Getty Images/iStockphoto
Data privacy legislation delayed as backlash grows
Multiple stakeholders raised issues with the American Privacy Rights Act, including removal of protections against algorithmic auditing.
Listen to this article. This audio was generated by AI.
The U.S. House Committee on Energy and Commerce canceled Thursday's markup of the American Privacy Rights Act of 2024 due to intense criticism from civil liberties groups.
Earlier this week, more than 50 civil liberties organizations petitioned the committee to postpone the markup of the data privacy legislation and restore civil rights protections against algorithmic auditing that had been removed from the draft legislation. A committee markup is when lawmakers debate and amend bills before possibly sending them on to the full House for action.
A letter signed by organizations including the Leadership Conference on Civil and Human Rights, the American Civil Liberties Union (ACLU), the Center for Democracy and Technology, and the Electronic Privacy Information Center asked for more time for stakeholder input on the federal data privacy legislation.
"The deletion of these provisions is an immensely significant and unacceptable change to the bill and its scope," the letter said. "Failing to include sufficient safeguards means Congress will leave all people in America unprotected from harmful AI technology."
Indeed, the civil rights protections cut from the most recent American Privacy Rights Act (APRA) draft would have prohibited the use of AI or algorithmic systems from discriminating against people in housing, credit or financial decisions, said Cody Venzke, senior policy counsel for surveillance, privacy and technology at the ACLU.
Cody VenzkeSenior policy counsel, American Civil Liberties Union
"One of our chief goals would be to ensure that those civil rights provisions are restored so that the bill can be as strong in protecting people as possible," he said.
Following the markup hearing's cancellation, Committee Chair Rep. Cathy McMorris Rodgers (R-Wash.) said the committee will continue its pursuit to provide U.S. residents with data privacy rights. McMorris Rodgers said in a statement that commercial data surveillance is fueling the data privacy problem and points to the need for federal data privacy legislation.
"Nearly every data point imaginable is being collected on us with no accountability," McMorris Rodgers said. "They are using our data against us, sowing division, manipulating truth, and diminishing our personal identities. We cannot continue down this path. The American people are asking Congress to step up and pass a privacy bill. It is foundational to our future and the next generation."
The APRA markup has yet to be rescheduled.
Stakeholders raise multiple issues
The APRA aims to establish foundational data privacy rights for Americans, as well as create oversight and enforcement mechanisms. The draft data privacy legislation also wants to implement transparency, privacy by design and data minimization requirements for companies.
However, the APRA not only leaves out protections against data discrimination, but also creates a loophole exempting data collected and processed on devices, said Alexandra Reeve Givens, president and CEO of the Center for Democracy and Technology, in a statement.
The ACLU's Venzke said the new carve-out in the draft data privacy legislation for on-device data could be problematic by ultimately sidestepping protections the bill is trying to establish.
"A company could very easily place an advanced algorithmic system on your phone and use the data on your device already to make decisions," he said. "That exception would not eliminate harms -- it would simply move where they're occurring."
Some organizations also questioned how the data privacy legislation would preempt stronger state laws like those in Colorado and Illinois. The Electronic Frontier Foundation issued a statement that said federal data privacy legislation should not roll back state privacy laws, a sentiment echoed by the ACLU.
"We are very concerned about the ways APRA will displace state privacy laws," Venzke said. "States have an important role in identifying areas that need slightly stronger protections."
However, some support a federal data privacy law preempting the patchwork of state privacy laws that create varying rules for businesses to follow. In a report published earlier this month, Ash Johnson, senior policy manager at the Information Technology and Innovation Foundation, said the APRA needs to go further in its state preemptions, noting that it doesn't fully preempt all state laws.
"This Swiss cheese approach to preemption fundamentally undermines the purpose of keeping compliance costs low, reducing confusion, and ensuring all Americans have equal data privacy protections," Johnson said in the report. "Allowing states to legislate on niche data-privacy and security issues instead of addressing those issues in a federal law will, in fact, do the opposite, increasing costs and confusion."
Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.