Businesses push for national privacy rules

The U.S. Chamber of Commerce has published a list of principles it hopes the government will follow for federal data privacy legislation — marking the rare occasion on which the business advocacy group is proposing, rather than fighting, regulation of its constituents.

The big picture: Tim Day, senior vice president of the Chamber Technology Engagement Center, which compiled the chamber's proposal, acknowledged to Codebook that this is a defensive move.

• California recently passed its own data protection law, and the chamber worries other states may follow suit.
• Internationally, countries have begun to model privacy laws on the European Union's restrictive data privacy rules. A U.S. policy could counterbalance the E.U.'s influence.

The Trump administration is also poised to throw its weight in the national privacy policy debate for similar reasons.

The chamber's proposals emphasize simplicity and uniformity across industries and localities. That may not prove easy in a nation that's never been simple or uniform.

• By definition, a single national policy on privacy would preempt states from having their own policies.
• That has some clear advantages. For example, right now, each state (plus D.C. and the principalities) has its own law on how companies inform consumers about data breaches, resulting, companies say, in a confusing patchwork of regulations.
• Individual states' security standards could cause even more confusion if states envision different mixtures of products, personnel and auditing.

But privacy advocates argue that the relative ease with which states can pass these laws is valuable because federal rulemaking is so slow."If you lose the state laws, you don’t just lose the substance of those laws. You lose the states' agility," says Laura Moy, executive director of Georgetown University's Center on Privacy & Technology.

• While industries have asked for a single national standard for breach notification for years, Congress has been unable to agree on one. Meanwhile, according to Moy’s research, 8 states have already passed breach legislation in 2018.

The U.S. regulates privacy differently in each industry, unlike the rest of the world, with a different standard for health care than for retail. The chamber hopes to trim that to a single standard.

The details: The chamber also wants to require any enforcement to be based on “concrete harm.”

• Focusing on definitive or imminent harm rather than potential problems would limit the government’s ability to force firms to prevent breaches, including statutory fines for not meeting security standards. The Federal Trade Commission's chief role is to combat fraud, not regulate privacy.
• Alan Friel, partner at BakerHostetler, noted that statutory fines are levers that states normally like to have at their disposal.
• “The chamber is suggesting a well-accepted federal privacy principle,” says Friel. “The question in the post election-meddling and Cambridge Analytica world is, do we want something more than FTC deception authority?”