On 12 January 2015, President Obama announced a package of far-reaching and dramatic changes to the shape of privacy laws in the US. This package is seen as a direct response to the changing emphasis
On 12 January 2015, President Obama announced a package of far-reaching and dramatic changes to the shape of privacy laws in the US. This package is seen as a direct response to the changing emphasis on privacy and data security in the US, in light of the Snowden revelations and the recent spate of cyber-attacks. The speech acted as a preview to the President's annual State of the Union address, where the new privacy proposals will certainly feature.
The story so far
2014 saw an unprecedented number of increasingly severe and high-profile attacks on cyber security. In particular, the Sony Pictures hack in December 2014 brought the issue into the global consciousness, with huge amounts of personal and sensitive data about celebrities and Sony employees being released into the public domain. And in an embarrassing turn of events for President Obama, the US military's Central Command (which leads US military action in the Middle East) was hacked shortly after his speech announcing the new proposals last week. In that instance, the military's Twitter account was flooded with pro-Isis posts, some using the hashtag #CyberCaliphate, and the government was forced to admit that their account had been "compromised". More justification for the introduction of far-reaching privacy reforms to address what President Obama called "enormous vulnerabilities".
On the consumer side, a recent survey (the results of which were released in November 2014[1]) suggests that 91% of Americans believe that consumers have lost control over how personal information is collected and used by companies. The survey looked at attitudes to privacy and data in the wake of the Snowden scandal, and also revealed that 64% of Americans believe that it is up to the government to regulate the way advertisers access data. Both of these statistics will have provided further justification for the administration's proposals.
So, what changes are on the horizon?
There are four major themes of the reforms proposed by Obama:
This is the most significant proposal, and likely to be the most controversial. Taking the President's February 2012 Consumer Data Privacy white paper as a blueprint, the Obama administration has committed to releasing a revised legislative proposal within 45 days of the announcement, incorporating analysis from the public consultations held on that white paper. So by the end of February, we will have a clearer idea of how the Bill may look and its key priorities, which should take into account industry opinion from all sides of the debate.
The introduction of the Personal Data Notification & Protection Act will establish a single, national standard for reporting data breaches, and mandate the report of any such breach within 30 days of the date of its occurrence. A number of companies have also committed to making customers' credit scores available to them for free, allowing customers to take control of their credit history and providing an "early warning system" for identity theft.
The central theme here is ensuring that data collected in the educational context is used only for educational purposes. To do this, the government will introduce the Student Digital Privacy Act, which will prevent companies from selling student data to third parties for purposes unrelated to the educational mission. Additionally, 75 companies have signed up to new commitments aimed at protecting against misuse of data, and the President used his speech to encourage others to follow suit.
The Department of Energy has developed a new voluntary code of conduct for utilities companies, aimed at protecting electricity customer data (including energy usage statistics). As more companies sign up, the government hopes that levels of consumer awareness will increase, thereby improving choice, making consent more informed and putting controls on data access.
Are the proposals likely to become law?
Of the changes above, it is the Consumer Rights Bill that is the stand-out point, both because of the changes it has the potential to bring and the controversy that will likely surround it. Given that president Obama faces a hostile Republican-controlled Congress for the first time in his administration, there will be significant obstacles to passing the bill. The Bill will likely go through many different iterations as it becomes closer to being a Bill that is capable of gaining the required Congressional support, and as such it is difficult to predict how far the reforms will go.
One factor which will determine successful passage of the proposals is the extent to which they are perceived as partisan Democrat policy. This is a question of proposal content and political communication. The President may be able to garner Republican support in both houses on the basis of recent high-profile privacy/cyber incidents (Sony hack, Target breach, US Central Command Twitter account hack) to ensure relatively speedy adoption of The Personal Data Notification & Protection Act and The Student Digital Privacy Act. Successful adoption of Consumer Rights Bill would seem to be a thornier matter.
There is also some debate as to the effect of any proposals, with consumer and privacy groups concerned that they may not match up to the protection afforded by some of the more robust State laws passed recently in areas such as California. Privacy campaigners say that a federal baseline is needed, but stress the importance of States being given the freedom to establish stricter standards and the concerns they have about what they see as inevitable watering down of the federal standard.
Furthermore, the proposals may give rise to a broader discussion about the role of long-standing federal agencies such as the Federal Trade Commission and the Department of Health and Human Services in regulating privacy issues. Indeed, there may well be calls for this greater federal harmonisation of privacy law to be accompanied by a dedicated federal data protection agency. It will be fascinating to see whether any debate on this issue will reflect the discussions currently taking place on the other side of the Atlantic in relation to the draft General Data Protection Regulation's proposed one stop shop mechanism.
In addition, there is the possibility that some groups may interpret the Bill as the first step towards a Constitutional Amendment providing an explicit right to privacy. Any such interpretation would be extremely controversial, given the importance American culture attaches to freedom of expression, and the current international climate on this topic
The next chapter
The Obama administration seems serious about these proposals. The prominence that they are giving to the reforms in the week before the State of the Union is indicative of the fact that this is likely to be a major theme this year, rather than just occupying a line or two in the speech (as has been the case in the past).
The package discussed above deals with consumer protection and data privacy measures, but there is also widespread acknowledgement of the fact that government and private entities need to be in agreement on the changes being introduced. That means proper incentives for the private sector to buy in to the reforms, and safeguards for them when it comes to the government requesting disclosure of personal data from large organisations. The private sector is also concerned about disjointed compliance with the proposals, which risks putting those companies that comply with the proposals early on at a competitive disadvantage compared to those that hold out. This will slow the process and hinder reform.
There seems to be a level of consensus on the big ideas at the centre of these reforms, namely a need to reinforce cyber security and protect consumers for the mutual benefit of the individual, business and the economy. Making this a big issue at the State of the Union is the first step in driving the privacy reforms forward, but it is far from the end of the story.
[1] "Public Perceptions of Privacy and Security in the Post-Snowden Era" - Pew Research Centre, 12 Nov 2014
The story so far
2014 saw an unprecedented number of increasingly severe and high-profile attacks on cyber security. In particular, the Sony Pictures hack in December 2014 brought the issue into the global consciousness, with huge amounts of personal and sensitive data about celebrities and Sony employees being released into the public domain. And in an embarrassing turn of events for President Obama, the US military's Central Command (which leads US military action in the Middle East) was hacked shortly after his speech announcing the new proposals last week. In that instance, the military's Twitter account was flooded with pro-Isis posts, some using the hashtag #CyberCaliphate, and the government was forced to admit that their account had been "compromised". More justification for the introduction of far-reaching privacy reforms to address what President Obama called "enormous vulnerabilities".
On the consumer side, a recent survey (the results of which were released in November 2014[1]) suggests that 91% of Americans believe that consumers have lost control over how personal information is collected and used by companies. The survey looked at attitudes to privacy and data in the wake of the Snowden scandal, and also revealed that 64% of Americans believe that it is up to the government to regulate the way advertisers access data. Both of these statistics will have provided further justification for the administration's proposals.
So, what changes are on the horizon?
There are four major themes of the reforms proposed by Obama:
- A Consumer Rights Bill
This is the most significant proposal, and likely to be the most controversial. Taking the President's February 2012 Consumer Data Privacy white paper as a blueprint, the Obama administration has committed to releasing a revised legislative proposal within 45 days of the announcement, incorporating analysis from the public consultations held on that white paper. So by the end of February, we will have a clearer idea of how the Bill may look and its key priorities, which should take into account industry opinion from all sides of the debate.
- Tackling identity theft
The introduction of the Personal Data Notification & Protection Act will establish a single, national standard for reporting data breaches, and mandate the report of any such breach within 30 days of the date of its occurrence. A number of companies have also committed to making customers' credit scores available to them for free, allowing customers to take control of their credit history and providing an "early warning system" for identity theft.
- Safeguarding student privacy
The central theme here is ensuring that data collected in the educational context is used only for educational purposes. To do this, the government will introduce the Student Digital Privacy Act, which will prevent companies from selling student data to third parties for purposes unrelated to the educational mission. Additionally, 75 companies have signed up to new commitments aimed at protecting against misuse of data, and the President used his speech to encourage others to follow suit.
- Protecting electricity customer data with a code of conduct
The Department of Energy has developed a new voluntary code of conduct for utilities companies, aimed at protecting electricity customer data (including energy usage statistics). As more companies sign up, the government hopes that levels of consumer awareness will increase, thereby improving choice, making consent more informed and putting controls on data access.
Are the proposals likely to become law?
Of the changes above, it is the Consumer Rights Bill that is the stand-out point, both because of the changes it has the potential to bring and the controversy that will likely surround it. Given that president Obama faces a hostile Republican-controlled Congress for the first time in his administration, there will be significant obstacles to passing the bill. The Bill will likely go through many different iterations as it becomes closer to being a Bill that is capable of gaining the required Congressional support, and as such it is difficult to predict how far the reforms will go.
One factor which will determine successful passage of the proposals is the extent to which they are perceived as partisan Democrat policy. This is a question of proposal content and political communication. The President may be able to garner Republican support in both houses on the basis of recent high-profile privacy/cyber incidents (Sony hack, Target breach, US Central Command Twitter account hack) to ensure relatively speedy adoption of The Personal Data Notification & Protection Act and The Student Digital Privacy Act. Successful adoption of Consumer Rights Bill would seem to be a thornier matter.
There is also some debate as to the effect of any proposals, with consumer and privacy groups concerned that they may not match up to the protection afforded by some of the more robust State laws passed recently in areas such as California. Privacy campaigners say that a federal baseline is needed, but stress the importance of States being given the freedom to establish stricter standards and the concerns they have about what they see as inevitable watering down of the federal standard.
Furthermore, the proposals may give rise to a broader discussion about the role of long-standing federal agencies such as the Federal Trade Commission and the Department of Health and Human Services in regulating privacy issues. Indeed, there may well be calls for this greater federal harmonisation of privacy law to be accompanied by a dedicated federal data protection agency. It will be fascinating to see whether any debate on this issue will reflect the discussions currently taking place on the other side of the Atlantic in relation to the draft General Data Protection Regulation's proposed one stop shop mechanism.
In addition, there is the possibility that some groups may interpret the Bill as the first step towards a Constitutional Amendment providing an explicit right to privacy. Any such interpretation would be extremely controversial, given the importance American culture attaches to freedom of expression, and the current international climate on this topic
The next chapter
The Obama administration seems serious about these proposals. The prominence that they are giving to the reforms in the week before the State of the Union is indicative of the fact that this is likely to be a major theme this year, rather than just occupying a line or two in the speech (as has been the case in the past).
The package discussed above deals with consumer protection and data privacy measures, but there is also widespread acknowledgement of the fact that government and private entities need to be in agreement on the changes being introduced. That means proper incentives for the private sector to buy in to the reforms, and safeguards for them when it comes to the government requesting disclosure of personal data from large organisations. The private sector is also concerned about disjointed compliance with the proposals, which risks putting those companies that comply with the proposals early on at a competitive disadvantage compared to those that hold out. This will slow the process and hinder reform.
There seems to be a level of consensus on the big ideas at the centre of these reforms, namely a need to reinforce cyber security and protect consumers for the mutual benefit of the individual, business and the economy. Making this a big issue at the State of the Union is the first step in driving the privacy reforms forward, but it is far from the end of the story.
[1] "Public Perceptions of Privacy and Security in the Post-Snowden Era" - Pew Research Centre, 12 Nov 2014