GAO gives Congress go-ahead for a GDPR-like privacy legislation

An independent report authored by a US government auditing agency has recommended that Congress develop internet data privacy legislation to enhance consumer protections, similar to the EU's General Data Protection Regulation (GDPR).
The 56-page report was put together by the US Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress. Its reports are used for hearings and drafting legislation.
The House Energy and Commerce Committee, which requested the GAO report two years ago, has scheduled a hearing for February 26, during which it plans to discuss GAO's findings and the possibility of drafting the US' first federal-level internet privacy law.
If the committee's members were to follow GAO's conclusions, GDPR-like legislation should be coming to the US.
"Recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation," GAO officials said.
They recommended that the Federal Trade Commission (FTC) be put in charge of overseeing internet privacy enforcement.
The FTC has already been doing this, but its authority and enforcement abilities have been limited: it has intervened in only 101 internet privacy-related cases in its entire history, despite rampant abuse reported by users and media. The new law should give the FTC more teeth in hunting user privacy abusers, GAO argued.
Supporting its conclusions for a tough internet privacy law, GAO investigators cited the Facebook Cambridge Analytica scandal, but also its own previous reports about:
- The dangers to user privacy due to the lack of regulation and oversight in the ever-growing Internet of Things (IoT) sector where devices collect massive amounts of information without users' knowledge.
- Automakers collecting data from smart car owners.
- The lack of federal oversight over companies that collect and resell user information.
- The lack of protections for mobile users against secret data collection practices.
For its report, GAO analyzed the FTC's previous 101 user internet privacy investigations but also took into consideration feedback from the private sector, academia, advocacy groups, other government agencies, and nine former FTC and FCC top-ranking officials, including seven former commissioners.
"This detailed GAO report makes clear now is the time for comprehensive congressional action on privacy that should include ensuring any agency that oversees consumer privacy has the tools to protect consumers," said House Energy and Commerce Chairman Frank Pallone, Jr. (D-NJ), the official who requested the report in 2017.
"These recommendations and findings will be helpful as we look to develop privacy legislation in the coming months," he said.
The GAO report came just one day before news broke that the FTC is mulling a multi-billion dollar fine against Facebook for a series of privacy violations, including the Cambridge Analytica scandal named in the GAO report.
Last year, Apple CEO Tim Cook urged the US to copy the EU's user data privacy regulation, the GDPR. Also last year, Oregon Democratic Senator Ron Wyden introduced a bill that would jail company execs for lying or not reporting privacy violations.