Senate Commerce, Science, and Transportation Committee Chairman John Thune (R., S.D.) today said that “it is increasingly clear that industry self-regulation” in the area of consumer data privacy “is not sufficient,” and he pledged that “the next federal privacy law will not be written by industry.” However, he added that “passing onerous requirements that do not materially advance privacy would be a step backward.”
Speaking at a hearing held to gather input from witnesses who supported, at least in principle, recent European Union and California efforts to protect consumer data privacy, Chairman Thune recalled the recent testimony from tech companies and Internet service providers that the European Union’s General Data Protection Regulation (GDPR), which took effect May 25, has imposed heavy compliance burdens (TR Daily, Sept. 26), and that other companies have said that the California Consumer Privacy Act (CCPA) enacted this summer (TR Daily, June 29) could prevent them from offering customers loyalty reward programs.
“As we continue to work toward possible legislation, I encourage my colleagues to challenge what industry told us at our first hearing, but also to examine both the benefits as well as the potential unintended consequences of the new rules put forth by the European Union and the state of California,” Chairman Thune said.
Sen. Roger Wicker (R., Miss.), the chairman of the communications, technology, innovation, and the Internet subcommittee, sought support from witnesses for the idea that a national privacy law should preempt a “patchwork” of state laws.
Several Democrats suggested that current industry support for federal comprehensive privacy legislation will evaporate if they are successful in court challenges of the California law.
Several senators, including Sen. Ed Markey (D., Mass.), emphasized the need for protections for minors, or at least younger teenagers, who are not protected by the Children’s Online Privacy Protection Act, which cuts out at 13 years of age.
In his opening statement, Sen. Markey said that tech and Internet sector companies “hope … that Congress will pass legislation that will preempt California’s and perhaps future even stronger state legislation.”
He said that the proposed Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act that he introduced earlier this year with Sen. Richard Blumenthal (D., Conn.) has provisions that should be included in any federal comprehensive consumer privacy legislation including a ban on “take-it-or-leave-it” offerings that require consumers to consent to data collection and use or to forgo the service.
Witness Andrea Jelinek, head of the Austrian Data Protection Authority and chair of the European Data Protection Board, said, “Both the U.S. and the EU are more vocal about their right to data protection than ever before. The Facebook data breaches or misuse of data and other revelations have caught people’s attention, up to a point where it is necessary to reestablish trust. Trust has always been at the core of the economy and this is even more true in today’s digital society.”
She added, “Accountability is one of the GDPR’s core principles and the EU was inspired in this aspect by some of the principles stemming from your common law system. It relies heavily on businesses’ capacity to self-regulate. Organisations are responsible for complying with the GDPR and must be able to demonstrate their compliance.”
She emphasized the benefit to companies of the GDPR’s “‘one-stop-shop’ mechanism, which means a single lead supervisory authority [SA] is responsible for drafting a decision in a cross-border case. International or multinational companies operating in different countries have only one interlocutor to deal with: the Lead SA is in the country in which the company has its main EU establishment. Any decisions taken by the lead supervisory authority are valid across the EU.”
Witness Alastair Mactaggart, chair of the board of Californians for Consumer Privacy, which backed the CCPA, pushed back against the idea that the legislation is a threat to business and the economy, saying that “as a businessman, … I have no wish to hurt our state or country’s economy.”
“We implore you not to weaken or undo” the protections of the CCPA, which enjoys 80% support in polls and passed the California legislature unanimously, Mr. Mactaggart said.
Laura Moy, executive director and adjunct law professor at the Georgetown Law Center on Privacy & Technology, said that the issue goes beyond data privacy to the ways that data collection is contributing to “extreme wealth disparity, extreme political polarization, extreme race- and class-based tension, and extreme information manipulation.”
She said that Congress should empower an expert agency such as the FTC with authority to fine violators, and should also allow for enforcement by state AGs. Congress should also consider creating a private right of action, she added.
She said that legislation will need a mechanism for adapting to future threats, which should be done by creating a floor, not a ceiling.
Nuala O’Connor, president and chief executive officer of the Center for Democracy & Technology, said that legislation should recognize an individual’s right to his or her own data and should “declare it to be unfair” under section 5 of the FTC Act “to use highly sensitive data for secondary purposes.”
She agreed that the legislation should empower state AGs to enforce the federal law.
During the question period, Chairman Thune asked about the suggestion by some companies that the CCPA would prohibit loyalty cards that reward their consumers.
Mr. Mactaggart said, “This mystifies us. Nothing in the law would prevent that.”
Sen. Markey asked whether legislation should include an “erase button” for children to have information about themselves taken down from the Internet.
Mr. Mactaggart said that there are some First Amendment implications in such an approach. Ms. Moy said an erase button could be squared with the First Amendment. Mr. Mactaggart said that it “absolutely” could be but that it would be “thornier than it looks.”
Sen. Blumenthal said he would be calling for an FTC investigation of the Google data breach revealed yesterday (TR Daily, Oct. 9).
Sen. Jerry Moran (R., Kan.) asked witnesses whether they support regulating on the basis of the sensitivity of data, rather than regulating on the basis of the type of business handling the data.
Mr. Mactaggart said yes.
Sen. Moran also asked about the impact of privacy legislation on small entrepreneurial businesses with smaller legal departments.
Sen. Todd Young (R., Ind.) asked about the impact of the GDPR on start-ups.
Ms. Jelinek said that “for start-ups, the GDPR is a chance. If they are just at the start of business, they can take into account privacy by design.”
Ms. Moy said that laws giving consumers control of their information for data portability from one company or service to another help new entrants.
Ms. O’Connor said, “I would like to remind the committee that Cambridge Analytica was a small company. The damage that can be done by a small company holding vast amounts of data is certainly equal to large companies holding vast amounts of data.”
Cambridge Analytica harvested data from tens of millions of Facebook users without notification, Facebook revealed earlier this year.
Sen. Tom Udall (D., N.M.) said that federal privacy legislation “must prioritize protecting children in this increasingly online world.”
Sen. Maria Cantwell (D., Wash.) asked whether witnesses thought fining authority should cover the misuse of data.
Ms. O’Connor said, “We are particularly concerned about secondary uses of data … especially if that data is sensitive” and “uses of data that is outside what consumer expected.”
Ms. Moy said, “Information about consumers should not be used to discriminate against them” and “information about consumers should not be used to deny opportunity or access to information about opportunities.”
Sen. Tammy Duckworth (D., Ill.) said, “The federal government has fallen behind in the realm of protecting online consumer rights.” She asked the witnesses, “Is it too soon to measure the value of privacy improvements from GDPR,” given that it only took effect in late May.
Ms. O’Connor said, “That’s a fair comment.”
Sen. Amy Klobuchar (D., Minn.), who noted that she introduced a privacy bill with Sen. John Kennedy (R., La.) earlier this year (TR Daily, April 24), asked about the GDPR’s concepts of a 72-hour window for notifying authorities of a data breach, withdrawal of consent, and the role for state AGs in prospective federal legislation.
Chairman Thune asked about provisions of the GDPR and CCPA that Congress ought to include or avoid as it considers its own legislation.
Ms. Moy again supported fining authority, as well as “the idea that consent given on part of consumer must be freely given, … because it recognizes that where a service is essential and unavoidable for a consumer, that consent might not be freely given.” She added, “Of course, the data purpose and minimization [in the GDPR] is great, too.”
Ms. O’Connor supported the GDPR’s approach to portability. However, she suggested a problem in the “lack of bright lines on the kind of data that can be collected.”
In a statement after the hearing, Roslyn Layton, a visiting scholar at the American Enterprise Institute, said, “The Senate Commerce Committee’s second hearing on data protection was critical to continue the dialogue on America’s need for a comprehensive federal privacy bill that protects consumers and supports our rapidly evolving digital landscape. This must be a steadfast, bipartisan objective in 2019 as it’s clearly top-of-mind for American consumers and policymakers, and it is what today’s digital economy demands. Moreover the Senate demonstrated their commitment to engaging a range of stakeholders with today’s hearing featured a panel of regulatory advocates, following an earlier panel of industry representatives.” —Lynn Stanton