Please consider supporting us by disabling your content blocker.
loader

This analysis is in response to breaking news and subject to change. Please reach out to [email protected] to speak with the author.

The House of Representatives has received most of the attention around data privacy this Congress, especially regarding a federal privacy law, but a July 11th Senate Commerce hearing provided insight into where the other chamber stands. While many senators expressed broad support for the American Privacy Rights Act (APRA), ranking member Sen. Ted Cruz (R-Tex.) notably does not support it.

The hearing delved into how the rise of artificial intelligence (AI) heightens the need for federal data privacy laws to protect individuals and guide businesses in AI development and use. The committee’s chair, Sen. Maria Cantwell (D-Wash.), is a key contributor to the APRA. Several themes emerged during the hearing: the significance of data minimization for AI, ensuring small businesses can innovate in the AI space, the need for data security guardrails, and the national security implications of not having a federal privacy law.

AI needs a federal data privacy and security law

The pressing need for federal data privacy and security laws in the context of AI cannot be overstated. Four main areas of concern must be considered: privacy, security, mis/disinformation, and bias. However, it is essential that a federal privacy law remains focused on substantive data privacy provisions and avoids bloating it with provisions about emerging technologies like AI. For example, APRA originally contained sections that prohibited the collection and use of data in a manner that discriminates against individuals, required impact assessments for covered algorithms, and instituted algorithm design evaluations. However, these provisions were removed entirely in APRA’s updated version as it aimed to be more privacy-centric legislation.

Data minimization

Large language models (LLMs) rely on massive amounts of data and can derive sensitive insights about consumers and businesses. There are concerns about AI’s ability to infer sensitive information from data, which could cause societal harm. Many witnesses conveyed that one benefit a federal data privacy law would bring is a data minimization standard. Calo stated data minimization rules could help address AI’s insatiable appetite for data. Kak emphasized the benefits of data minimization because “data never collected is data that is never at risk.” However, it is important not to limit valid use cases outright from AI systems, like sensitive data. There are important cases in which sensitive data and AI systems are used in medical research or for safety reasons. For example, while people might agree that children’s data should receive heightened protection, taking a nuanced approach is essential. What if an autonomous vehicle company trains its AI systems to detect humans in the roadway? We should allow them to use adults’ and children’s images or videos to ensure autonomous vehicles can adequately detect all humans.

Small business

Many members and witnesses mentioned the importance of small businesses in the AI technology space. Reed explained that APRA exempting small businesses from its requirements might not be the correct approach because small businesses would not benefit from APRA’s preemption and instead expose them to the growing complex patchwork of state privacy laws. While large companies might have the resources to navigate these complex laws, small businesses do not. Reed also highlighted that small businesses rely on the LLMs created by large AI companies, so disrupting LLM innovation would also negatively affect small businesses.

Data security

Data privacy and security are intricately linked. The APRA included data security requirements that businesses would have to comply with. There were also other provisions, like data minimization, that bolster data security. Technology also plays a role in data security. In his written testimony, Tiwari explained that “[w]hile legislation is essential, technical advances must work hand-in-hand with them to create a more safe and private future.” One of those advancements is developing and deploying privacy-enhancing technologies (PETs), which must play a key role in data security and privacy protection for consumers in general.

National security

R Street has extensively researched the intersection of data privacy and security, AI, and national security. The concerns about AI’s potential for consumer privacy abuse are valid, which is why R Street has championed the need for a federal data privacy and security law. However, as Sen. Eric Schmitt (R – Mo.) did, it is important to note that AI plays a large role in our national security and defense systems. Privacy legislation must not needlessly hinder innovation, especially as other nations seek to get ahead of us in the AI race.

As policymakers contemplate federal data privacy and security legislation, it is important to note that these protections are crucial not just for AI but apply to all technological developments. Thus, privacy law provisions should not be specific to any emerging technology, including AI. This approach allows for responsible innovation while ensuring privacy protection is applicable across the broad technological landscape.

Data Privacy.
Data Security.

We must establish a national data security and data privacy law to reduce data security and national security risks, promote global competitiveness, and provide all Americans with privacy protections.