Definition of STALEMATE …
– a situation in which no action can be taken or progress made; deadlock.
– to bring to a standstill.
Some critics might suggest that this definition of the Chess term describes perfectly the current state of affairs in the Senate, as lawmakers clash over Pre-emption and Private Right to Action — the two polarizing issues at the centre of fierce disagreement between the two sides of the house.
If last week’s Senate Commerce, Science and Transportation Committee hearing is anything to go by, achieving any kind of agreement over the details relating to implementation and enforcement remains as elusive as ever.
Just another day at the office — or is the Senate finally approaching the tipping-point on the need to pass comprehensive federal data privacy legislation?
Yes folks, Data Privacy was back under the spotlight last Wednesday, less than a week after Republican lawmakers proposed a nation-wide privacy framework, requiring businesses to disclose their data collection, processing and transfer activities more prominently, while providing consumers with the ability to easily access, correct, erase and transfer their personal data to another service.
During the course of the day, lawmakers were given an opportunity to air their views on how to effectively legislate national privacy standards. California Attorney General Xavier Becerra and a select group of former Federal Trade Commission officials all emphasized the need for a comprehensive bill — they were preaching to the converted!
Senator Roger Wicker, R-Miss., chaired the hearing, just under a week after he and other Commerce committee Republicans unveiled the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act September 17.
The Act is said to strengthen the Federal Trade Commission’s ability to hold businesses accountable for the misuse of consumer data, by allowing the commission to obtain monetary remedies for consumers, develop new rules to expand the scope of ‘sensitive data’ and also to establish a data broker registry.
Michael Gold, co-chair of the privacy, information management and data protection group at Jeffer Mangels Butler & Mitchell LLP, said:
Folks have been talking about this for years, and a lot of people believe that folks in Congress have been waiting to see what the states are doing, … But at the same time, for an economy as large and complex as we have in the U.S., to let the individual states legislate issues of this magnitude doesn’t make a great deal of sense.
Inspired by the EU’s General Data Protection Regulation (GDPR) becoming law in May, 2018, and the California Consumer Protection Act taking effect on January 1, 2020, several hearings have been held by the Commerce Committee, to explore the possibility of enacting privacy rules that would apply across the U.S. But while both Republicans and Democrats agree such legislation is necessary, they have failed to agree on certain key issues, including whether individual states should be able to set tougher rules, and whether consumers should be allowed to bring private lawsuits for violations of their personal data.
Morrison & Foerster LLP partner Nathan Taylor, said:
The SAFE DATA Act really highlights the tension and divide between Republicans and Democrats that have bogged down data privacy and breach legislation for the past 15 years, and you don’t even have to look at the substantive privacy aspects of the bill,
“This has been fruitful in the sense that I think we’ve got a lot of very good ideas,”
The compelling position presented by experts, is that Democrats and Republicans appear to be remarkably aligned in their desire to pass national privacy legislation, and therefore should avoid bickering over the differences that actually do exist, in order to make rapid and sustained progress on getting privacy legislation passed as quickly as possible.
During the hearing, Senator Schatz said there’s healthy competition among the committee members to develop and advocate for their own privacy bills. Schatz, a COPRA co-sponsor, added:
This has been fruitful in the sense that I think we’ve got a lot of very good ideas, …but we’re sort of on a razor’s edge between that competition being fruitful and competition preventing us from enacting legislation.
Having been fuelled by the EU’s General Data Protection Regulation (GDPR) that became law back in 2018, closely followed by California’s CCPA, which came into effect on January 1, 2020, the Commerce Committee has held a number of hearings to explore the possibility of bringing in privacy legislation that would be applied nation-wide.
Two major differences currently holding up progress are to do with whether a federal law should pre-empt state laws — and, how enforcement will actually work in practice. On the one side, Republicans argue that a federal bill should supersede state laws and be enforced by the Federal Trade Commission (FTC). On the other side, Democrats — aligned with Cantwell — want to allow states the room to innovate beyond the federal standard. They also want a bill to provide consumers’ with a private right of action.
“I would expect those two issues to remain quite polarized,” said Gray, adding:
They were polarized similarly when we saw comprehensive legislation working its way through Washington state earlier this year and it led to the bill not passing.
Although members of both sides of the house have agreed in principle, that such legislation is necessary, they have. so far, failed to agree on certain key issues such as whether individual states should be allowed to implement more stringent rules, and whether consumers should be allowed to bring lawsuits claiming damages for alleged violation of their personal data.
During the hearing, California’s AG, Xavier Becerra’s testimony was largely based on his experience of implementing the CCPA. Becerra served as a mouthpiece for the pre-emption argument. He is also an advocate for the right to private action.
Cantwell and other Democrats on the committee are concerned that pre-emption — meaning federal law would supersede state privacy laws — could prevent states such as California from innovating beyond the national minimum. They hope to drag states that have yet to adopt data privacy laws up to a nation-wide standard, without restricting those states that want to innovate beyond a national law.
Becerra said: “I would urge that you consider that we could set a standard, but just don’t make it the ceiling, … Let it be the floor.”
Former FTC Chair and Commissioner Jon Leibowitz, along with some other witnesses, said the bills proposed by both Cantwell and Wicker already go significantly further than the CCPA. Leibowitz also said he would not support pre-emption if, in his opinion, a federal law would be weaker than state-level laws.
At the end of the day, you want the person who is driving from Biloxi to Seattle to have the same robust privacy protections wherever she or he goes,
Another former FTC chairman and commissioner, William Kovacic, voiced his support for giving rule-making authority to the FTC, so that it can adapt a federal data privacy standard as and when new issues appear. The very nature of the internet means that it does not recognize state boundaries. Therefore, any state-implemented expansions of the law would become de-facto nationwide standards because a business that has to comply with, for example, California’s CCPA, complies with that state law not within the borders of California alone.
Kovacic said he did not think individual states would necessarily feel any urgency to press ahead if they were confident that a national scheme would be adaptable and flexible. He added he is confident that legislation coming out of the committee will not only be adaptable, but that legislators would, from time to time, return to the issue at hand and ensure that it is kept up to date.
Private Right of Action
Cantwell’s opening statement included a strong stance articulating a need for citizens to be able to search for redress if their privacy rights are violated on their own. Cantwell said even if Congress empowers the FTC and state attorneys general to enforce a nationwide data privacy standard, there will never be enough resources to police the plethora of companies collecting consumer data.
“We will never be able to fully police the thousands and thousands of companies collecting consumer data if you are the only cop on the beat,” Cantwell said.
Becerra, in response to questions from Cantwell, added the private right of action makes legal protections tangible. Citizens have to have remedies available to them for their rights to be meaningful, according to Becerra.
Though both Republicans and Democrats agreed the FTC should be granted more resources in order to enforce privacy regulations, Cantwell and Becerra argued that citizens still need that extra outlet to advocate for themselves because state attorneys general and the FTC will never have the bandwidth to deal with every problem that arises.
“I guarantee you consumers would prefer to have the California attorney general move their case instead of them,” Becerra said, “but at the end of the day if we don’t have the capacity, then some of those consumers will take up the opportunity if they are given the right to go to court.”
In his response to Cantwell’s questions, Becerra said the private right of action makes legal protections tangible. Citizens need to have remedies available to them in order for their rights to be meaningful.
Republicans and Democrats both agreed that the FTC should be given additional resources enabling it to enforce privacy regulations. Becerra and Cantwell argued that consumers have to have an extra outlet to advocate for themselves because the FTC and state attorneys general will never have sufficient bandwidth to cope with every single problem that occurs.
I guarantee you consumers would prefer to have the California attorney general move their case instead of them, ….but at the end of the day if we don’t have the capacity, then some of those consumers will take up the opportunity if they are given the right to go to court.
Gray said private right of action is likely to be even more important, if pre-emption wins the day. “Most privacy advocates and civil rights advocates and a lot of the Democratic leadership would strongly prefer a privacy bill, especially if it’s going to supersede state laws, to include a private right of action so that individuals can challenge alleged violations directly themselves.
Maureen Ohlhausen, former FTC commissioner and acting chair, said in her written testimony, in past instances, private rights of action have usually just lined the pockets of attorneys without realizing true redress for victims. She added leaving enforcement up to state attorneys general and the FTC would create a level of consistency that in the end benefits consumers more than individual attempts to right the boat.
“It seems that in the discussion of data privacy at the federal level, this has become an article of faith,” Wicker said, “and I really regret that because I think it amounts to a stumbling block that may prevent national legislation from being enacted.”
So, there we have it. Stalemate — at least for the time being.
But isn’t that the way things generally go in the Senate — however complicated or straightforward the process of ironing out differences can be.
But, like most games of Chess, when the game is over, the pawn and the king go back to the same box.