US lawmakers opened a debate Tuesday over privacy legislation in the first step by Congress toward regulation addressing a series of troublesome data protection abuses by tech firms.
Most companies have said they would accept new federal legislation in the wake of bombshell revelations about Facebook and other online platforms’ mishandling of users’ personal data.
Lawmakers face several key choices, including whether to adopt the model in the European Union’s data protection rules, and whether to pre-empt the strict privacy rules adopted by California.
A House of Representatives committee hearing on Tuesday is to be followed by a Senate panel Wednesday where industry and interest groups will make recommendations on US legislation.
Legislators are likely to find broad agreement on the need for greater transparency regarding the collection and sharing of data, and on tougher enforcement for violations.
Beyond that, sharp differences exist on how tightly tech firms should be reined in.
“A federal law must include basic rights for individuals to access, correct, delete and port their personal data,” said Nuala O’Connor, president of the Center for Democracy and Technology, a digital rights group, in testimony prepared for the House Energy and Commerce panel.
O’Connor said any bill must also enshrine the right to know how and with whom personal data is shared, and go beyond the confusing “notice and consent” currently offered by many internet firms.
Roslyn Layton, a visiting scholar at the American Enterprise Institute, said the US should steer clear of Europe’s General Data Protection Regulation (GDPR) model, claiming that it created complex compliance mechanisms that benefit the largest online firms.
“To do business in the EU today, the average firm of 500 employees must spend about $3 million to comply with the GDPR,” Layton said in her prepared remarks. “Thousands of US firms have decided it is not worthwhile and have exited.”
Layton said GDPR has done little to increase trust in the online ecosystem or help consumers better understand how their data is used.
“The US does not need to copy the European Union on data protection,” she said. “It can fundamentally improve on the GDPR by making a policy that actually works — promoting privacy without destroying prosperity.”
– Ad targeting in focus –
Dave Grimaldi, executive vice president of the Interactive Advertising Bureau, cautioned against legislation that would ban any form of targeted online marketing.
Grimaldi said that in Europe, “programmatic advertising,” the most common ad system used by online platforms, has dropped between 25 and 40 percent following the implementation of GDPR.
“The GDPR has also directly led to consumers losing access to online resources, with more than 1,000 US-based publishers blocking European consumers from access to online material in part because of the inability to profitably run advertising,” he said in his testimony.
“Congress should look to a new paradigm for digital privacy that will not threaten the goods and services that consumers seek on the internet.”
The Electronic Frontier Foundation said in a statement that Congress should designate large internet firms as “information fiduciaries” in charge of protecting user data, and give consumers a right to sue for breaches.
“Laws that impose legal duties on large technology companies that monetize consumer data, coupled with strong enforcement such as a private right of action, will give users back control,” EFF’s India McKinney and Katharine Trendacosta wrote.
Wednesday’s hearing is to be chaired by Senator Roger Wicker of the Commerce Committee, who was criticized for failing to include consumer groups in the session.
Wicker said in a statement he is seeking “to develop a federal privacy standard to protect consumers without stifling innovation, investment, or competition.”
The two hearings are part of a process expected to result in bills drafted in both chambers, which could face hurdles in winning passage and in reconciliation if the separate bills differ.