The prospects for a federal privacy bill actually being signed into law in the United States in 2019 just took another big step forward with new draft legislation from Silicon Valley chipmaker Intel, which is now calling for public debate and commentary. If this privacy bill proposed by Intel eventually finds a sponsor in the U.S. Congress, that could pave the way for omnibus consumer data privacy legislation at the federal level that would impose significant penalties on any U.S. company that fails to provide reasonable safeguards for protecting personal information and data.
Details of the new Intel privacy bill
According to the details of the proposed 27-page privacy bill, companies would need to certify to the U.S. Federal Trade Commission (FTC) on an annual basis that they are taking strong measures to protect consumer data. Failure to do so could result in fines of up to $1 billion, or a maximum of $16,500 per user impacted by a serious data breach. At the same time, the bill would enable federal and state regulators to force companies to change their data practices because the bill requires a robust framework for protecting consumer data. Moreover, executives who falsely certify compliance could face criminal prosecution, as well as a maximum of 10 years in prison. Intel’s global privacy officer called it “the best privacy protection you can get,” because top executives would fear possible imprisonment for not taking adequate steps to protect data privacy.
But the bill also provides a “safe harbor” for companies, enabling them to avoid any civil actions as a result of a data breach. In other words, as long as a company pledges that it is doing everything in its power to protect consumer data, it would avoid the risk of a massive civil lawsuit. This is the part of the legislation that really caught the attention of data privacy advocates, because it would essentially protect tech firms like Facebook and Google from fines. Companies would only lose this “safe harbor” exclusion if they repeatedly allow data breaches to occur on their watch. Some analysts have already called the Intel privacy bill “a major win” if tech companies are protected from civil actions.
Moreover, the new privacy bill from Intel does not have a provision requiring companies to notify victims of a data breach. By way of comparison, the typical state-level privacy law requires notification within 30, 45 or 60 days. And the much stricter European General Data Protection Regulation actually requires companies to notify victims within 72 hours in order to protect consumers. Thus, at first glance, it would appear that the Intel privacy bill still falls short of what is now considered best practices in the data privacy world.
The debate over a federal privacy bill
As Intel points out, the time is now for a national debate over consumer privacy. After public outcry over data privacy scandals at top tech giants Facebook and Google, there is clearly growing concern that the nation’s leading companies still are not paying enough attention to protecting consumer data. As more and more tech executives get pulled in front of Congress to explain how data privacy breaches could have occurred on such epic scales, the momentum is building for federal legislation that would essentially mandate consumer data privacy protection. If tech companies won’t self-regulate, the thinking goes, then the federal government will need to get involved.
Thus, Intel’s draft legislation is clearly designed to get out ahead of the debate and provide the type of “model legislation” that would appeal to both tech companies and regulators. New California privacy laws, for example, are set to go into effect in January 2020, and that has clearly motivated top California tech companies like Intel to come up with a potential alternative. As a result, the draft legislation is really all about reconciling two competing interests: making sure that consumer data privacy is protected, while simultaneously creating a framework for tech industries to grow.
In reconciling these two interests, Intel’s Global Privacy team applied six core principles, the most important of which is the notion of “risk-based accountability.” Risk-based accountability implies that companies should be held most accountable for data that is at greatest risk. Thus, the proposed Intel privacy bill provides the strongest safeguards for geolocation data, physical and mental health data, and similar types of personal data that could lead to abuse from hackers, scammers, third-party data brokers selling data or unscrupulous companies using targeted advertising. According to the Intel privacy bill, companies would need to get explicit consent if collecting this type of data. Companies would also need to provide information on how they are using this personal data.
Possible motivations for the Intel privacy bill
As noted above, Intel is clearly attempting to get out in front of a very sensitive matter that could have very profound implications for the future growth of the tech industry. Already, Apple CEO Tim Cook has called for new landmark privacy legislation that would protect tech consumers, and the pressure is growing on both Facebook and Google to explain how data breaches appear to be happening with alarming frequency.
What is interesting to note is that Intel, like Apple, does not directly collect consumer data. As a result, Intel is not in the crosshairs of regulators, in contrast to consumer-facing companies like Google or Facebook. But here’s the thing: Intel provides the chips that power digital devices made by these companies, and the company is clearly concerned that if companies like Google go out of business or are crippled by fines and penalties, an entire swathe of its customer base could be at risk. In other words, what is bad for Google is also bad for Intel, at least indirectly.
Moreover, Intel is concerned that a broad regulatory backlash against the tech sector could have a chilling impact on the development of new technologies, such as AI. As a result, Intel specifically mentions AI in commentary about its draft privacy bill, and Intel’s privacy team emphasizes that AI (i.e. machine learning and AI-powered algorithms) could play a very important role in detecting data intrusions as well as protecting personal data.
Looking ahead to next year
Heading into 2019, it now appears more likely than ever before that a federal privacy bill is coming to the United States. The big question, of course, is what it will look like, and whether it will be as far-reaching as the European GDPR, which went into effect in May. Tech companies – led by the likes of Apple and Intel – appear to be angling for a compromise federal privacy bill solution that is less stringent than the GDPR (and even less stringent than some state privacy bills), and filled with enough loopholes to ensure that the biggest tech companies are essentially able to continue to do business as usual without the risk of massive fines.