Data Privacy Legislation Stalls in DC

Over the past few weeks, there has been a lot of activity related to the Congressional push to establish a national data privacy/data security standard that all industries would be required to meet.

As you know, GoWest credit unions have been long-term, consistent advocates for the establishment of a strong, national data security, data privacy, and consumer notification standard. That decade-long effort has influenced the leadership shown by Senate Transportation & Commerce Chair Senator Maria Cantwell (D-WA) and House Energy & Commerce Committee Chair Rep. Cathy McMorris Rodgers (R-WA-5) and their collective efforts to develop bipartisan legislation that would establish a nationwide standard and eliminate the current patchwork of data standards that differ from state to state.

As previously reported, the Chairs of the germane committees, Cantwell and McMorris Rodgers, have presented thoughtful draft legislation entitled the American Privacy Rights Act (APRA), which includes several of the components sought by credit unions. However, the legislation comes up short in establishing a truly single, national standard and may require industries with Gramm-Leach-Bliley (GLBA) data standards requirements, like credit unions, to now meet two data standards under APRA and GLBA. Additionally, it includes some components that need to be addressed before the bill could strike the right balance for the credit union movement.

For APRA to meet the goal of weaving together a truly comprehensive, national standard, several adjustments will likely need to be made, which include:

  • Clear preemption of current state data security and data privacy laws so that a single point of reference and reporting can be established at the federal level.
  • Adding an institutional-level GLBA exemption for financial institutions that are already subject to, and examined against, this national data security standard, while ensuring merchants and technology companies have an equal data security/data privacy standard that they must meet under APRA.
  • Establishing reasonable limitations or standards on any private right of action (PRA) or standing for individuals who are harmed by a breach, ransomware or denial of services currently included in the bill, while also providing financial institutions with legal standing if a merchant or external breach impacts members or the individual credit union, bank or other GLBA-regulated financial institution.
  • Ensuring federal and state-chartered credit unions are treated equally as it relates to the enforcement provisions, which are given to the Federal Trade Commission but do not appear to provide equal or differential treatment to the federal banking regulators.

Last Thursday, the House Energy and Commerce Committee was preparing to move forward with a full Committee markup of the APRA legislation, along with two other data privacy bills, before Chairwoman McMorris Rodgers canceled the hearing due to questions and pushback by House Leadership and Republican committee members. The main concern from Republicans centered around the expansive PRA components of the bill.

GoWest credit unions and the advocacy team value Rep. McMorris Rodgers’ continued support of credit unions, and we are supportive of her efforts to address this significant policy area in a timely manner. We are hopeful that the APRA draft will continue to evolve into a more balanced and comprehensive solution for data security and data privacy that will result in a focused and singular standard on this important issue; however, time is running short in the 118th Congress and hurdles continue to mount against this specific bill.

GoWest is in the process of finalizing comment letters to both committees with our specific concerns and solutions for making the legislation more workable for financial institutions. ACU has sent comment letters and will continue to collaborate with GoWest on advocacy to improve this legislation in hopes that a balanced bill can be finalized. We will continue working with the Chairs and staff of both germane committees and monitor any changes in the discussions around APRA or the data privacy/security landscape in Congress.

Please stay tuned to our Advocacy Blog for further updates and reach out to Ryan Fitzgerald if you have any specific feedback.





