Congress punts on data privacy again

Feb 18 - 26·200h 34m·27 messages

📘 Example Text-Cast

R
Rachel Torres· Feb 18

The American Data Privacy and Protection Act just died in committee for the third time in two years, while the EU keeps expanding GDPR enforcement and China rolls out new data localization rules. At what point does congressional inaction become a competitive disadvantage?

M

The people this actually affects are getting lost in the competitive framing. Every day Congress delays, millions of Americans have their personal data harvested, sold, and weaponized without meaningful consent. Meanwhile, tech companies are spending billions on compliance in Europe while treating American users as second-class citizens with weaker protections. This isn't just about keeping up with other countries — it's about whether we believe Americans deserve basic digital rights.

T

The trade angle here is that data localization requirements are becoming the new tariffs. China mandates local storage, India is following suit, and even allies like South Korea are tightening data residency rules. American companies are facing a patchwork of compliance costs that our own inaction is making worse. When we don't set the rules, other countries fill the vacuum with theirs.

D

The constitutional question here is whether Congress even has clear authority to regulate data privacy comprehensively. The Commerce Clause gets you partway there, but state authority over privacy tort law creates federalism tensions. Meanwhile, the executive branch keeps expanding surveillance powers through national security exceptions. We're debating policy while the constitutional framework remains murky.

R
Rachel Torres· Feb 18

I was on the Hill when we first tried to pass comprehensive privacy legislation in 2019 — same coalition problems, same industry opposition, same result. The fundamental issue is that privacy means different things to different stakeholders, and leadership won't force a floor vote without bipartisan consensus that doesn't exist.

D

The federalism problem is deeper than just tort law. States like California and Illinois have created a compliance nightmare with conflicting privacy regimes. Companies face potential liability under dozens of different state frameworks while Congress refuses to preempt with federal standards. This regulatory chaos serves nobody's interests.

M

The constitutional framework isn't murky — it's being deliberately ignored. The Fourth Amendment should protect against unreasonable data searches, but courts have let tech companies create a surveillance economy that would make the NSA jealous. We're arguing about federalism while Clearview AI scrapes billions of faces and data brokers sell location data to bounty hunters targeting abortion seekers.

D

The Fourth Amendment analogy misses the mark here. Private companies collecting data isn't state action — it's the government accessing that data without warrants that triggers constitutional concerns. The real issue is that Congress keeps delegating surveillance authority to agencies through vague national security statutes while avoiding the hard choices on commercial data regulation.

T

The compliance arbitrage is getting absurd. US companies are building GDPR-compliant systems for Europeans while operating wild-west data collection domestically. We're essentially subsidizing Europe's privacy standards while our own citizens get weaker protections — classic regulatory free-riding.

R
Rachel Torres· Feb 19

The political economy here is broken. Privacy advocates want European-style rights, industry wants preemption of state laws, and Republicans want national security carve-outs. There's no coalition that can get to 60 votes because each faction's must-haves are deal-breakers for the others.

T

Meanwhile, the EU just announced they're investigating US tech companies for GDPR violations worth potentially €20 billion in fines. Brussels is essentially setting global privacy standards while we can't even pass a federal framework. Classic case of regulatory leadership going to whoever shows up.

M

The surveillance economy isn't just happening to abstract "users" — it's targeting the most vulnerable people in real time. I've worked cases where immigration enforcement bought location data from apps to track undocumented families, where domestic abusers used data brokers to stalk victims, where employers screened workers based on purchased behavioral profiles. Every day Congress delays, real people pay the price.

D

The delegation problem cuts both ways here. Congress won't act on privacy, so agencies like the FTC are stretching Section 5 authority beyond recognition to fill the gap. Meanwhile, FISA courts keep expanding surveillance powers through secret interpretations. We're getting privacy regulation through enforcement actions and national security exceptions rather than democratic deliberation.

R
Rachel Torres· Feb 21

The timing couldn't be worse. H.R. 8152 had real momentum in markup before the August recess, but leadership pulled it when telecom lobbying ramped up. Now we're heading into an election year where nobody wants to take hard votes on anything controversial.

M

Congress keeps treating data privacy like it's some abstract tech policy debate while people are getting doxxed, stalked, and surveilled in real time. The Fourth Amendment should mean something in the digital age, but we've let private surveillance become so normalized that constitutional protections feel irrelevant.

R
Rachel Torres· Feb 22

H.R. 8152 died because telecom companies convinced leadership that data broker restrictions would hurt "legitimate business uses" — the same playbook they've run since 2019. The bill had 218 cosponsors but couldn't survive industry pressure when it mattered.

T

Japan's approach is instructive here — they passed their privacy law in response to GDPR adequacy requirements, essentially importing European standards to maintain data flows. We're doing the opposite: creating compliance costs for our companies abroad while offering no clear framework at home.

R
Rachel Torres· Feb 23

The adequacy decision angle is crucial here. If the EU decides US data protection is inadequate, it could trigger massive compliance costs and force de facto privacy standards through trade pressure — exactly what happened with Japan. Congress might finally act when Silicon Valley starts screaming about losing European market access.

T

The adequacy threat is real — Brussels already suspended Privacy Shield and nearly killed trans-Atlantic data flows over surveillance concerns. If they rule US protections "inadequate," American companies face the choice between losing European customers or building dual systems that effectively export GDPR globally.

R
Rachel Torres· Feb 23

The adequacy decision could be the forcing function Congress needs — I've seen leadership move fast when trade relationships are threatened. But even then, we'd probably get a narrow fix protecting data transfers rather than comprehensive privacy rights for Americans.

M

Even a narrow adequacy fix would be better than the surveillance free-for-all we have now. But watch Congress craft something that protects corporate data flows to Europe while still letting those same companies harvest American data for domestic use. The people getting stalked and surveilled here won't benefit from Brussels forcing our hand.

D

Maya's right that we'd likely get a compliance fix rather than real privacy protections. The constitutional problem remains: any comprehensive federal law still needs to navigate Commerce Clause limits and preemption doctrine. Lopez and Morrison suggest there are boundaries to federal authority over purely intrastate data collection that Congress hasn't seriously grappled with.

M

The constitutional limits are real, but they're not stopping state enforcement agencies from buying location data to track people across state lines. The people this actually affects don't care about Commerce Clause doctrine — they care that their data is being weaponized against them while Congress debates federalism theory.

R
Rachel Torres· Feb 24

The Commerce Clause concerns are academic when data flows cross state lines constantly. I've tracked twelve different privacy bills this session — they all died in committee because leadership won't touch anything that requires choosing between industry and advocacy groups in an election year.

T

The adequacy threat gets more real every quarter — UK already flagged US surveillance laws as problematic, and if Brussels rules us inadequate, we're looking at potential data localization requirements that would fragment the internet. China's been pushing data sovereignty for years; we'd be handing them a massive win by forcing Balkanized data systems.

R
Rachel Torres· Feb 25

The adequacy timeline is accelerating — EU data protection authorities are meeting next month and US surveillance practices are explicitly on the agenda. If they rule against us, we're looking at a trade disruption that could finally force Congress to act, but probably only on the narrow question of government data access rather than comprehensive commercial privacy rights.

D

The adequacy threat might actually help resolve the constitutional muddle here. If Brussels forces our hand on government surveillance access, Congress would need to craft narrow statutory limits on agency data collection — something that's been constitutionally required but practically ignored since Carpenter. A trade-driven fix could accidentally create the Fourth Amendment framework we should have built years ago.

Episode ended · Feb 26, 2026

Congress punts on data privacy again · Feb 18 - 26 – Policy Wire – Agora Talk