USA: Privacy advocate groups release data protection plan for Biden Administration
Public Citizen and a coalition of privacy, consumer rights, and consumer organisations released, on 10 November 2020, a data protection policy framework and fact sheet for the next Administration. In particular, the groups note that privacy legislation in the US lags behind and state that that a new approach to privacy is needed. In a series of ten action points, the groups summarise key policy modifications necessary for the next Administration to reform the federal privacy landscape.
Data protection agency and federal privacy law
The plan outlines that the current framework of privacy enforcement by the Federal Trade Commission ('FTC') and the Federal Communications Commission ('FCC') lacks consistency and authority, noting, specifically the lack of either authorities with respect to rulemaking powers. The plan recommends that both authorities take appropriate action with respect to privacy violations and issue more substantial penalties on non-compliant companies. Additionally, the plan details that enforcement for privacy legislation should include:
- a clear basis for enforcement action when the rules governing data practices are violated;
- enforcement by federal and state agencies and a private right of action
- the ability to seek injunctive relief to stop illegal practices quickly;
- meaningful penalties for violations;
- the ability to obtain redress for affected individuals; and
- the ability to change company's data practices moving forward.
Further to this, the plan advises that a new national data protection agency is created that is focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges. Such agency should have far-reaching scope including the authority to, among other things, assess the threat landscape in the US, promulgate rules to protect privacy and security, issue opinions and guidance on privacy topics, and submit annual reports to Congress on the state of privacy in the US.
The important role that states have in privacy legislative reform is also highlighted by the plan. Although, the next Administration is advocated to encourage Congress to pass federal meaningful and comprehensive federal privacy legislation, the plan also warns of the dangers of a law that would pre-empt current state privacy laws and the work of the state Attorneys General. Specifically, states such as California, Illinois, Vermont, and Massachusetts were highlighted as states with laws that could be undermined if such a federal pre-emption took place.
Privacy as a civil rights and vulnerable people
Moreover, the plan outlines disproportionate harms resulting from inadequate privacy safeguards with respect to disadvantaged groups and vulnerable members of the populations. Therefore, the plan recommends that baseline federal privacy legislation should be built on familiar frameworks such as the U.S. Code of Fair Information Practices and the widely followed Organisation for Economic Co-operation and Development Privacy Guidelines. Some of the core principles of both include:
- transparency about business practice;
- data collection and use limitations;
- data minimization and deletion;
- purpose specification;
- access and correction rights;
- data accuracy; and
The plan also contends stronger protections for children should also be enacted with respect to data collection and marketing practices over the internet, citing them also as vulnerable part of the population whose privacy protections should be safeguarded. Furthermore, the plan advises that the Children's Online Privacy Protection Act of 1998 should be strengthened by increasing covered age to 17, banning behavioural and targeted ads, banning the use of student data for advertising, and requiring manufacturers and operators of connected devices and software to prominently display a privacy dashboard detailing how information on children and teens is collected, transmitted, retained, used, and protected.
The plan calls on the next Administration to welcome privacy experts into key government positions. Accordingly, individuals who hold these positions should be representative of the country, demonstrate a commitment to civil and privacy rights, racial justice, fluency in digital rights and technology issues, and lack significant conflicts of interest.
In relation to a federal privacy law, the plan recommends that a law should include clear limits on government access to personal data enacted by the following modifications:
- require a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a grand jury subpoena, or a court order;
- require clear and convincing evidence that the subject of the information is reasonably suspected of engaging in criminal activity and that the information sought would be material evidence in the case;
- require that law enforcement provide the individual concerned with prior notice and the opportunity to contest the search; and
- authorise the court reviewing the warrant application to modify the order if the scope of records requested is unreasonably voluminous in nature or if compliance with such order otherwise would cause an unreasonable burden.
Finally, the plan urges that algorithmic transparency be included in a federal privacy law which should be based on principles of transparency, accountability, and oversight. Since, according to the plan, individuals cannot have meaningful control of their privacy with the current practices of unfair or imbalanced contractual terms, the plan recommends that policies should be modified and that meaningful consent should be required and 'take-it-or-leave-it' practices prohibited. On federal agencies, the plan states that they should encourage innovations in privacy especially with regards to encryption and privacy enhancing techniques and, finally, it calls on antitrust enforcement agencies to ensure that privacy interests are considered in the merger review process.
Edidiong Udoh Privacy Analyst