The Commerce Manufacturing and Trade Subcommittee approved legislation yesterday that would strengthen the security of consumer data, while also making two important changes crucial to the conduct of marketing research in the United States.
At the urging of the Marketing Research Association (MRA), Representatives Marsha Blackburn (R-TN-07), Pete Olson (R-TX-22), Cliff Stearns (R-FL-06), and Mike Pompeo (R-KS-04) made amendments to the "Secure and Fortify Electronic (SAFE) Data Act", H.R. 2577, during yesterday's markup.
The Act, sponsored by Subcommittee Chairwoman Mary Bono Mack (R-CA-45), would establish uniform national standards for data security and data breach notification. It would regulate both for-profit and non-profit organizations, forbid private lawsuits, and preempt the patchwork of 47 different state data security laws. (MRA members can read extensive cross-comparisons of federal data security bills here).
The Subcommittee markup session started late and with partisan acrimony, but the Members eventually turned to two amendments strongly supported and endorsed by MRA.
Reps. Olson and Blackburn proposed an amendment to limit the Federal Trade Commission's (FTC) ability to modify the Act's definition of "personal information". (See a copy of MRA's letter of endorsement for the Olson-Blackburn amendment). The Act as introduced would give the FTC extraordinary rulemaking powers under the Administrative Procedures Act (APA), which the FTC leadership has stated they would use to dramatically expand the definition to include anything personally-identifiable, including most research data. The Act’s definition, in Sec. 5(7), already includes the common standard data and combinations that could lead to criminal abuse of consumers, and it is very difficult to go beyond that standard without sliding down a slippery slope where almost any piece of information could ultimately be included in the FTC's definition of “personal information”.
Subcommittee Ranking Member G.K. Butterfield (D-NC-01) spoke in opposition, saying that the FTC needs "discretion" not restrictions in grappling with privacy and data security. Rep. John Dingell (D-MI-X) further stated that the FTC's regular Magnuson-Moss rulemaking procedures would not be able to protect consumers from "sharpshooters and rascals" and Rep. Bobby Rush (D-IL-01) contended that it would take the FTC at least 10 years under their regular rulemaking procedure to write regulations for the Act.
In response, Rep. Blackburn pointed to a Wall Street Journal article saying that federal regulatory agencies are already overburdened with rulemakings and cannot begin to grapple with their existing load. Rather than adding to the FTC's regulatory burden, she proposed, "Let's be definitive".
After giving a shout-out to MRA for endorsing the amendment, Rep. Olson pointed out that the definition of "personal information" in the Act is consistent with 46 different states' definitions in their data security laws.
The Olson-Blackburn amendment passed by voice vote.
Later, the Subcommittee considered another amendment MRA helped with and endorsed, from Reps. Stearns and Pompeo, to prevent FTC rulemaking authority on the "data minimization" provisions in the Act. (See a copy of MRA's letter of endorsement for the Stearns-Pompeo amendment). As a broad principle, not collecting or maintaining more data than necessary to fulfill a given purpose makes sense. However, data collection limits and retention periods specifically directed by the FTC could be intensely problematic. Reps. Stearns and Pompeo agreed with MRA that such decisions are best left to businesses themselves, at least for now.
Ranking Member Butterfield complained that the amendment sought to hamper an already hampered agency in doing its job. He also questioned the need for the amendment since the bill doesn't specify that the FTC should write such rules. Rep. Stearns countered that the FTC testified during the last hearing on the SAFE Data Act that the agency would plan to write such rules and felt that the Act gave them such authority.
The Stearns-Pompeo amendment on "data minimization" also passed by voice vote.
In dealing with the remaining amendments, Subcommittee Chairwoman Mary Bono Mack said she was trying to reach the "sweet spot where you try to do the right thing but don't want to go too far":
- An amendment from Rep. Waxman, which would have added online-posted photos and videos to the definition of "personal information", including those posted on Facebook and Twitter, failed by a vote of 5 to 10.
- Rep. Kinzinger offered two amendments, which would have added the combination of email and password to the definition of "personal information" and exempted small businesses from the Act. He withdrew both amendments.
- Ranking Member Butterfield offered an amendment which would have added children's location data to the "personal information" definition and encouraged the FTC to expand the definition to include all manner of related information regarding minors. Chairwoman Bono Mack pointed out that location and minors data would be better addressed during a longer data privacy debate. The amendment failed by a vote of 4 to 11.
- An amendment from Rep. Rush added paper records to the data covered by the Act, instead of just electronic data. His amendment was agreed to unanimously.
- Another Rush amendment would have eliminated the exemption for "public information". The Chairwoman pointed out that such an exemption is standard, even in the privacy-leading state of California. Rep. Rush retorted that "I love California, but it isn't the gold standard" for data security and data privacy. Rep. Stearns pointed out that the data is available to everyone and asked, "What's the harm?" After Rep. Rush pointed out that such data can be illegally obtained, Rep. Stearns clarified the definition of public information in the Act for him, noting that it is "information about an individual that is lawfully made available to the general public from Federal, State, or local government records." Rep. Rush's amendment failed by voice vote.
- Rep. Stearns offered and then withdrew an amendment to clarify when notice of a breach should be given. It will be further discussed behind closed doors.
- Rep. Rush's amendment in the nature of a substitute, which would have replaced the SAFE Data Act entirely with Rush's most recent data security bill, H.R. 1707, was defeated by a 9 to 10 vote.
- Rep. Jan Schakowsky (D-IL-09) offered an amendment to add over-the-counter drug purchases and other healthcare-related data to the definition of "personal information". Chairwoman Bono Mack asked "How could combining my name with the fact that I bought an over-the-counter drug result in identity theft?" The Schakowsky amendment failed by a 6 to 10 vote.
While the SAFE Data Act was originally expected to swiftly go to markup at the full Energy & Commerce Committee next week, it may be delayed until sometime in September, given the divisions and concerns exposed at the hearing.