TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Washington state’s consumer privacy act takes next step toward passage Related reading: Notes from the IAPP, May 17, 2019

rss_feed

""

""

On Wednesday, the Washington Senate Ways & Means Committee held a public hearing on the Washington Privacy Act (SB 5376). This was the second time the bill had come before a committee for a public hearing, after previously enjoying support from Microsoft General Counsel Julie Brill, during a public hearing in front of the Senate Environment, Energy & Technology Committee.

Comments from the speakers at the Ways & Means Committee hearing varied from proposals for clarifying amendments to opposition of specific provisions to support for the “strongest privacy protections of any law in the U.S.”

The hearing featured several public commenters who generally expressed support for the goals of the bill. Key areas became clear during the comments: The issue of facial recognition and law enforcement surveillance should be an area of concern with which the legislature continues to engage; without more resources, the state attorney general may not be the robust privacy regulator required under the bill; and the bill’s interaction with existing federal statutes can be further clarified.

Staffers first briefed the committee on key aspects of the bill, including obligations for controllers, the scope of jurisdiction, enforcement responsibilities, and a description of unique facial-recognition provisions. The staffers also included comment that personal information is protected in other areas of Washington state law, outside the Washington Privacy Act.

Sen. Reuven Carlyle, D-Wash., a member of the committee, then provided introductory remarks to his colleagues. He described the bill as a “multi-year effort,” including “multiple stakeholders” that provide for a balanced approach to consumer privacy “that works for our civil liberties” without depriving Washington residents or businesses the benefits of technology.

Washington State Chief Privacy Officer Alex Alben described SB 5376 as a “landmark act” and that Washington has a “rare window to draw upon the lessons of European law and synchronize it” with American laws. Microsoft representative Ryan Harkins echoed Alben’s effusive tone, applauding the bill as the “strongest privacy protections of any law in the U.S.” that incorporates elements of both the EU General Data Protection Regulation and the California Consumer Privacy Act. Harkins welcomed critics of the bill to offer substantive comments to improve any areas ripe for improvement.

The bill is not without opposition, however. The nine remaining commenters expressed opposition to specific aspects of the Washington Privacy Act in its current form; though, all supported the general goals of the act.

Mark Johnson, representing Washington Retail, opposed the statute as written and said his association prefers a federal solution to a state-by-state approach to protecting privacy. Yet, he and his members support the act’s goal of providing Washington residents with the same level of privacy protections EU citizens enjoy.

Other industry representatives — including Cliff Webster, of the Consumer Data Industry Association, Diana Carlen, of Relx Inc., and Brad Tower, of Toy Association — expressed a desire for greater clarity regarding the act’s federal statute exemptions. Webster asked for clarifying corrections to the bill’s Fair Credit Reporting Act exemptions, and Carlen highlighted possible problems for banks under the current federal exemptions in the bill. Tower stated that his association would like the final version of the bill to grant the Children’s Online Privacy Protection Act exemption treatment similar to that currently bestowed on the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act in the current version of the bill.

Eric Gonzalez, of the American Civil Liberties Union, and Jevan Hutson, a student at the University of Washington Law School, opposed what they regarded to be weak protections against the potential harms of facial recognition found in the bill. Gonzalez suggested that the bill lacks teeth without a designated privacy regulator (as exists in the EU) and decreed that the definition of facial recognition had been watered down from its original language. More importantly, he opposes SB 5376 because it does not go far enough to protect individuals from facial surveillance by the government and does not adequately address the risks of racial profiling. Hutson advocated for the facial recognition and surveillance protections found in the House’s version of the bill (HB 1655) and labeled the act’s allowance for law enforcement’s use of facial recognition for surveillance purposes “dangerous and unacceptable.”

The final three commenters each expressed concerns about law enforcement’s ability to use body cameras under the bill.

James McMahan, representing the Washington Association of Sheriffs & Police Chiefs, came out against Section 15’s perceived restriction on law enforcement officers to use body cameras in public spaces. He described the provision as incompatible with precedent regarding the expectation of privacy in public spaces and creating an overbroad and “unattainable” threshold for officers to obtain a warrant. Cody Arledge, representing Motorola Solutions, emphasized that many schools include body cameras as one layer of a multifaceted approach to building security and that the current language of the bill may prevent the use of such technology. Michael Transue, representing Axon Enterprises, sought clarification from the legislature on the use of body camera footage and asked for clarifying amendments that made more explicit protections of trade secrets and other intellectual property from release in response to a consumer request.

The bill is now scheduled for an executive session with the Ways & Means Committee. It will continue to move through the committee process before being read on the Senate floor. The companion house bill (HB 1655) is also in committee, having recently passed from the House Innovation, Technology & Economic Development Committee to the House Committee on Appropriations. Both bills will need to pass their respective chambers before the governor will have the opportunity to sign the Washington Privacy Act into law.

2 Comments

If you want to comment on this post, you need to login.

  • comment John Kropf • Feb 28, 2019
    On the point that the bill incorporates elements of GDPR, this may be the first time that a U.S. proposal, either state or federal, has incorporated the EU concepts of Controller and Processor.  The bill incorporates almost verbatim GDPR definitions of: Consent, Controller, Processing, Processor, Profiling, and Sensitive data [EU = Special data] excluding only trade union membership.  Can EU concepts work in a U.S. context? Are they consistent with existing U.S. concepts?
  • comment Mitchell Noordyke • Mar 6, 2019
    The workability of EU concepts in the U.S. is an important point, John. In comments I have heard from the Washington state CPO, who was intimately involved in this bill, the drafters were purposeful about what they borrowed from the EU. They were cognizant that EU data protection laws are built on different values, decades of precedent, and a different enforcement structure, so they could not simply lift the EU model and drop it into a state in the U.S. That does not answer the question you raised, whether EU concepts can work in the U.S., but I hope it provides valuable context.