Last month, the Government Accountability Office (GAO), the U.S. government agency responsible for monitoring and auditing government spending and operations, released a 56-page report recommending that Congress consider enacting a federal internet privacy law in the United States. The report had been requested by the House Energy and Commerce Committee. You can view the GAO report here.
According to the GAO report, “Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.” In the report, the GAO recommended that the Federal Trade Commission (FTC) be responsible for enforcing internet privacy while also raising concerns about the FTC’s enforcement abilities.
The GAO report gives added momentum to the creation of a federal data privacy statute in the U.S. In the U.S., though most states have enacted laws regulating the collection and use of personal data, no comprehensive federal statute governing the collection and use of personal data currently exists. The federal privacy-related legislative landscape currently involves a patchwork of laws dealing with specific categories of information such as medical health information (The Health Insurance Portability and Accountability Act) or financial information (The Financial Services Modernization Act (Gramm-Leach-Bliley Act)). The FTC also addresses internet privacy issues under the Unfair and Deceptive Practices Act.
After several well-known recent data security breaches, including breaches involving Equifax, Facebook, Google+ and Uber, certain lawmakers have been increasingly calling for a federal data privacy statute. Last fall,for example, multiple federal privacy bills were introduced in Congress, most notably a bill entitled “The Data Care Act” introduced by fifteen U.S. Senators, a bill entitled the “Consumer Data Protection Act” introduced by Oregon Senator Ron Wyden, and a bill entitled the “Information Transparency and Personal Data Control Act” introduced by Congresswoman Suzan DelBene of Washington.
Leaders of prominent technology companies, including Apple CEO Tim Cook, have also begun to speak out in support of a federal data privacy statute. In general, the viewpoint of these leaders is that a federal data privacy statute would provide consumers with greater confidence in the use of technology. Also, if a federal data privacy statute were to pre-empt state law on the issue, an almost universal desire among technology companies, the compliance roadmap for technology companies would be easier to navigate than having to contend with the varying requirements under the state laws.
There are many hurdles needed to be overcome to create a federal data privacy law acceptable to all stakeholders. These hurdles include state pre-emption, determining appropriate levels of statutory fines and determining the proper agency to enforce the statute. Even so, we seem to be inching closer to a new federal privacy law.