The Senate Commerce, Science, and Transportation Committee heard testimony today detailing the workings of data privacy laws in Europe and California–specifically the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)–amid a growing groundswell for Congress to work on a national data privacy law for the U.S.
When the committee held a hearing met last month featuring technology companies and internet service providers, committee Chairman Sen. John Thune, R-S.D., made a point to mention that the industry will not write Federal data privacy legislation, and that the industry cannot be trusted to regulate itself.
“A national standard for privacy rules of the road is needed to protect consumers,” he said.
Sen. Edward Markey, D-Mass., filling in for committee Ranking Member Bill Nelson, D-Fla., who was returning to his home state ahead of Hurricane Michael, said he was glad that during last month’s hearing AT&T, Amazon, Google, Twitter, Apple, and Charter Communications all agreed that Federal data privacy regulations are needed.
However, he said senators shouldn’t be under any “delusions” as to why tech companies are suddenly on board with Congress taking action on data privacy, and credited companies having to conform to GDPR and CCPA for the industry’s change of heart.
Andrea Jelinek, chair of the European Data Protection Board, unsurprisingly, stressed the importance of regulation in her testimony.
“The volume of digital information in the world doubles every two years, artificial intelligence systems and data processing deeply modify our way of life and the governance of our societies,” she said. “If we do not modify the rules of the data processing game with legislative initiatives, it will turn into a losing game for the economy, society and for each individual.”
Both Jelinek and Alastair Mactaggart, chair of Californians for Consumer Privacy, discussed the basic principles that form the foundation of GDPR and CCPA.
For Jelinek, it was putting individuals at the center of privacy practices, accountability, and using a risk-based approach to data collection. Mactaggart similarly explained that CCPA is based on transparency, control, and accountability. Essentially, both pieces of legislation prioritize the individual’s right to know what information is being collected and how it will be used, while also making those collecting data responsible for securing and using the information responsibly.
Both Jelinek and Mactaggart addressed concerns that privacy laws will hurt businesses and will stymie innovation–arguments frequently leveled by those opposed to stricter data privacy regulations.
“It is often said that the U.S. approach to data protection promotes technological innovation and economic growth, which is important for people living on both sides of the Atlantic,” Jelinek said. “Let me give you my opinion on that: without trust, there is no economic growth and no innovation at the end of the day. Companies should be allowed to continue to use and share data, as long as they do so in a transparent and lawful manner, respecting the rights of individuals.”
“CCPA is not anti-business,” said Mactaggart. “It was, on the contrary, written and proposed by businesspeople concerned that regulations were needed; that as in so many previous situations, whether of the giant trusts of a century and more ago, or of the telephone and related wiretapping concerns, or cigarettes and health, or autos and safety, this latest technology too, has outpaced society’s ability to fully comprehend it yet, or its impact on all of us.”
Laura Moy, executive director at the Center on Privacy & Technology at Georgetown Law, had a different perspective on the importance of data privacy. While other witnesses focused on the importance of data privacy for the individual, Moy focused on the societal implications of unregulated data collection.
“This is about our country–and the world–grappling with the implications of unbridled data collection, storage, and use–things that give the holders and users of data more power to influence society than we could have imagined before the digital era,” she said. “This is about confronting the ways in which the data-driven economy is contributing to extreme wealth disparity, extreme political polarization, extreme race- and class-based tension, and extreme information manipulation. We need to come together to rein in the problematic ways in which Americans’ data is being collected and stored without meaningful limitations, and used in ways that harm not only individuals, but our broader society.”
While her perspective may have differed from the other witnesses, the six recommendations Moy offered to the committee closely aligned with their basic policy prescriptions.
Moy stressed that: there are appropriate and inappropriate collections and uses of Americans’ information; privacy protections should be strongly enforced by an expert Federal agency; privacy protections should also be enforced by state attorneys general; privacy and data security protections should be forward-looking and flexible; protections for Americans’ private information should take into account the context in which information is shared; and Congress should not eliminate existing protections for Americans’ information.
Nuala O’Connor, president and CEO of the Center for Democracy & Technology, agreed with Moy’s recommendations and stressed in her testimony the importance of regulation and enforcement on a Federal and state level.
“Instead of relying primarily on privacy policies and other transparency mechanisms, Congress should create an explicit and targeted baseline level of privacy protection for individuals,” she said. “[L]egislation should enshrine basic individual rights with respect to personal information; prohibit unfair data processing; deter discriminatory activity and give meaningful authority to the FTC [Federal Trade Commission] and state attorneys general to enforce the law.”