What Will Privacy Look Like Under a Biden Presidency?
January 28 is Data Privacy Day, when we all get to spend the day thinking critically about the importance of protecting our personal data online. Did you know that Data Privacy Day falls on the 28th because the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council of Europe on this day in 1981? On January 20, 2020, Joe Biden was sworn in as America’s 46th President, so we thought it would be fitting to take a deep dive into how the new Biden Presidency might approach privacy over the next few years.
Will Privacy be a Priority?
In truth, Biden has been rather light on details when it comes to specifics around data privacy. There are a few signals, however, that Biden may be a positive influence for advancing stronger privacy and data security protections.
On the record: Biden stated in January 2020 that the U.S. should be “setting standards not unlike the Europeans are doing relative to privacy.” In the same interview, he also suggested that any Supreme Court nominees should have a strong recognition of the right of privacy.
Foreign Policy: Biden’s Foreign Policy Plan laid out a vision for advancing the “security, prosperity, and values of the United States” by renewing alliances, strengthening our own democratic principles at home, and ensuring a level playing field in trade. This includes bolstering protections for data privacy, and ensuring adequate protections against cyber theft.
Domestic Policy: Biden’s plans specifically call out the importance of considering diverse stakeholders when it comes to data protection. For example, Biden promises to take account of the “needs of the disability community when strengthening and enforcing data privacy protections,” and to ensure that adequate privacy protections are enforced when collecting data on LGBTQ+ people. A Biden-Sanders Unity Task Force issued recommendations in August which also cited the need to develop best practices around preventing student data sharing by for-profit organizations, curbing civil rights and personal privacy abuses around police use of body cameras, and setting guidelines regarding the use of biometric surveillance and information sharing at the border. It’s noteworthy that with regard to the reforms around immigration, the Biden-Sanders recommendations outline five of the seven GDPR principles — transparency, accuracy, accountability, fit for purpose, and timely. While Biden’s technocratic approaches often favor more data collection, it’s helpful to note that in most cases, sentences on data collection are followed by the importance of disaggregation of data, transparency and accuracy, to ensure privacy is maintained.
Big Tech: Biden has emphasized the importance of reining in Big Tech, by signaling that he plans to pursue antitrust actions and potentially repeal or reform Sec. 230 of the Communications Decency Act, which gives broad immunity to online platforms for content posted by users. He has called out privacy concerns and excessive data collection by firms such as Facebook, Google and others as one of the reasons that Big Tech needs another look.
Biden Appointments: Biden is also surrounding himself with experts in privacy, tech and AI from the Obama administration, including:
Christopher Hoff (U.S. Department of Commerce) – Hoff will serve as deputy assistant secretary for services at the U.S. Department of Commerce, overseeing the U.S. Privacy Shield negotiations with the EU. He has an extensive privacy background, and has had a long career in the public and private sector in privacy matters. [IAPP Profile]
Robert Silvers (U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency) – Silvers is expected to be appointed to lead the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, a position formerly held by Christopher Krebs. Silvers is currently a partner at Paul Hastings, and is the vice chair of the firm’s privacy and cybersecurity practice. [Paul Hastings bio]
Alondra Nelson (OSTP Deputy Director) – Nelson is a professor at the Institute for Advanced Study, who studies societal impacts of emerging technologies, including AI and algorithmic impacts on bias, data privacy and corporate influence on research. [Wikipedia]
The VP, Kamala Harris, also has hands-on experience pushing privacy and consumer protections, both during her tenure as California’s AG, and in Congress.
Will There be a National Privacy Law?
The US’ byzantine system of patchwork, sectoral federal and state laws has made privacy compliance tough for business. Currently, all states have mostly sectoral laws (e.g., medical privacy, social security protections) on the books, but more states are looking to follow the lead of states like California and Maine in crafting broader legislation. All 50 states, plus the District of Columbia, Guam, and Puerto Rico, also have data breach notice laws in place. It’s no secret that big tech firms are heavy political donors, and that compliance with dozens of disparate laws is far more costly than compliance with wholesale approaches like the GDPR. Privacy is also one of the few issue areas where bipartisan support is possible (albeit via very different means). That raises the question – will Congress push for a new federal Privacy Act? While many have speculated for years that a national privacy law is ‘on the horizon’, at best, we can offer only hopeful optimism.
Cross-Border Data Protection
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the U.S. Privacy Shield, a mechanism used by many US firms to transfer data between the EU and US. In the case of Irish Data Protection Commissioner v. Facebook, Schrems, et al. (Schrems II), the CJEU found that the US’ broad surveillance powers, lack of notice to affected EU data subjects, and virtually no right of redress meant that US law did not meet the level of data protection necessary to satisfy adequacy requirements under the GDPR. This ruling has the potential to nullify countless cross-border transfers for organizations large and small. The Court’s broad declaration of invalidity hasn’t stopped the EU and US from trying to work things out. Currently, this task is undertaken by the Deputy Undersecretary for the Department of Commerce, and the recent appointment of Hoff signals that such talks may be top of mind for the administration. That said, it’s highly unlikely that the US will reform broad surveillance powers currently granted to the three-letter agencies, so meeting the spirit of the GDPR’s broad data protection obligations seems unlikely.