The legislative dance around a federal data privacy law continued on Wednesday at a Congressional hearing where a range of former FTC officials and California’s Attorney General were quizzed on how to make it a reality.
Even the title of the Senate's commerce committee hearing indicated how many times around the roundabout this effort has gone: “Revisiting the need for federal data privacy legislation.”
It didn’t take long for everyone to agree on one thing: the US needs a single data privacy law. In the modern internet world, no company can avoid international commerce, and even if they somehow manage to do that, they can’t avoid inter-state commerce.
Since a huge number of people are online and exchanging information in an almost seamless fashion, it makes sense to have a single nationwide law to cover it all rather than a “patchwork of state laws” – a phrase put in quote marks because it was used so frequently during this hearings – and every other previous hearing – that we might as well as start referring to its as POSL.
As usual, things have split largely down party lines. To simplify: Democrats think American citizens should have the right to their own personal data, including telling companies what they can gather and whether they can sell it; Republicans believe companies should have the data because it’s worth money and money is good.
But it didn’t take long for the pervasive issue of data to go beyond just Facebook’s and Google’s business models: Senator Ed Markey (D-MA) noted that facial recognition can be bound up into the same laws and noted, correctly, that that technology and its related databases can have a disproportionately negative impact on non-white people, in large part because the technology has been built from databases of largely white people.
Let's have a law
Before things got too far away from data privacy however, it was pulled back when Markey noted that Microsoft, for example, had vowed not to use facial recognition tech until there a single federal law covering its use.
It’s not clear that a data privacy law would also have to cover facial recognition, rather than two separate laws, but since the hearing had become about Congress’ failure to agree to anything even when everyone was agreed it needed to do something, it seemed fitting to point out that facial recognition has also fallen on the scrapheap.
Hey, remember that California privacy law? Big Tech is trying to ram a massive hole in itREAD MORE
Microsoft was used an example, incidentally, since ex-FTC Commissioner Julie Brill was on the panel and she is the software giant’s chief privacy officer and a key voice in the messy data privacy debate. She confirmed that Microsoft had called for legislation.
Brill was also quizzed from the other side of the spectrum – Senator Ted Cruz (R-TX). Cruz was worried (though not really) about the impact of a data privacy law on smaller businesses. It could be too onerous, he argued, for the kind of privacy law some people were pushing to be applied across the country.
He disparaged Europe’s equivalent – GDPR – and noted that it has caused some American businesses to simply shut up shop to Europe customers in order to avoid have to deal with the complexity of the law.
Brill wasn’t taking the bait: she argued that not only will a company want to have the option to trade with Europe at some point, but that a stronger and clearer data privacy law across the US would be beneficial: it would enable companies to “engage more respectfully and increase trust in those companies.” It would increase competitiveness.
You could almost hear Cruz snort before he overreached and argued some companies would end up deciding which state laws they would have to break, or which customers in which states not to serve.
That's a No, then
No one thought much of that argument, including former FTC chairman Jon Leibowitz, who noted that interstate data flows were so ubiquitous that it wasn’t realistic. Another former FTCer Maureen Ohlhausen joined in and said the same thing. And everyone settled down again to agree fiercely that what we didn’t want was a patchwork of state laws: POSL.
The elephant in the room, of course, was California Attorney General, Xavier Becerra. California has created somewhat of a problem for everyone by passing the California Consumer Privacy Act (CCPA) which finally came into force earlier this year.
Becerra was good enough not to point out that the law was only passed because Californian voters were going to force through their own data privacy legislation through the ballot box regardless, having grown fed up of constant stasis in Sacramento thanks to the lobbying power of tech giants. Becerra also failed to mention the efforts to undermine the CCPA, and the fact that his own office’s approach is under fire again by Californian voters who aren’t happy with how he’s applying – or, rather, not applying – the law, and have threatened to pass a stronger version.
In Washington, Becerra is under pressure from the other side of the spectrum: those who don’t want data privacy legislation to actually give people data privacy, or at least not at the expense of companies.
Even Becerra wants a new federal privacy law. Although his version would be – literally using an American football metaphor – a “playbook” rather than a strict set of laws. “Then, like a good quarterback, we adapt to what we see coming at us,” he told the committee. “Give us a playbook. But don't preempt smart, nimble privacy protections that let states meet the varying challenges coming at us.”
More not less
He then listed all the ways in which Californians aren’t happy with the current California law and claimed to want them to, such as a private right for action where citizens can sue, say, Facebook for data privacy breaches.
“We also need greater transparency on how algorithms impact people's fundamental rights in health care, housing, employment, and how they may perpetuate systematic racism and bias,” he said.
“Businesses that dive deep into collecting our data should also disclose specifics of the data they collect. They should minimize the collection of personal data and use that data for the purpose the consumer allowed. Finally, consumers should have the ability to correct errors in personal data.”
Surely, former FTC chair under President George W Bush, William Kovacic, had something good to give them. His pitch was to give the FTC additional power to deal with privacy issues, and to go State Rights with everything else. The federal government could come up with a “framework” onto which states mapped their own rules and laws.
But even under that bare bones approach, Kovacic noted that it would take a long time and “cost a lot” to pull in “economists, attorneys, technologists, socialists” and he suggested that they all get paid extra – 20 per cent more than normal the normal civil service pay scale – and that Congress provide an extra billion dollars a year to the FTC to oversee it all.
So, yeah, everyone agrees we need a federal privacy law as soon as possible. And after today’s hearing, everybody knows why it’s not going to happen. ®