Privacy Risks and Public Benefits of Big Data Federal Proposals Regarding Data Security and Privacy Regulation

Transcription

1 Privacy Risks and Public Benefits of Big Data Federal Proposals Regarding Data Security and Privacy Regulation Presented by: Francine E. Friedman (202) January 30, Akin Gump Strauss Hauer & Feld LLP

2 Congressional Interest in Privacy and Data Security in th Congress: Active interest in regulating the collection, use, sharing, and storage of online data. 20 pieces of legislation and numerous hearings addressed various facets of the issue: Collection of geolocation information from mobile devices Selling data on users internet activities and behavior Preventing employers from asking for login information to social networks Implementing proper safeguards to prevent data breaches A modest degree of bipartisan engagement.

3 Congress Unable to Move Legislation in Despite a string of high-profile privacy breaches, significant pressure from privacy hawks, and a degree of bipartisan engagement in Congress, no changes to privacy or data security standards were passed in the 112 th Congress. Why not? Too many cooks in the kitchen? Senate Judiciary Committee (Patrick Leahy) Subcommittee on Privacy, Technology, and the Law (Al Franken) Senate Commerce Committee (John Rockefeller) Subcommittee on Consumer Protection, Product Safety, and Insurance (Mark Pryor) Subcommittee on Communications, Technology, and the Internet (John Kerry) House Judiciary Committee (Lamar Smith) House Energy & Commerce Committee (Fred Upton) Subcommittee on Commerce, Manufacturing, and Trade (Mary Bono Mack) Too many competing bills? Lack of focus? Congressional gridlock in general? Political campaigns benefit from the ability to utilize vast amounts of voter data E.g., The official Presidential Inaugural Committee (PIC) mobile app, downloaded by tens of thousands of Obama supporters, provided users with information such as toilet locations, traffic alerts, and information on inaugural festivities. The app also allowed PIC to collect and share users data with candidates, organizations, groups or causes that we believe have similar political viewpoints, principles or objectives.

4 Administration Efforts in Light of Stalled Momentum in Congress We can t wait : Lack of congressional progress spurred Obama Administration (White House, Federal Trade Commission, Commerce Department) to look at executive branch solutions in Feb White House report ( Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy ) included four key elements: Consumer Privacy Bill of Rights to offer guidelines for private sector and government efforts to give users more control over how their personal information is used on the Internet and to help businesses maintain consumer trust; Multi-stakeholder process, convened by National Telecommunications and Information Administration (NTIA), to develop voluntary codes of conduct on privacy issues identified in the Consumer Privacy Bill of Rights; Strong enforcement by the FTC within its current jurisdiction; Greater interoperability between the United States privacy framework and those of our international partners.

5 Several Noteworthy Changes in the 113 th Congress Rep. Mary Bono Mack (R-CA) defeated in reelection bid. Chaired the Energy & Commerce subcommittee of jurisdiction and led efforts to find a consensus bill related to data security and breach notification. Rep. Lee Terry (R-NE) becomes new chairman of the E&C subcommittee on Commerce, Manufacturing, and Trade. Rep. Cliff Stearns (R-FL) defeated in reelection bid. One of few House Republicans to take a leading interest in privacy and data security issues. Sen. John Kerry (D-MA) nominated for Secretary of State. A proponent of strong privacy protections and a senior senator able to work well across the aisle and leverage personal friendships with Republicans. He chaired the Commerce Subcommittee on Communications, Technology, and the Internet. Rep. Ed Markey (D-MA) running for Sen. Kerry s vacant seat. A leading proponent of stricter children s privacy protections who has worked closely with Republican Joe Barton (TX) to advance legislation. Sen. John Rockefeller (D-WV) retiring at the end of Chairman of the Commerce Committee and very strong privacy advocate.

6 What to Expect From Leaders of the 113 th Congress Chairman Terry says privacy and data security won t be his subcommittee s top priority. However, he will gather a group of Committee D s and R s to begin looking at principles for a consensus-based privacy bill that can garner support from the business community and privacy advocates alike. Terry said he will also look at data security, using Bono Mack s SAFE Data Act as a starting point for the discussion this year. He sounds open to deviating from her bill, though, which stalled in the 112 th Congress. Chairman Rockefeller intends to continue playing at full-speed over the next two years, including in his effort to make the Internet more safe. Other key players (e.g., Sens. Blumenthal, Wyden, Franken, Leahy) appear poised to continue pushing privacy legislation from their committee and subcommittee perches.

7 Potential Legislation in the 113 th Congress Expired bills may be re-introduced in the 113 th Congress, for example: Sen. Wyden (D-OR) and Rep. Chaffetz (R-UT): Geolocation and Privacy Surveillance (GPS) Act Would prohibit companies from collecting or sharing geolocation information without the user s express consent. Sens. Franken (D-MN) and Blumenthal (D-CT): Location Privacy Protection Act Would require upfront notice and opt-in consent for tracking geolocation information; creates a private right of action. Sen. Leahy (D-VT): Personal Data Privacy and Security Act Would call for businesses to enact security procedures to protect sensitive data; creates a federal standard for notifying appropriate parties in the event of a breach. Sen. Blumenthal: Personal Data Protection and Breach Accountability Act Would create data breach notification/remedy/investigation standards; creates a private right of action. Sens. Rockefeller and Pryor (D-AR): Data Security and Breach Notification Act Would require businesses and not-for-profits to implement security measures and alert consumers when data has been compromised; in the event of a breach, affected individuals would be entitled to free credit monitoring services Sen. Rockefeller: Do-Not-Track Online Act Would give consumers the ability to opt out of having their online data tracked and stored; also applies to data collected from mobile devices Sens. Carper (D-DE) and Blunt (R-MO): Data Security Act Primarily focused on financial institutions; requires entities that possess sensitive information to build safeguards and implement policies for investigating security breaches and notifying consumers when a substantial risk of identity theft or account fraud exists

8 Legislative Proposals: Who Might be Impacted? In 112 th Congress, most bills applied to all commercial entities, regardless of size or sophistication From multinational corporations to individuals developing mobile apps in a garage Regulations based on the number of records or amount of data stored Some bills applied to not-for-profit organizations (e.g., universities, charities) S (Rockefeller-Pryor) singled out universities as covered entities H.R (Stearns) singled out 501(c)(3) organizations as covered entities Direct or indirect impact on wide range of entities Data brokers Retailers and companies that advertise online Banks and other financial services companies Mobile application developers Law enforcement agencies Web browsers and internet providers Large employers and many, many others

9 What Could Spur Congressional Action? More high-profile data breaches that re-focus public attention on the issues of privacy and data security Closer coordination among legislators Fewer bills introduced More legislative energy dedicated in support of any given bill Industry advocacy on behalf of a proposal Recognition that if consumers don t feel as if their personal information is safe online, they will be less likely to use online services Recognition that a single federal law is preferable to a patchwork of dozens of conflicting state laws. This is especially salient in the case of data security and breach notification standards, where businesses are subject to local regulations in nearly all 50 states. Threat of more Executive Orders Nothing motivates congressional Republicans like the fear of an unchecked President Obama; quick action in Congress may forestall White House involvement.

10 What to Expect from the Administration in 2013 Cybersecurity executive order expected in the very near future President Obama poised to take executive action in the wake of congressional failure in late 2012 to pass a cyber bill. The latest draft order does not mention data security, but stakeholders continue to comment and await the final version of the order. NTIA multi-stakeholder process on mobile app privacy policy transparency The multi-stakeholder group is beginning to coalesce around a mobile app transparency code of conduct, but disagreement remains over how apps should communicate the ways they leverage data collection. Also undecided is the question of whether users should have to acknowledge receipt of the privacy notice before they can download an app. Once agreement is reached by all participants, adoption of the codes of conduct will be voluntary. Any entity that agrees to opt into the voluntary regime, however, must adhere to the codes under force of penalty from the FTC.

11 Privacy Risks and Public Benefits of Big Data Federal Proposals Regarding Data Security and Privacy Regulation Presented by: Francine E. Friedman (202) January 30, Akin Gump Strauss Hauer & Feld LLP