Analysis: Everyone is in agreement: the United States needs a new federal privacy law, and it needs to be put in place in 2021.
That was the main upshot of a congressional hearing on Wednesday morning looking at the death of Privacy Shield and what America needs to do about it. Privacy Shield, if you can recall, was the doomed regulatory framework governing the way in which companies in the US and European Union shared people's personal information.
The Senate Commerce Committee heard from no fewer than five experts: FTC Commissioner Noah Phillips; president of tech pressure group BSA – The Software Alliance, Victoria Espinel; two law professors, Neil Richards of Washington University and Peter Swire of Georgia Tech; and finally the US Commerce Department’s international trade pointman James Sullivan.
Panelists are usually chosen for their opposing views – and there was plenty of that – but on the issue of getting a new federal privacy law on the books, they were unanimous.
California recently upped the ante by passing an extra piece of data privacy legislation, making it more likely that a range of different laws will emerge across the 50 states. And that, everyone agreed, was a recipe for disaster given that data flows across states are not only constantly occurring but are essential for doing business.
In the context of transatlantic data flows however – something that is worth an estimated $300bn a year to the US – that privacy law is a vital first step to getting back to the previous status quo, where data traveled freely and companies only had to pay tiny sums to be covered by the agreement.
While the experts were enthusiastic over getting a federal law passed, however, the senators were more restrained: a sign of just how paralyzed Congress has become thanks to partisanship. They heard and they agreed but actually passing a law? That’s something that only happened in the past.
Local shop for local people
Another issue that prompted unanimous agreement was data localization: namely, that it is a bad idea. If the US doesn’t figure out how to reach agreement with the EU over a new version of the Privacy Shield that can survive another legal challenge, it will almost certainly lead to companies having to store data on their European customers in Europe and their American customers in the US.
That may sound relatively simple in theory but in reality, the experts noted, it is an extremely costly and ineffective option. The DoC’s Sullivan called data localization a “very significant concern” and “exceeding expensive” and warned it would effectively freeze small and medium sized enterprises out of the European market altogether.
How expensive? “Upwards of $1m,” per company, according to him. By contrast, the Privacy Shield cost a company making less than $5m in revenue a year just $250. It’s not a direct comparison but you get the idea.
The BSA’s Espinel also warned of “greatly increased cost” or the likelihood that many businesses will simply not be able to operate within the EU. Washington University’s Richards said simply that data localization “would be bad.” The issue is also much bigger than individual companies – enforced data localization would effectively stop the global financial system from functioning as it does today and require a complete overhaul.
So there is real pressure for the US to get a new Privacy Shield agreement in place. Which isn’t exactly news but it was good to hear agreement on that point across the board.
You'll like this bit
The system is called “notice and choice” but everyone agreed that there is no real choice – you have to agree to terms you haven’t read if you want to use anything. One senator chimed in that literally that morning he had set up an AppleTV and not read a word of the terms and conditions before stating, legally, that he had read every word. It’s a nonsense and everyone has stopped pretending otherwise.
What was also refreshing to hear was an apparent end to the Trumpian alternate-universe approach to policy making. Committee chair Roger Wicker (R-MS) was under no misapprehension that the Privacy Shield is dead and something concrete had to be done to create a new transatlantic data agreement.
Both the US and EU fought desperately to retain Privacy Shield, even going to the trouble of running three annual reviews of it between 2017 and 2020, declaring each time that it was fine and legal. Both groups had also fiercely fought for the previous agreement – the Safe Harbor agreement – which stood for 15 years. But both were overturned by the European Court of Justice on very clear principles and the reality that political fudges and weasel words were no longer going to work has finally dawned on everyone.
Well, nearly everyone. FTC Commissioner Noah Phillips, who was put on the regulator by President Trump in 2018, still hasn’t got the memo, and argued – or tried to argue – that actually the European Court of Justice had decided wrongly and that everything was fine.
He also used a depressingly familiar tactic of claiming that there were “a number of studies” that showed there were “just as many if not more rights given to US citizens as domestic citizens in the EU.” Of course he wasn’t able to cite any of those studies and life is too short to go into the semantic games being played around the rights granted to US and EU citizens but suffice to say his argument was nonsense and – amazingly for a Congressional hearing – the lawmakers made it plain they were not going to waste any time going down rabbit holes.
Chair Wicker repeatedly shot down Phillips’ assertions as did ranking member Senator Maria Cantwell (D-WA) and for a moment it felt like we finally had Congress back: smart people asking informed questions on topics of importance, cutting through the chaff to come up with real world solutions.
Big fat nope
But then we hit the real problem: surveillance.
The Privacy Shield agreement was struck down in July for two main reasons: it doesn’t let EU citizens challenge a US company if they misuse their personal data; and US surveillance law doesn’t meet data protection requirements.
The previous Safe Harbor agreement was also shot down because of mass surveillance programs that had been exposed by CIA whistleblower Edward Snowden – several of which were subsequently deemed unconstitutional. This led to an Austrian activist shooting down not one but two cross-Atlantic data agreements.
The biggest hurdle to a transatlantic data flow agreement is the fact that the US spy agencies, most notably the NSA, insist on being given access to pretty much every data bit that flows into and out of the United States.
Even after the spotlight that was put on the various spying programs that the US government runs, which included new laws and reauthorizations, the truth remains that a very extensive spying apparatus still exists in the US with some of it covered by secret laws that not even Congress is aware of. It’s not just US spy programs that are under fire either; Europe has also been told to shape up.
The good news was that nobody at the hearing today was pretending otherwise. While everyone agreed that a new federal privacy law was needed and needed soon, they also all acknowledged that it wasn’t enough in itself to get a new Privacy Shield agreement. The language that everyone pretty much settled on was that a federal privacy law would be “very helpful” in building trust with Europe and a “positive signal.”
But when it came to discussing the actual issue of spy programs, the previously candid and open panelists and lawmakers suddenly clammed up. Most forthcoming was Senator Cantwell: she stated plainly that the Commerce Committee could help push a new privacy law, but when it came to surveillance, its members had no more than a single vote in the larger Senate.
She was, she noted, unable to do anything about executive orders from the president. And she added quickly: “We need way more transparency in the FISA court” – referring to the secret court that presides over the spying programs and approves their use.
No one else wanted to touch the subject beyond vague references to the “national security issue” when it came to a replacement for Privacy Shield. The BSA’s Espinel came closest when she said she felt it should be possible – and was necessary – for there to be a “long term solution and agreement to intelligence gathering.”
But that issue aside, after several years of excruciating Congressional hearings on tech issues, punctuated by ignorance and political showboating, today's hearing on resolving transatlantic data flow issues was a welcome dose of sanity. ®