We have all heard the news about several recent breaches and scandals involving sensitive data. These controversies have caused growing concerns about whether our personal information is safe. As a result, many are calling on Congress to establish a nationwide data protection and data privacy framework.
Currently, there is no single comprehensive federal law governing companies’ data privacy practices. There have been several attempts over the years by Congress to fill in the gaps, but that only resulted in a complex patchwork of sector-specific privacy laws ultimately leading to inconsistent protections and confusion for consumers.
Consequently, several states including California have developed their own statutory frameworks for data protection, creating a patchwork of state laws. Not without its problems and detractors, California’s new law, the California Consumer Privacy Act (CCPA), is set to go into effect at the end of this year. Unfortunately, it only makes things worse. CCPA applies to information that is not sensitive, meaning companies will be forced to focus on compliance measures that consumers do not value. In addition, this law requires the disclosure of information that consumers and businesses will find both confusing and frustrating. It does not make sense to have a patchwork of state laws on this issue. Your privacy and security should not change depending on where you are in the U.S.
As Congress looks at ways to improve consumers’ privacy and security, it is important to have a thoughtful approach that balances privacy and security with competition and innovation for consumers. Last week, I participated in an annual Capital to Capital Exchange program, which was in Copenhagen this year. I served on a bipartisan panel made up of Congressmen and cyber security experts from Denmark, where we discussed what the U.S. can learn from the EU and Danish companies about the General Data Protection Regulation (GDPR) and its implementation. Although the GDPR is a uniform standard across all EU countries, it negatively impacts businesses and consumers by overregulating. Twenty percent of firms claim that the GDPR is impossible to comply with, and less than 50 percent are fully compliant. In addition to discussing the pros and cons of the GDPR framework and other privacy principles and ideas, we debated whether preemption by Congress is appropriate in this area in order to avert a patchwork of state-level privacy laws.
Last Congress, the Energy and Commerce Committee held several hearings discussing privacy and security issues, including the first time that Facebook CEO Mark Zuckerberg testified before the House of Representatives. As the U.S. potentially crafts its own federal privacy and data protection legislation, it is imperative that we look at the shortcomings of the GDPR and CCPA and get it right the first time. There are four main principles I believe we must include: one national standard for privacy and security rules, increased transparency and accountability for consumers, improved data security practices, and balanced impact on small business and innovation.
For more information on my activities in our district and in Washington, I encourage you to follow my Facebook page at https://www.facebook.com/Rep.Billy.Long and my Twitter page at https://twitter.com/USRepLong. You can also subscribe to my weekly newsletter, “Long’s Short Report,” by visiting https://longforms.house.gov/newsletter-and-email-updates-form