Draft data privacy legislation needs improvements before advancing

Draft data privacy legislation addresses several areas of interest for America’s Credit Unions, but it falls short of addressing many credit union concerns, President/CEO Jim Nussle wrote to a House Energy and Commerce subcommittee. The letter was sent ahead of a hearing on the legislation unveiled last week.

“Credit unions strongly support the idea of a national data security and data privacy regime that includes robust security standards that apply to all who collect or hold personal data and is preemptive of state laws,” Nussle wrote. “We firmly believe that there can be no data privacy until there is strong data security.”

America’s Credit Unions has outlined three tenets to be addressed in any new national data privacy law and believes the draft legislation falls short in these areas:

  • A recognition of Gramm-Leach-Bliley Act (GLBA) standards in place for financial institutions and a strong exemption from new burdensome requirements. The bill does not have an entity-level exemption for those complying with GLBA, instead it has an “data-level” exemption that could leave credit unions subject to burdensome new rules and regulations;
  • A strong federal preemption of varying state laws. The draft legislation generally preempts state laws, but there are many carveouts for existing state laws, some of which are concerning to America’s Credit Unions; and
  • Protection from frivolous lawsuits created by a private right of action. The bill generally establishes a broad private right of action covering most parts of the bill.

America’s Credit Unions urges the addition of a strong data security section to strengthen requirements for those handling personal financial data that are not already to GLBA provisions.

heelo