TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | US Senate hearing covers COVID-19, the need for a federal privacy law and familiar roadblocks Related reading: Consolidating US privacy legislation: The SAFE DATA Act

rss_feed
GDPR-Ready_300x250-Ad

The U.S. Senate Committee on Commerce, Science and Transportation held a hearing last December on what Congress should consider when crafting a federal privacy law. Nearly a year later, another hearing was held to revisit the topic, but in a world wholly unrecognizable from when the committee adjourned last year.

It's an understatement to say the COVID-19 pandemic dramatically altered life as we knew before. Countless people are working from home, students have shifted to remote learning, and the words "contact tracing" have been burned into the collective lexicon. 

The witnesses for the hearing explained why the pandemic has brought forth a renewed need for federal legislation; however, there is still disagreement over a familiar set of roadblocks that have impeded progress to date.

Microsoft Corporate Vice President Deputy General Counsel Julie Brill said data will play an important role in helping the U.S. respond to and recover from the COVID-19 pandemic. To get the populace to get behind the collection of potentially sensitive data, Brill believes federal rules must help restore a level of faith for those endeavors to succeed.

"It is vital for people to trust how their personal information is used. What was merely urgent when I spoke here 10 months ago is absolutely critical now," Brill said. "Privacy legislation that protects people’s right to own their personal data, that requires companies to collect and use consumers’ data responsibly and that provides enforcement through a strong regulator will build trust and will allow companies to unlock the value of data to solve the most critical problems that we face."

Davis Polk & Wardell Counsel Jon Leibowitz shared a similar sentiment. Leibowitz looked back to when Committee Chair Sen. Roger Wicker, R-Miss., held a hearing to informally discuss the possibility of a federal privacy law two years earlier.

Leibowitz said the participants walked way confident a federal rule would be passed soon. Since the committee is still holding hearings on the same topic, the goal remains unfulfilled, and Leibowitz reflected on what could have been.

"Consumers across the country would be protected by the same consistent privacy regime, regardless of where in the United States they lived, where they work and where they sign on," Leibowitz said. "Our nation’s children, who are taking classes over Zoom and sharing information with their peers on TikTok, would be at less risk from privacy predators, and with clearer rules of the road, Americans would feel more confident about sharing information about contact tracing and more effectively come to together to fight the pandemic."

The COVID-19 pandemic may be another example of why the U.S. needs a federal privacy bill, but there's still plenty to be ironed out before a proposal becomes law. One of these wrinkles is the increased enforcement authority of the Federal Trade Commission.

George Washington University Professor of Global Competition Law and Policy William Kovacic was a former commissioner at the FTC (as were Leibowitz and Brill). When looking over potential options for enforcement, Kovacic told the Senate committee that either a national data protection authority should be established or the FTC should be given greater power. 

Kovacic said a national DPA is not a bad idea, as it would symbolize the nation's commitment to federal data protection. In the end, Kovacic believes the FTC's vast experience makes it better suited to take on the enforcement of privacy violations.

"I think it would be very useful to build on that experience to build and implement national policy. I also think there’s a close nexus between privacy and data protection and the other areas of the FTC’s responsibilities, such as antitrust and consumer protection," Kovacic said. "I think not just for privacy and data protection, but the big issues involving big platforms in the future will be solved at the intersection of these policy domains."

The witnesses agreed on giving more enforcement authority and resources to the FTC. The disagreements on any potential privacy law's provisions stemmed from the two points of contention that have been commonly cited as the sticking points between Republicans and Democrats: state preemption and the private right of action.

Baker Botts Partner and former Acting FTC Chairman Maureen Ohlhausen and Leibowitz both support federal rules that are tech neutral and preempt state laws. Both said the "interstate nature" of the internet does not support a patchwork of state laws. Leibowitz said citizens should not live under different privacy laws when moving around the country, while Ohlhausen focused on the impact a patchwork effort has on businesses.

"Although privacy legislation is often justified by concerns about big online players having large amount of consumer information, regulatory complexity actually works in the favor of large well-established companies and hampers smaller entities," Ohlhausen said. "While legislation should provide a national and uniform set of protections and consumer rights throughout our digital economy, preempting state laws should not mean weakening protections for consumers."

California Attorney General Xavier Becerra, whose state now has the strongest privacy law on the books with the California Consumer Privacy Act, disagreed with state preemption. Becerra called state laws the "backbone of consumer privacy" in the U.S. and federal legislation "the glue that ties to our communities together." He added the optimal federal privacy law would recognize that privacy protections must keep up with innovation.

To keep pace with such innovation, the right approach must be flexible enough to adapt to real-world circumstances as they occur. Becerra said this is where states have a distinct advantage over their federal counterparts and urged the committee not to consider state preemption.

"Every day, states tackle these challenges. We use federal laws as our playbook, and like a good quarterback, we adapt to what we see coming at us," Becerra said. "As you consider enacting a federal privacy law, give us a playbook, but don’t preempt smart, nimble privacy protections that let states meet the varying challenges coming at us, from Mississippi, Washington state or California."

Becerra also stood in favor of a private right of action, while Ohlhausen said a federal private right of action should not be included in a federal law, as it would only result in class-action lawsuits that pay out attorneys and give little to actual victims, in her view.

The attorney general doesn't see it that way. Instead, Becerra sees a private right of action as an avenue for consumers to take power into their own hands when his office cannot.

"My office is working hard to hold companies accountable for violating privacy laws, but defending the privacy rights of 40 million Californians is a massive undertaking," Becerra said. "Consumers need the authority to pursue remedies themselves. They deserve their data in court. As California State Sen. Hannah-Beth Jackson, D-19th district, explained, "a right without a remedy is no right at all."

The Senate committee has its fair share of proposed privacy bills to work with, whether it's Wicker's Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act or Sen. Maria Cantwell's, D-Wash., Consumer Online Privacy Rights Act. The debate over the private right of action and state preemption will likely continue for the foreseeable future, and the passage of one of these laws in the foreseeable future seems unlikely.

It does not mean all hope is lost. Members of the panel said on several occasions the proposed privacy bills in the committee share a lot of common ground, and there is plenty of hope for those differences to be bridged and a federal bill to become the law of the land.

"I believe we must start from the perspective that people have the right to own and control their personal data and that companies have a legal obligation to be responsible stewards of that data," Brill said. "The bills this committee has put forward share these important principles and contain, frankly, more similarities than they do differences. The similarities between all of the bills we have before us make me increasingly hopeful something can get done."

Photo by Alejandro Barba on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.