Momentum stalls for federal privacy bill
01 Apr 2019 12:00 am by Dave Perera
The already small chances of a bipartisan federal privacy bill becoming law this year have shrunk even further in recent weeks.
No single issue has emerged as an unmovable obstacle. The House and Senate still plan data-privacy hearings. The bipartisan privacy working group of four Commerce Committee senators who are drafting a bill plans to hold a meeting of principals in the coming days.
But a drip-drip-drip accumulation of complications has led to an unavoidable conclusion: things are going slower than anticipated.
Among the drips: The working group hasn't met its self-imposed deadline of circulating a discussion draft before April. The new Senate Commerce Committee ranking Democrat, Maria Cantwell of Washington — who is not a member of the group but will influence legislation going through the committee — said she doubts anything can be done quickly. South Carolina Senator Lindsey Graham, the Republican chairman of the Senate Judiciary Committee, has signaled that he wants his committee to be involved, almost inevitably slowing progress.*
In the House of Representatives, empowered Democrats want to pass their own privacy bill, a process that has only just begun.
Hanging over everything is the issue of preemption, which has flipped the usual red-blue divide by turning Democrats into defenders of states’ right to pass strong privacy restrictions without being preempted by federal law. Not coincidentally, Democratic stronghold California has the nation’s toughest and most comprehensive privacy bill to date.
“Are we here just because we don’t like the California law, and we just want the federal preemption law to shut it down?” asked Cantwell during a March hearing.
No one MLex spoke with, including members of Congress, industry lobbyists and privacy advocates, was willing to say a federal privacy bill is as good as dead. Neither is it in robust condition, at least not if "robust" is defined as having a high probability of quick passage. Paradoxically, that’s actually fine with many privacy advocates, who are worried that haste is a congressional cloak for weakening California-level protections.
Bipartisan Working Group
News trickled out in late summer 2018 that four senators — Republicans Jerry Moran of Kansas and Roger Wicker of Mississippi, and Democrats Richard Blumenthal of Connecticut and Brian Schatz of Hawaii — formed a working group dedicated to writing a privacy bill.
How much progress the working group has made is a matter of speculation and hints. “They’ve been keeping it very close to the vest,” said a congressional observer.
Drafting has reached a point where senators must “sit down and make sure we understand what the remaining issues are, and then we begin the give-and-take of what we can accomplish,” Moran said after a data-privacy hearing this week.
In other words: the really difficult part is just beginning. “I don’t think the differences are insurmountable,” Moran said.
Further complicating the group’s work is Cantwell’s ascension to the post of Senate Commerce ranking member. Her predecessor, Senator Bill Nelson of Florida, gave the working group his approval, but Cantwell has been more guarded.
“The many challenges that we will face … cannot simply be decided today,” she said during a March committee hearing. Cantwell also has yet to appoint her own committee staff director, a powerful position meant to represent her interests inside committee operations.
Admittedly, crafting a privacy bill is difficult stuff, particularly one that covers data privacy practices across the entire economy.
Even consumer rights that have broad support from industry and advocates, such the ability to access, correct and delete data, resist easy commitment to regulation.
An exacting definition of “access” would require all the data that consumers transmit to companies: the metadata, the clicked-on advertisements and the inferences companies make from the data. It could even require them to disclose data originating with third parties.
Not all companies want to give up those details. And if they do, they might not want to do so frequently, or for free, setting up a debate about scope, ease and cost of access.
Do consumers have a right to access their data after it’s been anonymized? If the answer is “no,” then how to pitch the exemption so that it doesn’t create a corporate loophole?
What about shared data? Should one household member be allowed to hear every request to Alexa and tally the exact time of every front door entry?
Each of these wicked problems has an answer but any solution means trading off one interest against another.
Here’s how Graham kicked off a mid-March Senate Judiciary Committee hearing on privacy: a declaration that a privacy bill has to go through him.
“There are some cross-over jurisdictions. But the content stuff seems to be mostly us. How you protect the platforms seems to be mostly us. Most of the privacy issues, I think, are in Commerce, some in Judiciary,” he said.
Some welcome Graham’s involvement, noting his reputation as a dealmaker among Senators. Others cringe at how far behind Judiciary Committee senators appear to be on the privacy debate.
“I’m still on ‘opt in’ versus ‘opt out,’ ” announced Senator Dianne Feinstein, the Democratic ranking member from California.
Requiring companies to present consumers with a choice about data collection might seem to protect consumer privacy, particularly if the default setting is to get express permission (“opt in”).
But its real-world application has turned opt-in or opt-out into a false choice. Companies have become expert at extracting consent and often resort to denying online services if the consumer decides not to grant permission. The privacy debate has moved on from whether privacy should hinge on consent about data collection.
Notably, the California Consumer Privacy Act — the state law subject to so much Beltway hand-wringing — eschews the debate all together. Its solution is for consumers to limit companies’ ability to sell their data.
“If you say, ‘Yes, you can process my information, then it’s business as usual, nothing’s changed,” said Alistair Mactaggart during the Judiciary hearing. Mactaggart is the wealthy Bay Area real estate entrepreneur who was a major force behind the push for the CCPA.
Seeing this retrograde level of debate in Congress can be frustrating for privacy experts. Politicians get a pass on subject matter expertise since they have staff for digging into the policy weeds. But to some observers, hearing the Judiciary Committee debate the merits of opt-in was a step backward.
“We should stop debating how exactly people can be tricked into signing their rights away,” said Michelle Richardson, who manages the Center for Democracy and Technology’s privacy advocacy efforts.
If the congressional federal privacy debate seems caught in one place, that’s also because the topic of preempting state laws persists with "Groundhog Day" resilience. California’s first-in-the-nation privacy law goes into effect next year.
Big Tech wants a national law, preferring a single national standard and, say critics, a weak one at that. Republicans also want Congress to prevent states from writing their own consumer privacy laws, and the two combined have kept the focus of the privacy debate on that topic.
It all makes Democrats exasperated. “The issue of preemption comes at the end of the discussion, not at the beginning,” said Representative Jan Schakowsky of Illinois after hearing Republicans decry the California law during a February hearing of a House Energy & Commerce subcommittee.
Schakowsky heads the House Energy and Commerce Committee's consumer protection subcommittee. She and committee Chairman Frank Pallone of New Jersey plan to introduce their own privacy bill this year.
It’s a particularly vexing obstacle for members of the mostly-Democratic California delegation, which has taken to defending the law.
Moran hopes to entice Democratic support with a bill offering California-like levels of privacy. “Can we reach an agreement on what the law is that’s sufficient for Senator Blumenthal to agree that preemption is a good thing?” Moran asked reporters as Blumenthal stood by his side this week.
Urgency is only felt by one side, however — the side trying to replace the California law. For Democrats, the countdown clock can only bring about offers of additional compromise or maybe even a checkerboard of state
laws, with the strongest of them becoming the de facto national standard.
Time is on their side, which means it’s not on the side of a federal bill, at least not anytime soon.
03 Aug 2020 9:29 pm by Ana Paula CandilCompanies are pressuring Brazilian lawmakers to delay implementation of the nation's data-protection law from Aug. 16 until next May.
Biggest cyberattack ever caused $15 billion loss to customers of companies directly hit, though banks softened impact, study says31 Jul 2020 12:00 pm by Neil RolandThe most damaging cyberattack ever in 2017, caused a $15 billion loss to customers of companies directly hit, a federal study said.
International companies more prepared than local companies for Brazilian data protection law, Alves says30 Jul 2020 11:00 am by Ana Paula CandilInternational companies are much more prepared for Brazil's new data protection law than Brazilian firms because they already comply with similar legislation.