Testifying before the U.S. Senate, advocates for Big Tech and consumer rights agreed that, when it comes to protecting consumer privacy, the key words are “accountability,” “responsibility,” “security” and “transparency.” But that’s where their agreement comes to an abrupt halt–including over what those words actually mean. Which means it’s going to be very difficult for Congress to craft a compromise internet privacy law.
Take, for example, the two sides’ perspective on the European privacy law, GDPR. Industry advocates at a Sept. 26 hearing — which included representatives from Apple, Amazon, AT&T, Charter Communications, Google and Twitter — largely disapprove of GDPR and find its requirements “burdensome.”
Consumer advocates present at a second hearing on Oct. 10 — including representatives from the European Data Protection Board, Californians for Consumer Privacy, the Georgetown Law Center on Privacy and Technology, and the Center for Democracy and Technology (CDT) — largely approve of GDPR and consider it a workable model for the U.S.
Alastair Mactaggart, board chair for Californians for Consumer Privacy, even discussed how the California privacy law — the CCPA — was modeled on GDPR.
At the industry hearing, AT&T’s Senior Vice President of Global Public Policy Leonard Cali said, “Protecting our customers’ privacy is a fundamental commitment at AT&T, and we understand the great responsibility that comes along with our customers’ trust in allowing AT&T to collect and use their data,” but then added later, “GDPR is overly prescriptive and extremely burdensome.”
Industry representatives told senators a federal consumer data privacy law is necessary and they welcome such a legislative effort. However, they don’t want a law that may restrict their business interests. Their idea of a privacy law that built on the priciples of accountability, privacy, responsibility, security and transparency, but is still flexible enough to all for profitability and innovation.
“Consumers need understandable rules of the road,” Cali told senators at the Sept 26 hearing. “Restrictions should be risk-based depending on the sensitivity of the data. Consumers should be able to choose how their data is used. Consumers and businesses would be better served by greater clarity and heightened levels of consumer consent.”
The problem is how Big Tech actually does business. As Google’s Chief Privacy Officer Keith Enright noted, Google’s consumer data-driven ads are essential to the company’s business model.
“Google’s approach to privacy stems directly from our founding mission: to organize the world’s information to make it accessible and useful,” Enright said at the hearing. “Ads help make that happen. With advertising, users expect us to keep their personal information confidential and under their control. We do not sell personal information. We acknowledge we have made mistakes in the past. We understand that our business foundation is trust. We strive to be upfront about the data we collect, why we collect it and how we use it. A healthy data ecosystem requires that people feel comfortable … [that we will] be responsible for protecting [personal data].”
Enright’s comments fuel the debate over whether tech companies should be allowed to collect personal data beyond what they need to offer a service. Tech companies say this additional personal data allows them to further personalize and enhance the consumer’s experience. Consumer advocates, on the other hand, think this is a violation of consumer privacy.
Laura Moy, executive director of the Center on Privacy & Technology at Georgetown Law, thinks tech companies shouldn’t collect data on consumers that isn’t necessary to provide their service. She cites Google scanning users’ Gmail for ad fodder as an example.
“Heightened standards should apply when information sharing is unavoidable or less avoidable by consumers,” her prepared testimony reads. “This is consistent with several existing laws that protect consumer information in specific contexts in which sharing is unavoidable — such as the information shared by students in an educational context, by consumers in a financial context, by customers in a telecommunications context, and by patients in a medical context.”
Another sharp disagreement between the industry and consumer advocates is their stance on whether a federal agency should regulate consumer data privacy.
Almost all the consumer advocates at the October 10th hearing said Congress should pass a privacy law and then hand over regulatory authority to an agency.
But when Sen. Brian Schatz (D-Hawaii) asked industry leaders whether an agency should have “unfettered discretion” over privacy regulation, all the industry leaders answered with a “qualified yes,” with Cali being the most hesitant.
Given the differences, a federal privacy law may be a long time coming.
Roslyn Layton, visiting fellow at the American Enterprise Institute (AEI), told InsideSources that bipartisan cooperation is key in order to produce a holistic privacy law that doesn’t stifle innovation or hurt consumers.
“This must be a steadfast, bipartisan objective in 2019 as it’s clearly top-of-mind for American consumers and policymakers, and it is what today’s digital economy demands,” she said. “We can develop better privacy regimes through science, technology, and innovation.”