for privacy legislation over the years. But unlike in the past, agreement on legislation is within reach. This is not the time to abandon the effort. Both Congress and the administration need to step up before the opportunity slips away.

Apple and Google are general, unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the author and not influenced by any donation.