With GDPR, California Law, Senate GOP Members Open to Privacy Legislation
Given the patchwork of state and international privacy laws developing with the EU general data protection regulation and California’s new measure (see 1806290043), Senate Republicans told us they are open to legislating. And that chamber's Democrats seek such a regime.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Sen. Ron Johnson, R-Wis., said the U.S. “probably” needs federal pre-emption to govern internet privacy: “I’m not a fan of the federal government, but these are things the federal government must do, and that’s why you have the [International Chamber of Commerce] and have these things that streamline interstate commerce.”
Chairman John Thune, R-S.D., said the Senate Commerce Committee is watching the impacts of the GDPR in Europe closely, and lawmakers are weighing proposals floated for internet privacy. “We’d prefer obviously not requiring and mandating everything if possible, but we’re looking at different legislative options,” he said.
Sens. Amy Klobuchar, D-Minn., and John Kennedy, R-La., introduced a response to data privacy, the Social Media Privacy Protection and Consumer Rights Act (S-2728) (see 1804240046). Sen. Richard Blumenthal, D-Conn., introduced privacy legislation with Sen. Ed Markey, D-Mass. (see 1804100054).
Kennedy told us he doesn’t “know the particulars” of California’s bill, to take effect in 2020, but it’s important for Congress to speak as one voice about digital privacy. “People have a property right in their data, a right that’s going to become more and more important,” he said. Technology like artificial intelligence has benefits, but the U.S. should “be aware of the downside and the dangers as well, and they’re considerable,” he said. Sen. Cory Gardner, R-Colo., said lawmakers need to do a better job of understanding where states are headed on privacy “so that we can get a handle on the right policy” at the federal level.
Blumenthal told us the GDPR and California’s law are a good starting point, but a patchwork of state laws could make it more difficult for companies because of the need to comply with different standards. “Congress should certainly adopt a privacy bill,” he said. Vermont in May adopted the first U.S. law mandating security standards for data brokers (see 1805140060). The bill requires data brokers to report annually to the Vermont secretary of state.
Markey described Europe and California as in “the vanguard of recognizing that privacy is something that is important.” American, multinational companies now have to provide a level of privacy to European citizens that they had been denying U.S. citizens, he said, and this is going to provide a “glide path” toward ultimate adoption of federal rules. “This is the beginning, not the end,” Markey said. “The companies should support a national privacy [bill]. You have states adopting privacy measures, Europe adopting the same.”
Center for Democracy & Technology Vice President-Policy Chris Calabrese said the Facebook-Cambridge Analytica privacy breach “kick-started” the conversation, which was “turbo-charged” by the onset of the GDPR and California law. Platforms like Facebook, Google and Twitter now have much more incentive to reach some kind of legislative compromise, he said, saying the last thing tech companies want is a state patchwork of privacy laws.
Electronic Privacy Information Center President Marc Rotenberg said there's a clear need to update U.S. privacy law, given the rise of data breaches, identify theft and financial fraud: “We need a technology-neutral, industry-neutral approach that limits the collection and use of personal data.” Electronic Frontier Foundation Legislative Counsel Ernesto Falcon emailed that legislative prospects aren't good unless Congress is willing to "take on" Google, AT&T, Comcast and Facebook. "Each have an interest in not having a law that empowers users if it contradicts their current or intended surveillance business models," he said.