US House and Senate Debate New Data Privacy Law
Most people in the US – 91%, according to the Pew Research Center – feel they’ve lost control over their data.
Lawmakers feel your pain, citizens. They’re not interested in hearing your thoughts, though.
This week, both the House and the Senate are holding hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations.
But it’s not the consumers whose data gets fumbled, or quietly pickpocketed, who are sitting in on those meetings.
Rather, it’s mostly tech companies, the Electronic Frontier Foundation (EFF) points out. From the EFF’s India McKinney and Katharine Trendacosta:
Last year, the US Senate held a hearing about consumer privacy without a single voice for actual consumers. At the time, we were promised more hearings with more diverse voices. And while a hearing a month later with consumer advocates did seem to be a step forward, this week’s two hearings – only mostly full of witnesses from tech companies – make us worried about a step back.
House disses GDPR, California’s CPA
At the mostly consumer-free House hearing on Tuesday, the Consumer Protection and Commerce subcommittee agreed that we need a new, single federal privacy law. At this point, we’ve got a hodgepodge of state laws and a slew of proposed federal laws. Lawmakers are now considering one such: the Data Care Act (PDF).
Other bills: In September, Rep. Suzan DelBene introduced a privacy bill that would require information transparency and personal data control. In November, Senator Ron Wyden proposed a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy. Senator Marco Rubio announced yet another bill in January, titled the American Data Dissemination Act.
CNET quoted Rep. Jan Schakowsky, who spoke at the beginning of Tuesday’s House hearing:
Reports of the abuse of personal information undoubtedly give Americans the creeps. Without a comprehensive federal privacy law, the burden has fallen completely on consumers to protect themselves, and this has to end.
Overall, the committee was none too thrilled with the notion of modeling a new law on the laws we now have: either the EU’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA).
Rep. Cathy McMorris Rodgers, for one, argued that the GDPR is detrimental to the free market and has tipped the scales in favor of large tech companies. Legaltech News quoted her:
Millions of dollars in compliance costs aren’t doable for startups and small businesses, and we have already seen this in Europe where GDPR has helped increase the market share of tech companies while forcing smaller companies offline.
Other reps accused the GDPR of burying consumers in a blizzard of required notices and privacy policies they don’t read. Other committee members or witnesses said that the law stops people from getting to certain newspapers, such as the Chicago Tribune, and to the WHOIS domain registration database in the EU.
Given how negative the committee was about the GDPR, it’s not surprising that many members didn’t cotton to the notion of modeling a new law on the CCPA.
Roslyn Layton, visiting scholar at conservative think tank American Enterprise Institute:
It’s not fair that one state gets to dictate [privacy] for everyone else.
Dave Grimaldi, executive vice president for public policy at Interactive Advertising Bureau, said that businesses could be swamped by fines due to the CCPA’s requirement that businesses have to hand over consumers’ data when requested:
[If a business doesn’t meet the timeline], it is in the violation of the law. [Given the potential for thousands of requests,] that’s something smaller companies wouldn’t be able to deal with.
Of course, a new law doesn’t have to hew to what’s already been done in California or in the EU.
Meanwhile, industry and interest groups are bending Senatorial ears
On Wednesday, the Senate Committee on Commerce, Science, and Transportation were scheduled to hold a hearing titled “Policy Principles for a Federal Data Privacy Framework in the United States” in order to examine what Congress should do to address risks to consumers and implement data privacy protections for all Americans. The Commerce Committee exercises jurisdiction over the Federal Trade Commission (FTC), which is the primary enforcement agency for consumer privacy and information security protections.
Earlier this month, House Energy and Commerce Chairman Frank Pallone, Jr. released a Government Accountability Office (GAO) report (PDF) that suggests Congress should consider “developing comprehensive legislation on internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving internet environment.” He requested that report two years ago and said in a statement that the need has only grown more apparent.
What do the privacy people want?
The EFF may not have gotten a seat at the table, but it’s got ideas that it wants lawmakers to mull over when it comes to crafting privacy legislation.
The EFF is calling for the creation of “Information Fiduciaries” for large internet companies that collect user data. Such a rule would impose a “duty of care and loyalty on large internet companies,” it says.
For such a rule, it would be “essential” for people to be able to sue companies that violate their privacy rights, the EFF says.
We see a persistent lack of federal enforcement regarding consumers’ private data. For years the FCC has looked the other way while wireless carriers have allowed bounty hunters (or anyone) to purchase consumers’ geolocation data. The FTC ignores Facebook and Google continuing to flaunt their consent decree, even after a litany of privacy scandals in the last year alone. It is long past time to allow individuals to protect their own privacy rights.