Data Privacy Gains Steam in Congress as GAO Publishes Report Urging Federal Law

February 15, 2019

The Government Accountability Office called on Congress to “consider developing comprehensive legislation on Internet privacy” as a major business group released draft data privacy legislation that would not apply to HR data.

The GAO interviewed EEOC and OSHA officials on their regulatory processes, despite the report being geared towards consumer data.  (The EEOC and OSHA enforce laws concerning workers). The Office also drew on input from tech and telecom companies and groups in writing the report, but not sources from other industries.

The report suggested that Congress should consider:

  • Which agency or agencies should oversee Internet privacy;

  • What types of authority an agency or agencies should have to oversee Internet privacy, including notice-and-comment rulemaking authority and first-time violation civil penalty authority; and

  • How to balance consumers’ need for Internet privacy with industry’s ability to provide services and innovate.

Meanwhile, the U.S. Chamber of Commerce released model legislation that defines a consumer as a "natural person, in his or her personal capacity (but not as an employee)" and proposes superseding state data privacy statutes as well as a number of federal statutes.

Numerous hearings are set in Congress, with the Senate Commerce Committee geared to consider the matter on February 27 and the House Energy and Commerce Committee planning to discuss the GAO report on February 26.

Outlook: The GAO’s report, various hearings, and model legislation are preludes to what is likely to be a flurry of legislative activity on the issue in the coming months.  If legislation moves forward that preempts state privacy laws, the employer community will need to determine whether HR data should be excluded from federal protections, or whether preemption of state laws would be more desirable.