Tuesday's much-anticipated federal privacy law hearing hosted by the U.S. House Energy and Commerce Committee's Subcommittee on Consumer Protection and Commerce had a different vibe than what onlookers have become accustomed to when Congress discusses privacy matters.
Past hearings — they've come in waves at the same time of year over the last three-or-so years — brought clear divides, separate agendas and no consensus among lawmakers on how to arrive at a solution. The proposed American Data Privacy and Protection Act is changing that tune. The discussion draft has been touted for its bipartisan and bicameral development, and such cooperation showed Tuesday with subcommittee members picking the brains of an eight-witness panel.
The subcommittee took more than three hours with its questioning, which ranged from discussion on the need to add or improve certain provisions to the draft or requests to be guided through workability. The attitudes of subcommittee members, including bipartisan piggybacking on certain themes, showed there's understanding around the brief but enormous opportunity to get federal privacy legislation on the books.
"This topic has had its ups and downs to get to this point," Subcommittee Ranking Member Gus Bilirakis, R-Fla., said, calling the discussion draft "a delicate balance" of consumer and business considerations. "To be clear, this is historic. We need to keep moving together and build on the constructive feedback while rejecting tactics that may seek to derail our bipartisan work."
Energy and Commerce Committee Ranking Member Cathy McMorris Rogers, R-Wash., said, "This is the best opportunity we've had to pass a comprehensive privacy law in decades."
Draft co-authors chime in
Tuesday marked the first remarks — other than press statements — from House commerce leaders Frank Pallone, D-N.J., and Rodgers since the primary co-authors and U.S. Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker, R-Miss., made the discussion draft public June 3.
Pallone and Rodgers are among a faction of lawmakers who have been working to make a federal privacy framework a reality in recent years. That once farfetched reality isn't so distant in Pallone's mind as he noted the discussion draft represents "a real chance to begin doing what many in Washington have said was impossible."
"This legislation represents a fundamental shift in how data is collected, used, and transferred. It rejects the coercive 'notice and consent' system that has totally failed to protect Americans’ data privacy and security," Pallone added, highlighting the draft's provisions for enhanced consumer controls, protections against targeted advertising and third-party data sales, and algorithmic impact assessments. With an eye to "ensure innovation continues," Pallone touted the draft's business-specific approach to covered entities and how "steps are taken to limit the compliance burden."
Rodgers also took note of the long road to forming a unified framework, saying the discussion draft "includes policies that have been in the public and received comment over several years." While arriving at appropriate consumer protections is the ultimate goal with the draft, Rodgers explained how the proposed legislation "stops an unworkable patchwork" of state privacy laws and helps bring the U.S.'s digital policies up to speed with the rest of the world.
"We're strengthening America's position in setting global standards. Not China or Europe," Rodgers said. "It's about promoting innovation with next-generation technologies like (artificial intelligence) and (augmented realities). We must remain focused on creating the best possible standard to protect people's privacy and promote America's leadership."
Common themes raised
A majority of the 24-member subcommittee were on hand to take part in questioning witnesses on a wide range of topics raised in the discussion draft. The lines of questioning varied, but areas of overlap within lawmakers' probing unveiled the priorities and sticking points driving efforts to pass a law.
Bilirakis and Reps. Kathy Castor, D-Fla., Lori Trahan, D-Mass., and Tony Cárdenas, D-Calif., were among a handful of lawmakers who focused a portion of their five minutes of questioning to the draft's provisions on children's privacy. Castor and Trahan aren't new to the the dialogue around protecting kids online, having proposed bills in recent years that modernize and enhance the Children's Online Privacy Protection Act.
"On day one (if the bill becomes law), we'll be able to ban companies from processing, collecting and sharing data about children under the age of 17. Section 204 (of the draft) clearly prohibits any company from doing that unless a parent provides affirmative express consent. I think that's fantastic," Common Sense Media Senior Counsel for Privacy and Technology Policy Jolina Cuaresma said in response to a Castor question on the importance of children's provisions. Castor also had Cuaresma address the need to clear the loophole with COPPA's definition of "actual knowledge" for processing minors' data, which Castor said companies are "using to claim ignorance" over their activities.
Pallone and Cárdenas were among those who posed questions regarding the draft's data minimization requirements. The Congressional summary of the draft bill said data minimization is "a baseline duty" and the proposed law would mandate the U.S. Federal Trade Commission, the draft bill's potential enforcer, to issue detailed guidance on what constitutes characterizations for "reasonably necessary, proportionate, and limited” collection.
"Data minimization is absolutely critical because it makes privacy the default," Electronic Privacy Information Center Deputy Director Caitriona Fitzgerald said to Pallone's data minimization query. "It takes the onus off individuals to protect their privacy and instead requires companies to be the one to think about collection and use of personal data. It would better align with what consumers expect."
Potential impacts on small businesses, an argument often heard during state-level privacy law hearings in recent years, was a piggybacked topic as well from Rodgers and Reps. Brett Guthrie, R-Ky., and Fred Upton, R-Mich. Their questions sought impacts in a broader sense while Guthrie wondered how the proposal's limited PRA would work with small companies. In the broader context, ACT | The App Association Senior Director for Public Policy Graham Dufault said the discussion draft carries more sensitivity to small businesses than the EU General Data Protection Regulation.
"The difficulty with the GDPR approach is when you start with a presumption of it being illegal to process data, it presents some uncertainties but especially for companies that are trying to figure out what they are going to be and what they're going to do," Dufault said, adding the discussion draft also offers compliance resources specific to SMEs rather than a one-size-fits-all approach.
For all the positivity around whether this draft bill and its process could result in a law, Tuesday's hearing brought a fair share of potential hurdles to the forefront. Each of the eight witnesses outlined improvements they'd like to see to various facets of the draft. Those comments reflect the proposal's imperfections, but it also demonstrates the reality of the ongoing stakeholder process lawmakers are working through despite consultations that led to the bipartisan draft.
On the limited PRA proposal, National Association of Convenience Stores General Counsel Doug Kantor said the potential for litigation is "worrisome" if "additional safeguards" aren't put into place, including a better definition for compensatory damages that doesn't allow lawyers to "jam into that concept to make dollar values pretty high." Meanwhile, Baker Botts Partner and former FTC Commissioner Maureen Ohlhausen said state preemption as currently constituted in the draft could be "highly problematic" because the exceptions may "unduly limit" the application of preemption.
There's also general pressure points that remain unresolved for lawmakers. Rep. Kelly Armstrong, R-N.D., was candid regarding his doubts that the proposal's preemption language strikes the right tune.
"We are trying to compromise, but our number one job moving through this should be to provide clarity and decrease litigation," Armstrong said. "Anti-preemption doctrine is relatively undeveloped in federal courts. And not withstanding any unsettled questions of law surrounding attempts to remove state law actions to federal court, anti-preemption leaves substantive questions. Without further clarity, I'm worried this will evolve into further litigation and, more importantly, potentially lack of action by state governments."
This white paper examines the progress made in Congress toward bipartisan agreement on privacy rights over the current legislative session, analyzing the 18 bipartisan federal privacy bills introduced in the 117th Congress.
This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.
If you want to comment on this post, you need to login.