The U.S. Senate Committee on Banking, Housing, and Urban Affairs held a hearing Tuesday on "Privacy Rights and Data Collection in a Digital Economy," in which a somewhat disjointed assortment of witnesses testified on the existing gaps related to financial institutions and consumer privacy. And while, yes, the hearing was held at the Banking Committee, its focus was really broader than financial institutions, with discussion ranging from social media companies' troves of data to the secretive world of ad tech. That's likely because many of the senators on the subcommittee serve on other committees trying to figure out a consumer privacy bill, including Sen. Mark Warner, D-Va., Sen. John Kennedy, R-La., and Sen. Jon Tester, D-Mont., among others.
Interestingly, none of the committee's witnesses actually works in financial privacy, nor do they represent the kind of vulnerable group the committee aims to protect under its "urban affairs" title.
The committee leaned on Peter Chase, a senior fellow at the German Marshall Fund of the United States, to inquire about how the EU General Data Protection Regulation works and in which ways the U.S. might copy its model on things like user consent, ramifications for industry misbehavior and transparency on the ways in which data is used. Lawmakers in the U.S. are looking to update privacy regulations in the country and must determine whether to follow the EU's lead in creating an omnibus, comprehensive law or revising sectoral laws in areas like finance.
As Chase said in his written testimony, "This is one of those instances where the United States, while not having the first mover advantage, may also benefit from moving second."
Jay Cline, CIPP/US, privacy and consumer protection leader at PricewaterhouseCoopers, was on hand to discuss his clients' experiences in aiming to comply with the GDPR, what Cline called their "largest-scale privacy program initiatives in two decades," rivaling only preparations for the Gramm-Leach-Bliley Act back in 1999. Cline testified GDPR compliance was most difficult for financial institutions in areas such as appointing a data protection officer, updating third-party contracts and preparing for 72-hour breach notification, among others.
Maciej Ceglowski, founder of Pinboard, a social bookmarking site, provided the most impassioned testimony of the day. He called for sweeping reforms to privacy law in the name of restoring integrity to the industry — one that he said is ashamed of itself at present, or should be.
"People are being asked to make irrevocable decisions about their online lives over and over again. The pattern that I've seen in my industry is one of deceit. We are not honest about what we collect, the uses we put it towards and we are shamed frankly of our business models. ... You'll never get someone from Google or FB to speak honestly about what they're actually doing with their data and the uses they're putting it to. Instead, what Silicon Valley seeks to do is evade the regulation and they find a way around it. We don't like banking regulations so we invent cryptocurrency and we're going to disrupt the entire financial system. We don't like limits on discrimination and lending, so we're gonna use machine learning, which is a form of money laundering for bias, a way to blame mathematical algorithms for desires to simply avoid rules that everybody else has to play by in this industry."
He said this worries him because Silicon Valley is one of the great success stories of American capitalism, and "we're putting it at risk right now by not having sensible regulations in place that create the conditions for innovation."
Lawmakers at the hearing shared Ceglowski's concerns about user privacy and were especially focused on the privacy risks inherent in behavioral targeting, credit reporting agencies and location tracking — in fact, Tester, often one to add color to a hearing, held up his cellphone and said, "When I get out of this job, this baby's going away. I hate that it's tracking me."
Sen. Elizabeth Warren, D-Mass., wanted to talk credit-reporting breaches. The presidential contender and Warner introduced, earlier that day, the "Data Breach Prevention and Compensation Act of 2019," which would impose monetary penalties for data breaches at credit-reporting agencies. Had her bill existed during the 2017 Equifax breach, which affected almost 150 million individuals, the agency would have paid at least $1.5 billion.
"There's nowhere for consumers to say 'no thanks, leave me out of this,'" Warren said, and so Equifax has an advantage. "For companies like Equifax, hardworking Americans are products. It doesn't matter if the customer gets hurt, as long as the consumer data are still there and they can sell it. Unless companies actually take a financial hit when there's a breach, there's no incentive for them to invest in cybersecurity. So we are now one-and-a-half years out from the Equifax breach ... and the company suffered no major defections of clients, and within a year was on track to make record profit ... and the FTC and [Consumer Financial Protection Bureau] have done nothing."
Lawmakers at the hearing wanted to know whether the GDPR had, in fact, helped to engender trust among users.
Said Chase, "Trust in the internet is going down since the implementation of the GDPR, probably because people are more aware of what companies do. The question will be whether they start acting or not, and I think there's some indication they are."
So what to do, asked Ranking Member Sherrod Brown, D-Ohio?
Ceglowski said it comes down to regulating on three major components. First, it's about data retention limits. "There's something deeply inhuman about saying something you did one day is going to be forever in a computer system you don't have any visibility into," he said. "I think we ought to bring humanity back to how data is retained" so that "things are forgotten unless you request specifically for them to be remembered."
In addition, there should be fines that amount to more than a slap on the wrist for bad actors. And finally, he called for visibility.
"We have no visibility right now into what is being collected, and what do they get from data brokers? How does the advertising economy work?" Ceglowski said. "All of these are things we can't regulate unless we have some sense of how they look under the hood. If you're a user of the site you should be able to get all of the information that site has about you."