2016 Year in Review: Privacy + Security

This post is one in a series of reports on significant issues for startups in 2016. In the past year, the startup community's voice helped drive notable debates in tech and entrepreneurship policy, but many of the startup world's policy goals in 2016, such as immigration and patent reform, remain unfulfilled. Check back here for more year-end updates and continue to watch this space in 2017 as we follow policy issues affecting the startup community.

Privacy and security issues were top of mind for policymakers once again in 2016: the Apple-FBI battle pushed questions around encryption to the forefront; massive data breaches and cyberattacks called attention to cybersecurity issues; uncertainty around data transfers between the U.S. and EU persisted; and the heated debate around government access to digital communications thrust electronic privacy reform back into the spotlight. But even with all of these prominent debates, 2016 did not see much actual legislative movement. It’s unclear what will come to pass next year, but we are hopeful that any policies Congress or the new Administration pursue take into account the unique needs and realities of the evolving startup ecosystem.

Encryption

The debate over encryption dominated headlines again in 2016, beginning in February when a U.S. federal court ordered Apple to unlock an iPhone linked to last year’s San Bernardino attack. Apple challenged the order and the FBI eventually backed off after figuring out that—contrary to its hyperbolic claims—it could access the contents of the phone without Apple’s help. Nonetheless, the case re-ignited the heated policy debate over government access to encrypted data and prompted hearings, the formation of a bipartisan working group to explore solutions, and the introduction of a number of legislative proposals.

Some proposals were relatively reasonable. Congressman Michael McCaul (R-TX) and Senator Mark Warner (D-VA) introduced a bill that would create a Commission comprised of experts and stakeholders from the law enforcement, technology, intelligence, and privacy and civil liberties communities to discuss encryption issues and offer recommendations on the best path forward. However, other proposals blatantly ignored technological reality and common sense. In particular, a draft bill was floated by Senators Richard Burr (R-NC) and Dianne Feinstein (D-CA) that would require tech companies and startups to build backdoors into encryption technologies. The legislation reflected a serious misunderstanding of the underlying technologies at issue and a disregard for the potentially disastrous consequences that ill-conceived encryption policies could have on the startup community.

In an effort to educate policymakers on the complex issues surrounding encryption (and in a response to some of the more egregious proposals), 40 startups joined an Engine-led letter to Congress explaining why encryption is essential to their business operations and their users’ digital security and trust. As we noted in the letter, “startups face unique challenges that make...anti-encryption proposals particularly dangerous.”

Looking to 2017, there remains considerable uncertainty around how the encryption debate will play out. President-elect Trump vocally supported backdoors on his campaign, calling for a boycott of Apple unless it helped the FBI crack the San Bernardino iPhone. However, recent developments in the House signal that policymakers in Congress may be moving away from the anti-encryption rhetoric that dominated much of the conversation in DC this year. A report published right before the holidays by the bipartisan House Encryption Working Group rejected calls for inserting backdoors into encryption, arguing that “any measure that weakens encryption works against the national interest.” We are hopeful that as policymakers continue to debate encryption in 2017, they take the concerns of startups and entrepreneurs into account and avoid policy solutions that would undermine strong encryption.

ECPA Reform

The startup community was encouraged early in the year when the House voted unanimously to pass the Email Privacy Act, which would modernize the outdated Electronic Communications Privacy Act (ECPA). ECPA is the privacy law that governs our communications over the internet. However, the law was passed in 1986 (before most people even had a computer in their home) and allows law enforcement to access any electronic communications that are older than 6 months without a warrant. The Email Privacy Act would bring our digital privacy laws into the 21st century, clarifying that law enforcement must obtain a warrant—except in certain clearly defined emergencies—before accessing individuals’ electronic communications. However, the bill stalled in the Senate after passing the House due to controversial amendments that were non-starters for the technology industry and privacy advocates. Still, with such broad, bipartisan support, ECPA reform will undoubtedly come up again in 2017, and we are hopeful that Congress can pass a robust modernization bill.

EU Privacy Shield

2016 also saw major privacy changes across the pond. For the first six months of the year, startups hung in legal limbo, awaiting a revised trans-Atlantic data-transfer framework following the European Court of Justice’s (ECJ) October 2015 decision to throw out the so-called EU-U.S. “Safe Harbor” agreement that had allowed for the legal transfer of data between the two entities. The rejection of the Safe Harbor cast uncertainty over the business practices of thousands of U.S. startups that were importing EU user data pursuant to the agreement. Finally, in July, the European Commission approved the new EU-U.S. “Privacy Shield” framework, allowing companies to legally move EU data across the Atlantic once again. Questions still remain as to whether the new Privacy Shield will pass ECJ muster if challenged in court, but the wheels of justice move slowly and any such outcome isn’t expected in the near term.

Securing Devices and Data

Data and cybersecurity remained top of mind for policymakers in 2016, especially in light of a number of high-profile breaches that compromised billions—yes, you read that right, billions—of Americans’ personal information. While 2015 saw a number of legislative proposals addressing how companies should handle security breaches broadly, the focus in 2016 increasingly turned to protecting and securing the growing internet of things (IoT). In April, the Senate Commerce Committee approved the DIGIT Act (S. 2607), which created a working group of federal and private stakeholders to explore the possibilities of IoT. Then in June, the House created its own working group to educate members on IoT.

Interest turned to concern in October, when a massive DDoS cyberattack that was executed by exploiting vulnerable IoT devices shut down a number of websites. In response, a number of members of Congress urged the Federal Trade Commission and other agencies to press IoT manufacturers to implement more robust security practices. The following month, both the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) published policy principles for securing connected devices. Looking to 2017, the debate will continue over whether voluntary guidelines like these are sufficient, or if further regulatory intervention will be necessary. We’re tracking.