One strange story to emerge as part of the recent midterm elections was Intel’s release of a piece of federal legislation. This story got somewhat buried amid all the talk of migrant caravans, healthcare reform and the Democrats gaining control of the house. However, it is worth reflecting on why, exactly, a company devoted to making microchips feels it necessary to weigh in on a political debate.
Intel’s document, to be precise, is a ‘draft’ Federal Privacy Bill, proposing a number of principles for information management that can be applied to tech companies across the US and outlining mechanisms for the enforcement of them. It is intended, Intel has stated, to spark debate about what such a bill could contain.
On the surface, the release of the draft seems very strange. Federal bills are not typically drafted by private companies, after all. Then there is the fact that Intel’s primary business is manufacturing chips, and as such, the company doesn’t actually collect much customer data itself. Why, then, is a company that’s unlikely to be affected by a federal privacy bill releasing ideas as to what could be in it?
Explaining the decision to release the draft bill requires looking at the broader context of privacy in US law and society and at the companies that Intel does most of its business with.
At the broadest level, it is worth noting that in recent years privacy has been a growing concern for many consumers. Even five years ago, technologies such as encryption, TOR browsers and VPN services were regarded as niche, subject to vulnerabilities like zero-day exploits. Now, even a quick Google search for privacy protection solutions will return thousands of websites and service providers, offering a wide range of tools both commercial and open source.
These concerns have also been stoked by a number of high-profile data breaches in recent years, affecting everyone from Facebook to Google to Amazon. In some cases, tech CEOs have been brought before Congress to answer questions on the protections they have in place, though the basic level of this questioning has raised concerns that Congress does not understand the companies and technologies it is charged with regulating.
These factors mean that passing a Federal Privacy Bill is widely seen as an easy win in Washington: if the tech companies cannot regulate themselves, it is felt, then it is up to the federal government to do so. By passing such a bill, in addition, US lawmakers can be seen to be protecting the little guy – ordinary consumers – against abuse and manipulation by corporate giants.
For this reason, the idea (at least) of a Federal Privacy Bill has gained widespread support in Washington and is one of the few pieces of currently proposed legislation that has genuine bipartisan support. Cynics have noted that it is easy for representatives to agree on an issue that they do not properly understand. However, the fact remains that the passing of a Federal-level Privacy Bill will likely be one of the priorities of the upcoming legislative session, and (as noted by Wired) this is made even more likely by the fact that the Democrats now control the House.
More imminently, Intel’s release of the draft comes at a time when many tech companies are concerned that privacy legislation could affect their profitability. A stringent privacy law, the GDPR, has recently been introduced in Europe, and several US states have passed, or are looking to pass, privacy legislation in the coming years. Of particular concern to tech companies are laws in the state that many of them are based in — California, where a particularly strict (by US standards) privacy law is due to come into force in 2020.
What is in the Draft Federal Privacy Bill?
All these factors mean that a long (and possibly bitter) argument about what a federal-level law should look like is about the begin. Intel, in releasing a proposal first, is clearly hoping to get ahead of the curve because although they are unlikely to be affected directly by such a bill, their biggest customers will be. The release of the draft also follows similar interventions by other tech giants: though Apple and Amazon have told Congress that they would welcome a federal privacy bill, the content of such a bill remains to be discussed.
The proposal is somewhat strange. In some ways, it acknowledges the importance that consumers have now bestowed upon data privacy, proposing that executives be held personally responsible for lying about data privacy compliance, for example. In other ways, the draft is significantly weaker than both the GDPR and even existing state-level law. It does not require companies to inform customers about data leaks, where both the GDPR and state-level laws require this within 45 days, 30 days or (for the GDPR) 72 hours. Intel’s draft also provides a “safe harbor” scheme for companies, enabling them to avoid any civil actions that result from a data breach, at least in the first instance.
Whether Intel’s proposal will make any difference to the eventual Federal Privacy Bill remains to be seen, but clearly they hope that by getting the first word in they may help to shape it. The draft, therefore, is perhaps best seen as an industry ‘wish-list’, containing a set of mechanisms that tech companies are willing to abide by.
Whatever happens, however, it will be worth following the bill through the political process because it is likely to have global ramifications for data privacy in at least two ways. On a basic level, many of the companies which will be regulated through such a bill are based in the US, and so a US bill will affect the way that they interact with customers worldwide. More generally, whatever form the eventual bill takes is likely to be emulated by countries outside the US, who will look to it as a model for protecting the data of their own citizens.
About the Author: Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.