With early voting already underway, Republicans are poised to make very significant gains in both the House of Representatives and the Senate on Nov. 2. Current polling trends are pointing to divided government in 2011, with Republicans narrowly winning the House, and Democrats holding the Senate by a razor thin margin. These changes in the composition of Congress and the possible Republican control of the House committees will have important impacts on privacy and data security legislation. In the near term, financial institutions and other organizations can expect a waned enthusiasm for these issues as both respective parties deal with the resultant legislative gridlock that divided government will bring.
In the House -- leadership likely to change
What would Republican control of the House imply for the tech industry? Among the most important implications, the GOP would chair the House committees. For privacy and data security legislation, this would be most significant with respect to the powerful House Energy and Commerce Committee, which has jurisdiction for more than half of the legislation that moves through Congress. Conventional wisdom originally held that current chair, Henry Waxman (D-Calif.), would be replaced by ranking Republican and former Commerce Committee chair Joe Barton (R-Texas). However, after Barton's BP gaffe and term limit rules, he has considerable obstacles in his path. Other Republicans vying for the top spot on Commerce include Fred Upton (R-Mich.), Cliff Stearns (R-Fla.) and John Shimkus (R-Ill.). Upton is the present favorite to head the committee.
Substantively, how might this potential change in leadership affect the present privacy agenda? Currently, there are two privacy bills pending in the 111th Congress, but a lead bill has yet to emerge. A Republican-led House is less likely to show enthusiasm for privacy measures that could stifle business innovation, but if they do address this issue, the Republicans are likely to show a preference for the one that is less regulatory.
- Boucher-Stearns Discussion Draft: The Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) discussion draft bill would require websites to specify how they are using Web users' information and with whom it is being shared, or they will face sanctions by the FTC. It would allow consumers to opt-out of behavior-based advertising, and require express permission from individuals in order for companies to share personally-identifiable information with unaffiliated third parties, and to collect sensitive information, such as medical records, financial accounts, Social Security numbers, sexual orientation and precise geographic location information.
- Best Practices Act: Bobby Rush's (D-Ill.) H.R. 5777 would require companies to notify individuals of the type of information they are collecting and why, or face sanctions by the FTC. The legislation would require companies to provide individuals with an opt-out option and obtain consent before collecting, using or disclosing sensitive information, but would exclude from its requirements companies participating in an FTC-approved Safe Harbor Self-Regulatory Choice Program.
Both bills appear to work in tandem with the industry's self-regulatory efforts, but the Boucher-Stearns bill is more likely to advance in a Republican-led House because of the additional regulatory enforcement power given to the FTC in Rush's bill. Moreover, the Boucher-Stearns bill is co-sponsored by Stearns, who is vying for the Commerce Committee chairmanship and is likely to obtain another committee leadership post if he loses his chairman bid.
In the Senate -- leadership change unlikely
Odds are that Republicans are much less likely to gain control of the Senate than the House. Further, the key Democratic advocates for privacy and cyber security matters, including John Kerry (D-Mass.), Jay Rockefeller (D-W.Va.), Joe Lieberman (I-Conn.) and Mark Pryor (D-Ark.), are not up for re-election in the 2010 cycle. Thus, on the Senate side, the chamber will probably not face a complete leadership change; rather, voting margins in the Senate are likely to narrow, causing increasing legislative stalemates. Despite these challenges, the Senate Democrats will probably continue to push the privacy and data security legislation currently on its agenda:
- Privacy: On July 27, Kerry announced he would pursue an online privacy bill in the Senate, pledging to go beyond targeted advertising to include new, baseline standards for privacy protection.
- Cybersecurity: Senator Lieberman's bill, S. 3480, is viewed as the comprehensive lead bill among many cybersecurity legislative efforts to combat the looming threat of cyberterrorism. S. 3480 has implications for both the government and private sectors. However, this bill remains on hold because Majority Leader Reid (D-Nev.) has yet to settle the long-standing dispute over which federal agency should have authority over private sector cybersecurity. There were speculations that this bill would be considered in a lame duck session of Congress, given its importance to combating cyberterrorism, but recent releases by Republican Congressional aides indicate that this item will be slated for 2011.
- Data Breach: The Data Security and Breach Notification Act of 2010, S. 3742, by Pryor and Rockefeller, is a companion piece of legislation to another bill of Rep. Rush, H.R. 2221. The bill creates a national standard for personally identifiable information and permits state AG enforcement (as well as federal enforcement) of the new standard.
Legislative gridlock may spur regulatory action
A Republican House coupled with a nominally Democrat-led Senate and a Democrat in the White House, is a formula for certain gridlock on Capitol Hill if, as many predict, Republicans aim to block legislative progress for the next two years in order to deprive the President of significant achievements on which to campaign in the 2012 election cycle. Privacy and cyber security matters (other than as they impact homeland security) are third-tier political issues, far behind the economy, health care, education, immigration and terrorism. Congress also may need to pare down its ambitious privacy and cyber security agenda as it slogs through the potentially contentious quagmire of the 2011 budget, taxes (income and estate) and the president's jobs initiatives. However, there is at least a belief that gridlock on the large issues might result in progress on some legislation that is more core and less controversial.
Most likely, in the event of a divided Congress, the president would ramp up his reliance on the federal agencies. Presently, there are many privacy and cybersecurity measures pending before regulatory agencies such as the Federal Trade Commission, the Federal Communications Commission, the Department of Commerce, the Department of Energy and the Department of Health and Human Services (and once the Consumer and Financial Protection Bureau staffs up, we can expect to see privacy and cyber security measures pending before that body as well). Expert agency priorities may also assist with the legislative process. For example, because privacy is a top agenda item for the FTC (with its omnibus privacy report soon to be issued), consumer groups, and even businesses (and trade associations representing them), all groups are starting to acknowledge the benefit to certainty and uniformity on some issues. The definition of personally identifiable information, the regulatory treatment of behavioral advertising and security in the cloud, are all becoming less politicized as business practices dictate the need for regulatory certainty.
Thus, as the 2010 midterm elections approach and then the incoming crop of legislators move from campaign mode to governance, it seems likely that privacy and data security legislation will continue to be among the many issues confronting elected and appointed officials in Washington. The priority they will be given in the cacophony that will likely prevail in the next two years will depend on the breadth, severity, and duration of the stalemate that might result on Capitol Hill in the event of divided government and the extent to which relevant expert agencies can successfully elevate the issues to a less politicized status.
About the authors:
Judith Harris, Christopher Cwalina, and Amy Mushahwar are attorneys at the Washington, D.C. office of Reed Smith LLP, an international law firm. The authors are members of the firm's Data Privacy, Security and Management practice and regularly advise clients on regulatory issues pertaining to data privacy and information security.