Congress tries again for comprehensive data privacy bill


The bill would establish national data privacy standards, with the Federal Trade Commission crafting rules for enforcement.

A bipartisan, bicameral privacy bill would direct companies to establish nationwide data security practices and require large firms to hire privacy and data security leads in an effort to put more pressure on the private sector to safeguard customers’ data from hackers and cybercriminals.

The American Privacy Rights Act is backed by Senate Commerce Committee Chair Maria Cantwell and House Energy & Commerce Committee Chair Cathy McMorris Rodgers. According to a discussion draft released on Sunday, the measure would preempt the patchwork of state data privacy laws with a single national standard while allowing individuals to sue companies that fail to follow its directives to protect their personal data from exploitation or abuse.

“We have to have a bright line here where we’re catching bad actors and policing the information age,” Cantwell told The Washington Post on Sunday.

The bill authorizes the Federal Trade Commission to establish a new bureau to enforce the legislation and to collaborate with the Department of Commerce on rulemaking. It would also require “large data holders” — defined as companies with at least $250 million in annual revenue that collect data on 5 million individuals or 15 million devices, among other factors — to conduct privacy impact assessments every two years and to file internal control assessments with the FTC annually.

It also forces the FTC to terminate a commercial surveillance rulemaking it took up in 2022, which garnered pushback from GOP lawmakers who said the agency was overreaching and abusing its authorities by circumventing congressional privacy debates, which have been at a stalemate for some two years.

The measure would also ensure individuals know “when their data has been transferred to foreign adversaries,” according to a joint press release from the committees. The House last month unanimously approved a measure that would penalize data brokers who enable the transfer of Americans’ sensitive data to foreign rivals like China. Covered data under that bill includes genetic info, biometrics, financial accounts and health records, similar to the categories listed in a related White House executive order.

A final version of the bill does not yet have a planned introduction date. The pair of lawmakers heading the proposal will likely seek feedback from their peers about what to modify or add before the legislation is introduced. Lawmakers will have to move swiftly, with the presidential election coming in November and McMorris Rodgers set to leave Congress in January.

Private sector firms and federal agencies are target-rich environments for hackers, who often use stolen data for financial gain or intelligence-gathering. The Biden administration has been pushing to shift the burden of security responsibilities off individuals and onto the organizations that handle their data for commercial purposes, but those efforts have relied on voluntary commitments and lacked enforcement mechanisms.

Because different sectors handle customers’ data differently, it’s nearly impossible to craft cybersecurity standards that can be thoroughly followed by everybody without irking stakeholders. Efforts to pass legislation setting national standards for data privacy and security go back decades with few successes other than laws covering certain aspects of health and financial information.

Still, high-profile hacks against large firms over the past year have raised alarms about the adequacy of private sector cyber standards. One incident, in which a UnitedHealth subsidiary was hit by ransomware, delayed prescription fills and caused cash crunches at clinics and other facilities, drawing the attention of the Biden administration and lawmakers.

Some vulnerabilities go undetected for years, and the consequences can be devastating for those whose data is stolen.

A comprehensive data privacy and security law “is more important now than ever,” said Brandon Pugh, director and resident senior fellow for the cybersecurity and emerging threats team at the R Street Institute think tank. “Foreign adversaries continue to collect and exploit data against Americans, while most of us still lack even basic privacy protections despite rising data risks,” he wrote in an analysis of the draft.