Grading on a Curve: Privacy Legislation in the 116th COngress



The United States is now considering several bills to protect privacy. These bills are intended to address growing public concern about the absence of adequate legal protection in the United States for personal data. EPIC’s report Grading on a Curve reviews recent developments, identifies key characteristics of privacy laws, and assesses pending legislative proposals. The EPIC Report finds that all of the bills lack the basic elements of a comprehensive privacy law, such as a federal baseline for privacy protection, an opportunity for individuals to enforce their rights, and an independent data protection agency. However, Senator Ed Markey’s (D-MA) Privacy Bill of Rights Act, S. 1214, is comprehensive and responds directly to many of the current privacy threats Americans face. EPIC ranks the Privacy Bill of Rights Act as the #1 bill in Congress.

A survey of privacy legislation in the 116th Congress also reveals that many bills have been referred to the Senate Commerce Committee, but the Committee has yet to schedule a public hearing on any of the legislative proposals. The House Energy & Commerce Committee has also not yet scheduled hearings on legislative proposals. Congress will need to hold hearings, invite experts, and seek comments from the public before acting on these proposals.

Elements of a Privacy Law

The key elements for privacy legislation identified in EPIC's Report Grading on a Curve follow from commonly recognized national and international standards for data protection. For example, the OECD Privacy Guidelines of 1980 are widely viewed as a baseline standards for privacy rights and responsibilities and have been adopted in U.S. law and international agreements. More recently, the General Data Protection Regulation of the European Union has emerged as the most comprehensive approach to privacy protection in the modern age. The modernized Council of Europe Privacy Convention has also shaped the modern day understanding of the right to privacy.

  • Strong definition of personal data
  • Establishes an Independent Data Protection Agency
  • Individual Rights (right to access, control, delete)
  • Strong data controller obligations
  • Algorithmic transparency requirements
  • Data Minimization and Privacy Innovation Requirements
  • Prohibits take-it-or-leave-it or pay-for-privacy terms
  • Private right of action
  • Limits Government Access to Personal Data
  • Does Not Preempt Stronger State Laws
EPIC Report Card