The past several weeks, Congress introduced several amendments and bills that impact how data privacy and security is examined and promoted throughout the United States. The “HR” acronym is for bills introduced in the House of Representatives and the “S” is for bills introduced to the Senate. Some of these are:
- H.R.847: Supporting research on privacy-enhancing technologies and promote responsible data use (Introduced in the Senate as S.224)
- H.R.846: Protection of certain whistleblowers seeking to ensure accountability and oversight of the Nation’s COVID-19 pandemic response.
- H.R.831: Amend the Public Health Service Act to encourage the rapid development of certain public health data standards and authorize data linkage, among other initiatives.
- H.R.651: Protections of the privacy of health information during a national emergency (This was also introduced in the Senate under S.81).
- S.113: Requiring providers of broadband internet access service ad edge service to notify users of the privacy policies of those providers and to give users the right to opt-in or opt-out of data collection and use by providers.
- H.R.21: The FedRAMP Authorization Act aims at enhancing the innovation, security, and availability of cloud computing products and services used by the Government. This will include a risk-based approach to make cloud computing in the Federal Government consistent with FISMA 2014.
H.R.847/S.224
How does this apply to you and me?
There is currently no text for this bill, however, as the name implies, this would be an opportunity to research and decide on privacy-enhancing techniques and technologies (PET). PET’s provide a great security mechanism to further protect personal information beyond just encrypting the data. If data is encrypted, it can still be exposed if the encryption keys are compromised. Some PET’s that could be used are pseudonymization practices, data minimization, data retention schedules, and enforcing the principle of least privilege across organizations.
This wouldn’t necessarily apply to us at the moment. However, if this is pushed through, future acts will be introduced to require some of these PET’s to become standard practice at all agencies and organizations domiciled within the United States. IT may take a little wile, but enabling these PET’s is currently being done by many organizations and we do not need to wait for lawmakers to require us to do this. If you work in consulting or in the Information Security/Privacy field, doing this and researching these PET’s should be a high priority for you and enable you to take a proactive approach to privacy once additional bills are introduced and passed.
H.R.846
How does this apply to you and me?
There is currently no text for this bill to be addressed, however, this would, based on its name, protect whistleblowers who disclose inappropriate practices by individuals and organizations abusing their permissions as it pertains to responding to the COVID-19 pandemic. This includes how data is collected and presented to the public.
This only applies to us if we blow the whistle on inappropriate activity related to COVID-19 responses. The protections are not detailed, but they should be similar to what is currently in place for whistleblower protection rights.
H.R.831
How does this apply to you and me?
Currently, no text has been adopted for this specific action, but during the 116th Congress, the H.R. 6866 was introduced, which is the actual text for the new introduction. This act details the covered entity’s (CE) restrictions on collection and use of health data and would require them to take appropriate measures to protect that data. This does not supersede HIPAA, but enhances the current requirements.
There are several additional paragraphs, but what we, the average consumer, need to know is that under this act, we have the rights to give and revoke consent of collection of our data by CE’s, be completely informed on how our data is collected and processed/used, to review what a CE lists as “our rights” to our data in their privacy notice, and to request that our dat be destroyed and receive confirmation that it has been.
Additional criteria is that data that is not needed to fulfill the initial purpose of the collection must be destroyed, or all unique identifiers be completely removed so as to no longer be able to identify an individual, 60 days after the conclusion of the COVID-19 pandemic. This act has not been through all levels of voting to become an actual law just yet, but there’s a lot of bi-partisan support.
H.R.651/S.81
How does this apply to you and me?
Similar to H.R.831, S.81 has been read twice to Congress and is currently with the Committee on Health, Education, Labor, and Pensions for review. Additionally, H.R.651 has been referred to the House Committee on Energy and Commerce.
There is currently no text for either bill. H.R.651 has 22 cosponsors in the House and S.81 has 11 cosponsors in the Senate, indicating moderate support. It is my opinion as the United States becomes more aware of the importance of protecting data and keeping our information private, these bills will be passed and the Public Health Emergency Privacy Act will become law at some point.
S.113
How does this apply to you and me?
This bill relates to internet service providers (ISP) and requires them to provide notice of how data is collected and processed, as well as data subject rights related to opt-out and opt-in requirements. I would like to include that this bill should allow for the individual to opt-out as easily as they opted in.
This will give you and I a better handle on what data is collected and processed, as well as the ability to consent to this action. There is currently no text for this bill ad it is currently with the House Committee on Commerce, Science, and Transportation for review. I believe the definition of “sensitive data” will be heavily detailed and reviewed prior to the bill’s introduction to the Senate for a vote. This means that we, the consumer, should have a much more tightened fist around what information belongs to us and how we can manage it.
H.R.21
How does this apply to you and me?
The Federal Risk and Authorization Management Program (FedRAMP) was passed by the House of Representatives and will be voted on by the Senate soon. There isn’t a lot related specifically to privacy of data in this bill, however, as cloud computing becomes more engrained in the day-to-day operations of the Government, more scrutiny will need to be placed on the ownership, management, and security of federal data.
Two critical areas to highlight in this act are in section 3616(a)(2)(B), which explains that before cloud providers are agreed upon and used by the Government, they, the CSP, must provide a privacy plan and a privacy control assessment. This plan would detail how the CSP maintains data privacy, its privacy mission and objective(s), and what privacy controls are in place. This will include a third-party attestation around the effectiveness of the privacy controls of the CSP.
This doesn’t apply to you and I as consumers. If you work at a CSP and help support the controls of the CSP, you will need to become more educated around the goal of the privacy control and how to ensure its effectiveness since this will directly affect Government contracts once this bill becomes a law.
I hope this information has helped you understand what is coming through the pipeline with our Government and what impact it may have on you! If you’d like more detail, please visit the bills in the links above and learn about everything, beyond privacy, that is playing into these decisions.
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.