Media Law Resource Center

Serving the Media Law Community Since 1980


Senator Brian Schatz and Democratic Co-Sponsors Introduce Data Care Act

By Naomi Sosner

In December, the day after Sundar Pichai, Google CEO, testified before the House Judiciary Committee on data privacy issues, Hawaii Senator Brian Schatz introduced legislation that he later described hopefully as the foundation of a future and "big privacy package on a bipartisan basis."

The Data Care Act of 2018, a 14-page bill, sketches out fiduciary duties of online service providers to the humans generating the data. Senator Schatz is the Ranking Member of the Senate Communications, Technology, Innovation, and the Internet Subcommittee. The Bill, which has not yet been introduced in the new Congress, introduces several important concepts into the expected 2019 legislative debate over federal consumer privacy legislation.

The Bill proposes three main duties. The first is a duty of care to reasonably secure "individual identifying data" and alert individuals of breaches of their "sensitive data," as both terms are defined. The second is a duty of loyalty: to use neither individual identifying data nor data derived from that data in a way that benefits the online service provider "to the detriment of an end user" and "will result in reasonably foreseeable and material physical or financial harm to an end user" or would be "unexpected and highly offensive to a reasonable end user." The third, the duty of confidentiality, forbids an online service provider from disclosing or selling individual identifying data to other parties unless those entities are contractually obliged to abide by the first two duties.

The idea of imposing fiduciary duties on online data collectors was floated earlier by law professor Jack Balkin, including in an Atlantic article co-authored with Harvard's Jonathan Zittrain in 2016. There, Balkin and Zittrain discussed the concept of "information fiduciaries," people and businesses—doctors, for example, and law firms—who are privy to sensitive information by virtue of their positions and obligated, by law, to protect that information in certain ways.

Technology has birthed new entities that are analogous to old-school information fiduciaries, they thought, but legally untethered to the same sort of ethical requirements:

There is an opportunity for a new, grand bargain organized around the idea of fiduciary responsibility. Companies could take on the responsibilities of information fiduciaries: They would agree to a set of fair information practices, including security and privacy guarantees, and disclosure of breaches. They would promise not to leverage personal data to unfairly discriminate against or abuse the trust of end users. And they would not sell or distribute consumer information except to those who agreed to similar rules.

Schatz and the other senators deliberately avoided the term "fiduciary"—to avoid confusion with its existing legal connotations, he told Mother Jones in late December—but in the main the Data Care Act tracks these broad principles.

The exceptions are enforcement and preemption. In the Atlantic article, Balkin and Zittrain imagined that companies would be willing to take on the responsibilities of information fiduciaries as part of a federal act that preempted state and common law regulations. Then as now, there was no federal privacy bill; and since 2016 every state has passed a state breach notification law, which frequently joins a diffuse cloud of other state laws impacting business data practices.

California's Consumer Protection Act, passed in August of 2018, epitomizes, and sharpens, industry's dilemma. In various ways modeled after the GDPR, the CCPA is the most stringent state privacy law, and its hand, in practice, will stretch out of California. There was no CCPA when Balkin and Zittrain presumed companies would like to trade state checkerboards for a federal game. Faced with the CCPA, companies are lobbying for a federal law. See "Tech Industry Pursues a Federal Privacy Law, on Its Own Terms," New York Times, Aug. 26, 2018.

The Data Care Act, however, preempts nothing. Schatz, in an interview in late December with Mother Jones, alluded to vectors of pressure on the preemption question.

Tech is not sure what to make of this. But I think that they're highly motivated to get a federal law. Their initial position was "please do a federal law in order to preempt California law," and I've been loud and clear: we're not doing non-progressive federal law to preempt a progressive state law. The only thing that will replace and preempt California's statute is a strong progressive federal privacy framework.

The Data Care Act empowers the Federal Trade Commission to enforce the Act, but explicitly provides a right of action (subject to various caveats) for state regulators. It does not preempt any state law. Based on Schatz's comments, if it passes, its sponsors envision it as one of a few federal laws—a "privacy package"—that interlock.

Naomi Sosner is an associate at Hunton Andrews Kurth focusing on Internet law, privacy and security. She was MLRC's 2017-18 Legal Fellow.
