Data privacy: urgent need for federal legislation as ‘patchwork’ laws raise risks for businesses and consumers in US

Ruth Green, IBA Multimedia Journalist
Wednesday 16 February 2022

The absence of a national US data privacy law has made the country a global outlier. As more states vie to fill the legislative gap, there’s concern the lack of federal legislation could jeopardise US competitiveness and its position as a world leader on data protection and privacy issues.

‘The United States needs a federal privacy law,’ says Julie Brill, Microsoft’s Chief Privacy Officer and Corporate Vice-President for Global Privacy and Regulatory Affairs. For Brill, who has three decades of data protection and privacy expertise under her belt, the argument is crystal clear: as the EU’s General Data Protection Regulation (GDPR) established a global benchmark for privacy regulation and prompted many countries to overhaul their own privacy laws, the US has no choice but to follow suit. ‘Brussels is already there of course, through GDPR, and we see Brazil adopting a very robust law,’ she says. ‘We see India moving forward soon with a robust law. Even China has a very robust law, so global norms are going to be shaped.’

Without established ‘rules of the road’ on privacy that align with other jurisdictions, Brill fears US businesses will find it increasingly difficult to interact with companies in other parts of the world. ‘For US companies and for US policymakers, the adoption of a privacy law is going to be important for the United States’ ability to compete,’ she says. ‘It’s really important for US competitiveness and for the benefit of US customers to be able to continue to participate in the global economy.’

Brill is also concerned that the lack of a unified domestic approach could hamper the country’s ability to drive global policy and standards in this space. ‘In the absence of a cohesive federal policy that’s spelled out in some kind of a law, the US is going to continue to be missing from the thought leadership table on data protection and privacy issues.’

Jessica Lee, Chair of the IBA Cybersecurity and Surveillance Committee and Co-Chair of the Privacy, Security & Data Innovations at Loeb & Loeb in New York, agrees there’s an urgent need for federal privacy legislation. ‘There is value in having a national standard for privacy,’ she says. ‘Our patchwork approach to privacy leaves gaps in privacy obligations that could be addressed by a comprehensive federal privacy law. These gaps create uncertainty for businesses and leave consumers unprotected.’

In lieu of federal legislation, states have stepped into the breach. In early February, Massachusetts state lawmakers progressed a digital privacy bill that aims to give residents more autonomy over their online personal information. If it passes, it’ll become the fourth state after California, Colorado and Virginia to push through its own comprehensive privacy legislation. Dozens of other states have bills waiting in the wings.

Brill is encouraged by states’ efforts to fill the gap left by the federal government. ‘It’s really noteworthy that what they’re doing is precisely what I think the federal government needs to get better at, which is understanding that they’re not going to get it perfect right away and that this is a process – especially when you’re dealing with something that is so central to the rights that individuals have – which is around privacy.’

She praises the particularly bold moves by Californian lawmakers to experiment and revise legislation. ‘In California, there was actually an iteration improvement upon the California law by enacting a second law before the first one ever became effective,’ says Brill. ‘That’s how quickly the states are thinking and moving and how impactful they will be as they continue to think about iteration. It’s just a great example of the state perspective that this isn’t “one and done”.’

Adam Rose, Chair of the IBA Data Protection Governance and Privacy Subcommittee and a partner at Mishcon de Reya in London, agrees that the moves by California and other states are promising. ‘California has adopted a law, which in some regards is more European than the [GDPR] in terms of giving rights to individuals,’ says Rose. ‘If you think of California, its economy is about as big as Europe and it’s the birthplace for loads of technology companies. California has turned around and said [the GDPR provides] a decent balance and it ought to have something like that.’

However, Lee says the state-by-state approach so far has not been in the best interests of companies or consumers. ‘Your right to privacy and access to privacy rights should not depend on the state that you’re located in,’ she says. ‘Leaving privacy to the states may result in different, varying definitions for personal information, different business obligations, and privacy rights that share common themes, but that differ across states. It’s inefficient and burdensome for businesses that will struggle to create a “one size fits all approach” and it creates confusion for consumers.’

Keen to avoid this compliance patchwork headache, Big Tech has been broadly supportive of recent proposals for a harmonised national approach. Growing concerns over data privacy and security have also swayed public opinion on the matter. In a recent poll by Morning Consult and Politico, 56 per cent of registered voters supported the prospect of federal privacy legislation.

In light of upcoming political events and competing priorities, neither Brill nor Lee hold out much hope of the federal government passing privacy legislation this year. However, Brill is already encouraged by the increased level of bipartisan support in this area. ‘I am seeing more bipartisan collaboration and cooperation in privacy than I’ve really seen in my entire career in this space.’
