Privacy Law Showdown Between Congress and Tech Looms in 2019
Credit to Author: Issie Lapowsky| Date: Thu, 27 Dec 2018 12:00:00 +0000
The global conversation around data privacy changed dramatically in March of 2018. That’s when Cambridge Analytica made international headlines. It was the story of a shadowy political firm misappropriating the data of tens of millions of Facebook users without their knowledge. But really, the story was how Facebook, keeper of 2 billion users' private messages, photos, and social connections, let it happen.
Washington spent the better part of the year talking tough to tech companies and threatening a crackdown on the wanton collection, dissemination, and monetization of personal data. But all of that was just prelude. The real privacy showdown is slated for the year ahead.
Companies like Amazon, Apple, Facebook and Google are pushing hard for federal digital privacy legislation in 2019, and not quite out of the goodness of their hearts. This summer, California's state legislature passed a groundbreaking bill that would give residents unprecedented control over their data. The law, which has been widely criticized by pro-business groups like the Chamber of Commerce and the Internet Association, is set to go into effect on January 1, 2020.
So tech giants are racing the clock to supersede California’s law with a more industry-friendly federal bill. Given the bipartisan backlash to Big Tech in 2018, it seems possible that a deal on regulation could be reached, even in a divided Congress. “You have a bipartisan sense that some type of privacy legislation needs to happen, and at the same time, you have industry pushing for it,” says Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. “We’re certainly in a moment that’s been different from moments in the past.”
The exact contours of that legislation will no doubt be the subject of debate among lawmakers, lobbyists, and privacy advocates in the months to come.
What would it look like if Silicon Valley got its way? Tech giants have offered some hints in numerous policy papers released over the last few months. The Internet Association, which represents companies like Amazon, Facebook, Google, and Twitter, released its own framework for a federal bill, as did the Chamber of Commerce. Intel went so far as to draw up a draft bill, tentatively titled the “Innovative and Ethical Data Use Act of 2018.” Central to all these proposals is the notion that a federal bill should preempt any statewide legislation—like, say, California's—from taking effect. "A strong national baseline creates clear rules for companies and ensures that individuals across the United States can expect consistent data protections from companies that hold their personal information," the Internet Association's proposal reads.
This will likely be a point of contention between industry lobbyists and consumer rights groups like the ACLU, which argue that states should be free to pass stricter rules if a federal bill doesn't go far enough. "Any federal law should be a floor, not a ceiling," Guliani says.
The topic of preemption came up repeatedly during a recent hearing of the Senate Commerce Committee, where executives from Amazon, Apple, AT&T, Google, and Twitter, as well as Charter Communications all testified. Senators were predictably split on the matter. Republicans Mike Lee and Jerry Moran underscored the need to avoid a patchwork of privacy laws in different states, while Democrats like Brian Schatz called out the industry for trying to undercut the California law with a weaker federal one.
"I understand that from the standpoint of some of the companies, the holy grail is preemption. And I want you to understand that you're only going to get there if this is meaningfully done," Schatz said. "We're not going to get 60 votes for anything and replace a progressive California law, however flawed you may think it is, with a non-progressive federal law."
The Trump administration's National Telecommunications and Information Administration has released its own point-by-point proposal, describing in unspecific terms a set of "privacy outcomes" the administration would like to see. It too proposes a bill that would "harmonize the regulatory landscape" to "avoid duplicative and contradictory privacy-related obligations." The goal of the proposal, says NTIA spokesperson Anne Veigle, is to "serve as a point of information if Congress decides to move forward with privacy legislation."
“You have a bipartisan sense that some type of privacy legislation needs to happen, and at the same time, you have industry pushing for it.”
Neema Singh Guliani, American Civil Liberties Union
Another key question is how any sort of federal legislation would be enforced. In California, tech giants lobbied hard against giving individual consumers the right to sue the companies for violations of privacy. They half-won: The new law holds that state residents can sue only in the event of a data breach. Otherwise, it's up to the state's attorney general to investigate. In Washington, industry groups hope to leave enforcement to the Federal Trade Commission. Critics of that approach say that the FTC has too little authority to impose meaningful penalties on companies, and that it's failed to act on what authority it does have.
Case in point: When Facebook was accused of misleading customers about their privacy in 2011, the company entered a consent decree with the FTC promising not to do it again. But when Facebook found out about Cambridge Analytica, executives didn't report their findings to the commission. The FTC is now investigating Facebook, but the incident suggests that the agency's existing enforcement mechanisms are at best flawed.
That's one reason Democratic senator Ron Wyden, one of Congress's best-known privacy hawks, has begun circulating a draft bill that would expand the FTC's powers. The bill would establish privacy and cybersecurity standards, while giving the FTC the power to fine companies for the first offense, which is not currently within its purview. “It’s time for some sunshine on this shadowy network of information sharing," Wyden said in a statement introducing the bill.
Schatz, the senior senator from Hawaii, introduced his own bill, co-authored with 14 other Democrats, in December. The Data Care Act of 2018 would require companies to "reasonably secure" identifying information and vow not to use it in harmful ways. It would require them to notify users in case of a data breach and hold third parties with access to the data to the same standard. Like Wyden's bill, it gives the FTC expanded powers to fine violators.
So far, the bill has received limited support from both the Electronic Frontier Foundation and the Internet Association, which suggests there is some consensus around what should be included in any federal legislation. Parties on all sides of the privacy argument, for instance, say that people should be able to see what data is collected about them and how it's being shared. They also agree that companies should be required to get consent before processing user data, and that consumers should be able to request that their data be corrected or deleted.
But there are a range of opinions on how those ideas should be implemented. Should companies be required to disclose every single piece of data they've collected on someone, or is sharing the categories of data enough? And what constitutes consent? Must consumers opt in to having their data processed, or is it sufficient to let them opt out? "If at the end of the day all we get is a bill where people have to check another box, that’ll be a sign to consumers that we didn’t address the concerns they had," according to Guliani.
As these debates take shape, it's important to note that not even the tech giants are unanimous on every policy question. During October's Senate hearing, Charter Communications pulled away from the pack, advocating for a bill that would require people to opt in before their data can be collected. Apple CEO Tim Cook, meanwhile, has sought to distinguish his company from other Silicon Valley players that trade in user data. During a keynote speech in Brussels this fall, he called for a law that would prevent data from being "weaponized against us with military efficiency." It was a far more full-throated endorsement than, say, Facebook CEO Mark Zuckerberg gave in April when he told Congress that Facebook would support regulation "if it's the right regulation."
The task of reconciling the differences between businesses, advocacy groups, and members of Congress will likely fall to the leadership of the Senate Commerce Committee and the House Energy and Commerce Committee. Just who will run those committees is still an open question. John Thune, the Republican from South Dakota, who serves as chair of the Senate committee, is set to step down from the role, while Florida Democrat Bill Nelson recently lost his reelection bid, opening up his seat as ranking member of the committee. And now that Republicans have lost the majority in the House, Democrats who have recently been critical of Big Tech will be taking the big chairs. On the House Energy and Commerce Committee, that will fall to Frank Pallone Jr., from New Jersey, while Jerry Nadler of New York is poised to lead the House Judiciary Committee.
"We all know the cycle by now: Our data is stolen and the company looks the other way," Pallone said in his opening remarks when Zuckerberg appeared in Congress. "Eventually reporters find out, publish a negative story, and the company apologizes. Congress then holds a hearing and then … nothing."
That could change in 2019—but not without a fight.