On January 20, 2015, President Obama will address Congress with his annual State of the Union report. On Monday, the president spoke at the Federal Trade Commission, providing a “sneak peek” of the privacy and cybersecurity agenda that he intends to set.
Of the United States, the president remarked:
“We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.”
The president’s proposals were set forth in additional detail in a fact sheet.
The proposals include introduction of a “Personal Data Notification & Protection Act” to set a national, pre-emptive standard for data security notification. Aside from a change of the deadline to notify from 60 to 30 days after discovery, the proposal sounds similar to that proposed by the president in May 2011.
However, bills setting forth pre-emptive national data security breach notification requirements were put before the Senate and the House in the 113th Congress, and never got beyond committee.
While the case for a national, pre-emptive data security breach notification law is sound, we would expect state attorneys general to resist full pre-emption of their authority and to press for preservation of a significant enforcement role, as they have under HIPAA and COPPA. The attorneys general offered significant resistance to prior pre-emption efforts in other similar legislation.
The president also intends to introduce another so-called “Consumer Privacy Bill of Rights.” The administration has floated the idea of a “Consumer Privacy Bill of Rights” since the Commerce Department issued a green paper on privacy in 2012. A Consumer Privacy Bill of Rights was most recently introduced in May 2014, with S.2378 – the Commercial Privacy Bill of Rights Act of 2014. S.2378, like its predecessor S.799 in the prior Congress, was read twice and referred to committee. No further action was taken in either Congress. Notably, both S.2378 and S.799 were introduced to Senates controlled by the president’s own party, an advantage the White House no longer enjoys.
The White House also described its efforts to lead the creation of voluntary codes of conduct for privacy matters in the energy industry, and to push for stricter safeguards for information in the education sector. These smaller, less categorical initiatives may have a better chance of coming to fruition. However, the State of the Union, and Republican response to it, will provide a useful gauge of whether, as the president told Monday’s audience, the privacy and security of consumer information is really an issue that “transcends politics, transcends ideology” in the Washington, D.C. of 2015.