The State of Privacy under a Biden Administration: Federal Cybersecurity Legislation, Strict Regulatory Enforcement, and a New Privacy Shield with the EU

From January 20th onward, the Biden administration has collided headfirst with unprecedented public health, economic, and national security crises, symptoms of a pandemic that have sparked intense speculation around the new administration’s privacy policy. Digital contact tracing, sweeping collection of personal data, sophisticated modes of AI surveillance, foreign data hacks, and real-world manifestations of cyber terrorism have provoked serious public concern surrounding privacy protection. Yet many observers find reason for hope in the new administration, encouraged by Vice President Harris’s strong track record in privacy enforcement and the return of various Obama staffers who contributed to the former President’s Consumer Privacy Bill of Rights and formation of the Federal Privacy Council. Biden has stated his administration is “elevat[ing] the status of cyber issues” and “launching an urgent initiative to improve our capability, readiness and resilience in cyberspace.” Accordingly, the President has fortified national security by hiring defense experts with extensive experience in cybersecurity, a policy matter that was low in the Trump administration’s priorities.

The beginning of the Biden administration coincides with a growing push for federal privacy legislation. Numerous privacy protection bills have been introduced to Congress in recent years, and while proposed legislation has thus far failed, an April 2020 Congressional Research Service report indicates that the bills largely agreed on creating a bundle of digital rights including the right of access to online personal data. The bills diverged on the inclusion of individual rights of action and the preemption of state law. Nevertheless, the call for privacy legislation is loud on both sides of the aisle. With Democratic control of the Senate and House following the Georgia election runoff, the Consumer Online Privacy Rights Act (“COPRA”), S. 2968, 116th Cong. (2019), is the strongest candidate for federal privacy legislation, as opposed to the Republican-led Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (“SAFE DATA”), S. 4626, 116th Cong. (2020). COPRA would establish new digital rights enabling consumers to request the deletion of personal data collected by commercial websites, in addition to prohibiting companies from collecting “sensitive data” without the user’s express consent. Crucially, states would retain the ability to enact stronger privacy legislation that goes beyond the protections of COPRA, and grant citizens a right of action against companies suspected of violating their privacy rights.

Progress in state legislation, meanwhile, is moving quickly: by some accounts, it is possible that at least half of the states could adopt data protection laws over the next few years. California has proven itself a leader in privacy protection, and it was during Harris’s tenure as Attorney General that the California Online Privacy Protection Act (“CalOPPA”)––the first state law requiring privacy disclosures on commercial websites––was amended to its present, stricter form. Inconsistent privacy law across the states, however, is frustrating for entities both within and outside the country, and has caused legal friction between the US and EU, complicating cooperative data flow––a problem especially pertinent during the pandemic. Tensions came to a head this past summer with the “Schrems II” decision, which voided the “Privacy Shield” protecting data transfers between the US and EU. Since Schrems II, transatlantic data transfer has been riskier and costlier, with privacy regulations in conflict between the EU’s General Data Protection Regulation (“GDPR”) and the American “sectoral approach,” wherein privacy requirements vary from industry to industry. To produce a new Privacy Shield, the US and EU would have to cooperate to address concerns on both sides, including European misgivings concerning Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and certain Executive Orders and Presidential Directives. This reconciliatory project will prove complex and challenging, but Angela Merkel, at least, seems optimistic that some new agreement may be reached: “America is and will remain our closest ally, but it expects more from us — and rightly so. We are working on it.” On the American side, Biden’s responsibility will be to achieve uniformity in privacy law by enacting federal legislation. 
If COPRA were to fail in the Senate or House, Congress could look to GDPR as a model for its own legislation, as some believe the California legislature did for the California Consumer Privacy Act (“CCPA”). Taking cues from both GDPR and California laws, Congress could craft provisions paralleling those that European and Silicon Valley entities already follow, easing much of the intergovernmental confusion.

The Biden administration has also focused its attention beyond Congress and toward agencies, namely the Federal Trade Commission (“FTC”), pushing for more aggressive enforcement of privacy regulations and antitrust action. If COPRA passes into law, the FTC will be responsible for enforcing it, and to that end Biden is appointing senior officials whom he believes competent for the task. After Republican Joe Simons stepped down as FTC Chairman, the President appointed Democrat Rebecca Kelly Slaughter as Acting Chair, taking a significant step toward flipping the FTC’s Republican majority. The FTC has already begun an investigation into the data collection practices of companies such as Facebook, Amazon, Twitter, and YouTube, and will face executive pressure to enforce regulations wherever appropriate.

The Biden administration’s emphasis on enforcement will find strong leadership in Vice President Harris, whose time as Attorney General of California was marked by substantial legal action in privacy and technology. Early in her tenure, Harris responded to a series of data breaches by creating the Privacy Enforcement and Protection Unit, and produced a report titled Privacy on the Go: Recommendations for the Mobile Ecosystem. Not long after, she managed to get Amazon, Apple, Google, Microsoft, and two other companies to agree to the Joint Statement of Principles, committing the tech giants to five standards strengthening consumer privacy. Among the many important deals Harris struck with Big Tech, one influential settlement required a tech startup to hire a Chief Privacy Officer (“CPO”). During her time at the White House, Harris could attempt to require CPO positions in federal agencies, a move that Travis LeBlanc, a member of the US Privacy and Civil Liberties Oversight Board, urges as necessary “for ensuring that privacy gets the attention it rightly deserves.” LeBlanc argues that agencies are currently held unaccountable for their collection and use of personal data, but CPOs could ensure proper privacy practices while also advancing agency objectives. He therefore advocates mandating all agencies have CPOs who report directly to agency heads and are empowered to enforce privacy regulations.

With so many crises competing for attention, many privacy goals will be put on hold during the President’s first one hundred days, and not all the measures discussed in this article may come to fruition. However, it is inevitable that the Biden administration will confront serious cybersecurity threats of terrorism, economic injury, and political sabotage. LeBlanc states that “privacy and cybersecurity are inextricably intertwined,” and according to the Cyberspace Solarium Commission, the country is at serious risk of “catastrophic cyberattack.” It is difficult to overstate the gravity of the role the Biden administration now assumes, but there is hope that strong actors in the administration will take action to protect private data and safeguard human rights––whether those rights exist primarily in the physical or digital world.