Talks to create the US’s first national data privacy law have ground to a halt, according to those close to the process, as senators argue over how strict the bill should be.
People briefed on the talks have told the Financial Times the handful of senators drafting what could become the US version of the EU’s General Data Protection Regulation are struggling to agree on key terms of the bill.
The technology industry is keen for a bill to be passed before the end of the year, when a separate data privacy act comes into force in California. Companies have warned that it will be difficult to comply with some of the stronger elements of the California act, and had been hoping Congress would pass a bill to override it before it becomes law on January 1.
But following months of talks among members of the Senate Commerce Committee, the draft bill is still yet to be published. Those close to the process had hoped to release it several months ago, but say the negotiations between Republicans and Democrats have now all but stalled.
One Democrat adviser said: “If the industry simply wants a bill that is going to water down California, they haven’t got a hope. There is no way the Democrats will agree to anything like that.”
The person added: “Talks are at a standstill now. I wouldn’t be surprised if we don’t manage to come up with a draft at all.”
A national data privacy bill would be a landmark step in technology regulation in the US, forcing companies for the first time to allow customers to access their data and potentially to stop them collecting or selling it on.
Many analysts have given the bill a better chance than most of passing, given that both Democratic and Republican politicians have voiced concerns about the behaviour of large technology companies, especially in the wake of the Cambridge Analytica controversy.
In the absence of a federal law, the industry faces the spectre of tough provisions in California becoming a de facto national standard, so tech companies have also been pushing hard for progress on Capitol Hill.
The Internet Association, which represents companies including Facebook and Google, said: “This is a unique moment when all stakeholders share the goal of providing consumers with more rights and control over the data they share. Congress has a real, bipartisan opportunity to pass legislation that provides meaningful protections for consumers and strengthens responsibilities for companies.”
However, according to those briefed on the talks, they have hit an impasse in particular over the issue of whether individual citizens should have the right to sue companies for data breaches.
The so-called private right of action is enshrined in the California act, but companies and some Republicans are keen to make sure it is not replicated in a national bill.
One technology industry lobbyist said: “A private right of action simply encourages people to sue, rather than making sure there is proper enforcement of any new rules. It would make more sense to have a well-funded regulator who was empowered to enforce the new rules.”
Senators are still hoping they will be ready to publish a draft bill before they break for summer, but advisers admitted that the odds are lengthening. “We are running out of time if we want to get this all passed by the end of the end year,” said one.
Get alerts on Technology regulation when a new story is published
