Silicon Valley trade groups are consistent in their hope that a federal data privacy law will preempt the growing thicket of state regulations, including one that mirrors onerous new European rules.
Among their reasons for hoping for national regulation is the difficulty of conducting Internet-based commerce, which inherently spans state boundaries, when the rules for buyer and seller are different.
But there is a second justification, according to several of those who testified before a Senate committee on Feb. 27 about the need for a nationwide standard: They believe Congress can craft a law that’s better, and perhaps even stronger, than the rigorous standard in California.
It was an argument that was greeted with skepticism by some Democrats and flummoxed one Republican.
Noting that international technology companies already have to follow Europe’s General Data Protection Regulation, a strict policy that was greeted with dismay in the U.S., Sen. Shelley Moore Capito, R.-W.Va., questioned whether it wouldn’t be simpler for affected firms to continue operating under that regime.
“All of you advocated for better and more stringent, the way I heard it, than what’s offered under California law,” said Capito.
Such a resolution “might be simpler,” said Jon Leibowitz, a partner at the law firm Davis Polk & Wardwell who is the co-chairman of the 21st Century Privacy Coalition and was chairman of the Federal Trade Commission for much of former President Barack Obama’s first term. “It wouldn’t be better.”
Europe’s law, which carries a maximum penalty of 4 percent of annual revenue or €20 million and requires businesses to notify customers of any data breach within three days, is so strict that some businesses have pulled out of the region, he explained.
Congress shouldn’t risk a similar result, Leibowitz said. “You want to design legislation that’s going to allow for innovation while also protecting information.”
He suggested a 2012 report from the Obama-era FTC as a starting point for a bill that has gained momentum after high-profile hacks such as the theft of identification data for more than 300 million people from Marriott Hotels’ Starwood division last year, as well as a breach at credit bureau Equifax in 2017 that exposed similar data for more than 145 million people.
The report called for greater consumer control over data, heightened transparency, a requirement that consumers be allowed to choose up front whether to share sensitive information with companies, a so-called “opt-in right”; and allowing the opposite for non-sensitive information, an opt-out right.
“Privacy shouldn’t be about who collects consumer data, it should be about what data is collected and how it’s protected,” Leibovitz said. “Strong protection should be backed up by strong enforcement authority for the FTC. Congress should provide my former agency with the ability to impose civil penalties for violators for first offenses so malefactors don’t get a second bite at the consumer-deception apple.”
A federal law that included such provisions and incorporated the best portions of existing state legislation would merit preemption of lower-level rules, he said.
“You don’t want a cacophony or crazy quilt patchwork of 50 different state laws,” said Leibowitz, whose organization spent $1.1 million lobbying on behalf of the telecommunications industry last year, according to the Center for Responsive Politics. “If someone is driving from Biloxi, Miss., to Bellevue, Wash., they don’t want to go from state to state and have different regimes.”
That patchwork of regulations exists in part because of the tech and telecommunications industries’ lobbying against a comprehensive federal measure, said Sen. Amy Klobuchar, D-Minn., who is seeking her party’s nomination to run against President Trump in 2020 and has co-sponsored a privacy bill of her own.
“What I have found in getting involved in this is that the reason all the states are doing all this is that we have done nothing here,” she told the industry groups. “Companies that you represent have been lobbying against legislation like this for years, and it’s never right enough.”
Her colleague, Sen. Maria Cantwell, D-Wash., the highest-ranking Democrat on the committee, was openly dubious about the industry’s motivation for a federal bill, which the Internet Association hopes to see signed by President Trump this year. The group represents firms from Airbnb to Facebook, Amazon, and Google.
“I find this effort somewhat disturbing,” said Cantwell. “Are we here just because we don’t like the California law and we just want federal preemption law to shut it down?”
That’s precisely the concern of privacy advocates, including Shane Green, the head of Digi.me, a platform designed to give users more control over their data. Critics have compared the California Consumer Privacy Act, signed by former Gov. Jerry Brown last year, to Europe’s rule because of similar principles on consumer control of data.
The measure, which doesn’t take effect until 2020, allows Californians to review the data that companies hold on them and block firms from selling that information. Enforcement of its provisions is largely limited to the state’s Department of Justice, but its attorney general is backing a bill that would allow consumers to sue on their own.
“The federal government has been very slow in moving in this space,” he said. “Thank God, California did not wait. Thank God, most of the other states haven’t waited for the federal government.”
Should Congress act now, he added, it would be unfortunate if lawmakers “reduce protections, not increase them. We hope that if they decide to move at the federal level that they will look at what’s been done that’s good and that, to the degree they are interested in seeing what are best practices, that they will turn to places like California.”
