Senate Privacy Hearing: Apologies, Explanations, And Weak Support

 You’re reading the Benton Foundation’s Weekly Round-up, a recap of the biggest (or most overlooked) telecommunications stories of the week. The round-up is delivered via e-mail each Friday.

Round-Up for the Week of September 24-28, 2018

Robbie McBeath

On September 26, 2018, executives from six major U.S. tech and communications companies testified before the Senate Commerce Committee at a hearing titled Examining Safeguards for Consumer Data Privacy. Representatives from Amazon, AT&T, Google, Twitter, Apple, and Charter were there to help lawmakers as they all discussed “possible approaches to safeguarding privacy more effectively.” Tech companies, on the whole, followed the trend that has emerged out of Silicon Valley when they testify before Congress: Apologize, explain, and offer to work with lawmakers on a regulatory solution. And what they buffered their offer with was this: we support federal laws that would safeguard user privacy — if those laws aren’t as stringent as rules recently adopted in Europe and California.

Are We Moving Towards a National Consumer Privacy Law?


In the wake of Facebook’s Cambridge Analytica and other data-privacy scandals, lawmakers are pushing for a legislative solution. “The question is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take,” Senate Commerce Committee Chairman John Thune (R-SD) said

It’s important to note the “federal” in the previous sentence. One of the main goals of the hearing was to examine the nation’s "patchwork of state privacy laws" and determine whether Congress should act to strengthen (or federalize) them.

Underlying the conversation was a concern over the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), California’s sweeping privacy law, which is set to go into effect in 2020 that could usher in a wave of new state-level rules. 

Large tech companies have opposed the GDPR and CCPA because of compliance costs, expensive penalties for violations, and the restrictions on collecting data. The CCPA mandates that all consumers be able to see which businesses are using their data and be able to decline the sale of that information, among a host of other protections.

Executives told the panel that the United States needs federal legislation to protect personal data. “If other states follow suit, we’ll be facing a patchwork of rules and fragmentation that will just be unworkable both for consumers as well as mobile companies and Internet companies,” said Leonard Cali, AT&T’s senior vice president for global public policy.

But importantly, executives told lawmakers not to emulate California and Europe. They said restrictions on data collection would diminish user experience. Personal data are needed to determine which ads and services are most useful to each user, the executives said.

The executives also said the European law would only strengthen incumbent companies such as theirs, given the costs of complying. “We’re concerned about the small and medium-sized business,” said Guy Trimble, Apple’s vice president for software technology.

“We’re urging for comprehensive federal law that looks at both these laws and learns from them, but does better than them,” said AT&T’s Cali, who called the European law “overly prescriptive and burdensome.”

Privacy advocates, notably absent from the hearing (more on that below), say the companies’ preference for a federal law is guided by fear that other states could adopt California’s strict rules. “What they mean is that they want weak federal privacy legislation that preempts stronger state laws,” said Christine Bannan, an attorney for the Electronic Privacy Information Center.

Some senators did not share the views of the industry representatives. Senator Ed Markey (D-MA), a founding co-chair of the bipartisan Congressional Privacy Caucus, said he hopes any discussion about preemption would come after lawmakers agreed on stronger federal rules. “Congress should not make weak laws to preempt strong laws,” he said.

Senator Brian Schatz (D-HI) -- the Ranking Member of the Committee’s Communications, Technology, Innovation and the Internet Subcommittee -- echoed Sen. Markey’s concerns. “We’re not going to get 60 votes for anything and replace a progressive California law — however flawed you may think it is — with a nonprogressive federal law.” 

Heavy on Support, Light on Specifics

While the industry representatives agreed on wanting to work with lawmakers, few concrete recommendations were offered. “[O]verall they avoided discussing specific proposals in depth,” Derek Hawkins writes in the Washington Post.  For example, when Sen. Amy Klobuchar (D-MN) asked whether companies should be required to notify customers of data breaches within 72 hours, they shook their heads silently. “I’m going to take that as a no,” Sen. Klobuchar said. 

The companies’ divergent data collection practices, business models, and attitudes toward consumer privacy highlight how complicated it is going to be for Congress to hammer out a single, sweeping bill, let alone pass it.

For example, Apple’s vice president for software technology, Bud Tribble, said the company supports a comprehensive bill that would meet the high bar set by the California legislation. Apple’s definition of privacy goes beyond just giving users the right to decide what information they don’t want to share with the company, Tribble said. The company, he said, believes it should automatically be walled off from its customers’ information.

“We want your device to know everything about you,” Tribble said. “We don’t think that we should.”

Hawkins writes that witnesses hedged during the hearing when senators asked them whether there was anything in those policies that is worth emulating nationally. The witnesses were mum except for AT&T's Cali, who said only that he was pleased both laws applied uniformly to all both broadband internet access service providers and internet-based companies.

Which Agency Should Handle Privacy?

A point of contention came over which federal agency should have authority to regulate consumer data. That role currently belongs to the Federal Trade Commission — an arrangement that executives at the hearing said should stay in place.

The Electronic Privacy Information Center proposes the creation of a separate regulatory agency to oversee the handling of consumer data. EPIC says the FTC is woefully understaffed and lacks the authority to set rules. The FTC’s main deterrence tool is consent decrees, with which it can fine companies only after they have been caught violating rules. “It seems absurd,” said Sen. Schatz about the reactive, rather than proactive, enforcement tools Congress has provided the FTC.

Criticisms and Next Steps

Before the hearing even began, some criticized the industry-only representation. Consumer advocacy groups were absent; so, too, were start-ups. "Big tech loves to argue that any regulation will stifle innovation, but no small companies were present to talk about whether GDPR or the California privacy law have created major burdens that hurt their businesses. Academics who study privacy and who can offer empirical evidence on these topics weren't in attendance," wrote Hawkins. 

But Chairman Thune responded to these concerns. “Let me reassure anyone who thinks we’re going to be rushing through legislation without the benefit of alternative views that things don’t work that way here. Early next month, we intend to convene a second hearing that will include privacy advocates as well as other key stakeholders. Alastair MacTaggert, the California privacy activist, and Andrea Jelenik, the head of GDPR enforcement for the European Union, have already agreed to testify.” 

MacTaggart assured people of his intentions. "To be clear: We will fight back against any attempts to undermine [California's] ability to provide these fundamental rights to California consumers, and will support further efforts to provide these rights to all Americans," he said. “We are on the right side of history here. Europe has just made huge strides forward in consumer privacy. And as goes California, so goes the nation.”

Ultimately, lawmakers say these discussions will probably continue past the midterm elections into 2019, when they plan to pass privacy legislation. Which is great -- and the same message we've been hearing since 2000. Don't hold your breath.

Quick Bits

Weekend Reads (resist tl;dr)

ICYMI from Benton

Upcoming Events October 1-5

Oct 2-- Public Safety Answering Points (PSAPs) Education Day: Real-Time Text, FCC

Oct 3 -- FCC Disability Advisory Committee

Oct 3 -- Oversight of the Enforcement of the Antitrust Laws, Senate Antitrust Subcommittee

Oct 4 -- FCC Intergovernmental Advisory Committee

Oct 4 -- Scaling Innovation: Why We Should Preserve the Consumer Welfare Standard in Antitrust Policy, ITIF

Oct 4 -- LikeWar: The Weaponization of Social Media, New America panel

By Robbie McBeath.