
InfoBytes Blog

Financial Services Law Insights and Observations


  • Pelosi cites preemption concerns in federal privacy bill

    Federal Issues

    On September 1, Speaker of the House Nancy Pelosi (D-CA) released a statement commending the House Energy and Commerce Committee’s work on advancing the American Data Privacy and Protection Act (ADPPA) to the House floor (covered by InfoBytes here). However, Pelosi also recognized preemption concerns raised by the California governor, the California Privacy Protection Agency, and other top state leaders. “With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights,” Pelosi said. “California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians—and states must be allowed to address rapid changes in technology.” Praising measures in the ADPPA that would give consumers the right, for the first time, to seek damages in court for violations of their privacy rights, Pelosi said the House “will continue to work with Chairman Pallone to address California’s concerns.” As previously covered by InfoBytes, the ADPPA also received criticism from several state attorneys general who argued, among other things, that “Congress should adopt a federal baseline, and continue to allow states to make decisions about additional protections for consumers residing in their jurisdictions,” instead of preempting areas of state privacy regulation.

    Federal Issues Privacy, Cyber Risk & Data Security Federal Legislation U.S. House American Data Privacy and Protection Act State Issues California Consumer Protection

  • California Privacy Protection Agency opposes federal privacy bill

    Privacy, Cyber Risk & Data Security

    On August 15, the California Privacy Protection Agency (CPPA) sent a letter to House Speaker Nancy Pelosi (D-CA) and House Minority Leader Kevin McCarthy (R-CA) opposing H.R.8152, the American Data Privacy and Protection Act (ADPPA). The CPPA expressed concerns that the proposed legislation “could nearly eliminate” the agency’s ability to fulfill its responsibility to protect Californians’ privacy rights and claimed that the bill’s provisions are “substantively weaker” than the California Privacy Rights Act. “ADPPA represents a false choice, that the strong rights of Californians and others must be taken away to provide privacy rights federally,” the CPPA stressed in its letter. “Americans deserve, and the Agency could support, a framework that offers both: a floor of federal protections that preserves the ability of the states to continue to improve protections in response to future threats to consumer privacy.”

    Last month the U.S. House Committee on Energy and Commerce voted 53-2 to send the ADPPA to the House floor with amendments that would enable the California agency to enforce the federal law (covered by InfoBytes here). However, the CPPA noted that “the language in the bill still raises significant uncertainties for the Agency were it to seek to enforce the federal measure.” Additionally, the bill, which has been revised from its initial draft (covered by a Buckley Special Alert), would preempt the current patchwork of five state privacy laws—which “would be an anomaly,” the CPPA said, given that current federal privacy laws such as the Health Information Portability and Accountability Act, the Gramm Leach Bliley Act, and the FCRA all contain language allowing states to adopt stronger protections. Pointing out that the bill’s “preemption language is especially concerning given the rate at which technology continues to advance and evolve,” the CPPA stressed the importance of states being able to build on their existing laws and allowing voters to seek out additional protections.

    Privacy, Cyber Risk & Data Security State Issues Federal Issues Federal Legislation Consumer Protection CPPA California American Data Privacy and Protection Act

  • Biden signs bills providing 10-year SOL on PPP and EIDL fraud

    Federal Issues

    On August 5, President Biden signed the Paycheck Protection Program and Bank Fraud Enforcement Harmonization Act (see H.R. 7352) and the COVID-19 Economic Injury Disaster Loan Fraud Statute of Limitations Act (see H.R. 7334). H.R. 7352 provides a 10-year statute of limitations for fraud by borrowers under the SBA’s Paycheck Protection Program, while H.R. 7334 establishes a 10-year statute of limitations for fraud by borrowers under the SBA’s Covid-19 Economic Injury Disaster Loan programs.

    Federal Issues Federal Legislation SBA CARES Act Covid-19 Small Business Lending Biden

  • House committee advances comprehensive consumer privacy bill

    Privacy, Cyber Risk & Data Security

    On July 20, the U.S. House Committee on Energy and Commerce voted 53-2 to send H.R. 8152, the American Data Privacy and Protection Act, to the House floor. As previously covered by a Buckley Special Alert, a draft of the bill was released in June, which would, among other things, require companies to collect the least amount of data possible to provide services, implement special protections for minors, and allocate enforcement responsibilities to the FTC. The bill has been revised from its initial draft to allow consumers to bring lawsuits after notifying certain state and federal regulators beginning two years after the law takes effect, which is different from the four-year wait period proposed in the draft. Additionally, the current patchwork of five state privacy laws would be preempted, although under the revised bill California's new privacy agency would be allowed to enforce the federal law. The revised bill also includes a provision that narrows the scope of algorithmic impact assessments required of large data holders to focus on algorithms that pose a “consequential risk of harm.” Additionally, the revised bill includes a more expansive definition of “sensitive data” to include browsing history, race, ethnicity, religion and union membership. It also sets a tiered system of responsibility depending on the size of companies for data related to people under 17.

    Privacy, Cyber Risk & Data Security U.S. House Data Data Collection / Aggregation American Data Privacy and Protection Act Federal Legislation

  • Coalition of state AGs releases comment letter in opposition to federal privacy bills

    Privacy, Cyber Risk & Data Security

    On July 19, a coalition of state attorneys general, led by the California AG, released a comment letter in opposition to the American Data Privacy and Protection Act (ADPPA), H.R. 8152, and the Consumer Online Privacy Rights Act (COPRA), S. 3195. In the letter, the state AGs argued that “Congress should adopt a federal baseline, and continue to allow states to make decisions about additional protections for consumers residing in their jurisdictions,” instead of preempting areas of state privacy regulation. The AGs expressed concern that the bills, as drafted, “appear to substantially preempt many states’ ability to investigate” federal privacy law violations. Specifically, the AGs argued that while the bills purport to preserve “state consumer laws and causes of action,” they also provide that “a violation of this Act shall not be pleaded as an element of any such cause of action.” The state AGs noted that usually, “a violation of a federal law or standard could also be a violation of state consumer protection law. But [the bills] would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims.” The state AGs consider this language to “unnecessarily interfere with robust enforcement capabilities.”

    Privacy, Cyber Risk & Data Security State Attorney General State Issues American Data Privacy and Protection Act Federal Legislation

  • Rep. McHenry introduces draft privacy legislation based on GLBA

    Federal Issues

    On June 23, House Financial Services Ranking Member Patrick McHenry (R-NC) released a discussion draft of new federal legislation intended to modernize financial data privacy laws and provide consumers more control over the collection and use of their personal information. (See overview of the discussion draft here.) The draft bill seeks to build on the Gramm-Leach-Bliley Act (GLBA) to better align financial data protection law with evolving technologies that have innovated the financial system and the way in which consumers interact with financial institutions, including nonbank institutions. “Technology has fundamentally changed the way consumers participate in our financial system—increasing access and inclusion. It has also increased the amount of sensitive data shared with service providers. Our privacy laws—especially as they relate to financial data—must keep up,” McHenry said, emphasizing the importance of finding a way to “secure Americans’ privacy without strangling innovation.”

    Among other things, the draft bill:

    • Requires notice of collection activities. The GLBA currently requires that consumers be provided notice when their information is being disclosed to third parties. The draft bill updates this requirement to require financial institutions to provide notice when consumers’ nonpublic personal information is being collected.
    • Recognizes the burden on small institutions. The draft bill stipulates that agencies shall consider compliance costs imposed on smaller financial institutions when promulgating rules.
    • Amends the definition of a “financial institution.” The draft bill will update the definition to cover data aggregators in addition to financial institutions engaged in financial activities as described in 4(k) of the Bank Holding Company Act of 1956.
    • Expands the definition of non-public information. The draft bill expands the definition of “personally identifiable financial information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Publicly available information is not included in this definition. The definition of “consumer account credentials” will mean “nonpublic information (including a username, password, or an answer to a security question) that enables the consumer to access an account of the consumer at a financial institution.”
    • Provides consumers access to data. The draft bill provides that financial institutions must, upon an authorized request from a consumer, disclose the data held, entities with which the financial institution shares consumer data, and a list of entities from whom the financial institution has received a consumer’s non-public personal information.
    • Allows consumers to stop the collection and disclosure of their data. When a financial institution is required to terminate the collection and/or sharing of a consumer’s nonpublic personal information, the draft bill provides that a financial institution must notify third parties that data sharing is terminated and must require the third parties to also terminate collection and disclosure. Additionally, upon request from a consumer, the financial institution must delete any nonpublic personal information in its possession, and if required by law to retain the data, the financial institution may only use the data for that purpose.
    • Minimizes data collection. The draft bill requires that financial institutions notify consumers of their data collection practices in their privacy policies, including the categories collected, how the information is collected, and the purposes for the collection. Consumers must be allowed an opportunity to opt out of the collection of their data if not necessary for the provision of the product or service by that entity.
    • Provides informed choice and transparency. Under the draft bill, privacy terms and conditions must be transparent and easily understandable. The draft bill requires the disclosure of a financial institution’s privacy policies in a manner that provides consumers meaningful understanding of what data is being collected, the manner in which the data is collected, the purposes for which the data will be used, the right to opt-out, who has access to the data, how an entity is using the data, where the data will be shared, the data retention policies of the entity, the consumer’s termination rights, and the rights associated with that data for uses inconsistent with stated purpose, among others.
    • Stipulates liability for unauthorized access. The draft bill states that “[i]f the nonpublic personal information of a consumer is obtained from a financial institution (either due to a data breach or in any other manner) and used to make unauthorized access of the consumer’s account, the financial institution shall be liable to the consumer for the full amount of any damages resulting from such unauthorized access.”
    • Requires preemption. The draft bill will preempt state privacy laws to create a national standard.

    The draft bill was introduced days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (covered by a Buckley Special Alert here).

    Federal Issues Privacy/Cyber Risk & Data Security Federal Legislation Gramm-Leach-Bliley Consumer Protection

  • Special Alert: House subcommittee hears testimony on privacy bill

    Privacy, Cyber Risk & Data Security

    The House Subcommittee on Consumer Protection and Commerce held a June 14 hearing, “Protecting America’s Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security,” to listen to testimony from consumer advocates and industry representatives on the recently proposed American Data Privacy and Protection Act (ADPPA).

    The bipartisan initiative faces new headwinds following June 22 remarks by Senate Commerce Chair Maria Cantwell (D-WA), who cited “major enforcement holes” in the legislation on preemption issues — but expressed hope that the sponsors could offer revisions. 

    Privacy/Cyber Risk & Data Security Federal Issues Special Alerts Federal Legislation Consumer Protection FTC House Subcommittee on Consumer Protection and Commerce

  • Special Alert: Congress releases draft privacy bill

    Federal Issues

    A comprehensive federal privacy law drew one step closer to reality earlier this month when a bipartisan group of representatives and senators released a draft of the proposed American Data Privacy and Protection Act.

    Passage of the ADPPA, which combines elements of prior proposals in an effort to reach a legislative compromise, is still far from assured. But it represents a meaningful starting point for further discussions, and is already shaping the long-running debate on national privacy standards. This alert looks closely at the proposed statutory text that seeks to define the breadth and scope of a federal privacy regime that policymakers have contemplated for years.

    Greater clarity about bill text and its overall prospects for passage are likely to emerge at the House Energy and Commerce Committee’s hearing scheduled for tomorrow at 10:30 a.m. ET.

    Federal Issues Federal Legislation Privacy/Cyber Risk & Data Security Special Alerts House Energy and Commerce Committee FTC Consumer Protection American Data Privacy and Protection Act

  • Biden signs $1.5 trillion omnibus package

    Federal Issues

    On March 15, President Biden signed H.R. 2471, the “Consolidated Appropriations Act, 2022” (Act), into law. According to House Appropriations Committee Chair Rosa DeLauro’s press release, the Act is an omnibus spending measure that provides $1.5 trillion in discretionary resources across the 12 fiscal year 2022 appropriations bills. Among other things, the Act includes the “Cyber Incident Reporting for Critical Infrastructure Act of 2022,” which establishes requirements for reporting ransomware incidents on critical infrastructure to the DHS Cybersecurity and Infrastructure Security Agency (CISA). Specifically, Division Y, Section 2242 establishes that companies must report incidents to CISA within 72 hours after the covered entity reasonably believes that a cyber incident has occurred, or within 24 hours if a ransomware payment has occurred. If a company fails to meet the reporting requirements, the Act permits the cyber security director to “obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.” The Act also establishes that if CISA determines that the incident requires regulatory enforcement action or criminal prosecution, such information may be provided to the Attorney General or the appropriate regulator, who may utilize such information for a regulatory enforcement action or criminal prosecution. Within 24 months, CISA is directed to publish a notice of proposed rulemaking (NPRM) in the Federal Register to implement the Act, followed by the issuance of a final rule within 18 months of the NPRM. The final rule will outline the criteria of reporting and provide the effective dates for the reporting requirements. The Act also directs CISA to carry out an outreach and education campaign to inform covered entities about the rule’s requirements. Though the bill establishes that a court shall dismiss a cause of action against a person or entity for submitting a report, the liability protections “shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the [Sector Risk Management] Agency.”

    The Act also includes the “Adjustable Interest Rate (LIBOR) Act,” which establishes “a clear and uniform process, on a nationwide basis, for replacing LIBOR in existing contracts the terms of which do not provide for the use of a clearly defined or practicable replacement benchmark rate, without affecting the ability of parties to use any appropriate benchmark rate in new contracts,” among other things. Additionally, the Act includes rental assistance programs and climate restoration grants, which, according to a statement by HUD Secretary Marcia L. Fudge, “provides funding to improve the energy efficiency of housing and increase resilience to climate impacts.”

    Federal Issues Federal Legislation Biden Privacy/Cyber Risk & Data Security Data Breach LIBOR HUD

  • House passes America COMPETES Act

    Federal Issues

    On February 4, the U.S. House passed, by a vote of 222-210, the “America Creating Opportunities for Manufacturing Pre-Eminence in Technology and Economic Strength (COMPETES) Act,” H.R. 4521, which aims to strengthen the competitiveness of the U.S. economy and U.S. businesses and to counter anti-competitive actions taken by the People’s Republic of China. The COMPETES Act includes provisions affecting financial services, such as:

    • U.S. Policy on World Bank Group and Asian Development Bank Loans to China. This provision would, among other things, direct Treasury to vote against any loans to China from the World Bank or Asian Development Bank under certain circumstances, and allow borrowing countries to seek restructuring of China loans in official multilateral debt relief forums.
    • Prohibitions or Conditions on Certain Transmittal of Funds. This provision would streamline the process by which special measures may be introduced and modernize the authorities granted to FinCEN by permitting the agency to pursue bad actors.
    • Study on Chinese Support for Afghan Illicit Finance. This provision would direct Treasury’s Office of Terrorism and Financial Intelligence to brief Congress on the identification and analysis of Chinese economic, commercial, and financial connections to Afghanistan, to include illicit financial networks involved in narcotics trafficking, illicit financial transactions, official corruption, natural resources exploitation, and terrorist networks.
    • Support for Debt Relief for Developing Countries. This provision would direct the Treasury secretary and U.S. representatives at the International Monetary Fund and the World Bank to engage with international financial institutions, official creditors, and relevant commercial creditor groups to advocate for the effective implementation of the G-20’s Common Framework.

    Federal Issues Federal Legislation U.S. House FinCEN Financial Crimes Debt Relief G20 China
