Microsoft Corp., Hewlett-Packard Co. and other high-tech companies are preparing to push for data-privacy legislation next year to replace what they consider an outdated patchwork of state and federal laws that are inconsistent and burdensome.
"We think the time has come for a comprehensive privacy bill that would protect consumers' personal information while still allowing the flow of information needed for commerce online," Ira Rubinstein, a Microsoft lawyer, said this week. (MSNBC.com is a Microsoft-NBC Universal joint venture.)
Several recent high-profile breaches of consumers' personal information have made consideration of privacy proposals more likely, Rubinstein said. The Social Security numbers and medical data of approximately 930,000 people were compromised this June, for example, when computer equipment belonging to insurance provider American International Group Inc. was stolen.
Microsoft, HP and eBay Inc. earlier this year formed the Consumer Privacy Legislative Forum to lobby for privacy legislation. Google Inc., Intel Corp., Oracle Corp. and other companies later joined.
The forum supports legislation that would set standards for what notice must be given to consumers about personal information collected on them and how it will be used, Rubinstein said. The companies are aiming for a law that would override any existing state laws and standardize privacy rules across industries.
The group's efforts will likely face some opposition, however.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, a consumer advocacy group, said the proposals, if adopted, would amount to an industry drafting its own regulations.
Rotenberg also argued that the notices to consumers preferred by Microsoft and other companies are insufficient to protect online privacy. Instead, consumers should have access to the data that companies have on them and have more control over how they are used, he said, similar to the way consumers can currently access their credit reports.
Rotenberg also opposes the pre-emption of state laws, which he said in many cases have better protections than federal rules. Many anti-spam experts complained when Congress in 2003 approved a measure that did not let individuals sue spammers and that pre-empted most state laws that did.
Meanwhile, Stuart Ingis, a partner at the law firm Venable LLP, said that a broad privacy measure is unnecessary.
"Comprehensive privacy legislation already exists in this country," he said, citing existing laws and regulations governing financial and health-care privacy.
Those rules took decades to develop and provide strong protections for consumers, said Ingis, whose firm represents several companies and trade groups that track privacy issues.
Although high-tech companies have been seeking comprehensive federal privacy legislation, Congress has focused on the steps companies should take to protect data and when companies should notify consumers of data security breaches.
But several data security bills failed to pass during the soon-to-end congressional session, largely because of jurisdictional struggles between different congressional committees, said Steve Adamske, spokesman for Rep. Barney Frank, D-Mass.
Frank, incoming chairman of the House Financial Services Committee, said Wednesday that he plans to consider the issue of data security next year. To avoid a repeat of the jurisdictional struggle, Frank said he plans to propose to incoming House Speaker Nancy Pelosi that she appoint a task force of members from committees with oversight of privacy matters to work on the issue.