The SAFE Data Act passed out of the House commerce, Manufacturing & Trade Subcommittee Wednesday after procedural wrangling and partisan divisiveness over an issue everyone agrees on: there need to be more uniform laws on data privacy protection and breach notification.
The big divide is over what personally identifiable information (PII) should trigger those heightened protections and how much authority the FTC should have to enforce them and expand on the PII category. There was also a difference of opinion on the difference between privacy and data protection issues.
Democrats argued that the FTC should get enhanced rulemaking authority and the ability to expand the PII definition, while Republicans wanted a narrower definition and did not want the FTC to have the freedom to add to that list.
The bill defines PII as name, address, or phone number if it is associated with a Social Security number, drivers license number, credit or debit card number or security codes.
Waxman points out that it does not cover a lot of the information that could be accessed. By excluding public records from PII, he said, the bill does not cover aggregators who put together that information and sell it. He said that when that information is combined with other information and sold, it should be subject to some regulation.
Various Democrats tried unsuccessfully to amend the bill to expand the definition to include personal e-mails or videos and photos stored on line, information about book and video rentals, information about over-the-counter drug information--like pregnancy tests--or geolocation info in phones pertaining to children.
Rep. G. K. Butterfield (D-NC) pointed out that the reason that Congress passed The Video Protection Privacy Act, which protects video rental records, was after the video rental records of failed Supreme Court nominee Robert Bork were made public.
If there is a breach of this information, said Waxman, people should be informed. He said the bill was full of loopholes and he could not support it.
He also took issue with a carve-out for service providers--subcommittee counsel called it a limited exemption--that would create an exemption for cable operators that exempts them from the data protection and notification requirements for transmission or transient storage of information.
Rep.Bobby Rush (D-Ill.) suggested that was a blanket exemption, while committee counsel said it was limited and would not necessarily cover everything they did, like long-term storage.
Democrats pointed out that unless the FTC gets broader rulemaking authority, any action it would take to boost data privacy protections could take a decade, which is the FTC's own handicap of how long it takes it to complete a rulemaking under its current authority.
Mary Bono Mack (R-Calif.), chairman of the committee, said that questions about protecting children and health information and other information were all important issues, but were off the topic of the bill, which was about data security rather than privacy. Rep. Charles Bass (R-N.H.) agreed that the discussion of those belonged in a "different venue."
Waxman said privacy was about what information can be gathered, while data security was about how to protect what information had already been relayed, which he suggested should include the expanded definition of PII, especially since the SAFE Act preempts state laws on the books, including possibly preempting a law in his state that classifies over the counter drug purchase information as sensitive.
Bono Mack said there should be a robust discussion of the Democrats' issues before the bill is voted on in the full Energy & Commerce Committee.