If one effort to check the power of Silicon Valley was supposed to be easy under the Biden administration, it was passing a national data privacy law.
That hope is quickly evaporating.
Even amid a surge in Covid-related scams stealing consumer data and a recent Facebook leak that exposed the personal information of half a billion users, privacy legislation shows signs of having stalled. Lawmakers have held no hearings on a comprehensive national privacy law and have no plans to hold one anytime soon, while disagreement grows over what such legislation should include.
And that doesn’t bode well for Washington’s broader push to take on the tech industry’s titans. The deadlock on privacy sets a precedent for how much — or little — this Congress can move on other more politically divisive issues, like strengthening antitrust laws to better rein in Silicon Valley, or tightening rules around how social media companies police their users’ posts.
Lawmakers of both parties generally agree that there should be limits on what personal information tech companies can extract from their users, and that those people should have a say in how their data is used. That makes privacy perhaps the least contentious tech policy debate facing Congress.
Privacy legislation is “certainly easier than the platform content issues — there are just fundamentally different worldviews, I think, on those issues between the two parties,” said Cameron Kerry, a former general counsel for President Barack Obama’s Commerce Department who led that administration’s development of a privacy Bill of Rights.
In contrast, Republicans and Democrats have largely divergent goals for scaling back the so-called Section 230 protections that prevent social media companies from being sued over what their users post. Republicans accuse the platforms of censoring conservative voices and want to restrict websites’ ability to take down content. Democrats argue that companies must face consequences if they fail to take down dangerous material and misinformation.
Antitrust is also becoming increasingly politically charged, despite complaints from both Democrats and Republicans that companies like Google, Facebook, Amazon and Apple control too much wealth and power. On top of that, “opening up competition laws is just inherently really complicated and not the kind of thing that gets done in a single Congress,” Kerry argued.
The long-debated privacy law, on the other hand, has bipartisan support, and lawmakers have spent years working through some of the thornier details. People following the legislation closely have described the latest versions of the two parties’ leading privacy bills as about 80 to 90 percent in agreement.
The generally agreed plan: Limit what data companies can siphon from their users, require those companies to put out clear policies explaining what information they’re collecting and how they’re using it, and give consumers control over how and whether their data gets shared with others.
And the momentum to get privacy legislation across the finish line this Congress was there. New privacy laws in states like California have intensified pressure on Congress to take action on the federal level, as have Covid-related privacy concerns for remote workers, students and patients. The tech industry is even increasingly lobbying for a federal privacy law in hopes of avoiding a patchwork of state rules that would make compliance more challenging.
But progress has been thwarted by new barriers: a lack of urgency from President Joe Biden, emboldened progressives pushing a more aggressive agenda and a rising preoccupation with privacy threats from China.
So instead of making headway on a bill, the Senate Commerce Committee has scheduled no imminent hearings or other legislative activity on the comprehensive national privacy law, according to a committee aide. Chair Maria Cantwell (D-Wash.) and the panel’s top Republican, Roger Wicker of Mississippi, also have yet to discuss the committee’s privacy agenda for this Congress, the aide said.
Leaders of the House Energy and Commerce Committee have also made little headway advancing a counterpart bill, though staffers plan to hold bipartisan roundtable discussions on the matter soon.
Sen. Chris Coons (D-Del.), who chairs the Senate Judiciary subcommittee on privacy and technology, told POLITICO in a recent interview that he struggles to see a “workable path forward” on legislation.
Much of the hope for passing legislation this year had rested on the idea that Biden would make data privacy a priority the way it had been under Obama, said Omer Tene, vice president and chief knowledge officer for the International Association of Privacy Professionals. That administration put out the consumer privacy “Bill of Rights” and enlisted the Commerce Department to see it through. But under Biden, that hasn’t happened.
“One would think that a little nudge from the White House or from Commerce might actually be enough to make it happen,” Tene said. “Now, I’m not so sure that it’s within reach in the near future.”
Instead, Biden has hardly spoken publicly about privacy since taking office and has been slow to staff up in key areas that will help shape Washington’s approach to the issue. He has yet to tap a permanent chair for the Federal Trade Commission, the country’s chief consumer protection agency. And the Commerce Department, tasked with steering negotiations on an EU-U.S. deal to govern international data transfers, is still filling out its ranks.
But even if data privacy had the full attention of the president and Congress, the shift to a Democratic-controlled Washington is making compromise more difficult.
Lawmakers had planned to spend these months hashing out the remaining two, largely partisan points of disagreement: whether a federal law should preempt state rules, and whether individuals should be able to sue companies over privacy violations.
But progressives’ calls for a privacy bill to include even stronger protections — including on civil rights issues like algorithmic discrimination — are getting louder this year with support from civil society groups. That’s creating a new hurdle that could force leaders on both sides of the aisle to rethink where, and just how much, they’ll compromise. A number of civil society groups have coalesced around a civil rights-oriented privacy bill introduced last year by Sen. Sherrod Brown (D-Ohio), even over the longstanding proposals from Cantwell and Wicker.
But perhaps the most surprising foil in the fight for a privacy law has been China.
Lawmakers have zeroed in on bills focused specifically on protecting Americans’ data from the Chinese government — potentially at the expense of a more comprehensive privacy law.
“We are legislating privacy through efforts to ban Chinese tech,” said Samm Sacks, a senior fellow at Yale Law School’s Paul Tsai China Center who specializes in the geopolitics of data privacy.
Lawmakers introduced hundreds of bills and resolutions related to China during the last Congress and are offering even more focused on data this session, including a proposal from Democratic Sen. Ron Wyden of Oregon to effectively block Americans’ sensitive information from being sold to foreign adversaries.
But focusing solely on China means muddying important distinctions among privacy, security and economic competitiveness, Sacks said, adding that this in turn sidelines work to regulate U.S. companies. Legislation to counter Chinese data collection does not address the enormous amounts of user data collected and monetized by the likes of U.S.-based Google, Apple, Facebook and Amazon.
The other big tech issues are likely to face similar headwinds even if lawmakers can resolve their partisan divides. Biden has so far said little on his plans for Section 230, despite saying on the campaign trail that he’d like to revoke it, and he has yet to fill key antitrust posts at the Justice Department and FTC. Progressives in his administration want to push for more aggressive antitrust action against Silicon Valley. And the big piece of tech legislation working its way through Congress right now is focused on neither of these issues but instead on ways to increase American innovation to stay ahead of China — a goal that may at times conflict with efforts to curb U.S. tech companies’ power.
For privacy, some in Washington are pushing other avenues to implement protections.
FTC commissioners are floating doing a rulemaking to address “unfair” or “deceptive” practices and better protect consumer privacy. The U.S. and the European Union are also still trying to strike a deal on a new iteration of the so-called Privacy Shield to govern how user data is shared across the Atlantic, which could provide some more general guardrails.
And privacy advocates are hoping that the desire to be globally competitive could spark action in Congress.
Europe’s General Data Protection Regulation, a sweeping law that took effect in 2018, has already provided momentum for U.S. efforts, and now China may well have a consumer privacy law before America does. The foreign power’s Personal Information Protection Law is likely to be enacted by the fall.
“When China has a consumer protection law before the U.S. does, and we are one of the only democracies in the world without… we are at a huge disadvantage,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “We’re not on the playing field.”