The United States faces a data-privacy crisis, and this crisis has created a groundswell of support for new data-protection laws, witnesses told members of the Committee on House Administration on Feb. 16.
Data privacy is one of the critical challenges of the digital age; consumers are frustrated by the frequency of data breaches and the lack of accountability in the misuse of personal information, technology companies are overwhelmed by the tsunami of new data-protection obligations and growing restrictions on personal information usage, and all are confused by the multitude of ever-changing laws and regulations.
“Without clear and enforceable data protection rules, there has been widespread overcollection, abusive data practices, and targeting that threatens our rights and institutions. Robust data privacy standards are essential to ensure the protection of human rights, human dignity, and the healthy functioning of our democracy,” said Caitriona Fitzgerald, the deputy director for the Electronic Privacy Information Center.
Comprehensive data-privacy legislation places responsibilities on organizations that collect personal data and gives rights to the individuals whose data is collected. Fitzgerald told Committee members that privacy legislation should include:
- Strict data collection and use limitations
- Data minimization and deletion requirements
- Transparency about business practices
- Purpose specification
- Access, correction, and deletion rights
- Data accuracy
- Confidentiality and security requirements
- Compliance and accountability
“Privacy legislation should [also] protect against discriminatory uses of data and extend civil rights protections online. The law should also prohibit predatory data collection practices and uses that target marginalized communities,” Fitzgerald said.
Some witnesses acknowledged that several state lawmakers, largely in response to Congressional inaction, have proposed various privacy laws to regulate the collection and use of personal data.
However, these laws “create confusion for consumers and impose significant costs on businesses … and undermine their ability to responsibly use data to innovate and deliver value to consumers,” Daniel Castro, vice president for the Information Technology and Innovation Foundation, said.
Congress needs to establish a national privacy framework, he added.
Additionally, Castro advised Committee members that although the United States needs a comprehensive Federal data-privacy law, “it should not back away from the light-touch approach it has historically taken to regulating the digital economy.”
“Instead of pursuing a broad, European style data-privacy law that would impose significant costs on the U.S. economy, Congress should craft targeted legislation that creates a national privacy framework that establishes basic consumer data rights, preempts state laws, ensures reliable enforcement, streamlines regulation, and minimizes the impact on innovation,” Castro said.
Castro told members that Federal data-privacy legislation should:
- Establish basic consumer data rights,
- Establish uniform privacy rules for the entire nation by preempting state and local privacy laws,
- Ensure there is robust and reliable enforcement of Federal privacy law,
- Repeal and replace potentially duplicative or contradictory Federal privacy laws, and
- Minimize the impact on innovation.
GPO’s Approach to Protecting PII
As the official source for producing, preserving, and distributing official Federal publications for Congress, Federal agencies, and the public, the Government Publishing Office (GPO) understands firsthand concerns regarding privacy, especially as it continues to digitize every Federal document in its archives.
“Because we have made this information more accessible, the threat from the use of that information has also exponentially increased,” said Hugh Halpern, director of the GPO. “Changes in technology continue to drive concerns about the ease with which personal information is available.”
For GPO, this creates a dual challenge: keeping current with the most effective strategies to protect personally identifiable information (PII) while also devising flexible solutions to PII disclosure challenges, especially when dealing with PII that was not protected during the initial publication of documents already in circulation and/or digitized.
GPO has devoted a considerable amount of time, attention, and resources to securing and protecting that information, especially as it continues to digitize every Federal document in its archives.
“While we haven’t caught every single instance of PII appearing in the electronic copies of congressional publications before making them available to the public in electronic form, we have the infrastructure in place to systematically discover and remediate PII on an ongoing basis,” Halpern said.
However, he emphasized that even when GPO is “immensely successful in redacting PII … it is unlikely that sensitive PII information will vanish completely from the Internet.”