Data privacy experts and advocates encouraged federal lawmakers at a Senate Commerce Committee hearing Wednesday to draft strict data protection regulation that would give consumers vastly more control over their personal data.
During the hearing, the second of several scheduled before the Senate Committee on Commerce, Science and Transportation, Republican and Democratic senators expressed grave concern about recent data breaches reported at Facebook and Google, and they asked witnesses about the features of the European Union’s General Data Protection Regulation and the California Consumer Privacy Act that should be included in any federal data privacy regulations.
Laura Moy, the executive director and adjunct professor of law at the Georgetown Law Center on Privacy and Technology, told federal lawmakers they should set “a floor” that would establish baseline federal data privacy protections that would not impede states from enacting additional, more stringent privacy rules.
“This is not a time to be shy about data regulation,” Moy said. “Now is the time to intervene.”
Moy and Nuala O’Connor, the CEO and president of the Center for Democracy and Technology, pushed for the federal government to give the Federal Trade Commission rule-making authority and finding authority, which would grant the FTC more power to pursue and enforce federal data protection violations.
The major thrust of the testimony was that U.S. consumers should be at the center of any regulations that are considered, not the corporations that have been collecting consumer data and leveraging it for marketing opportunities. Advocates urged lawmakers to consider rules that would require consumers to give free consent before their data was collected, meaning that consumers should not be unduly penalized if they do not agree to having their data collected. The panelists also urged lawmakers to consider drafting clear guidelines regarding prohibited uses of data, including for discriminatory practices, and determine limits for how long corporations can hold on to consumer data for various uses.
“Privacy is about people,” O’Connor said. “Privacy is about the digital and real-world data breadcrumbs we leave behind, the things we say and do, the choices we make, the way we spend our time, and how the data about all of these things can affect what we see and know and achieve in the future. …It is time to consider the impact of ubiquitous data collection and to provide greater clarity and constraint on the use of this information.”
Andrea Jelinek, the chair of the European Data Protection Board, said the GDPR was “not revolution, but an evolution” of privacy guidelines. She said federal regulation was key to reestablishing trust, and said that investments in privacy can create new commercial opportunities for businesses.
“If we do not modify the rules of [the] data processing game with legislative initiatives, it will turn into a losing game for the economy, society and for each individual,” Jelinek said.
Alastair Mactaggart, the chairman of the board for the consumer group that advocated for the California Consumer Privacy Act, Californians for Consumer Privacy, said it was urgent for federal lawmakers to consider comprehensive data privacy rules like CCPA, which allows consumers to know the data corporations have on them and to opt out of data collection, as well as require companies to adhere to data security requirements.
“Data collection has gotten out of control, and that’s one of the reasons why we’re here,” Mactaggart said, mentioning that a kiosk at the hair salon Super Cuts required him to enter personal information when he arrived. “Americans have no certainty of where it’s going, and who is buying, it. We do know it’s getting stolen with regularity.”
The discussion, as expected, took a much different tone and focus than a panel convened before the same committee two weeks prior, during which representatives for major tech companies like Google, Amazon, AT&T and Twitter pushed for lax federal privacy regulations and said existing regulations like GDPR and the CCPA were too burdensome for their businesses.
On Wednesday, Mactaggart said that concerns expressed by those companies’ representatives that privacy regulation would hurt business were overblown, and that CCPA was not “anti-business” legislation. Mactaggart also emphasized that CCPA had widespread bipartisan support in California.
“Privacy is not a partisan issue,” Mactaggart stressed.