A panel of cyber experts expressed their support this week for the most recent congressional effort to create national data privacy standards, but also voiced some criticisms of draft legislation released last month to push those proposed standards forward.
House and Senate committee leaders last month unveiled a discussion draft of their latest effort to create a national data privacy law via the American Privacy Rights Act (APRA) of 2024.
The discussion draft of the bill released by Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell, D-Wash., and House Energy and Committee Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., aims to set clear, national data privacy rights and protections for Americans.
Those proposed data privacy rights would limit the ability of big tech companies like Meta and TikTok to use Americans’ data without their permission – including through the use of algorithms that often fuel AI applications.
During a May 8 Senate Commerce, Science, and Transportation Subcommittee on Consumer Protection, Product Safety and Data Security hearing, Chair John Hickenlooper, D-Colo., asked witnesses if they think there needs to be a sense of urgency in passing the APRA.
While all four cyber experts agreed there is a sense of urgency – especially as AI and quantum computing are on the rise – they also offered constructive criticism for elevating the bill.
“I do think there should be a sense of urgency,” said James Lee, chief operating officer at the Identity Theft Resource Center. “Just look at artificial intelligence and just the efficiency and the depth and breadth that that is bringing to everything from creating malware to a phishing attack.”
But he noted that legislators should be “aware of the law of unintended consequences” when it comes to passing the APRA.
The current working draft calls for data minimization, but Lee cautioned that businesses still need data. “We need it for some very specific purposes because it’s used for anti-fraud, it’s used for identity verification, to prevent identity crimes,” he said. “In our zeal to protect consumers and give them access, we also have to be realistic that we still need some data.”
Prem Trivedi, policy director for New America’s Open Technology Institute, expressed skepticism toward APRA for its proposed transfer of preemption authority from the Federal Communications Commission (FCC) to the Federal Trade Commission.
“We would focus on this issue not to have overbroad preemption of the FCC’s ability to exercise long standing expertise in their domain on privacy,” Trivedi said.
Senior Director of Government Relations at the Security Industry Association, Jake Parker, said there is a “window of opportunity” for a Federal data privacy standard now, and it’s important that lawmakers act soon.
“Three years ago, there was one state that had their data privacy law, and now there’s 19,” he said. “There is potential that if they’re different enough, that a 50-state patchwork of laws could harm the economy.”
Parker mentioned that there are “significant improvements” to today’s APRA draft versus the one that was introduced two years ago, but there are questions if “what’s in the proposal now is adequate enough to be truly the national standard.”
The American Privacy Rights Act was first introduced in the last Congress on a bipartisan, bicameral basis. It passed the House Energy and Commerce Committee on a vote of 53-2 but stalled in the House after that.
The discussion draft released last month came just seven months before the 2024 elections – making for a tight timing window to consider the bill during the busy election season.
“This is a wonderful time to work on something like data privacy on a bipartisan basis right before a big election,” Sen. Hickenlooper said. “I’m hopeful [we’ll] continue to push with a sense of urgency this year to get this done. I think it’s doable.”