Senate Commerce Committee Holds Hearing on Principles for a Federal Data Privacy Framework

The Senate Commerce Committee held its first hearing of the 116th Congress on a potential new, comprehensive federal privacy law, but disagreements around whether a federal statute should preempt state laws governing consumer data privacy reemerged, raising the possibility that passing such a law may be well down the road.

On February 27, 2019, the US Senate Committee on Commerce, Science & Transportation held a hearing, "Policy Principles for a Federal Data Privacy Framework in the United States." The session, which is a continuation of the committee's previous focus on developing a federal law governing consumer data privacy, is the committee's first official action on the issue in the 116th Congress. EDUCAUSE posted a blog last fall about a similar hearing held by the committee in the previous Congress.

To recap, 2018 was an eventful year for consumer data privacy policy. The European Union implemented the General Data Protection Regulation (GDPR), and the State of California enacted its own consumer privacy law. The latter reflects the states' growing interest in regulating consumer data in the absence of federal action in the space—a reality that could lead to a regulatory patchwork across the country similar to what currently exists with breach notification standards. Concern about such a possibility has been cited as the impetus behind calls from many large tech companies and industry groups for a comprehensive federal privacy law, which runs counter to their historical reluctance to support government regulation generally. The US Chamber of Commerce has even gone so far as to release its preferred version of national data privacy legislation.

The panel of witnesses included Jon Leibowitz, co-chairman of the 21st Century Privacy Coalition and former commissioner and chairman of the Federal Trade Commission (FTC); Michael Beckerman, president and chief executive officer of the Internet Association; Brian Dodge, chief operating officer of the Retail Industry Leaders Association; Victoria Espinel, president and chief executive officer of BSA—The Software Alliance; Woodrow Hartzog, professor of law and computer science at Northeastern University School of Law and Khoury College of Computer Sciences; and Randall Rothenberg, chief executive officer of the Interactive Advertising Bureau.

Committee chairman Roger Wicker (R-MS) joined his Democratic counterpart, Senator Maria Cantwell (D-WA), in calling on Congress and the committee to act on a comprehensive, meaningful data privacy bill. Chairman Wicker made clear from the outset that he believes any federal law should preempt statutes enacted by the states, noting that "a national framework does not mean a weaker framework, but a preemptive framework that ensures consumers will have the same level of protection across the United States." Ranking Member Cantwell acknowledged previous congressional successes in addressing rules pertaining to personal information—including health (HIPAA), financial data (GLBA), and children's information (COPPA)—but expressed concern with lawmakers' inability thus far to address challenges consumers face with respect to "corporate practices that allow for collection, storage, analyzing, and monetizing their personal information."

The issue of federal preemption remained the primary sticking point between lawmakers throughout the hearing. Wicker continued to stress his support for a federal statute that would preempt state laws like California's, and all of the witnesses with the exception of Hartzog, who did not represent an industry group, agreed with Wicker's position. They cited the need to avoid a patchwork of compliance schemes, as well as the belief that a federal law could ultimately be more effective than California's, as the basis for their view. Hartzog hit back on his fellow panelists' compliance patchwork assertions, however, arguing that such a landscape is not "insurmountable" and thus should not be the focus of the conversation or a major obstacle to a bill becoming law. Ranking Member Cantwell agreed with Hartzog's comments.

The hearing did yield some bipartisan consensus on the issue of enforcement; all seemed to agree that the FTC should be the principal enforcement agency for a comprehensive federal privacy law, with state attorneys general having enforcement authority within their respective states as well. Currently, the FTC derives its statutory authority from the FTC Act to address instances in which consumers experience harm related to a misuse of their personal data as a result of unfair and deceptive practices. Section 5 of the act gives the FTC the authority to enforce instances where data stewards are guilty of such malfeasance or violate what is sometimes referred to as the "notice and choice" framework.

Witnesses and Senators alike signaled support for directing additional resources to the FTC, authorizing the agency to levy civil penalties for first-time offenses, and conferring traditional notice-and-comment rulemaking authority on the agency under section 553 of the Administrative Procedure Act (APA). While federal agencies typically use section 553 rulemaking to promulgate regulations implementing statutes, the FTC generally must follow a rulemaking procedure as set forth in the Magnuson-Moss Warranty Act (Magnuson-Moss), which requires additional steps beyond those set forth in section 553 of the APA. Proponents of giving the FTC section 553 authority contend that the additional requirements make it difficult for the agency—which many argue is already understaffed and under-resourced—to effectively engage in the rulemaking process. In addition to these enforcement aspects, witnesses seemed to agree that moving federal data security and breach notification rules as part of—or alongside—a federal privacy law would be optimal.

Theoretical agreement on high-level pieces of potential privacy legislation aside, areas of disagreement materialized as lawmakers began to peel back the layers of the proposals in question. For example, Senator Mike Lee (R-UT) voiced concern around the delegation of broad regulatory authority to the FTC and expressed apprehension that overly prescriptive privacy regulation could have "a GDPR-like impact on competition by insulating big market incumbents" and "imposing additional barriers on entry." Leibowitz responded by recommending that lawmakers carefully craft a statute that places "guardrails" around any rulemaking authority, similar to the approach Congress took in writing COPPA. Some witnesses also shared differing viewpoints with respect to the question of whether a privacy law should be sector- and technology-neutral. Leibowitz advocated for such an approach, and Espinel of BSA—The Software Alliance stated that, while all companies should have strong obligations, "their responsibilities should fit their role." Hartzog, however, cautioned lawmakers against a "ceaseless commitment toward technological and sector neutrality," citing danger in the belief that all industries share the same incentives.

While lawmakers and witnesses largely characterized the current "notice and choice" framework as deficient, exactly how a federal privacy law would empower consumers while ensuring the accountability of companies remains unsettled. In acknowledging that notice and consent is "no longer enough," Cantwell expressed her belief that transparency is not the only solution. Similarly, Hartzog argued that while transparency is critical, the appropriate audience may be regulators rather than the consumer, as dumping volumes of data practices on a user may be counterproductive. In fact, in his testimony, Hartzog urged lawmakers to resist an approach to data that emphasizes transparency through notice to users and choice through user consent. Instead, he advocated for a new model of "trust rules" for data stewards to ensure they are honest, discreet, protective, and loyal. Senator Brian Schatz (D-HI) also took interest in the question of transparency and control, arguing that those two principles alone are insufficient, and thus any privacy law should include "an affirmative obligation" for entities possessing data to not harm the consumer.

Michael Beckerman of the Internet Association argued that "companies need to make it clear what data is being used, and how it's being used," but he pointed to California's law as an example of a framework that places too much onus on the consumer with respect to holding companies accountable for their data practices. He suggested that giving strong enforcement authority to the FTC could help balance this dynamic. Espinel similarly noted that giving the FTC authority to levy fines in the first instance of a violation could, in practice, function as a deterrent and ultimately prove capable of producing internal cultural shifts.

While the issue of data privacy is receiving consistent bipartisan, bicameral attention, it seems reasonable to predict that lawmakers have much more work to do to reach a broader consensus. EDUCAUSE will continue to actively monitor the issue and keep members apprised of relevant developments.

Kathryn Branson is an associate with Ulman Public Policy.

© 2019 Kathryn Branson. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.