The 116th Congress has just been sworn in, and one of the items they are likely to take up in early 2019 is the Data Care Act of 2018. The bill was introduced to the Senate back in December, and proposes significant new regulations for the handling of sensitive personal information (such as Social Security numbers and biometric data) by tech companies.
This isn’t quite a full-on EU GDPR equivalent; the standards the bill proposes aim to bring the tech industry’s practices more in line with the rules currently applied to data breaches in particularly sensitive industries like finance, law and medicine.
The early version of this bill doesn’t do a whole lot to establish specific regulatory standards, however. The main thrust of it at this point is simply in defining what sorts of specific personal data will be subject to new regulations. The bill leaves the actual rule-making process up to the Federal Trade Commission (FTC), laying out only three very broad guidelines they will hold online companies to: duties of care, confidentiality and loyalty.
What data would be protected under the Data Care Act?
Sensitive data that would be subject to the new handling rules (once drafted) includes:
Social security numbers
Passport and driver’s license numbers
Any numbers or codes attached to a financial account of any sort
Online service login names and passwords
Anything that contains a significant portion of a subject’s name in combination with their full date of birth
Biometric data (fingerprints, eye iris and retina scans, voice prints)
Sen. Brian Schatz (D-Hawaii), the bill’s sponsor, summarized the scope of data the act covers as follows: “People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Our bill will help make sure that when people give online companies their information, it won’t be exploited.”
What would this mean for state and federal standards?
If it passes, the Data Care Act would be the first of its kind to be applicable in all 50 states. However, the act does specify that it cannot “modify, limit, or supersede” any state or federal data privacy laws (whether already existent or drafted in the future).
It would appear that this leaves room for states to draft stronger or weaker laws as they see fit. This act would therefore not be either the insurmountable GDPR-style national legislation that privacy advocates want, nor would it head off the potential problem of a patchwork of state laws that worries tech companies.
As it is worded now, the Data Care Act appears to basically be a stopgap for states that have not drafted their own comprehensive data privacy laws, ensuring that all United States residents have some acceptable baseline level of protection available at the federal level. At the very least, tech companies would have to handle personal information in as responsible a way as doctors and lawyers are expected to.
Who is sponsoring the Data Care Act? Will it pass?
Sen. Brian Schatz sponsored the bill in the Senate with the support of 14 of his fellow Democrats.
Given that it was introduced at the tail end of an outgoing Congress, there has been very little public commentary on the bill. While Republican Senators have yet to address it, there is at least some level of bipartisan support for federal data privacy regulation in Congress. Senators Jerry Moran (R-Kansas) and Richard Blumenthal (D-CT) have been privately working on a bipartisan data protection bill since at least November 2018, one that appears to have even stronger terms than the Data Care Act from what little has been publicly revealed about it.
The Center for Democracy and Technology, a representative group consisting of the biggest players in the tech and telecommunications industries (such as Apple, Google and Verizon), was quick to voice support for the Data Care Act.
What about competing Federal legislation?
The future of this bill might come down to timing. A draft of the unnamed Moran-Blumenthal bill is expected to be ready in early 2019. Blumenthall has indicated that the Democrat position will be that state laws should not be pre-empted by federal legislation, something that tech companies are generally opposed to (in spite of their support for the Data Care Act).
The Consumer Data Protection Act was introduced by Ron Wyden (D-Oregon) in early November, but is more contentious due to potential lengthy prison sentences for tech CEOs should they be found to have lied to the FTC on mandatory annual data protection reports.
Breaking down the Data Care Act
The Data Care Act is in too vague of a state to meaningfully analyze at present, but a few things can be inferred at this early stage.
The tech industry support for it in spite of its allowance for state law is telling. The bill is written in an intentionally vague way that would appear to allow companies some substantial room to maneuver in terms of compliance with the personal data they hold, at least as it sits right now.
The big tech companies may also feel comfortable handing the regulatory process over to the FTC, which does not have “specialized expertise in telecommunications” (as spelled out in a December 2017 editorial by Commissioner Terrell McSweeny published in Quartz). Tech companies may be hoping that the FTC leans on them for recommendations given said lack of expertise, or simply will not be capable of enforcing regulations as effectively as other government bodies would be able to.
Taken at face value, the terms are an improvement to the status quo for people in states that do not already have strong data privacy laws regulating the online companies their information is handled by. They also do not threaten residents of states such as California, which has already passed a more extensive “GDPR-lite” bill in the California Consumer Privacy Act.
Everything hinges on the drafting of specific provisions by the FTC and the ability to then enforce those provisions. The best guess at this point is that the tech industry is hoping to have a strong presence in this process, will be left with a great deal of legal maneuverability to get around regulation of the data they hold online, and/or simply expects FTC regulation to be slow and relatively toothless when violations do occur. This will be irrelevant in states like California, but their hope is likely that most states will defer to the Data Care Act rather than draft their own stronger protections.
However, even if things should play out in this most admittedly cynical of ways, the door is still left open for future federal legislation and overhaul of the standards. The first step in determining what will happen is to see which bills are introduced to Congress first in 2019 and where support for them swings.