SAN FRANCISCO——There are signs Congress will tackle privacy legislation again this year, and technology companies such as Google have a keen interest in shaping the federal privacy law. While there are several points of disagreement on what the law should cover, interest is high on both sides of the aisle in Congress to do something on the federal level to protect consumers, said a panel of policy executives from Google, Microsoft, and Twitter at RSA Conference.
The likelihood of a federal privacy law passing in the next year is higher than in years past—Julie Brill, corporate vice president and deputy general counsel at Microsoft, optimistically pegged the odds at 30 percent—and the time is ripe for this discussion.
The European Union’s General Data Protection Regulation (GDPR) went into effect a little less than a year ago, and companies in the United States with European users have been overhauling their policies to ensure they are in line with the new stringent data privacy requirements. The California Consumer Privacy Act (CCPA), which would give California residents significant control over their data, is set to go into effect in January 2020.
Recent incidents—including Cambridge Analytica collecting information of millions of Facebook users and the massive Equifax breach where personal data for millions of Americans were stolen—clearly illustrated the lack of protections for consumers on the federal level. The House Energy and Commerce Committee and the Senate Judiciary Committee have held hearings and the Federal Trade Commission scheduled privacy hearings for April.
There wasn’t this much interest among lawmakers and industry groups two years ago. The fact that the Chamber of Commerce released model privacy legislation calling for a federal privacy law last month was a “sea change,” Brill said.
“It’s no longer a question of if there will be a privacy bill, but what that bill would look like,” Brill said.
Most technology companies agree that a federal law governing the collection and use of consumers’ data is essential. Brill said the federal law needs to include three important elements: users should have strong control over what data is being collected; companies should be transparent about their data collection and usage; and a strong enforcement mechanism should be in place to hold companies accountable.
The disagreement lies in the details, such as whether companies should start data collection only after the user has given permission to do so (opt-in) or stop data collection after the user rescinds permission (opt-out). Consumers should know what kind of data is being collected, but the question is whether companies should have to disclose every piece of data they’ve collected on a person, or whether they can just list categories of data. And the list goes on.
With CCPA, the tech companies lobbied hard against giving individuals the right to sue companies for privacy violations. It would be interesting to see if this provision makes it to the federal law.
GDPR or Not GDPR?
The U.S. Government Accountability Office recommended Congress develop internet privacy legislation similar to GDPR to enhance consumer protections in a report released mid-February.
"Recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation," GAO said in the report.
The U.S. law does not need to be as prescriptive as GDPR, said Sarah Holland, public policy manager at Google. A better approach would be a “risk-based/outcome-based framework” that defines the overall requirements or objective and let the businesses figure out the appropriate processes, Holland said. The law should allow users to decide how much privacy controls they want to exercise, so some would take greater controls and others would be lax. This would be very different from GDPR.
“There are a lot of laws on the books already and apply to a comprehensive baseline federal legislation,” Holland said.
Holland repeated concerns that regulations would stifle innovation, as complying with strict rules would be onerous for small businesses. Nithan Sannappa, associate legal director of product at Twitter, agreed with Holland, noting that GDPR’s right-to-access provisions require companies to let users know what data they have on them. When Netflix was asked to provide a user’s Bandersnatch viewing log history, it was able to do so, but most small businesses don’t have the resources to build the systems and processes needed to provide that level of granular information upon request, Sannappa said.
“Any federal regulation should make careful consideration of the benefits and burdens and the tradeoffs between the two,” Sannappa said.
There is some self-interest here for Google, as well. Any kind of data privacy law would potentially affect at least 50 products at Google. “We want to make sure that we can meet user requirements for functionality as well as control and privacy,” Holland said.
Sannappa said it was important to balance the “harms we’re trying to prevent” and the “benefits regulation will enable.” Brill noted that the U.S. and Europe discuss harm differently as the Europeans view privacy as a fundamental right.
“Thinking about privacy as a right will start orienting U.S. businesses towards what’s happening around the world and may create a true paradigm shift,” Brill said.
GDPR Around the World
GDPR’s stringent requirements have paved the way for other countries, and “over the next five to 10 years, you can see that standards in Europe will be operable in a great deal of the world,” Microsoft's Brill said.
Under GDPR’s adequacy requirement, data about European users can be transferred only to “a market compliant with European standards,” so countries are beginning to pass laws that align with the EU regulations. Brazil has passed legislation, and India and South Korea are considering proposals. The United States will have to do the same with its privacy law. The U.S. will need to include user control over data; accountability and transparency in how companies are using data; and strong enforcement in its version of the law, Brill said, noting that all three are components of GDPR and two are in CCPA.
However, Brill cautioned that “it would be difficult to translate GDPR” in its entirety.
State vs Federal
Pro-business groups such as the Chamber of Commerce and tech companies would like to see a federal law that is more industry-friendly than CCPA. Privacy advocates worry that being industry-friendly means the federal law would be weaker than CCPA, and that the federal law would preempt California, removing those strong consumer protections.
Preempting CCPA won’t be easy, especially since California has 53 members in Congress. Aside from that, there is a sense among lawmakers that discussion should focus on what kind of protections are needed and not on how states are trying to protect consumers.
"We're not going to get 60 votes for anything and replace a progressive California law, however flawed you may think it is, with a non-progressive federal law," Sen. Brian Schatz (D-Hawaii) said during a recent hearing of the Senate Commerce Committee where executives from Amazon, Apple, AT&T, Google, Twitter, and Charter Communications testified.
Schatz introduced the Data Care Act of 2018 to require companies to “reasonably secure” identifying information and promise not to use it in harmful ways. Users would be notified in case of a data breach and third-parties with access to the data would also have to adhere to the same standard. The bill also expanded the FTC’s enforcement powers.
“A federal law needs to be worthy of preemption,” said Brill. “It needs to be a strong federal law. That conversation should be at the end, not the beginning.”
Existing Privacy Laws
If the U.S. law is modeled on GDPR or CCPA, there is a clear definition of what constitutes personal information. GDPR defines personal information as anything that relates to an identified or identifiable person, either directly or indirectly. CCPA goes even further, covering both the individual and data belonging to the household. Personal information under CCPA also includes inferences that can be drawn from mining different data sets.
GDPR and CCPA overlap on the major points that give consumers some control over the data collected by online companies: the right to know what is being collected; to access such data; to delete, correct, or erase data; and to carry one’s data from one company to another.
CCPA also gives the consumer the right to opt out of one’s information being sold to other entities.
While Congress has been talking, and talking, and talking about what needs to go into the privacy law, states have been moving. Bills similar to CCPA are being considered in 11 state legislatures and some state agencies are weighing developing privacy rules for specific industries. Washington state is considering a law that would give consumers new rights and impose restrictions on companies using personal data for profiling and facial recognition.
“We’ve worked with the states on their laws – working with legislators to make improvements,” Microsoft’s Brill said. “We feel there needs to be something on the books because we need to engender trust with consumers–we recognize the moment that we’re in, and know we need to address it.”
Brill compared the current situation to what happened with the data breach notification laws. Absent a federal breach notification law, states enacted their own, with California enacting the most comprehensive one that acted as a model for several other states.
“If it weren’t for the states, we would know so much less about what’s happening with breaches. There would be a lot less information to go on. That has been important and it happened at the state level, starting with California but almost every other state followed,” Brill said.