WASHINGTON (Legal Newsline) - At least two experts who participated in a House Committee on Energy and Commerce subcommittee hearing Tuesday testified that the Private Right of Action (PRA) in proposed data privacy legislation could potentially do more harm than good.
“While it is true neither punitive nor statutory damages are permitted under the PRA, the availability of attorney’s fees could encourage the filing of borderline meritorious cases by specialized attorneys charging exorbitant hourly rates,” said John Miller, senior vice president of policy and general counsel of Information Technology Industry Council.
The hearing, Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security, was held before the Subcommittee on Consumer Protection and Commerce to discuss the American Data Privacy and Protection Act (ADPPA).
The proposed legislation would establish a national standard to protect consumer data privacy, impose obligations on covered entities, and allow for federal, state, and individual enforcement.
“Several key definitions in the discussion draft are broad and unclear, such as the key terms sensitive data, covered entity, and service provider,” Miller said. “The problem with these unclear terms will only be exacerbated by the availability of a PRA because lawsuits will inevitably be required to clarify which entities have what obligations under the law unless the definitions are substantially tightened.”
Although the ADPPA requires that plaintiffs provide 60 days’ notice to the Federal Trade Commission (FTC) or their state Attorneys General to allow them to take over a case, Miller argued that could lead to less meritorious cases being pursued by private litigants in court.
“The committee should consider other reasonable limits on a PRA in order to allow consumers the ability to enforce their rights without subjecting industry to broad class action liability in lawsuits where there is no demonstrable harm to consumers,” he added.
Other experts testifying were Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), David Brody, managing attorney of the Digital Justice Initiative Lawyers' Committee for Civil Rights Under Law, Bertram Lee, senior policy counsel in Data Decision Making at the Artificial Intelligence Future of Privacy Forum, Doug Kantor, general counsel with the National Association of Convenience Stores, Jolina Cuaresma, senior counsel for privacy and technology policy at Common Sense Media, Maureen Ohlhausen, partner at Baker Botts law firm, and Graham Dufault, senior director for public policy with ACT | The App Association.
“We urge negotiators to consider limiting the PRA to a subset of injury types,” Dufault said. “For example, instead of any injury giving rise to a PRA, it could be limited to substantial privacy harms resulting from a given violation, providing a more meaningful deterrent to lawsuits that impose disproportionate costs on small companies for relatively minor issues.”