A newly enacted consumer data privacy law in California and the European Union's General Data Protection Regulation have prompted industry and policymakers to begin thinking again about what a federal data privacy law would look like.
On September 26, the Senate Commerce, Science, and Transportation Committee held a hearing, "Examining Safeguards for Consumer Data Privacy." The session primarily focused on the ways in which large players in the technology and communications sectors approach data privacy internally, with senators appealing to witnesses to provide their insights on what Congress should consider in constructing a federal policy governing data privacy.
For those tracking data privacy policy and related compliance, the hearing comes on the heels of a busy past six months; the European Union implemented the General Data Protection Regulation (GDPR) [https://eugdpr.org/] and the state of California enacted its own consumer privacy law. The latter reflects a growing appetite on the part of states to regulate consumer data in the absence of federal action on the topic—a reality that threatens to create a regulatory patchwork across the country similar to what already exists with breach notification. Some point to this concern as the impetus prompting many tech giants, such as Google, to call for a federal privacy law, which is an interesting development in a sector known for opposing government regulation whenever possible.
The panel of witnesses included Len Cali, senior vice president of Global Public Policy at AT&T; Andrew DeVore, vice president and associate general counsel at Amazon; Keith Enright, chief privacy officer at Google; Damien Kieran, global data protection officer and associate legal director at Twitter; Guy Tribble, vice president for software technology at Apple; and Rachel Welch, senior vice president of policy and external affairs at Charter Communications.
All witnesses voiced support for a federal privacy law, but further consensus remains elusive for the time being. Chairman John Thune (R-SD) began by asking witnesses what provisions senators should emulate from GDPR and California's law in possibly developing a federal policy. Notably, Cali stated that both GDPR and the law in California apply to all companies evenly, which AT&T believes to be a positive aspect. Cali also opined that California's law sets the default as "opt-out," a setting that he believes recognizes that there is value in the use of data. When asked where policymakers should depart from the frameworks set forth in GDPR and California's law, Cali noted that GDPR is extremely burdensome and overly prescriptive. Regarding the California statute, Cali indicated that it contains a problematic nondiscrimination provision that could serve to deny a consumer's ability to receive benefits for sharing data, potentially impacting programs as seemingly innocuous as a grocery store loyalty program.
All witnesses agreed that the Federal Trade Commission (FTC) should be the executive agency tasked with regulating industry under a federal privacy policy; however, Tribble suggested that a renewed effort to develop a national privacy law could present an opportunity to examine additional regulatory mechanisms. Ranking Member Bill Nelson (D-FL) asked witnesses whether they believe the FTC's legal authority should be enhanced to better protect consumer data privacy, citing the agency's current limitations as evidenced by its inability to take action against companies except when they violate their own internal policies. The witnesses all expressed a willingness to work with senators on what an expansion of the FTC's legal authority would look like, but they all stopped short of actually endorsing the concept. Also on the topic of FTC authority, Senator Brian Schatz (D-HI) asked whether the agency should be given rulemaking authority, while stating his belief that lawmakers will only be able to preempt a "progressive" California law with an equally progressive federal policy. All of the witnesses were somewhat hesitant to give a direct answer and responded with a qualified yes, noting that the details around such a development would matter greatly.
While it is unlikely that lawmakers will be able to produce legislation before the 115th Congress adjourns, the Commerce Committee is committed to continuing to explore the issue. It recently held another hearing on data privacy, this time soliciting feedback from consumer privacy advocates rather than the regulated community itself. EDUCAUSE will continue to keep members apprised of consumer data privacy legislation developments at the federal level.
Kathryn Branson is an associate with Ulman Public Policy.
© 2018 Kathryn Branson. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.