With a bipartisan data privacy bill recently progressing out of a House committee, prospects to legislate data privacy seem to be gaining traction. While the current version of the bill would benefit from some improvements, recent developments in the United Kingdom could stand as a learning example for Congress on how to improve the proposed federal package.
The American Data Privacy and Protection Act (ADPPA), which advanced out of the House Energy and Commerce Committee in July by a 53-2 vote, represents a hopeful sign that Congress will finally address privacy issues after years of delays and discussion. While the bill has been mostly received as a welcome development, it still needs some major improvements.
Meanwhile, the UK has recently announced its plan to replace the European Union’s 2018 General Data Protection Regulation (GDPR) data privacy regime with its own system. While no specific details about the proposal have been outlined yet, the regime will be “[…] be simpler, it will be clearer, for businesses to navigate. No longer will our businesses be shackled by lots of unnecessary red tape,” according to Michelle Donelan, British Secretary of State for Digital, Culture, Media and Sport.
The UK’s proposed departure from the overly-burdensome GDPR should send a strong signal to Congress, especially since ADPPA has incorporated many of the GDPR’s policies.
While implementing more rigorous data protection requirements is generally good policy, the effects of the GDPR in Europe have been damaging for innovation. The high compliance costs associated with it have made operations expensive, especially for small businesses. These costs have been so punitive for small businesses that the Financial Times reported “tech startups, video games makers and advertising businesses…pulling out of Europe” rather than paying the compliance costs. The National Bureau of Economic Research has also highlighted the significant damage GDPR has inflicted on innovation, particularly in the mobile app market. In their recent working paper, NBER found that GDPR “precipitated the exit of over a third of available apps; and following its enactment, the rate of new entry fell by 47.2 percent, in effect creating a lost generation of apps.”
This chilling effect has not gone unnoticed by the British policymakers who are now pushing efforts to redress the issue. It should also not go unnoticed by Congress.
In general, the ADPPA dramatically improves upon the GDPR with regard to safeguarding the interests of small businesses, but problems remain, especially when it comes to preemption. For example, the bill makes an attempt to preempt state privacy laws, but includes a number of exclusions including the Illinois Biometrics Information Privacy Act and parts of the California Privacy Rights Act. State preemption should not include these carveouts to be effective, otherwise it undermines the whole purpose of state preemption.
For small businesses, navigating differences between state and federal laws can be costly. A federal law should supersede state regulation to increase simplicity and lower the compliance burden for small businesses.
Continuing the balkanized system of data protections would create a massive disadvantage for small businesses. The Information Technology and Innovation Foundation estimates that small businesses would have to spend $20-23 billion annually provided there was no federal legislation that would replace state laws.
Establishing a comprehensive federal privacy law should be a high priority for Congress. But it has to be done in a way that avoids conflicting laws and unnecessary costs that would disproportionately burden small businesses. Congress should seek to establish basic consumer data rights while minimizing the impact on innovation and setting a baseline of state preemption.