The latest version of the Cyber Intelligence Sharing and Protection Act was adopted by the House Intelligence committee and now moves to the House floor for a vote.
Ironically, the House Intelligence committee discussed and voted on CISPA – a
bill that could significantly diminish citizen privacy protections – in
private.
What’s more interesting are the privacy protection amendments that were left out of the recently adopted bill. Two of the left-out amendments touch on issues we’ve seen in
other privacy laws: liability for private entities that use information to discriminate and obligating particular entities to de-identify certain data.
I find it interesting that these two safeguards were
overwhelmingly defeated. As a bill that is already contentious for its
potential to undermine the current privacy law framework regarding personal
information in cyberspace, I would think basic protections against unnecessary
identification and unauthorized discrimination would be appropriate to include.
Additionally, in considering other laws like the Fair Credit Reporting Act and
Genetic Information Nondiscrimination Act where similar discrimination and
identification concerns are addressed, it would seem that these familiar
safeguards would be welcomed. Interesting arguments have also been made about
how personally identifiable information would not even aid the purpose of CISPA.
Also, it seems quite clear that any information obtained through CISPA’s
information sharing regime would be inappropriate to use for anything beyond
threat identification. That said, not including a robust non-discrimination provision
seems insufficient.
The reluctance toward including these two amendments likely
stems from the burden of compliance and the difficulty of enforcement.
De-identifying data would no doubt be costly and burdensome. Non-discrimination violations are
difficult to establish because the burden of proof inevitably lies with the
aggrieved individual trying to establish how the alleged wrong stemmed from
unauthorized access/use. Despite these reasonable justifications for excluding
such provisions, I would think CISPA needed some extra juice so as not to
suffer the same defeat in the Senate that it did last year. No doubt Pres. Obama’s executive order addressing cyber security will also influence how the legislature deals with
CISPA.
The next few months seem likely to provide some interesting developments
regarding the government’s access to personal information that is communicated
to private entities.
No comments:
Post a Comment