President Barack Obama’s rollout of privacy and data security policies Monday offered big promises to protect consumer information online, but the reality is his legislative ideas are a long shot in Congress and his voluntary industry initiatives lack enforcement teeth.
The package of proposals — including a data-breach notification law and a privacy bill of rights — are mostly a rehash of previous administration proposals. While some lawmakers have expressed interest in data breach and student privacy bills, such legislation has made little progress in the past. Congress has even less enthusiasm for the base-line privacy bill that Obama says he will release in coming weeks.
The president’s announcement comes on the heels of the high-profile Sony hacking case and after a year of major retail hacks that compromised millions of Americans’ credit cards. But the glacial progress of privacy and data security legislation shows just how difficult it has been for Washington to come up with workable new laws in this area.
In a 15-minute speech at the Federal Trade Commission, Obama previewed proposals that will be part of his State of the Union address on Jan. 20. Pressing Congress to take action, the president led his speech with recent headlines from the Sony hack.
“This mission, protecting our information and privacy in the information age, this should not be a partisan issue,” Obama said. “It’s one of those new challenges in our modern society that crosses the old divides — transcends politics, transcends ideology. Liberal, conservative, Democrat, Republican, everybody is online, and everybody understands the risks and vulnerabilities as well as opportunities that are presented by this new world.”
White House press secretary Josh Earnest later put it more bluntly. “I do think that, certainly, in the aftermath of some of the more recent cyberattacks we’ve seen that have been carried out against a number of private companies, including most recently Sony, hopefully that got the attention of people on Capitol Hill,” he said.
Obama’s data-breach proposal would impose a national standard for companies to notify consumers, in the event their information is stolen or compromised, within 30 days of the discovery of an incident. His student privacy bill, modeled on a California measure, would impose new restrictions on companies that collect or store student data while providing products and services to K-12 schools.
The president also announced that JPMorgan Chase and Bank of America are joining a list of firms making credit scores available for free to consumers to combat identity theft, the top consumer complaint for 14 years running at the FTC.
Some privacy advocates, while bullish for laws that will tighten consumer privacy, remain skeptical that Obama’s push will have any oomph behind it, seeing it more as a public relations maneuver designed to reassure European privacy officials as they work to complete a trade deal by the end of the year.
“An unannounced but intended audience for the administration’s plan is to remove a serious obstacle to its plans for a U.S.-EU trade deal, known as TTIP,” or the Transatlantic Trade and Investment Partnership, said Jeff Chester, executive director of the Center for Digital Democracy. Consumer privacy has been one of the sticking points with EU officials who worry that the U.S. doesn’t have a comprehensive privacy framework.
There is some support for a data-breach bill in the new Congress, and industry groups and the FTC have long pressed for a federal law to streamline the 49 different state breach rules they have to follow. Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) say they are already working on a data-breach bill.
“There has been consensus and a call from many in the business community several years running for data-breach legislation,” said Stu Ingis, a partner at Venable and counsel to the Digital Advertising Alliance, which represents several marketing and advertising groups.
But such legislation has repeatedly run into fears that a federal standard would weaken stricter rules enacted by states — a theme some privacy advocates hit again Monday.
“The Personal Data Notification and Protection Act would pre-empt stronger state laws and contains no private right of action,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. He said the president’s student privacy plan “looks promising,” adding the country ultimately needs a more comprehensive approach to online privacy issues.
“The White House announcement is a step in that direction. But more needs to be done,” Rotenberg said.
Obama touted the 75 education tech companies that have voluntarily committed to keeping student data private, including Microsoft. Apple, which did not sign on initially, has now committed to the pledge. But other major players in the ed tech market, including Google and Pearson, are still not listed as signatories.
Concerns over student privacy have grown steadily as the use of online tools has exploded in classrooms. Ed tech companies can scoop up millions of data points on each child by monitoring them as they click through digital textbooks, educational games and online homework assignments. They can build detailed profiles of students’ academic ability — and also of their cognitive skills, including their learning styles.
The prospect of such intimate information being mined for possible commercial gain has mobilized parent privacy activists from across the political spectrum.
The administration has eyed privacy and data security measures since the president’s first term and proposed a national data-breach standard as part of a cybersecurity proposal in 2011. It unveiled a blueprint for a consumer privacy bill of rights in 2012.
Some parts of the tech industry said the president should have broadened his proposal to include surveillance reform, a key issue for Internet companies following Edward Snowden’s leaks about the National Security Agency.
“The president missed an opportunity to address the continued push by law enforcement and intelligence agencies to weaken security for the purpose of surveillance,” said Daniel Castro, senior analyst for the Information Technology and Innovation Foundation. “These actions threaten the competitiveness of the U.S. tech sector and discourage consumer confidence in digital products and services.”