On 12 January 2015, President Obama announced a package of far-reaching and dramatic changes to the shape of privacy laws in the U.S. This package is seen as a direct response to the changing emphasis on privacy and data security in the country in light of the Snowden revelations and the recent spate of cyber-attacks. The speech acted as a preview to the President’s annual State of the Union address, although the proposals were less prominent than had originally been anticipated.
The State of the Union was in the end focused around a broad appeal for national unity rather than a heavy emphasis on policies. Instead the President repeated his calls for unity and cohesion, themes which were evident in the week preceding the speech and clearly aimed at encouraging bipartisan cooperation. Obama himself characterised the speech as “less a checklist of proposals and [more a] focus on the values at stake in the choices before us.”
The story so far
2014 saw an unprecedented number of increasingly severe and high-profile attacks on cyber security. In particular, the Sony Pictures hack in December 2014 brought the issue into the global consciousness, with huge amounts of personal and sensitive data about celebrities and Sony employees being released into the public domain. And in an embarrassing turn of events for President Obama, the U.S. military’s Central Command (which leads US military action in the Middle East) was hacked shortly after his speech announcing the new proposals. In that instance, the military’s Twitter account was flooded with pro-ISIS posts, some using the hashtag #CyberCaliphate, the sum total of which forced the government to admit that their account had been “compromise.d. More justification for the introduction of far-reaching privacy reforms to address what President Obama called “enormous vulnerabilities.”
Free eBook: Modern Retail Security Risk – Get your copy now.
On the consumer side, a recent survey (the results of which were released in November 2014[1]) suggests that 91% of Americans believe that consumers have lost control over how personal information is collected and used by companies. The survey looked at attitudes to privacy and data in the wake of the Snowden scandal and also revealed that 64% of Americans believe that it is up to the government to regulate the way advertisers access data. Both of these statistics will have provided further justification for the administration’s proposals.
So, what changes are on the horizon?
There are four major themes of the reforms proposed by Obama:
– A Consumer Rights Bill
This is the most significant proposal and likely to be the most controversial. Taking the President’s February 2012 Consumer Data Privacy white paper as a blueprint, the Obama administration has committed to releasing a revised legislative proposal within 45 days of the announcement, incorporating analysis from the public consultations held on that white paper. So by the end of February, we will have a clearer idea of how the bill may look and what its key priorities might be, which should take into account industry opinion from all sides of the debate.
– Tackling identity theft
The introduction of the Personal Data Notification & Protection Act will establish a single, national standard for reporting data breaches and mandate the report of any such breach within 30 days of the date of its occurrence. A number of companies have also committed to making customers’ credit scores available to them for free, allowing customers to take control of their credit history and providing an “early warning system” for identity theft.
– Safeguarding student privacy
The central theme here is ensuring that data collected in the educational context is used only for educational purposes. To do this, the government will introduce the Student Digital Privacy Act, which will prevent companies from selling student data to third parties for purposes unrelated to the educational mission. Additionally, 75 companies have signed up to new commitments aimed at protecting against misuse of data, and the President used his speech to encourage others to follow suit.
– Protecting electricity customer data with a code of conduct
The Department of Energy has developed a new voluntary code of conduct for utilities companies aimed at protecting electricity customer data (including energy usage statistics). As more companies sign up, the government hopes that levels of consumer awareness will increase, thereby improving choice, making consent more informed, and putting controls on data access.
Are the proposals likely to become law?
Of the changes above, it is the Consumer Rights Bill that is the stand-out point, both because of the changes it has the potential to bring and the controversy that will likely surround it. Given that President Obama faces a hostile Republican-controlled Congress for the first time in his administration, there will be significant obstacles to passing the bill. The bill will likely go through many different iterations, and as such it is difficult to predict how far any reforms might go.
One factor which will determine successful passage of the proposals is the extent to which they might be perceived as partisan Democratic policy. This is a question of proposal content and political communication. The President may be able to garner Republican support in both houses on the basis of recent high-profile privacy/cyber incidents (Sony hack, Target breach, US Central Command Twitter account hack) to ensure relatively speedy adoption of The Personal Data Notification & Protection Act and The Student Digital Privacy Act. Successful adoption of Consumer Rights Bill would seem to be a thornier matter, however.
There is also some debate as to the effect of any proposals, with consumer and privacy groups concerned that they may not match up to the protection afforded by some of the more robust State laws passed recently in areas such as California. Privacy campaigners say that a federal baseline is needed but stress both the importance of States being given the freedom to establish stricter standards as well as the concerns they have about what they see as inevitable watering down of the federal standard.
Furthermore, the proposals may give rise to a broader discussion about the role of long-standing federal agencies such as the Federal Trade Commission and the Department of Health and Human Services in regulating privacy issues. Indeed, there may well be calls for this greater federal harmonisation of privacy law to be accompanied by a dedicated federal data protection agency. It will be fascinating to see whether any debate on this issue will reflect the discussions currently taking place on the other side of the Atlantic in relation to the draft General Data Protection Regulation’s proposed one-stop shop mechanism.
In addition, there is the possibility that some groups may interpret the Bill as the first step towards a Constitutional Amendment providing an explicit right to privacy. Any such interpretation would be extremely controversial given the importance American culture attaches to freedom of expression and the current international climate on this topic.
The next chapter
The Obama administration seems serious about these proposals. The prominence given to the reforms in the week before the State of the Union is indicative of the fact that this is likely to be a major policy initiative. The White House is hosting a summit on cybersecurity at Stanford University on 13 February, where the proposals and general themes will surely be ventilated more fully with a view to keeping the issue in the public consciousness as well as that of the legislators.
The package discussed above deals with consumer protection and data privacy measures, but there is also widespread acknowledgement of the fact that government and private entities need to be in agreement on the changes being introduced. That means proper incentives for the private sector to buy in to the reforms and safeguards for them when it comes to the government requesting disclosure of personal data from large organisations. The private sector is also concerned about disjointed compliance with the proposals, which risks putting those companies that comply with the proposals early on at a competitive disadvantage compared to those that hold out. This will slow the process and hinder reform.
There seems to be a level of consensus on the big ideas at the centre of these reforms, namely a need to reinforce cyber security and protect consumers for the mutual benefit of the individual, business and the economy. Making this a big issue in the run up to State of the Union and the announcement of the February summit are the first steps in driving the privacy reforms forward, but far from the end of the story.
[1] “Public Perceptions of Privacy and Security in the Post-Snowden Era” – Pew Research Centre, 12 Nov 2014
By Phil Lee, Privacy Partner, Fieldfisher
About Fieldfisher
Fieldfisher, is a multinational law firm headquartered in London, United Kingdom. The firm has practices in sectors including Real Estate, Energy, Financial Services, Government & Public Services, Hotels & Leisure, Life Sciences, Media, Telecoms and Technology. Fieldfisher has over 150 partners, 210 other lawyers and nearly 300 support staff across offices in Brussels, Düsseldorf, Hamburg, Paris, London, Manchester, Munich, Palo Alto and Shanghai.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.