The Senate Commerce Committee waded into the longstanding issue of a national privacy law Wednesday (Sept. 23) with an assist from four former top Federal Trade Commission members and through the new lens of the COVID-19 pandemic.
The committee was holding a hearing on "Revisiting the Need for Federal Privacy Legislation." The revisit was driven in part by the increased use of broadband data during the pandemic, including for telehealth and contact tracing.
Related: Republicans Introduce COVID-19 Tracing Privacy Bill
Sen. Roger Wicker (R-Miss.), chairman of the committee, has joined with other Republicans to introduce the American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act).
That bill is a revise of the United States Consumer Data Privacy Act, a draft of which was released in November 2019.
At the hearing, Wicker said that legislation was two years in the making, with input from a variety of stakeholders, and came even as California adopted its own privacy legislation, the California Consumer Privacy Act. Wicker said that CCPA is difficult to understand and could become more so, arguing that was one reason that federal legislation was needed.
Related: CCPA Enforcement Begins Without Final Rules
Wicker said that the pandemic has shown that national privacy legislation is more necessary than even, including as more data is collected to do contract tracing.
Wicker said the bill gave them a chance to pass privacy law. He asked his colleagues to look seriously at the bill and work together to pass it.
Ranking member Sen. Maria Cantwell (D-Wash.) agreed COVID-19 had put a spotlight on privacy and Congress needs to establish privacy protections. Her version of that is the Consumer Online Privacy Act. She suggested Republican legislation would maintain the status quo, with loopholes that weaken rights by preempting state laws, like the CCPA--California Attorney General Xavier Becerra appeared at the hearing in defense of the law. He said it was the first time people in the state had the ability to tell businesses not to share their information. He called the states "laboratories of democracy."
One of the things she said needs to be in privacy legislation is a private right of action, which the Wicker bill does not include.
Wicker pointed out that other important national privacy litigation including COPPA (the Children's Online Privacy Protection Act) and HIPPA (the Health Insurance Portability and Accountability Act) contain no private rights of action and that CCPA's right is only for a breach. He said that the push for that private right of action is a stumbling block that may prevent overarching national legislation from being enacted.
The divergence that still remained between Cantwell and Wicker on what should and should not be in a privacy bill is emblematic of the divide between political parties on the issue despite the fact that both agree a national privacy bill is necessary.
But there were signs of a thaw. Former FTC commissioner Julie Brill said there were enough similarities among various privacy bills that she was hopeful a bipartisan national privacy law was achievable. Former Chairman Jon Leibowitz agreed that he was heartened by the similarities.
Sen. Wicker said he agreed there is much to be said for Sen. Cantwell's approach and appreciated Brill and Leibowitz for praising both approaches. He said they needed to remember those similarities as they try to iron out "what differences remain."
Among the takeaways from the hearing:
1. Sen. Cantwell said that the committee Democrats would be issuing a minority report next week on the value of local journalism, particularly in the time of COVID-19.
2. Cantwell also said that whether/how the government violates privacy rights is something the committee should also be looking at.
3. Sen. Wicker said he planned to hold a hearing on the invalidated Privacy Shield, the regime that had allowed U.S. companies to meet the EU's data protection standards, but was thrown out by the EU Court of Justice because it did not feel that the U.S. could hold up its end of the data protection agreement to protect data transferred from the EU to the U.S. given the current state of privacy protections, or lack of them.
4. The FTC either needs more authority, or perhaps a new data privacy protection agency should be created. Currently the FTC can not impose civil penalties for first-time offenses and little rulemaking authority, instead enforcing through lawsuits and settlements.
5. Former FTC chairman Jon Leibowitz said that the fact that he is opposed to preempting state laws does not mean it passing a weaker federal law. He said any new federal law should be at least as strong as the CCPA. Wicker agreed that preemption did not mean weaker protections.
6. Asked by Sen. John Thune (R-S.D.) whether they think that greater transparency from internet platforms about how they filter content is something congress should "address," all four of the former FTC officials said "yes."
