With a notoriously ineffective legislative body at the federal level, hope may seem thin, but cybersecurity expert Scott Allendevaux makes the case that 2024 may be the perfect time.
In the midst of the dysfunction that’s so prevalent in Congress, there’s an emerging opportunity for bipartisan cooperation on an issue of pressing national interest: the enactment of federal privacy legislation.
Even a group of three Federal Trade Commision nominees — consisting of two Republicans and one Democrat — are in consensus regarding the urgent need for Congress to craft a comprehensive federal privacy act. Such legislation would serve to harmonize the patchwork state privacy laws that currently exist, offering clarity instead of confusion faced by those tasked with adhering to a multitude of state-level regulations while giving Americans a nationwide standard so desperately needed.
The concept of data privacy has become an increasingly salient issue for the American public. The United Nations reports that 137 nations have embraced various forms of data protection. In the U.S., all 50 states have instituted at least basic breach notification laws, though not all states have comprehensive data protection guardrails. The California Privacy Protection Act (CPPA) stands as the most stringent followed by 11 other states with strong forms of data protection statutes and still others with measures in the works.
These recent developments are further fueled by the rapid adoption of artificial intelligence (AI) across a growing expanse of modalities, accelerating the urgency for privacy and governance within the domain of AI. President Joe Biden recently enacted an executive order noting that “artificial intelligence holds extraordinary potential for both promise and peril” and therefore “Americans’ privacy and civil liberties must be protected as AI continues advancing.” The order features eight guiding principles, including the protection of privacy rights as a running theme, compelling federal agencies to draft guidelines for AI governance within the next year.
The Biden Administration clearly reiterates its support for Congress to advance comprehensive privacy legislation. These sentiments are shared by a recent U.S. House subcommittee hearing on AI, echoing the need for comprehensive federal privacy legislation as the bedrock of any AI regulation. During that conference, co-sponsors Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-Wash.) of the American Data Privacy and Protection Act (ADPPA) reiterated the need to pass such a law. “I strongly believe that the bedrock of any AI regulation must be privacy legislation…” Palolone said.
The American Data Privacy and Protection Act, first proposed in 2022, represents the closest the U.S. has come to establishing a federal data privacy standard, reflecting a bipartisan consensus on the essential features of effective privacy legislation. The bill’s progress signals a tangible shift toward a unified approach, a necessary step to counter the fragmentation caused by the current patchwork of state privacy laws. As the nation grapples with the intricacies of AI regulation, the consolidation of data privacy laws emerges as a logical precursor, setting the stage for more comprehensive AI governance.
Amazon’s Dutch Data Privacy Case May Decide Future of European Class Actions
Familiar target of GDPR violation claims, the tech giant is now a guinea pig in EU’s class-action reforms
Read moreDetailsPersonal information is modern-day treasure
Though often confused, there’s a clear distinction between data privacy and data security. While security entails the secrecy of one’s personal information, privacy encompasses an entitlement of rights, such as understanding what data is being collected about oneself, the assurance of its accuracy and the right to request its deletion.
In a world driven by data, personal information has become the modern-day treasure. The reigning corporate giants are no longer the oil companies or railroad titans but such tech power players as Google, Oracle, Microsoft, Amazon, Salesforce and IBM. Collectively, these companies possess mass troves of users’ personal data — putting them in a position of dominance that will only grow as the use of cloud services and artificial intelligence expands. Malevolent actors will seek to gobble up users’ personal data to disrupt their lives. The reality has prompted a shift toward enacting data privacy laws as a protective shield for our digital footprints.
It’s because of these factors that a federal data privacy standard is looking increasingly likely. Because these tech giants have an unregulated access and storage allowances for personal data, federal regulators are likely to step in, creating something similar to the Fair Credit Reporting Act, except for personal data. Federal regulations will grant consumers certain essential rights as the volume of data continues to grow exponentially. It is a right and privilege every American will have sooner, rather than later.
It’s not only a benefit for consumers, but administrators of data centers would benefit from a unified standard. The current patchwork presents a tumultuous landscape where administrators are burdened with navigating and conforming to 50 distinct standards, not to mention international regulations. Even the definition of a basic term like “consumer” differs from state to state, and in some cases is even contradictory. In an era where information flows at the speed of light, the existing framework imposes hurdles on interstate commerce, ultimately stifling healthy competition.
The U.S. won’t be starting from zero; a blueprint for comprehensive data privacy regulations already exists in the form of the EU’s General Data Protection Regulation (GDPR), which has been governing data privacy in the EU and beyond for several years now. Whereas Americans have only an implicit right to privacy, the GDPR provides individuals with an explicit right to data privacy, unifying the EU under a single approach.
While the U.S. leads in technology development, it falls behind in the establishment and enforcement of privacy rights. The enactment of the robust federal law would resolve the ambiguities present in various state laws, empowering consumers with a clearer understanding of their personal data and its utilization.
Whether the U.S. chooses to directly follow the GDPR, a robust federal data privacy law should include certain key tenants like transparency and consent, data minimization, data subject rights, purpose limitation, accountability and other key data protection principles.
Big tech firms will almost certainly oppose any attempts to tamp down on their data free market. Industry lobbyists are expected to label some of the provisions as overly burdensome. It is the responsibility of Congress to champion consumer interests and prevent the prevalent misuse of data. Given the current environment and the explosion of data, failure to act would be the equivalent of legislative malpractice.
Achieving the enactment of data privacy rules may appear challenging given the current state of Congress; however, it is imperative for this issue to take center stage, and accomplishing that will necessitate active engagement from voters.
Just as they do on other pressing matters of the day, everyday people must voice their concerns and urge their federally elected representatives into action.
Scott Allendevaux, LP, CISSP, CIPP/US, HCISPP, CIPT, CIPM is senior practice lead at Allendevaux & Co., an Ohio-based cybersecurity agency. 
