Senate Commerce Chairman Thune Expects Draft for Data Privacy Bill Before 2019
Senate Commerce Committee Chairman John Thune, R-S.D., expects to finalize draft data privacy legislation before year-end, he told reporters. Earlier Wednesday, the committee heard testimony (see 1809250049) from Amazon, Apple, AT&T, Charter Communications, Google and Twitter that edge providers and ISPs should be subject to the same pre-emptive federal privacy legislation.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Responding to criticism for the all-industry witness list, Thune said in opening remarks the committee plans a follow-up hearing with privacy and consumer groups in early October. California privacy activist Alastair Mactaggart, instrumental in advancing the state’s new privacy law, agreed to testify, as did EU chief data privacy regulator Andrea Jelinek, who will provide perspective on the general data protection regulation. Mactaggart's statement urged lawmakers to model their bill after California’s new law. Any legislation from the committee, regardless of whether the chairman is promoted to Senate majority whip, will have to balance Democrats’ regulatory agenda and Republicans’ light-touch approach, Thune told reporters.
Officials for Amazon, Google and Twitter agreed with AT&T and Charter Communications that edge providers and ISPs should be governed by the same core privacy principles. Google Chief Privacy Officer Keith Enright told the committee transparency and data control are key in this regard.
Witnesses signaled their companies aren't considering “pulling out” of California or Europe given the new privacy laws, responding to Sen. Richard Blumenthal, D-Conn. He said that suggests industry concerns about new privacy laws can be accommodated. Witnesses all agreed with Blumenthal that Americans deserve the same level of privacy as Europeans, and he asked why the U.S. shouldn’t adopt the same standards as California that are consistent with the GDPR.
Pressed about Google’s reported plan to launch a “censored version” of Search in China by Sens. Maggie Hassan, D-N.H., and Ted Cruz, R-Texas, (see 1808060037), Enright said he isn't “clear on the contours.” If the company were close to launching, he said, he would be actively engaged to ensure it’s in line with Google’s privacy principles released this week.
Ranking member Bill Nelson, D-Fla., suggested the FTC, which all witnesses agreed is the proper privacy regulator, needs more authority to protect consumers. The agency can bring action only if a company violates its own public policies, Nelson said. Senior Vice President-Global Public Policy Len Cali said AT&T doesn’t support “unfettered discretion from any agency” but the telco supports the FTC being able to do its job. Twitter supports more dialogue about further accountability, said Global Data Protection Officer Damien Kieran.
Sen. Brian Schatz, D-Hawaii, said FTC reliance on consent decrees to penalize violators means there are no consequences for violating existing rules. If the committee is crafting a new law, the FTC needs privacy rulemaking authority under the Administrative Procedure Act, said Schatz. Laws that “stand the test of time” have broad principles the agency is allowed to flesh out over time, he said, asking witnesses if they support such rulemaking authority. All offered a “qualified yes,” with Cali again citing worries about “unfettered discretion.” Amazon Vice President Andrew DeVore said details matter “tremendously,” and key is protecting innovation and customer trust.
Enright estimated Google spent “hundreds of years” of human time complying with the GDPR, and “orders of magnitude higher” than the “millions” of dollars in cost Sen. Mike Lee, R-Utah, suggested. This doesn’t mean all regulations are bad, Lee said, but expenses should be taken into account when considering a new law. Increasing the government’s regulatory footprint costs consumers one way or another, Lee said.
Sen. Amy Klobuchar, D-Minn., asked witnesses about elements of her bill with Sen. John Kennedy, R-La. (see 1808280039). None supports the 72-hour data breach notification requirement.
Cruz also pressed Enright about anti-conservative bias claims against Google (see 1808280055), saying “millions of Texans” believe it's censoring conservatives voices. Because the topic isn't in his “domain,” Enright wouldn’t speak to the claims, but “I’ve never seen any evidence of bias.” Cruz asked him if the platform is assessing whether there is bias, and Enright said he’s not “aware of such efforts."
There's more broad consensus on data privacy legislation at the federal level than ever, Internet Association CEO Michael Beckerman blogged Wednesday: “All stakeholders must work with urgency to modernize a national privacy framework in a way that protects Americans and allows for future innovation.”