A highly anticipated hearing was held by the Senate Commerce Committee Wednesday, in which privacy and legal executives from some of America's top technology companies testified on the prospects of a national privacy law. With agreement among industry that a federal law should preempt stricter state laws, the sticking point for stakeholders and lawmakers alike will involve the strength of, and details in, that potential law.
At the outset of Wednesday's industry hearing, Committee Chairman John Thune, R-S.D., announced that "early next month" a second hearing will take place, confirming that Alastair Mactaggart, one of the main forces behind the CCPA and keynote speaker at IAPP Privacy. Security. Risk., and European Data Protection Board Chairwoman Andrea Jelinek "will attend" the next hearing, as well as some privacy advocates.
In the wake of the EU General Data Protection Regulation and driven by the surprise passage this summer of the California Consumer Privacy Act of 2018, momentum behind a federal baseline privacy law has been a new force on Capitol Hill, something that seemed unimaginable even earlier this year.
In parallel with Wednesday's hearings, the White House, through the Commerce Department's National Telecommunications and Information Administration, issued a Request for Comment on a national privacy framework, with a deadline set for Oct. 26. This call also comes on the heels of several industry stakeholder blueprints for a national privacy standard, including, in recent days and weeks, from the U.S. Chamber of Commerce, the Internet Association, the Interactive Advertising Bureau, and the National Credit Union Association.
Though representatives from AT&T, Amazon, Google, Twitter, Apple, and Charter Communications all backed federal preemption during Wednesday's Senate hearing, there were some nuanced differences. AT&T Senior Vice President for Global Public Policy Len Cali warned that a federal bill without preemption "would be of little help if it becomes the 51st bill" with which companies would need to comply. Apple, however, differentiated itself on several occasions by calling for a strong federal law. Apple Vice President of Software Technology Bud Tribble said, "it would be helpful to prohibit a patchwork, but it's important for consumers that the bar be high enough to ensure the law is effective."
Sen. Brian Schatz, D-Hawaii, didn't mince words during his round of questioning, warning, "I understand not navigating 50 frameworks, but the law should be meaningful. The holy grail is preemption, but I want you to understand that it's got to be meaningful. You won't get anywhere if it's not."
The backbone of a meaningful law would be enforcement, and panelists agreed that duty should go to the Federal Trade Commission. Ranking Member Bill Nelson, D-Fla., pointed out the agency's limited staff and resources as the default privacy cop on the beat, asking, "Could each of you tell us, will your companies support Congress supplying the FTC with more resources to do its job?"
All five industry representatives agreed.
"Our experience with the FTC is a positive one," said newly appointed Google Chief Privacy Officer Keith Enright. "It is a rigorous and effective agency that deserves a reasonable allocation of resources." Charter Communications Senior Vice President, Policy & External Affairs Rachel Welch said, "If they need more tools we should help them get them."
The witnesses did not reach consensus, however, on whether the agency should be granted additional enforcement authority, though some were willing to engage in further dialogue on what that authority would entail. Apple's Tribble noted the FTC has a good track record and that it would be worth exploring whether its existing legal authority is enough for them to do their job effectively.
Schatz countered that the current enforcement process, one in which the FTC sets up a consent decree prior to levying any financial penalties, "seems absurd." AT&T's Cali gave a "qualified no" to any additional fining authority to the FTC on a first pass. Amazon Vice President and Associate General Counsel Andrew DeVore said it shouldn't be ruled out, while Google's Enright pointed out that some consent decrees already do have civil penalties. Twitter Global Data Protection Officer and Associate Legal Director Damien Kieren suggested stakeholders could draw specific ideas from the GDPR or the CCPA, such as fines for not reporting a significant data breach, for example.
Breach notification was also touched upon by Sen. Amy Klobuchar, D-Minn., who recently released a draft privacy bill of her own. Klobuchar queried whether witnesses were in favor of a 72-hour data breach notification rule. No one answered, though panelists did back a law requiring plain-language privacy notices. Twitter's Kieren said the company takes pride in its recently revised privacy notice, saying the company shared its own with "non-lawyers and asked them what issues they had with it." The team then went back and added graphics and pop-ups to make the notice clear and concise.
Klobuchar also pressed the panelists on whether they'd back a bill that would allow consumers to withdraw consent. No one disagreed. Similarly, Sen. Catherine Cortez Masto, D-Nev., queried whether the bill should provide a definition of personal information. All panelists agreed that clarity and consistency would be needed with such a definition. Charter's Welch went further, though, saying the company would support a definition of what is sensitive and nonsensitive information.
A political divide was also apparent among committee senators during the hearing.
On the one hand, Democrats, including Klobuchar, Schatz and Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., support a robust consumer privacy regulation. On the other hand, several Republican senators seemed concerned about state versus federal authority, as well as paths for small and medium-sized companies to enter a highly regulated market.
Sen. Mike Lee, R-Utah, for example, asked Google's Enright how much the company spent on its compliance efforts with the GDPR. Though Enright could not provide a figure, he said it began its efforts "multiple years in advance ... a massive cross-functionary effort was mobilized" and huge amounts of capital expenditures were employed to build a compliance regime. He also estimated GDPR compliance required "hundreds of years of human time" to achieve.
Lee expressed concern about the costs and resources required by "expanding the regulatory footprint," noting, "It gets expensive," which, in turn, could prevent smaller companies with less capital and fewer resources from competing effectively in the market.
Lee also compared federal regulation of privacy to air traffic control. "It's important for us to regulate trade between states. One could argue states should do the regulating, but one could also argue the internet is like the airways, which is subject to federal authority."
AT&T's Cali said, "It's always important to respect state authority, but digital data moves at the speed of light. Industry will be forced to comply with the strictest parts of each state's law. Interstate services should be regulated by Congress."
Sen. Blumenthal took a more direct approach on consumer privacy.
"Many of you have been critical of the GDPR and, let me be very blunt, fought [the CCPA]," Blumenthal said. "I'm seeking assurance you will put your money where your mouth is. ... You are companies that have lots of [personal data] and that's a principal means for your profit making." Noting that self-regulation has "proved insufficient" for privacy, Blumenthal asked why the U.S. shouldn't adopt the same standards set forth in the GDPR and California.
Blumenthal asked: Would any company testifying Wednesday exit the EU or California markets because of the GDPR and the CCPA? Though Charter noted it does not do business in the EU, none of the companies said they would pull out of either market.
"What that tells me," Blumenthal said, "is that the opposition that you've expressed to these rules, recognizing the devil is in the details, is one that can nonetheless be one that can accommodate the kinds of rules that we've seen in Europe and California. Correct?"
There was no answer.
Sen. Markey finished the hearing off with a hope and a warning: "I look forward to working with all of you on a strong federal privacy law before we talk about preemption."