This week featured back-to-back privacy hearings on Capitol Hill to discuss principles for federal privacy legislation. With the one-year anniversary of the European Union’s General Data Protection Regulation implementation coming in May and the California Consumer Privacy Act taking effect in 2020, industry players that have fiercely lobbied against federal privacy legislation in years past are now suddenly calling on Congress to pass a comprehensive privacy bill this year. Here’s a quick look at what happened in each hearing and a few key takeaways.
The House Hearing
The House Energy and Commerce Consumer Protection Subcommittee members kept the discussion at a high level as both sides of the aisle laid out their privacy priorities at Tuesday’s hearing. Despite the fact that data-centric companies have been doing just fine navigating a multitude of different state data breach laws, employment laws, and privacy tort laws, the minority members focused on their desire for a federal privacy bill to preempt laws at the state and local level.
Republicans also prioritized protecting small and medium-sized businesses from what they would deem to be “unnecessary” or “burdensome” regulations. Questions from the Democrats largely centered on whether a privacy regime based on notice and choice was sufficient to protect consumers (spoiler alert: it’s not) but covered a much wider range of topics from the need for privacy impact assessments to protecting children’s privacy to prohibitions on data uses that lead to redlining or unfair discrimination. Importantly, Brandi Collins-Dexter, Senior Campaign Director at Color of Change, was invited to testify on the panel. She provided critical representation for communities of color in the privacy debate and highlighted the privacy harms that can result from data misuse, arguing that “bipartisan legislation should be written through an anti-discrimination lens.”
The Senate Hearing
The Senate Commerce Committee invited five industry witnesses and a law professor to testify at a hearing dedicated to consumer privacy on Wednesday. In response to a lack of representation from civil society, privacy advocacy organizations, and civil rights groups on the panel, Public Knowledge joined several organizations, led by Access Now, to provide real-time reactions to the panel discussion on Twitter using the hashtag #RealPrivacy. In many ways, the discussion mirrored the House hearing with Republicans calling for the need to preempt state laws and the Democrats pushing to move the debate beyond notice and choice.
Unlike in the House however, the Senate Committee devoted some time to enforcement and the proper role of both the Federal Trade Commission and state attorneys general in enforcing a federal privacy law. Data security was also a more high-profile topic at the hearing, with panelists agreeing that security is an important component of privacy but cautioning against cybersecurity becoming the dominant issue. Professor Woodrow Hartzog, the lone non-industry witness, pushed for significantly stronger and more novel privacy protections than the industry representatives, including a private right of action for individuals and classes (via class action lawsuits) to enforce violations of their privacy. He also argued that companies must adhere to a “duty of care” to remove the burden of privacy control from consumers’ shoulders.
A few takeaways:
1. Senate Republicans have gotten slightly further along than their House counterparts in moving beyond the issue of preempting state laws, but the debate is still devoting too much time to it.
It’s critical for Congress to grapple with the challenging questions surrounding what should be included in a comprehensive federal privacy law and how those inclusions would be written into law before even getting to the preemption issue. To the extent that preemption is discussed, what does it mean in practice? Do the tech, telecom, and ad industries want to preempt state consumer protection laws in addition to similar privacy laws? What about the fact that numerous federal privacy laws like Electronic Communications Privacy Act and the Cable Communications Privacy Act exist that do not preempt state law?
2. Democrats in both chambers are eager to move the conversation beyond notice and choice.
This is a promising development in the privacy debate on Capitol Hill. Professor Hartzog described the problem with thinking of privacy as control in the Senate hearing: “If we are given our wish for more privacy, it means we are given so much control that we choke on it.” Requirements for meaningful consumer notice and choice at the point of data collection is certainly an essential component of any comprehensive privacy bill. But giving consumers meaningful control over their data cannot prevent many of the problems and harms that can result from data misuse such as reputational harm, lost opportunity, and disparate impacts on marginalized communities.
3. This debate still has a long way to go.
Based on the hearings, a few high-level issues are getting the most air time, namely transparency, access, correction, and deletion rights, as well as giving the FTC more staffing and resources, rulemaking authority under the Administrative Procedure Act, and the authority to impose civil penalties on first-time privacy offenders.
While it’s tempting to think there is agreement on the problems that federal privacy legislation should address, many questions are left unanswered. For example, will Congress craft FTC and state AG civil penalty authority free of caps and restrictions? Will the bill recognize consumers’ fundamental privacy rights with language devoid of loopholes that can let companies skirt their obligations? In the Senate hearing, Former FTC Commissioner Jon Leibowitz called for “guardrails” around FTC rulemaking authority. What does this mean? There was some indication during the Senate hearing that industry might accept an FTC rulemaking regime that resembles the one in the Children’s Online Privacy Protection Act, but it’s far from clear whether Congress will provide the lead privacy enforcement agency with a broad grant of regulatory authority that is necessary to ensure that the law is as flexible and future-proof as possible. For this reason, some have even called for a new data protection agency. It is critical that the devilish details are thoroughly debated with the involvement of all stakeholders — including privacy advocates — as this process moves forward.
Further, other key issues in the privacy debate such as data minimization and granting consumers a private right of action to seek legal redress for violations of their privacy in court were only mentioned in passing during this week’s hearings. While lawmakers are feeling the pressure from industry to rush through legislation during this Congress before the California Consumer Privacy Act takes effect, this shouldn’t happen. Consumers deserve a comprehensive federal bill that has been carefully crafted and built upon thoughtful and inclusive debate.
Image credit: Wikimedia Commons