With all of the hubbub swirling around Capitol Hill last week with the Michael Cohen hearings, you can’t be blamed if you missed the fact that two important congressional hearings on privacy and data protection took place as well, one in the House and one in the Senate.
First, on February 26, the House Energy and Commerce’s Subcommittee on Consumer Protection and Commerce held a hearing titled, “Protecting Consumer Privacy in the Era of Big Data.” It was the first hearing on the topic in the 116th Congress. Committee members expressed bipartisan support for enacting comprehensive legislation that would set a national standard for data protection, but differed on what that standard might be. Republican committee members expressed concern that overly strict standards could burden and disadvantage small businesses. They focused on how the European Union’s General Data Protection Regulation (GDPR) has advantaged companies with the largest market shares at the expense of smaller businesses. Democrats, meanwhile, expressed concern over the discriminatory effects of a data marketplace without strong enough standards.
In opening statements, Representative Frank Pallone (D-NJ), Chairman of the full committee, said that dense and lengthy privacy polices mean that we can no longer rely on a system of notice and consent and advocated for a shift toward a strong, comprehensive model of data protection. Representative Greg Walden (R-OR), Ranking Member of the full committee, expressed a desire to work toward federal privacy legislation that focuses on 1) transparency and accountability, 2) protecting innovation and small businesses, and 3) setting a single national standard. A number of witnesses testified before the subcommittee, including representatives from Color of Change, the largest online civil rights organization in the U.S., the American Enterprise Institute, and the Center for Democracy and Technology.
Then, on February 27, the Senate Commerce Committee held a hearing titled, “Policy Principles for a Federal Data Privacy Framework in the United States.” Committee members from both parties expressed support for strong, comprehensive legislation to protect the privacy of consumer data. They differed, however, on what preemptive effect any federal privacy law should have. Republican committee members tended to support the idea of preemption to avoid the potential burden of complying with a patchwork of state laws with varying standards. Democrats, on the other hand, expressed concern that passing a preemptive federal law could lead to a lower overall standard of data protection by nullifying stricter state laws. The preemption issue is sure to remain a hot topic as at least some of the push to pass comprehensive federal privacy legislation is being driven by concerns over the California Consumer Privacy Act (CCPA), which is scheduled to become operative on January 1, 2020.
In opening statements, Chairman Roger Wicker (R-MS) advocated for a data privacy framework that is “uniquely American.” This framework, he said, should preempt state law and interoperate with international laws to reduce the burdens of compliance. He made it clear that “a national framework does not mean a weaker framework than what’s being developed in the states.” Ranking Member Maria Cantwell (D-WA) described recent data breaches as part of a larger trend rather than one-off incidents. She suggested that the GDPR and the CCPA could provide valuable insights to congressional efforts to create comprehensive federal data protection legislation. She stated her position that “we cannot pass a weaker federal law at the expense of the states.” Witnesses from several organizations testified before the committee, including representatives from the 21st Century Privacy Coalition, the Retail Industry Leaders Association, and the Interactive Advertising Bureau.
While potential comprehensive federal privacy legislation has gotten a lot of attention lately, any move from the current sectorial model of U.S. data protection to a comprehensive model will be a heavy lift and will require careful analysis and balancing of privacy rights and regulatory burden. And all the while, technologies and techniques for exploiting security vulnerabilities will continue to evolve. Therefore, statutory and regulatory regimes must provide ample protections while also remaining flexible enough to be applicable to evolving technologies. As expressed by Senator Cantwell, it will be no easy task.
Gregory is a Research Professional with the firm and is not an attorney.
