This article is part of the Future Agenda, a series from Future Tense in which experts suggest specific, forward-looking actions the new Biden administration should implement.
In the United States, companies are largely not required by law to protect your personal data. There are some exceptions—certain specific types of data are regulated (health information, for instance, or data about children under 13), and the California Consumer Privacy Act, which went into effect this year, imposes some security and privacy requirements on companies collecting information about California residents. But those piecemeal solutions do not come close to adequately addressing the huge gap at the heart of U.S. civilian cybersecurity policy: the absence of a federal data protection law.
At the top of the Biden administration’s cybersecurity agenda should be passing a piece of legislation that lays out clear definitions as well as security and privacy standards for personal information. Fortunately, there are a number of promising versions of such legislation already drafted, and growing support from the private sector for the federal government to act on this issue. A federal data protection law should, at minimum, include a clear definition of what constitutes personal data, standards for what precisely companies have to do to protect that data, what they have to tell their customers about their data collection, sharing, and analysis practices, what penalties may result from failing to meet these requirements, and, finally, a threshold for how large a company has to be before it is required to comply with these requirements, in order to avoid squashing new, smaller entrants in the market.
It’s an embarrassment that in 2020 the country that played such an integral role in building and then commercializing the Internet has fallen so woefully behind other nations in developing suitable policy and regulatory measures to address the resulting risks. And it’s not just embarrassing, it’s actively harmful—to consumers whose personal data is being stolen or exposed on a regular basis and to companies that lack clear guidance on how they should be protecting their customers’ data. Arguably, the absence of a clear federal standard for data security and privacy in the United States also created a regulatory vacuum that has been filled by a patchwork of different laws passed by individual states, leading to multiple compliance headaches for private firms. Those headaches are further compounded for multinational companies by foreign laws that allow for heavy penalties seemingly directed at U.S.-based tech firms.
This means there are reasons to pass a federal data protection law not just from an ethical standpoint but also from a purely practical perspective. We’ve already seen this state-by-state patchwork play out with data breach notification laws in this country. There is no federal data breach notification law in the United States—it’s possible a federal data protection law might include notification requirements, but it might also focus more narrowly on the requirements for collecting and protecting personal data. In the absence of federal legislation, back in 2002, California passed the first law requiring companies to report breaches of personal information, and other states gradually followed suit until, eventually, every single one had passed its own breach notification law, with its own definition of what constituted personal information and its own requirements for how companies had to respond, who they had to report to, what the timeline for reporting would be, and whether the requirement applied to encrypted information.
It’s possible this system of individual state laws has led to somewhat more reporting of data breaches than a federal law would have, since many companies choose to adhere to the most stringent state law for all of their customers rather than trying to tailor their breach responses to 50 slightly different laws. Certainly it led to more reporting back in the early 2000s, when California passed its law long before Congress seemed to have any appetite for such legislation. But it’s no longer 2002, and we shouldn’t need California to drag us, state by state, over the course of more than a decade, into a similarly confusing system of dozens of inconsistent data protection and privacy laws that companies have to scramble to comply with.
Moreover, Congress has waited so long to act that it already has a lot of examples it can draw on and learn from when it comes to data protection legislation—besides the CCPA, there’s the European General Data Protection Regulation, the Japanese Act on the Protection of Personal Information, the Brazilian General Data Protection Law, and India’s Personal Data Protection Bill, which appears to be nearing passage, to name just a few. This proliferation of laws around the world isn’t just a sign that the U.S. has fallen behind on this issue; it’s also an indicator of how much work U.S.-based companies are already doing around data security in order to operate in other countries. Some international harmonization of these standards would mean U.S. firms face fewer obstacles in trying to transfer data between different countries.
That’s not to say that the United States should pass the exact same regulations as Europe or any other country—indeed, one of the advantages that Congress has from waiting so long to act on this issue is the ability to avoid some of the pitfalls of those laws, including the excessively high maximum fines permitted and the overly broad right to be forgotten measures, which have been construed as requiring search engines to remove news articles about harassment allegations under the European GDPR.
Several members of Congress and advocacy groups have already drafted versions of a federal data protection law, suggesting that if Biden’s administration is willing to make this a priority, it should be able to find the necessary support. One draft worth highlighting, particularly since it comes from a bipartisan congressional commission, is the Personal Data Security and Privacy Protection Act of 2020 draft proposed earlier this year by the Cyberspace Solarium Commission. It strikes a good balance between providing individual consumers with transparency and access to their data and requiring reasonable security measures for that data without placing an unduly onerous burden on businesses, while also considering the importance of international harmonization and interoperability.
Cybersecurity is a moving target and it may well be that data protection regulation needs to be revisited periodically and updated. But it’s well past time for the federal government to make some first steps on this issue and help reassure both U.S. consumers and businesses that they are not on their own when it comes to protecting their data. The Biden administration can’t make this happen on its own—but if it wants to find opportunities for bipartisan action in Congress, a data protection law is a great place to start.