The 2012 elections are over. And it is time to assess the implications for privacy and cybersecurity in Washington and beyond.
With the continuation of a divided government – a Democrat in the White House, Republicans in control of the House, and Democrats in control of the Senate – for the next two years, many think the country in general is in for “more of the same” when it comes to politics, public policy and lawmaking.
So, is that the case on the issues of privacy and cybersecurity? Will we see more of the same in the Executive Branch, at the Federal Trade Commission, and on Capitol Hill? Certainly the challenges to the protection of data and critical infrastructure are growing, as are media and public awareness of these issues. Given that dynamic situation, will lawmakers and regulators maintain the status quo, make incremental changes, or will they move in a different direction with respect to these issues?
Our view is that:
- The Obama Administration will continue its multi-stakeholder effort geared towards the development of codes of conduct, augmenting a privacy bill of rights that it will support in proposed legislation and on the international stage.
- The FTC will remain under Democratic leadership, but with a new head of the Division of Consumer Protection and most likely with a new Chair. Significant enforcement actions, the use of the “bully pulpit,” and leadership in exploring knotty privacy issues will continue to characterize the FTC’s privacy and data security agenda.
- On cybersecurity legislation, it’s unclear whether the White House and key congressional leaders will refocus cybersecurity legislative efforts on a narrower set of consensus topics, or if the Senate leadership’s commitment to comprehensive legislation will continue. A widely-expected Executive Order will, if issued, provide a political opening for directional change.
- Developments in the news will continue to influence the privacy and cybersecurity agenda for policymakers. A major data or cyber incident has the potential to alter the focus and priorities on Capitol Hill, at the FTC and in the Administration.
With the Republicans in control of the House, congressional action on privacy is still likely to be mostly through the oversight and hearing function than through an aggressive push for new legislation. For example, two days after the election, a bipartisan group of lawmakers, including Reps. Edward J. Markey (D-MA) and Joe Barton (R-TX), Co-Chairs of the Congressional Bi-Partisan Privacy Caucus, released responses to letters sent to nine major data brokerage companies.
While fiscal issues are expected to dominate the new Congress, agenda items for the 113th Congress could include cybersecurity legislation. Cybersecurity risks to national and economic security are increasingly well documented. Depending on the contents of and reaction to the Administration’s expected Executive Order, a renewed attempt at cybersecurity legislation is quite possible.
There is significant momentum for an update of the 1986 Electronic Communications Privacy Act (ECPA). The fact that law enforcement has access to personal data stored in the Cloud, and with third parties generally, with less-than-complete legal protections is the main impetus for reform. However, law enforcement is applying counter-pressure to ensure it is not deprived of investigative information.
Do Not Track (DNT) legislation may resurface and gain momentum. So far online privacy has largely been left to self-regulation. Within the past year or so the World Wide Web Consortium (W3C) established the Tracking Protection Working Group and launched work to standardize DNT opt-out tools, even as the US-based marketing industry coalesced around the Digital Advertising Alliance. However, Internet companies and privacy groups disagree about how tight DNT controls should be. Congress could take action if a stronger consensus fails to emerge.
–Acknowledgements to Christopher Wolf, Harriet Pearson, Lance Bultena, Dan Solove and Sachi Jepson for their contributions to this Analysis