Executives at six of the nation’s largest internet and technology companies gathered Wednesday on Capitol Hill for a data-privacy hearing called in response to growing concerns over the comparatively inadequate protections offered to consumers under U.S. law.
Understanding that a national law not too dissimilar from Europe’s General Data Protection Regulation (GDPR) might one day be a reality, the hearing presented an opportunity for the companies—AT&T, Apple, Google, Amazon, Twitter, and Charter Communications—to show off their support for the drafting of comprehensive privacy legislation and their willingness to participate in that process.
That support, however, may come at a cost to consumers and their privacy. When and if a national law is introduced, one might be concerned, rightfully, that a company like AT&T has a hand in drafting it.
In opening remarks, Len Cali, AT&T’s senior vice president for global public policy, laid out the company’s expectations in regard to a federal law—chief among them that the federal government should enjoin state governments from passing consumer privacy laws of their own. (Notably, California’s recently passed data act allows consumers to “opt-out” of allowing companies to sell their personal data to third parties.)
The demands don’t end there. AT&T, at least, also wants any regulation to be overseen exclusively by the Federal Trade Commission, narrowing the number of enforcers down to a handful of executive appointees. Any breach-notification law should be “reasonable” and “flexible,” AT&T’s Cali said, and consistent nationwide. While consumers may ultimately benefit from a single data-breach law covering all 50 states, not all notification laws are equal. Some, for instance, impose penalties on companies for violating notification rules, while others are comparatively lax. In some areas, companies are required to notify the press in the event of a significant breach. In others, a simple statement on their home page will do, whether consumers actually visit the site or not.
Still, the patchwork of breach-related laws across the U.S. remains confusing for both businesses and consumers, who, depending on their physical location and the location of the breach itself, may or may not have access to legal protections. “For these protections to be effective,” Charter Vice President Rachel Welch said, “there should be a single national standard that protects consumers’ online privacy regardless of where they live, work, or travel.”
What Welch didn’t say is that, for such protections to be effective, they cannot be entirely toothless. Companies that act in bad faith and negligently expose private consumer data need to be appropriately penalized or there’s little incentive to comport with the law, beyond a few days or weeks of bad publicity. Of course, none of the companies testifying Wednesday were there to argue in favor of financial penalties.
Intentionally or not, Sen. John Thune, chairman of the Senate Commerce Committee, made that point himself in his opening remarks, recalling the Equifax breach of one year ago, an incident that has become the very symbol of corporate neglect and disrespect for consumer privacy. Yet, a year on, the company’s stock has rebounded. No U.S. authority ever made any move to punish the executives responsible. And any legislation that would have ensured companies like Equifax get punished for similar oversight in the future is collecting dust.
While none of the companies came to argue in favor of harsher punishments, all sought to differentiate between violations of privacy and the ways in which each uses private data to further enhance their products. “Strong privacy protections and innovation are not mutually exclusive goals,” said Cali on AT&T’s behalf. “Legislation should affirmatively allow innovative uses of data, subject to effective safeguards.”
In a blog published ahead of the hearing, Google’s new privacy chief, Keith Enright, wrote that the company welcomes the idea of developing “baseline rules of the road for data protection” and supports “comprehensive” regulation to enforce it. “People deserve to feel comfortable that all entities that use personal information will be held accountable for protecting it,” he wrote.
Enright’s sentiment was echoed by nearly all who testified. Of the proposed collaboration between the government and industry, to craft a “robust privacy framework,” Twitter’s data protection officer, Damien Kieran, told the panel: “The time is right.”
“A decade from now, we may look back and view this past year as a watershed with respect to the issue of consumer data privacy,” said Thune, citing both the GDPR and the California Consumer Privacy Act, which none of the companies present support.
“We have arrived at a moment,” he said, “where, I believe, there is a strong desire by both Republicans and Democrats, and by both industry and public interest groups, to work in good faith to reach a consensus on a national consumer data privacy law that will help consumers, promote innovation, reward organizations with little to hide, and force shady practitioners to clean up their act.”
That moment should have arrived a year ago. Americans should enjoy, today, privacy protections equivalent to those adopted by dozens of other developed nations. But we don’t, and it’s unclear if we will, even if given another year’s time, especially if the companies that profit off the use and trade of consumers’ private data are the ones helping to write the law.