Jacqueline Klosek and Andrew Lurie
Now that the Democratic Party has control of Congress after 12 years of Republican rule, everyone from gonzo pundits to armchair politicians is predicting big changes in the next two years. While it is likely that the new Congress will spend a considerable portion of its time debating the Iraq war, the proposed minimum wage and other high-profile issues, privacy is expected to be among the issues Congress confronts. The recent transitions in power have led privacy experts to expect that the new Congress will push through at least a few new measures designed to stabilize the privacy landscape.
Recent Trends in Privacy
After years of scale-backs of personal privacy rights, especially in the aftermath of 9/11, the outgoing 109th Congress did make some progress in certain aspects of privacy regulation. Toward the end of 2006, just before it adjourned, Congress passed a few measures of interest to those in the privacy realm. In the waning days of the session, the House and Senate each passed measures that were intended to address the problems of obtaining telephone records through the use of pretexting. On Jan. 12, 2007, President Bush signed into law the "Telephone Records and Privacy Protection Act of 2006." The new legislation establishes criminal penalties for the fraudulent or unauthorized acquisition or disclosure of confidential phone records information. In addition, during its final week in Washington, the 109th Congress passed the US SAFE WEB Act, a law designed to enable the Federal Trade Commission to better protect consumers from spam, spyware and Internet fraud on a global scale.
Overview of Significant Changes in the Legislature
Except for a brief period in 2001-2002 when the Democrats narrowly held sway over the Senate, the Republicans have maintained control of both houses of the legislature since 1994. The recently departed 109th Congress continued this trend, with 55 Republicans, 44 Democrats and one Independent in the U.S. Senate. The House was composed of 230 Republicans, 202 Democrats and one Independent. After the swearing in of the 110th U.S. Congress on Jan. 4, 2007, the House now is made up of 233 Democrats and 202 Republicans, while the Senate is split between 49 Democrats and 49 Republicans, with two Independents who plan to caucus with the Democrats, giving the Democrats a slight edge.
AREAS OF POTENTIAL FEDERAL LEGISLATIVE FOCUS
The abrupt switch in party leadership in both houses of the legislature has pundits predicting that the First Session of the new Congress will witness a swing to the political left, and the ripple effects could lead to a newfound focus on privacy rights. The new Democratically dominated political arena will likely be more receptive to privacy concerns, and privacy advocates, such as Sens. Dianne Feinstein, D-Calif., and Patrick Leahy, D-Vt., and U.S. Rep. Ed Markey, D-Mass., will be emboldened and empowered to push forward their mandates with a new sense of vigor. Leahy has been particularly critical of various acts of the current administration that he views as invasive to individual privacy rights, including wiretapping and compiling of databases regarding consumers. Leahy already has been publicly advocating changes in these measures. Significantly, Leahy was recently selected to oversee the Senate Judiciary Committee, which presides over the writing of laws on topics ranging from criminal justice and wiretapping to intellectual property. The Committee's first hearing last month centered on the administration's data mining efforts, which sent a clear message about Leahy's priorities.
Data Security Breaches
One area of particular interest to federal lawmakers is the issue of what organizations should be required to do in the event of a data security breach. As a result of the numerous highly publicized security breaches that occurred during 2006, the majority of states have already enacted legislation that compels entities to notify their residents in the event of certain types of data breaches. Most of these measures have been modeled after California's ground-breaking law. However, Congress was unable in 2006 to reach consensus on how to protect individuals from the effects of data security breaches.
With the beginning of the current congressional session, there already has been some movement on the issue in the Senate. On January 10th, Feinstein reintroduced a bill aimed at protecting individuals from identity theft by requiring federal agencies and businesses to notify consumers in the event of a data breach. The proposed measure, entitled the "Notification of Risk to Personal Data Act" (S. 239), had been introduced in the 109th Congress but was not passed. The measure, if passed, would preempt the numerous state security breach notification laws and provide for uniform federal protection in the event of a data security breach.
Collection and Use of Information by the Government
Leading Democratic Party members have called for a formal investigation into the myriad data mining activities that the government has undertaken - almost always under the guise of national security - in the past few years. While much of the concern about these issues has centered on the government's use of new technology, such as retinal scans and tracking systems, the concerns very recently shifted to familiar territory after President Bush, in a signing statement on a Postal Service reform bill, claimed the right to open domestic mail in exigent circumstances, such as for national security reasons. A bipartisan group of senators is seeking a resolution reaffirming that the privacy of the U.S. mail will be protected.
Regulation of Data Brokers
Data brokers also may be the subject of much focus in 2007. After the ChoicePoint breach in early 2006, the recently departed Congress took a long look at data brokers last year but was unable to push any of the proposed measures through to passage. For his part, Leahy has spoken out on the issue, asserting that the increasing proliferation of data brokers and the burgeoning market for collecting and selling personal information is a particularly troublesome topic. In the opening days of 2007, Leahy has assured privacy advocates that he will push again for legislation that establishes stronger penalties designed to deter identity theft and requires companies to notify individuals when their information has been compromised.
Social Networking Sites
It is also expected that social networking sites will garner some attention in 2007. In early December 2006, Sens. Charles E. Schumer, D-N.Y., and John McCain, R-Ariz., issued a joint press release to announce that they planned to introduce a bill that would require registered sex offenders to submit their active email addresses to local law enforcement organizations. It is anticipated that such a measure would help to protect users, especially older children and teens, of social networking sites like the popular MySpace.com from registered sex offenders. The legislation would enable these social networking sites to cross-check new members against a database of registered sex offenders and block predators from signing up for the service. Under the proposed measure, registered sex offenders would be required to provide an email address to their probation or parole officers and keep such officers apprised of any changes to such email address. Any sex offender submitting a fraudulent email address in an attempt to circumvent the law would face criminal penalties, including possible imprisonment, and any offender caught using an unregistered email address would automatically be in violation of probation or parole terms and face a return to prison.
Use of Social Security Numbers
Legislative action is likely around protecting Social Security numbers (SSNs). Given the immensely valuable nature of SSNs and their status as a sought-after target in identity theft operations, much thought already has been given to this issue at the state level. The result of this deliberation has been a slew of differing requirements and considerable compliance challenges for companies operating in more than one state. A federal measure would guarantee a minimum level of protection for all individuals, regardless of their state of residence. In addition, if a federal measure passes that includes a preemption provision, it would provide businesses with a more harmonized and less complex framework with which they could more easily comply.
There already has been some activity in this area in the Senate. In early January, Feinstein introduced the "Social Security Number Misuse Prevention Act" (S. 238). The proposed measure, which is a reintroduction of a measure that failed to pass last term, would bar the sale or public display of an SSN without an individual's consent. The primary target of the proposed measure would be governmental agencies. The bill would prohibit federal, state and local government agencies from displaying SSNs on public records posted on the Internet or available to the public on CD-ROMs or other electronic media. It also would prohibit government agencies from printing SSNs on checks. While directed mainly at governmental authorities, the measure also would place limitations on the circumstances under which businesses can lawfully request SSNs from their customers.
The First Days of 2007 - Stay Tuned
Early indications suggest that privacy laws will be a hot topic in 2007. When the First Session of the 110th Congress began on Jan. 4, 12 privacy- and security-related bills were introduced on the first day. While it remains too soon to accurately predict what will occur with respect to privacy rights in 2007, the recent political shift has given privacy advocates reason to believe that significant changes are in the works.
The authors are attorneys with Goodwin Procter LLP in New York. They may be reached for comment at