The State of Play of Tech Legislation In U.S. Congress

The State of Play of Tech Legislation In U.S. Congress
Photo by Harold Mendoza on Unsplash

This is the week' edition of The Wavelength. Enjoy, and consider joining those who subscribe and receive all the content we produce.

Microwave

Halfway through this mid-term election year in the United States, it’s time to assess tech legislation pending before the Congress.

Shortwave

The closer the election looms, the more politics and posturing will complicate legislating even with broadly supported, bipartisan legislation like the bill to revamp U.S. policy towards the People’s Republic of China (PRC). As is common, the minority party appears poised to flip both the Senate and House, meaning their incentives to cooperate with Democrats will decrease slowly over the summer. Perhaps there will be a productive lame duck session as sometimes happens.

Longwave

There are a number of technology-related policy areas in which the Congress may pass significant legislation, including data privacy and data protection, antitrust and competition, research and development (R&D), regarding the PRC and domestic semiconductor production, government cybersecurity and information security, and others.

As recently featured in The Wavelength, Congress is now closer to passing data privacy/data protection legislation at any time in the recent past. The last time Congress was close on these issues was in 2009 when the “Data Accountability and Trust Act” (H.R.2221) passed the House by voice vote. Of course, much has happened since then, but three of the four top Members on these issues have coalesced around the “American Data Privacy and Protection Act” (ADPPA) (H.R. 8152). ADPPA has begun moving in the House, being changed along the way with even more changes likely to come as Members are still negotiating the language on the limited private right to sue and the preemption of state privacy laws. The draft had convoluted language on both, and talks are ongoing. And yet, this is not the biggest issue. Senate Commerce, Science, and Transportation Committee Chair Maria Cantwell (D-WA) has introduced at least on new draft of her “Consumer Online Privacy Rights Act“ (COPRA) (S.3195) first introduced in 2019 and subsequently revised lightly in 2021. It is unclear if Cantwell can reach agreement with House Energy and Commerce Committee Chair Frank Pallone (D-NJ), and Ranking Member Cathy McMorris Rodgers (R-WA) and her counterpart, Senator Roger Wicker (R-MS), on the Senate Commerce Committee. Nonetheless, it is likely that ADPPA keeps moving through the House, but what happens in the Senate is anyone’s guess at this point.

And there have been a raft of bills introduced lately that would address other aspects of data privacy and protection. For example, last month, Senators Ron Wyden (D-OR), Sheldon Whitehouse (D-RI), Cynthia Lummis, (R-WY), Marco Rubio (R-FL) and Bill Hagerty (R-TN) introducedthe “Protecting Americans’ Data from Foreign Surveillance Act” (S. 4495) that would “create new protections against Americans’ sensitive personal information being sold or transferred to high-risk foreign countries.” This bill would address data brokering that has national security imlications. There is also the “My Body, My Data Act” (S. 4434) introduced after the U.S. Supreme Court overturned Roe v. Wade, which the Democratic sponsors characterizedas “the first Congressional action to strengthen digital privacy and protect personal reproductive health information specifically.” They asserted the “bill would create a new national standard to protect personal reproductive health data, enforced by the Federal Trade Commission (FTC).”

On technology antitrust and competition issues, legislation seems stalled in the Senate. In January, the “American Innovation and Choice Online Act” (S. 2992), a bill that would penalize big online platforms for preferencing their products and services to the detriment of competitors, (see here for more detail and analysis on the bill as introduced) was amended and reported out of the Senate Judiciary Committee by a 16-6 vote. The committee next marked up the “Open App Markets Act” (S. 2710), (see here for more detail and analysis) in February. Companies covered by the bill would be prohibited from requiring companies using their app stores to also use the former’s in-app payment system, demanding that companies offering apps give them more favorable terms than other app stores, or taking action to impose less favorable conditions if an app developer offers its app on a different platform under better terms.

However, tech industry lobbyists and stakeholders have pulled out all conceivable stops and some no one thought were coming to halt both bills. Their message to lawmakers, Congressional staff, and the public is that should either of these bills pass, the era of U.S. technological dominance and innovation will end (E.g. like this or this.) There have also been reports that some Senate Democrats have cold feet regarding these bills, and Senator Amy Klobuchar (D-MN) has floated an altered version of S.2992 to allay the concerns of some Members.

But it bears some emphasis that should either bill make it through the Senate, it would face what may be an uphill battle in the House given the size and opposition of the California delegation to legislation targeting the largest companies in their state. The same may prove to be true of some Washington Members given Microsoft and Amazon’s presences there.

Another bipartisan bill lurking in the background would address Google and Facebook’s domination of the online advertising markets. Senators Mike Lee (R-UT), Amy Klobuchar (D-MN), Ted Cruz (R-TX), and Richard Blumenthal (D-CT) introduced the “Competition and Transparency in Digital Advertising Act” (S.4258), a bill that “would restore and protect competition in digital advertising by eliminating conflicts of interest that have allowed the leading platforms in the market to manipulate ad auctions and impose monopoly rents on a broad swath of the American economy” according to their press release.

Turning to U.S. competitiveness with the PRC, legislation that seemed destined for easy passage has gotten held up. Even though a rare conference committee was convened, the impetus to combine the two competition bills has dissipated. The “United States Innovation and Competition Act of 2021” (S.1260) (see here and herefor more detail and analysis) and the “America Creating Opportunities for Manufacturing, Pre-Eminence in Technology and Economic Strength Act of 2022” (aka the America COMPETES Act of 2022) (H.R.4521) (see here, here, and herefor more detail and analysis) would both revamp and increase funding for a range of technology programs in order to address what is seen in Washington as the growing threat the PRC poses to U.S. dominance. Negotiations have been ongoing, and the White House has been eager for the Congress to pass a bill.

And yet, in the last week, Senate Minority Leader Mitch McConnell (R-KY) said that S.1260/H.R.4521 will die if the Democrats proceed with using reconciliation to try to revive parts of the “Build Back Better Act.” In a tweet, McConnell stated: “Let me be perfectly clear: there will be no bipartisan USICA as long as Democrats are pursuing a partisan reconciliation bill.” Thus, Democrats may be faced with a choice as to which bill they would prefer to pass. In any event, McConnell’s threat is likely not helping Members reach a deal on the bill.

All this being said, I have heard there may be a deal on S.1260/H.R.4521 unveiled as soon as next week.

In any event, the impetus for legislation is succinctly explained in the U.S.-China Economic and Security Review Commission’s recent annual report to Congress:

In China’s most recent industrial policy wave, set by the 2016 Innovation-Driven Development Strategy, which includes the Made in China 2025 plan, policymakers have promoted the development of China’s digital ecosystem and accompanying regulatory architecture. The CCP believes China faces a rare historic opportunity to establish control over a cluster of revolutionary, networked technologies, including high-speed internet, sensors, telecommunications, artificial intelligence, robotics, and smart city infrastructure. Doing so could allow Beijing to leapfrog the United States and other powerful competitors and lead in the next generation of global innovation.

Both bills would appropriate over $50 billion over five years for the “Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Fund Act” included in the FY 2021 National Defense Authorization Act (P.L. 116-283), a measure designed to create incentives and provide assistance to revitalize the U.S. semiconductor industry. According to a recent U.S. Department of Commerce press release, “TSMC, Intel and Global Foundries all issued public warnings that continuing to delay chipmaking incentives could cause them to scale back their plans to make semiconductors in the U.S.” The agency continued “[t]heir announcements come days after GlobalWafers announced a CHIPS Act-dependent multi-billion investment that will fill a hole in the U.S. chip manufacturing supply chain.” And if there were any question of how badly Commerce wants this bill passed, the first thing a visitor to their website sees is:

The other major realm in which Congress may legislate pertains to the U.S. government’s cybersecurity and information security. In early March 2022, the Senate passed by unanimous consent the “Strengthening American Cybersecurity Act of 2022” (S.3600) that combines revised versions of the Senate’s Federal Information Security Modernization Act (FISMA) reform, cyber incident reform legislation, and a codification of the Federal Risk and Authorization Management Program (FedRAMP). Of course, “The Cyber Incident Reporting for Critical Infrastructure Act of 2022” was pulled out of S.3600 and tacked onto the FY 2022 omnibus appropriations bill (see here for more detail and analysis.) Consequently, there is much less urgency to move the Senate’s package.

Having said that, Senate and House stakeholders may reach a deal on both FISMA reform and FedRAMP codification. The House’s bill, the “Federal Information Security Modernization Act of 2022” (H.R.6497) is very similar to the Senate’s FISMA revamp. Additionally, the “FedRAMP Authorization Act” (H.R.21) was one of the first bills the House sent the Senate at the beginning of the current Congress. The issues bigger than agreement on language will be floor time and political will given the above higher priority, higher profile legislation. And it bears note that it is not unprecedented for U.S. government cybersecurity legislation to get added to must pass legislation as was the case about a decade ago when the “Federal Information Technology Acquisition Reform Act” was added to a National Defense Authorization Act. Perhaps the same could happen with these bills.

And, then there are the seeming multitude of more targeted bills that stand a chance at enactment like the recently signed “Better Cybercrime Metrics Act” (P.L. 117-116), “State and Local Government Cybersecurity Act of 2021” (P.L. 117-150), and the “Federal Rotational Cyber Workforce Program Act of 2021” (P.L. 117-149). Accordingly, these bills have been passed by one chamber of Congress, among others:

“Cybersecurity Grants for Schools Act of 2022” (H.R.6868)

“DHS Roles and Responsibilities in Cyber Space Act” (H.R.5658)

“American Cybersecurity Literacy Act” (H.R.4055)

“Secure Equipment Act of 2021” (H.R.3919)

“Understanding Cybersecurity of Mobile Networks Act” (H.R.2685)

“National Cybersecurity Preparedness Consortium Act of 2021” (S.658)

“Promoting Digital Privacy Technologies Act” (H.R.847)

Finally, there are FY 2023 appropriations. The House Appropriations Committee has completed work on all 12 FY 2023 Appropriations Acts, and these bills are now poised to come to the House floor. Nonetheless, even if the House passes all 12 bills before the August recess, it will not change the odds of a long-term continuing resolution (CR) to run through early next year. In the first place, the Senate is unlikely to pass a single bill given the filibuster and the incentives for the Republicans to stall these bills. Secondly, in years with mid-term elections Congress has usually passed a few month long CR in September to fund the government until the inevitable lame duck season. And should one, if not both of the chambers, flip, then another CR is often passed so the soon to be majority party can pass appropriations of their liking. With Republicans poised to take control of both houses of Congress if current polling trends hold steady, it is likely FY 2023 appropriations do not get enacted until late next winter.

That being said, House Democrats are set down their markers on funding levels they would like. The FY 2023 Financial Services and General Government funding package provides $490 million for the FTC, $113.470 million more than the FY 2022 enacted funding. In the committee report, the committee listed as the first reason for the increase in funding that it “is highly concerned by increasing instances of fraudulent or deceptive data collection practices and other violations of consumer protection laws, as well as by increasing con- centration in technology and other markets.” The committee also directed the FTC to address the right to repair, online misinformation, children’s online privacy, health information privacy, and online hate.

The Federal Communications Commission (FCC) would receive a bit more than $390 million with “a cap of $132,231,000 for the administration of spectrum auctions.” This level of funding is $8 million more than FY 2022. The committee listed Broadband Maps as its first concern and directed the agency “to provide an updated spend plan and status report on Broadband Data Act spending no later than 60 days after enactment of this Act, including an updated timeline for release of the broadband maps required by the Act.”

The FY 2023 Homeland Security Appropriations Act, “includes $2.93 billion for the Cybersecurity and Infrastructure and Security Agency (CISA), an increase of $334.1million above the FY 2022 enacted level and $417.1 million above the request, including increases above the request of:

§  $ 235.4 million for cybersecurity.

§  $46.1 million for infrastructure security.”

The FY 2023 Agriculture-Rural Development-FDA Appropriations Act “invests over $560 million for the expansion of broadband service [via Department of Agriculture programs] to provide economic development opportunities and improved education and healthcare services” including “$450 million for the ReConnect program.”

Other Developments

The United States (U.S.) Consumer Financial Protection Bureau (CFPB) issued “a legal interpretation to ensure that companies that use and share credit reports and background reports have a permissible purpose under the Fair Credit Reporting Act…[and] makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy.”

The United Kingdom’s Competition and Markets Authority (CMA) announced that it “is investigating the anticipated acquisition by Microsoft Corporation of Activision Blizzard, Inc.” and also announced it “is investigating Amazon’s conduct in relation to the way that non-public third-party seller data may be used within Amazon’s retail business, how Amazon sets criteria for selecting which product offer is placed within the ‘Buy Box’ and which sellers can list products under Amazon’s ‘Prime label’ on its Marketplace in the UK.”

In three right to repair actions, the United States (U.S.) Federal Trade Commission announced “proposed settlements with grill maker Weber-Stephen Products LLC, motorcycle manufacturer Harley-Davidson Motor Company Group, LLC, and MWE Investments, LLC, which manufactures Westinghouse outdoor power equipment, alleging they violated the Magnuson-Moss Warranty Act and the FTC Act by including warranty provisions that unlawfully conveyed that their warranties would be voided if a customer used third-party parts or, in the case of Harley-Davidson and Westinghouse, independent repairers.”

In remarks with the United Kingdom’s (UK) MI5 Director General Ken McCallum, United States (U.S.) Federal Bureau of Investigation Director Christopher Wray stated that “[w]e consistently see that it’s the Chinese government that poses the biggest long-term threat to our economic and national security, and by “our,” I mean both of our nations, along with our allies in Europe and elsewhere.”

According to their press release, the European Union Parliament and Council “negotiators reached a provisional deal on a new bill aiming to ensure that crypto transfers can always be traced and suspicious transactions blocked.”

Seven Republican United States (U.S.) Senators received a reply from TikTok to their late June letter prompted by a mid-June BuzzFeed article about engineers in the People’s Republic of China accessing TikTok user data. TikTok claimed the BuzzFeed article “contains allegations and insinuations that are incorrect and not supported by facts.”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury (Treasury) released “a joint Cybersecurity Advisory (CSA) that provides information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations” that “provides technical details and indicators of compromise (IOC) observed during multiple FBI incident response activities over a period of more than a year and obtained from industry analysis” per their press statement.

Senate Intelligence Committee Chair Mark Warner (D-VA) and Ranking Member Marco Rubio (R-FL) “urged the Federal Trade Commission (FTC) to formally investigate TikTok and its parent company, ByteDance” in a letter to FTC Chair Lina Khan.

Four United States (U.S.) industry groups wrote U.S. Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra, asserting that “examination manual ”update” and announcement on March 16, 2022 that it would begin examining financial institutions for alleged discriminatory conduct that it deems to be “unfair” under its “unfair, deceptive, and abusive acts or practices” (UDAAP) authority” “and conclude[d] that it is contrary to law and is subject to legal challenge and Congressional action under the Congressional Review Act.”

The United States (U.S.) Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued new guidance “to help protect patients seeking reproductive health care, as well as their providers” “[o]n the heels of the Supreme Court ruling in Dobbs vs. Jackson Women’s Health Organization, where the right to safe and legal abortion was taken away.”

The United States (U.S.) Department of Defense (DOD) said it “is aware of the recent disinformation campaign, first reported by Mandiant, against Lynas Rare Earth Ltd., a rare earth element firm seeking to establish production capacity in the United States and partner nations, as well as other rare earth mining companies.” The DOD stated it “has engaged the relevant interagency stakeholders and partner nations to assist in reviewing the matter.”

The United Kingdom’s Department for Digital, Culture, Media & Sport (DCMS) published the government’s response to its consultation regarding a rewrite of the “Data Protection Act 2018” in light of the UK’s exit from the European Union and the inapplicability of the General Data Protection Regulation going forward.

The United States (U.S.) National Institute of Standards and Technology (NIST) published for comment the “initial public draft of NIST IR 8323r1, Foundational PNT Profile: Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and Timing (PNT) Services” per Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services.

The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) announced “the establishment of a Post-Quantum Cryptography Initiative to unify and drive agency efforts to address threats posed by quantum computing.”

The European Union Agency for Cybersecurity (ENISA) unveiled a “cybersecurity threat landscape methodology” that “aims at promoting consistent and transparent threat intelligence sharing across the European Union.”

Tweet of the Day

Further Reading

Europe faces Facebook blackout” By Vincent Manancourt — Politico EU

Marriott confirms latest data breach, possibly exposing information on hotel guests, employees” By AJ Vicens — Cyberscoop

Racist videos about Africans fuel a multimillion-dollar Chinese industry” By Viola Zhou — Rest of the World

Parents Sue TikTok, Saying Children Died After Viewing ‘Blackout Challenge’” By Michael Levenson and April Rubin — New York Times

Twitter sues India’s government over its control of online speech” By Mathew Ingram — Columbia Journalism Review

Leaked Videos Show Disney Is the Biggest Ad Tech Giant You've Never Heard Of” By Joseph Cox — Vice

Society wants you to feel ashamed of yourself” By Allison Arieff — MIT Technology Review

Cybersecurity experts question Microsoft's Ukraine report” By Suzanne Smalley — Cyberscoop

FBI and MI5 leaders give unprecedented joint warning on Chinese spying” — The Guardian

Marriott suffers at least its seventh data breach since 2010” By Kris Holt — Engadget

The next frontier for drones: Letting them fly out of sight” By Matt O'Brien and Nathan Ellgren — Associated Press

Smaller Companies Are Urged to Adopt Multifactor Authentication” By James Rundle — Wall Street Journal

Online Safety Bill amendment targets state-backed disinformation” By Martyn Landi — Evening Standard

Apple to add ‘lockdown’ safeguard on iPhones, iPads, Macs” — Associated Press

Coming Events

§ 12 July

o   The European Data Protection Board will hold a plenary meeting.

§ 14 July

o   The United States (U.S.) Senate Banking, Housing, and Urban Affairs Committee will hold a hearing titled “Advancing National Security and Foreign Policy Through Export Controls: Oversight of the Bureau of Industry and Security.”

o   The United States (U.S.) Senate Homeland Security & Governmental Affairs Committee will hold a hearing titled “Protecting the Homeland from Unmanned Aircraft Systems.”

§ 19 October

o   The United States (U.S.) Federal Trade Commission (FTC) will hold a virtual event “to examine how best to protect children from a growing array of manipulative marketing practices that make it difficult or impossible for children to distinguish ads from entertainment in digital media.”

§ 1 November

o   The United States (U.S.) Federal Trade Commission (FTC) will hold PrivacyCon.