The federal privacy bill: Intel gets the ball rolling

Amid all the hype that surrounded the recent US mid-term elections – health-care reform, the migrant caravan, and the ensuing deployment of US troops to the Mexican border – a number of important policy areas seem to have been forgotten.

One such area is federal privacy law, about which there now seems to be a surprising level of consensus. Lawmakers on both sides of the aisle, commentators, and even tech companies themselves seem convinced that replacing the current patchwork of state-level privacy laws with a single federal framework is the future.

In addition, Democrat control of the house means that a federal privacy bill is likely to be a priority for this legislative session. This is partially because passing a federal privacy law is simply good PR for politicians. In the last few years there have been several high-profile security breaches, affecting such titans as Facebook, Google, and Amazon. In some cases, these breaches have led to tech CEOs being hauled before congress, stoking pubic anger around an issue that was, until quite recently, a fairly niche concern.

Such breaches also mirror that classic political story: the little guy vs. the corporate giant, and many in Washington now seem convinced that there is political capital to be made in being seen to protect consumers from faceless tech companies. There is a growing consensus, in short, that if the industry will not self-regulate, the federal government will do it for them. As a result, the idea of a federal bill, at least, has bipartisan support.

Another concern driving the discussion is that the current situation in the US, when it comes to privacy law, is a mess. Several states have passed laws that contain vastly different levels of consumer privacy protection, meaning that many companies that operate across the country (i.e. all of them) must work towards compliance with several distinct standards. Of particular concern for tech companies is a new state-level privacy law in California, the state many of them are based in. The state has passed a law that is arguably the strongest in the country, and which is due to come into force in 2020.

The content of a federal bill, however, remains a source of much speculation. Similar legislation in Europe, the GDPR, took effect in May, and is seen by many in the industry as the gold standard of consumer privacy protection. Tech companies in the US, however, are concerned that a similar bill needlessly limits their ability to develop new technologies, and may have an effect on their profitability.

Intel weighs in

Last week, Intel became the latest company to weigh in on this debate. Their newly-drafted privacy bill is based, they say, on a set of “fair information practice principles” that the industry will be willing to accept.

At the core of the draft, and likely to be the most controversial part of any coming legislation, are the consequences of non-compliance with privacy protection rules. Much of this structure is already in place, contained in an overlapping network of industry guidelines and voluntary codes of practice. CISOs and other employees are well experienced in meeting these criteria, not least because customer complaints, let alone large-scale data breaches, can cost tech companies large amounts of revenue. The industry is willing, by and large, to follow a set of centralized guidelines, and to allow the federal government to police compliance with them. A large part of the coming argument will be over what happens if companies are found to be non-compliant.

In some ways, Intel’s proposal is relatively bold. It proposes that executives be held personally responsible for lying about data privacy compliance, for example. In other ways, the draft is significantly weaker than both the GDPR and even existing state-level law. It does not require companies to inform customers about data leaks, where both the GDPR and state-level laws require this within 45 days, 30 days, or (for the GDPR) 72 hours. Intel’s draft also provides a “safe harbor” scheme for companies, enabling them to avoid any civil actions that result from a data breach, at least in the first instance.

Intel is an unlikely candidate to be proposing privacy legislation. It is a corporation, after all, and one that does not collect any personal information itself. The purpose of the draft, it seems, is to get ahead of the upcoming discussion on what a federal privacy law should contain, and present lawmakers with a example of what tech companies will accept. It is also a response to a fear that several of Intel’s largest customers – think Facebook, Google, et al – will be adversely affected by overly draconian privacy legislation.

Setting the terms of the debate

In addition, the issue is particularly pertinent for tech companies based in Silicon Valley, because of the California privacy law is set to come into force in 2020. Both Apple and Amazon have told congress that they would support a federal law overriding the California one, which they see as unnecessarily strict. In this context, Intel’s proposed bill can be seen as a wish-list for tech companies: a proposal for a federal law that tech companies are happy to accept, as long as it doesn’t get in the way of their business.

Similarly, the way in which the draft has been presented appears designed to appeal to consumers who are increasingly wary of the way in which tech companies use their data. Recent years have seen an explosion in the usage of technologies that used to be the sole domain of hackers and infosec professionals: encryption, anti-tracking software and privacy protecting tools are becoming increasingly sought after by entreprises as well as individuals. A bill which provides legal protection would likely be welcomed by a large proportion of them.

Whether Intel’s ideas make it anywhere near the House remains to be seen. It might be that lawmakers have already developed a thorough and technically adept draft of a federal privacy bill, but this reported doubts it. The questions that were put to Mark Zuckerberg during April’s Senate hearing suggest that, clever though they might be, our elected representatives lack the necessary technical knowledge of infosec to make informed policy decisions. In fact, the current bipartisan support for the bill might be indicative of a underestimation of complex digital privacy is: a bill to regulate the way that tech companies use data certainly seems straightforward enough, until you look into the details.

In addition, this bipartisan support does not mean that the bill will be easy to pass. There are many arguments to be had about what will appear in such a bill, and Intel’s interpretation is just one set of ideas. Rather than this argument being had in the House, however, it will likely be waged between tech companies and lawmakers. This means that the discussions will largely be hidden, conducted in smoky rooms in Washington rather than in public, but no less vicious for that.

One thing, at least, is clear: in the coming argument, Intel has got in the first word.