Will the US Move to a Federal Privacy Law in 2021?

Data privacy trends in the US in light of this year’s election and other recent events were discussed by a panel during the FTI Consulting webinar The New Privacy Landscape: California’s New Law and Prospects for Federal Action.

The panel first highlighted the significance of the California Privacy Rights Act (CPRA), passed last month to expand the existing California Consumer Privacy Act (CCPA). Dominique Shelton Leipzig, firmwide co-chair of Perkins Coie’s Ad Tech Privacy and Data Management Practice, explained that this new law will bring about major changes to how data can be used in the state, and “companies really need to start thinking about this now.”

This includes requiring protection for sensitive information such as race, sexual preferences and trade union membership, while consumers also have a right to opt out of information sharing. Additionally, an agency will be set up to help enforce the legislation, including the power to issue fines.

Welcoming the move, Chris Calabrese, Microsoft’s senior director of privacy and data policy, said he expects the legislation to lead to greater trust in companies, and noted that “with the changes to the law we’ve moved closer to the GDPR model.” He also expressed hope that such an approach will be adopted on a wider scale in the future, including at a federal level.

A more co-ordinated approach to data privacy rules worldwide is needed to help companies implement a global strategy, according to Charles Palmer, FTI Consulting senior managing director, who outlined the difficulties many smaller businesses have had in staying compliant when operating across different jurisdictions. “We are at a point where there needs to be coalescing around some common standards,” he commented.

There does appear to be some movement toward a federal privacy law being enacted in the future, which would help resolve issues such as the ruling this year from the Court of Justice of the European Union (CJEU) that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful. Jason Van Beek, general counsel, Office of the Senate Majority Whip, outlined initial conversations that have taken place between a congressional committee and stakeholder groups about this. “If not passing one, then just getting it out of committee would be a positive step forward for a lot of interest groups looking to find a resolution to the issue of the privacy shield,” he noted.

In the current absence of a federal law in this area, the possibility of the state of California alone achieving adequacy to allow data transfers with the US was mooted by Shelton Leipzig. “There’s definitely going to be an attempt to get California designated as an adequate territory,” she said.

Nevertheless, Calabrese argued that the Schrems II case, which led to the ruling on the EU-US Privacy Shield, showed that while having a federal privacy law in the US is important, it won’t necessarily guarantee an adequacy decision from the EU. This is because the big issue in this case was surveillance by law enforcement agencies. He commented: “We’ve got to take both sides of that coin and address both of them,” adding that “there are creative ways to address this.”

On the development of privacy legislation at a federal level in 2021, Van Beek added that while it is an important issue on the agenda, the continuing uncertainty over the congressional election result, alongside the COVID-19 crisis, means it is unclear how this will progress next year and how high it will be on the agenda of lawmakers.
