Privacy was the topic du jour on the Hill today. In its first hearing in the new Congress, the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce heard testimony from privacy rights activists and technology industry groups on how to protect consumer privacy in the era of big data. All witnesses before the Subcommittee agreed that the Federal government needs to enact Federal data privacy legislation, though witnesses disagreed on what exactly the legislation should cover.
While all the witnesses supported privacy legislation, the motivations behind their support were different. For the privacy rights activists, they were motivated by a desire to enact stronger protections for consumers. However, for industry groups, their motivation appeared to be a desire to avoid states passing their own data privacy laws, creating regulatory headaches and confusion. Likely weighing on their mind is California’s incredibly strict data privacy legislation which was passed in June of 2018 and will go into effect in January of 2020.
Denise E. Zheng, VP of technology and innovation at the industry group Business Roundtable, stressed the importance of avoiding patchwork regulations.
“Talk to any economist, and he or she will tell you that innovation thrives in stable policy environments, where new ideas can be explored and flourish within a well-understood legal and regulatory framework,” she said. “It is in fact because of our stable policy environment that the United States is the top global destination for developing and bringing to market innovative technologies. But fragmentation of privacy regulation threatens to undermine that stable environment and is, therefore, a threat to innovation.”
However, Brandi Collins-Dexter, senior campaign director of the civil rights organization Color Of Change, had a very different perspective and encouraged Federal legislation that does not inhibit states from passing stricter laws.
“What we need is clear, federal baseline legislation that does not preempt innovative state policy laws but ensures basic rights for everyone in the United States,” she said.
Collins-Dexter also tied privacy rights and protection to civil rights and said legislation was needed to protect civil liberties.
“Ultimately, privacy as a concept in its most aspirational sense is not merely about the freedom and ability to close your ‘digital curtains’ so no one can peek in,” she said. “Instead, I would respectfully challenge all of us to consider privacy and digital rights for all as a necessary framework crucial to ensuring that our human, civil and constitutional rights are not confined to our offline lives but are also protected online where so much of our daily life occurs. I would even say that if we fail in the mission to ensure our rights online are protected, we stand to render many of our offline rights meaningless.”
During her testimony, Collins-Dexter offered up basic tenets that Federal privacy legislation should include. She said it must “establish limits on the collection, use, and disclosure of sensitive personal data; establish enhanced limits on the collection, use, and disclosure of data of children and teens; regulate consumer scoring and other business practices that diminish people’s physical health, education, financial and work prospects; prohibit or prevent manipulative marketing practices; and establish a data protection agency that is empowered to ensure that privacy rights are protected through enforcement mechanisms.”
In a similar vein to Collins-Dexter, Nuala O’Connor, president and CEO at the Center for Democracy and Technology, also offered up five tenets that the legislation should include. She said that the legislation should “provide individual rights to access, correct, delete, and port personal information; require reasonable data security and corporate responsibility; prohibit unfair data practices, particularly the repurposing or secondary use of sensitive data, with carefully scoped exceptions; prevent data-driven discrimination and civil rights abuses; and provide a robust and fair enforcement mechanism including original fining authority for the FTC.”
David F. Grimaldi, Jr., executive vice president of public policy for the industry group Interactive Advertising Bureau, also offered up tenets for Federal legislation, though the issues he focused on were quite different than the ones Collins-Dexter and O’Connor addressed.
He said that the legislation should “impose clear prohibitions on a range of harmful and unreasonable data collection and use practices specifically identified in the law.” He also stressed that the legislation must “distinguish between data practices that pose a threat to consumers and those that do not.” Additionally, he believes that the law should “incentivize strong and enforceable compliance and self-regulatory programs.” He also addressed the concerns of patchwork regulations by saying the law “should reduce consumer and business confusion by preempting the growing patchwork of state privacy laws.”
