Privacy Advocates Expected To Engage in Cybersecurity Act Programs Implementation
New legislation that would repeal the Cybersecurity Act information sharing language included in the FY 2016 omnibus spending bill isn’t likely to gain much traction, but its introduction signals that critics of the Cybersecurity Act will continue pushing for further privacy and civil liberties protections as federal agencies begin writing new information sharing program rules, stakeholders said in interviews. Rep. Justin Amash, R-Mich., filed his repeal bill (HR-4350) Friday as expected (see 1512290044). Congress retained the Cybersecurity Act in the FY 2016 omnibus despite concerns from digital rights groups and privacy advocates that the legislation didn’t retain the same level of privacy and civil liberties protections included in earlier House and Senate legislation (see 1512160068).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Amash filed HR-4350 with co-sponsorship from five House members: House Judiciary Committee ranking member John Conyers, D-Mich., and Reps. Zoe Lofgren, D-Calif., Tom Massie, R-Ky., Ted Poe, R-Texas, and Jared Polis, D-Colo. Massie and Poe voted for the omnibus. Amash, Conyers, Lofgren and Polis voted against it. Eight House committees have jurisdiction over HR-4350, including House Judiciary, the House Intelligence Committee and the House Homeland Security Committee. House Intelligence and House Homeland Security leaders led development of information sharing legislation in that chamber.
Several industry lawyers and lobbyists gave HR-4350 long odds of gaining any traction in the House, particularly since the presidential election further compressed Congress’ legislative calendar for the year. “I think both the House and Senate have moved on” and aren’t interested in revisiting provisions in the omnibus, said former FCC Public Safety Bureau Chief Jamie Barnett, a Venable cybersecurity and telecom lawyer. “I wouldn’t be sad to see [the Cybersecurity Act] go, but I don’t think the support is there to go back and excise that particular piece of the omnibus,” said Ryan Hagemann, technology and civil liberties policy analyst at the libertarian think tank Niskanen Center. Fight for the Future Campaign Director Evan Greer was more optimistic about HR-4350’s chances, saying Amash “has surprised people before.” HR-4350’s filing shows Amash and other House members are recognizing “public sentiment” against the Cybersecurity Act, Greer said.
Fight for the Future is “going to be tracking [HR-4350] very closely” but is still examining how it will move forward on engaging with the government on implementing the Cybersecurity Act, Greer said. “We’ll also be looking to put pressure on companies” to publicly “make a corporate commitment to safeguard data,” he said. Hagemann and other stakeholders said they expect Fight for the Future and other Cybersecurity Act critics will engage with the Department of Homeland Security and other federal agencies as those agencies begin to flesh out the rules for information sharing programs set up by the Cybersecurity Act. “We’ll probably see privacy advocates continue to be involved every step of the way to ensure” that the need for enhanced privacy protections is emphasized throughout the implementation process, Hagemann said.
“I don’t think [enactment of the Cybersecurity Act] cuts off the debate at all,” Barnett said. “Privacy groups will likely submit studies and letters. They’ll probably get other coalitions to write in to push for strong privacy rules” as part of implementation. "I’d expect [the groups] will stay on point with the agencies and say they want clarity in terms of how” information collected through the new programs is being scrubbed of personally identifiable information and how it’s being circulated among other agencies, said Shane Tews, visiting fellow at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy. Some agencies may follow NTIA’s model of using multistakeholder processes to engage on privacy issues for information sharing, Tews said. Hagemann said he also anticipates many multistakeholder meetings associated with Cybersecurity Act implementation, though other meetings are likely to happen “in the back channels.”