By: Samuel Roth

With the emergence of COVID-19, Americans are investing unprecedented amounts of time and effort adjusting to a new daily routine of internet-dependency. Reliance on the consistent use of web communication services and project organization tools is a new standard for remote work, with school systems experiencing a similar shift. Although services provided by major corporations like Zoom, Citrix, and Amazon aid millions of American businesses, the increase in online traffic has raised concerns from data privacy advocates in the US Senate.

As a result, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (“SAFE DATA Act”), introduced in September 2020, detailed a comprehensive federal plan to provide Americans with more choice and control over their data. The functionality and necessity of federal privacy legislation is a growing discussion in American regulatory law, but doubts from voting officials and persistent lobbying have stifled the enactment of every proposed bill. The SAFE DATA Act stands out because it combines three previous proposals into one expansive package with bipartisan support. In doing so, its introduction led some data privacy analysts to believe that it could remain at the forefront of the federal privacy legislation debate for years to come, prompting others to question its ability to achieve its intended effect.

Before delving into the treatment of the SAFE DATA Act, it is crucial to understand the key tenants of its construction as well as the data privacy proposals that it is comprised of. The first, and most substantial component of the SAFE DATA Act, is Senator Roger Wicker’s (R–Miss.) draft for the US Consumer Data Protection Act (“USCDPA”), released in late 2019. Informed by over a year of bipartisan negotiations and feedback from consumer advocates, state and local governments, and stakeholders from various sectors of the economy, the USCDPA focused on protecting individual consumer data rights, increasing data collection transparency, and holding corporations accountable.

The USCDPA provided users similar rights to that of the California data privacy regulation, the California Consumer Privacy Act (“CCPA”), including the rights to access, correction, deletion, and portability. Notably, the USCDPA also included requirements for companies to obtain “affirmative express consent” before processing or transferring individuals’ sensitive data, as well as requiring them to transparently publish their privacy policies. Further, the draft imposed “reasonable data security practices” enforced by the FTC, protecting consumers from the denial of goods and services if they choose to exercise their privacy rights. Finally, the USCDPA also required certain companies to minimize data collection, processing, and retention, taking after the EU’s GDPR by designating privacy officers and data security officers to conduct annual privacy impact assessments.

Title II of the SAFE DATA Act includes provisions from Senator John Thune’s (R–S.D.) proposed Filter Bubble Transparency Act (“FBTA”), a piece of legislation that would make it easier for internet platform users to understand the potential manipulation that exists with hidden online algorithms. Primarily, the FBTA seeks to illuminate complicated and often secret data processing tactics by defining and regulating the use of two kinds of data processing algorithms: “opaque algorithms” and “input-transparency algorithms.” Opaque algorithms are an algorithmic ranking system that utilizes user-specific data, not expressly provided by the user, to determine how information is presented to that individual. Input-transparent algorithms are algorithmic ranking systems that do not utilize user-specific data to determine how information is presented unless an individual expressly provides it to the platform for such purposes. Incorporating the proposed tenants of the FBTA, Title II requires that web-based platforms notify users when an opaque algorithm processes their personal data, and if so, must provide an alternative version of their platform that only uses an input-transparent algorithm.

Title II of the SAFE DATA Act also includes bipartisan provisions from Senator Mark Warner (D–Va.) and Senator Deb Fischer’s (R–Neb.) proposed Deceptive Experiences to Online Users Reduction Act (“DETOUR Act”). The DETOUR Act aims to protect online consumers against deceptive user interfaces known as “dark patterns,” a subliminal way of structuring websites to coerce users into divulging more personal data than they would otherwise. Although the term “dark patterns” is not explicitly mentioned in the SAFE DATA Act, Title II prohibits companies from deceptively receiving consent or user data through means of obscuring, subverting, or impairing user autonomy, decision-making, or choice. Additionally, Title II focuses on protecting children, preventing web interfaces from engaging in tactics of “compulsive usage,” which induce individuals into repetitive, purposeful, and intentional behavior to provoke continued use of the platform.

Yet, there are legitimate concerns regarding the SAFE DATA Act’s implementation. The two chief barriers to passing federal privacy legislation are whether a proposed act will include a private right of action and whether the act will preempt state laws that offer more robust privacy protections. To the disdain of many U.S. privacy advocates, the SAFE DATA Act, in Section 405(a), preempts all state laws regulating data collection practices and fails to acknowledge a private right of action. These key issues, along with others, foreshadow the prospect of the SAFE DATA Act’s rocky road to enactment.

In a scathing criticism of the proposed bill, Eric Null, a U.S. Policy Manager at Access Now claims, “[t]he SAFE DATA Act would do almost nothing to improve privacy protections in the United States. It would, however, broadly undermine civil rights and privacy protections that exist at the state level because of its preemption provision. This means it would preempt the [CCPA], Illinois’ Biometric Information Privacy Act, and Maine’s broadband privacy law, among others, even though parts of the bill are weaker than these state laws. What is more, the bill’s enforcement provisions lack a significant increase in FTC authority or funding, and it does not create a private right of action. It might as well be called the Unsafe Data Act.”

Access Now, a furious defender of digital rights for users at risk around the world, drafted a letter to the U.S. Senate Committee on Commerce, Science, & Transportation claiming that the SAFE DATA Act fails to consider four crucial principles: (1) privacy protections must be strong, meaningful, and comprehensive, with a focus on implementing Fair Information Practices, (2) data practices must protect civil rights, prevent discrimination, and advance equal opportunity, (3) governments at all levels should play a role in protecting and enforcing privacy rights, and (4) legislation should provide redress for privacy violations beyond those causing financial harm, and should recognize and include intangible harms.

However, despite the backlash received from disapproving parties, the SAFE DATA Act’s greatest threat is its immateriality in the face of a global pandemic, a national call for environmental disaster relief, online censorship hearings, a turbulent U.S. Presidential election, and a recent Supreme Court Justice confirmation. More and more consumers are concerned that their privacy rights are jeopardized by the lack of transparency from tech giants, but the SAFE DATA Act will still likely stall for a considerable amount of time due to more controlling issues in the Senate.

Yet, there is a silver lining for the SAFE DATA Act. The unfortunate timing of the bill’s introduction may stall its enactment, but it also allows Senator Wicker to address the proposal’s failures and redraft it accordingly. The impact of the COVID-19 pandemic is still unpredictable, but a federal data privacy act is not, in and of itself, an unpopular proposal. If the bill were to reach a vote in its current form, it would be met with far too much resistance to proceed. Senator Wicker and the bill’s co-sponsors would stand to benefit from incorporating more previous ideologically diverse proposals into its substance. By including more progressive senators with their own data privacy proposals like Maria Cantwell (D–Wash.), Brian Schatz (D–Hawaii), Amy Klobuchar (D–Minn.), and Edward Markey (D–Mass), the SAFE DATA Act would achieve far stronger bipartisan support than it currently has, and embody a positive future for American federal privacy legislation. Until then, the SAFE DATA Act may suffer the same fate as the proposals it is comprised of, failing to muster a conversation that America desperately needs to have.

Student Bio: Samuel Roth is a second-year law student at Suffolk University Law School. He is a staffer on the Journal of High Technology Law and a member of the Business Law Association. Samuel received a Bachelor of Arts Degree in History from the University of Rochester.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.