The Senate took its turn at a federal data privacy law Wednesday (Feb. 27) and the same political divide emerged over how to reach the bipartisan goal of strong, federal data privacy legislation, as in the House hearing the day before.
That divide was in evidence early on over the issue of any new federal privacy law preempting what Republicans and industry witnesses characterize as a "patchwork" of potentially conflicting state privacy regimes, perhaps most notably the California privacy law that takes effect in 2020.
Sen. Roger Wicker (R-Miss.), chairman of the Senate Commerce Committee holding the hearing is in that preemption camp, as are most Republicans, while ranking member Maria Cantwell (D-Wash.) made it clear she thought the focus on preemption was
Wicker and various witnesses from the telecom and computer industries talked throughout about needing strong federal regulation, addressing the other side's concern that stronger state regs would be preempted by weaker federal law based on giving consumers a clearer picture of how their data was being harvested and commoditized, rather than focused on the consumer first and the internet economy second.
Both sides of the aisle appear to agree that the notice and choice regime doesn't work and that companies are incentivized to make privacy policies complicated so that users will overshare, as it were. But Republicans were talking up making those policies clearer, combined with more consumer control over the data--rights to correct or delete--for example.
On one side was Jon Leibowitz, former chair of the Federal Trade Commission and current co-chair of the telecom-backed 21st Century Privacy Coalition, who invoked a "crazy quilt patchwork" of state laws that would make consumers numb to notifications and confuse them with conflicting standards. Wicker also pointed out that California's law had itself preempted municipal privacy regs, and that the EU's General Data Protection Regulation privacy regime, often cited by fans of privacy regs, preempted member state regimes.
Republicans and some industry reps talked about a "uniquely American " privacy regime, which appeared to be a call for not simply following the EU into a GDPR model.
On the other side of the preemption issue was Dr. Woodrow Hartzog of Northeastern University, who said that while consistency is nice, that "patchwork" of state laws is part of the nation's history and hardly insurmountable. "We are pretty good at dealing with that," he said, adding that it would not be what he would be focusing on in the legislation, suggesting also that it was not clear that every state would fit neatly into a national framework. Cantwell agreed, adding that she did not expect California would be acquiescing to federal preemption in any event.
When pressed, the witnesses all generally agreed that a federal law should be at least as tough as the California law it would be preempting. California Attorney General Xavier Becerra had made that argument earlier in the week."What we hope they [the federal government] doesn't do is try and undermine privacy rights that exist whether it's in California or in any other state, should the federal government decide to act," he said. "What would be one of the truly unfortunate circumstances here is if the federal government acts to reduce protections, not increase them. And so we hope that if they decide to move at the federal level that they will look at what's been done that's good and that to the degree they are interested in seeing what are best practices, that they will turn to places like California and other states that have moved in that direction.”
Sen. John Thune (R-S.D.), chairman of the Communications Subcommittee, said Congress "ought to" be able to come up with a bipartisan privacy law. But there appears to still be a lot of room between "ought" and "will."
Another of the big differences between the two parties is over "transparency and control," which Republicans say is a key to new legislation, and Democrats see as important, but still putting too much onus on consumers rather than the companies collecting and using the data.
There was some agreement on enforcement of any new privacy regime. There is support for additional resources for the FTC; giving it the authority to levy fines for first offenses, which the FTC can't do now; and at least some rulemaking authority (though "with guardrails," said Leibowitz). All also agreed that the FTC should be the primary enforcer, but that state attorneys general could also enforce the law, and that there should be an "eraser button" for children's information.
Sen. Marsha Blackburn (R-Tenn.) and Amy Klobuchar (D-Minn.) were also in agreement that data collection was big business, and that while that those companies had been talking a good privacy case for years, she was not seeing action.
Sen. Richard Blumenthal (D-Conn.) said Congress will need convincing that Big Tech really wants change, saying the overwhelming evidence is that they are willing to look the other way. "We have a trust gap that we need to bridge," he said.
Michael Beckerman, president of the Internet Association, said that his industry had made mistakes, but was owning up to them and improving on a daily basis.