Data privacy took center stage in yet another Congressional hearing today, as the Senate Committee on Banking, Housing, and Urban Affairs met for a hearing on privacy rights and data collection in a digital economy.
During the hearing, senators heard from Peter Chase, senior fellow at The German Marshall Fund of the United States; Jay Cline, privacy and consumer protection leader and principal for PwC U.S.; and Maciej Ceglowski, founder of Pinboard.
A look across the pond dominated today’s discussion, with a focus on the European Union’s General Data Protection Regulation (GDPR). The legislation, which was implemented in May of 2018, spurred interest in creating similar Federal legislation in the United States. However, in the absence of such legislation, some states have taken matters into their own hands and passed their own legislation.
Sen. Mike Crapo, R-Idaho, focused on the length and complexity of privacy statements that websites are required to use under GDPR, calling them “phenomenally long” and “incomprehensible,” and saying the description of the data being collected is “meaningless” to the average user. Chase responded to Crapo’s concerns and explained that GDPR requires privacy statements to be presented in “clear language” upfront with a deeper explanation available if users want more information. Chase also spoke about the importance GDPR puts on “specific, informed, and unambiguous consent.”
Sen. Jon Tester, R-Mont., who called himself old school and said the second he “gets out of this job, this baby [his iPhone] is going away,” focused his questioning on the importance of maintaining the public’s trust. Sen. Mark Warner, D-Va., reached across the aisle and agreed with Tester, saying that “first party consent isn’t enough,” and also addressed what he described as “psychological manipulation” used by social media companies. In the same breath, he promoted his own legislation, the Deceptive Experiences to Online Users Reduction (DETOUR) Act. According to a statement from Warner’s office, the Act will “prohibit large online platforms from using deceptive user interfaces, known as ‘dark patterns’ to trick consumers into handing over their personal data.”
Warner continued to lay into social media platforms, such as Twitter and Facebook, saying that though they may appear free, they are actually “giant sucking sounds” siphoning off users’ personal data. He also pushed the idea of data portability, interoperability, and the ability to delete personal data. Warner specifically addressed his comments to Ceglowski, who said that data portability is challenging and that, while it’s a good idea in theory, it could create additional complications. Cline discussed the impact that giving users the right to delete their data would have on financial institutions and called it a “customer experience issue.” However, aside from acknowledging that his clients are preparing to comply with GDPR and other privacy regulations, he didn’t offer any additional insights.
Next up to bat was Sen. Elizabeth Warren, D-Mass., who led off with how citizens cannot opt out of credit reporting agencies (CRAs) and how using credit scores is essential to operating in modern society. She highlighted the impact of the Equifax data breach that occurred 20 months ago. She asked if there is any way to help those impacted by the data breach to re-secure their data and put them back in the same place they were before the hack. Ceglowski said, “no, that ship has sailed.” He also said that holds even truer for the Office of Personnel Management breach, saying that will have an impact for “decades.”
Warren further argued that Equifax “routinely” didn’t patch known security weaknesses and argued that unless companies take a “financial hit” as a result of a breach, there is no “incentive to prioritizing security.” As with her colleague, Warren also took time to promote her own legislation, the Data Breach Prevention and Compensation Act, which was introduced today. The legislation will, according to a statement from Warren’s office, “give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs for data breaches to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.”
Sen. Chris Van Hollen, D-Md., zeroed in on the California Consumer Privacy Act of 2018 (CCPA) and asked if there is anything from GDPR missing in CCPA that Congress should consider for Federal legislation. Ceglowski said that the idea of automated decision making isn’t well addressed in CCPA, but should be in any Federal legislation in the future. Cline said that CCPA is missing a provision for non-discrimination and urged Congress to include such a provision in any legislation it develops.
This isn’t the end of data privacy hearings on the Hill this week. On May 8, the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce will hold a hearing on the role the FTC plays in strengthening protections for Americans’ privacy and data security. During the hearing, the House will hear from FTC commissioners.