WASHINGTON — Almost two years after the Equifax breach led to a congressional uproar but minimal policy change, the protracted fight to enact data security and privacy reform has a new flashpoint: Facebook's cryptocurrency plan.
A data security bill has eluded lawmakers for years. Criticism of Equifax was fierce after the credit bureau disclosed that the personal information of roughly 148 million Americans had been compromised. Lawmakers pushed measures from breach notification standards to penalties for companies targeted by a breach. But despite the loud calls for federal data protections, little came to fruition.
Yet Libra, the digital currency Facebook says will be on its platform within a year, has reinvigorated the issue.
"Libra and Facebook provides a new catalyst” for Congress to get back into the data privacy and security fight, said Edward Mills, a policy analyst at Raymond James.
During a Senate Banking Committee
Sen. Sherrod Brown, D-Ohio, said in a brief interview outside the hearing that despite the Equifax breach, "this committee has done virtually nothing on dealing with those issues."
“We should have done it with Equifax much more quickly,” Brown said. “We don’t really know how to do it yet with Facebook, but we will.”
Speaking to reporters, Sen. Tina Smith, D-Minn., said the "scale" of Libra worries her as well as "the many, many questions it raises about personal privacy, how they are going to use this data."
"We know their whole business model is using data in order to make money," Smith said. "I think the issue of data privacy is really huge and we need some sort of a standard."
Independent of Facebook's cryptocurrency project, stronger privacy protections has been a particular area interest for Crapo, who despite leading the committee's agenda is at times muted about his policy priorities.
Both he and Brown have recently focused on the ability of
"Individuals are the rightful owners of their data. They should be granted a certain set of privacy rights, and the ability to protect those rights through informed consent, meaning full disclosure of the data that is being gathered and how it is being used," Crapo wrote in an op-ed for Fox News. "We need to establish obligations for data collectors, brokers and users, and implement an enforcement system to ensure the collection process is not abused, and that data is appropriately protected."
However, the likelihood of Congress enacting sweeping data security or privacy protections anytime soon is small. But observers say Crapo could be preparing for a future legislative push.
Crapo's comments show "his leadership interest in working in a bipartisan way," said Quyen Truong, a partner at Stroock & Stroock & Lavan. "I think that there is an interest in crafting a bill soon, but it essentially is to pave the way for adoption maybe in the next session. It would be ambitious to try to get to the finish line in this session.”
Truong said a reaching broad agreement is difficult among lawmakers spread across multiple committees.
“There is a lot of effort on all fronts from members of Congress and stakeholders advocating for federal legislation,” said Truong. “But the challenge is coming to a consensus position, because you have such a wide range of views and different formulations for the legislation.”
One of the debates still surrounding data privacy legislation has been whether a federal standard to protect consumers' information should preempt state protections. Consumer advocates fear that if Congress were to set a federal standard for consumer privacy and data protection, it would weaken standards in states such as California.
“When we’ve seen advances in consumer protection they usually start from the states, and oftentimes it is California,” said Chi Chi Wu, a staff attorney at the National Consumer Law Center. “The states are the laboratories of democracy. They are the ones who are more on the ground and more responsive to the needs and desires of consumers.”
Republicans, on the other hand, likely won’t support any bill without a single, federal standard.
“I think it will make it a lot easier for people and businesses to comply with if we have a single standard as opposed to 50 different standards,” Sen. John Kennedy, R-La., told American Banker Thursday. “It’s just common sense to me that if you have a single standard, it’s easier, cheaper, more efficient and more effective.”
Amanda Lawrence, a partner at Buckley who has counseled clients on California’s consumer privacy laws, added that preemption will be necessary in order to pass any bills in the data privacy arena.
“The issue is important enough to Republicans that preemption language will likely be necessary to pass any bill through Congress,” she said.
Even some Democratic senators are warming to the idea of a federal consumer privacy standard with preemptive power.
Sen. Doug Jones, D-Ala., said the differences between state laws surrounding data privacy and consumer protection warrant consideration of federal standards.
“I think given the differences, it’s something we ought to seriously look at,” Jones said in an interview Thursday.
Sen. Brian Schatz, D-Hawaii, told American Banker he is creating a federal standard that would ensure strong consumer protections. But he warned that federal data privacy and security standards should not weaken strong state laws.
“I am working on that. … I think the balance with preemption is relatively straightforward,” Schatz said Thursday. “The question becomes, is the federal law strong enough to justify the preempting of legislatures? If it’s strong enough, I’m all for it. If it’s weak, I would rather see individual legislatures empowered to make policy.”
Sen. Chris Van Hollen, D-Md., echoed Schatz’s sentiment.
“There are benefits to a uniform system but you also want to make sure that you have adequate protections,” Van Hollen said Thursday. “So I worry about preemption in some cases. Again, it all depends on how you write the federal standard.”
The issue is likely to come up at hearings next week focused on Facebook's cryptocurrency project in both the Senate and House. David Marcus, head of the Facebook digital wallet known as Calibra, is scheduled to testify.
Lawrence said lawmakers will likely debate whether consumers should be able to opt out of having their data sold to third parties.
“I think the first issue is whether consumers can opt in or opt out of having their data sold to third parties, with attention also paid to whether consumers have the right to know what information is being collected about them,” Lawrence said.
Wu added that there will likely be a debate over how consumers can seek redress if their information is misused.
“Without the ability for consumers to seek redress by themselves, [data security standards] can often be toothless,” Wu said.
Some lawmakers say it is still too early to determine the best legislative approach to give consumers more control over their data and more privacy protections.
“I am glad Chairman Crapo and Ranking Member Brown are having the hearing next week,” Sen. Catherine Cortez Masto, D-Nev., said Thursday in an interview with American Banker. “We are just starting the discussion. So I want to see how it plays out and we need to have further discussion on this issue. It is an important topic.”
Even with the bipartisan interest in addressing data privacy and security concerns in the wake of Facebook’s Libra proposal, some analysts are still skeptical that it will be enough for Congress to come to an agreement on a solution.
“I think we are still a scandal or two away from Congress actually acting,” Mills said.
He added that House Speaker Nancy Pelosi, D-Calif., likely wouldn’t allow for a vote on any data privacy and security protections that weaken rules in her home state.
“Nancy Pelosi as speaker of the House is not going to pass legislation that weakens consumer protections in her home state,” Mills said. “There is also the fact that we are headed into a political season. Members of both parties are usually reluctant to give a victory to either side in an election season. They’d rather have the issue than the solution.”