SAN FRANCISCO – With the advent of General Data Protection Regulation in Europe and state measures like the California Consumer Privacy Act (CCPA) of 2018 talk about a comprehensive U.S. privacy law has grown louder.
However, some privacy advocates fear that any such federal legislation will be a weaker version of existing state law (and that it would preempt that law). Add to that, industry stalwarts who warn how a GDPR-like US law would impact their business models and their ability to innovate.
In a panel at the RSA Conference 2019 on the feasibility of federal regulation a la the GDPR, policy execs from Google, Microsoft and Twitter took to the stage to lay out their positions on the subject. Regardless of the details, there was consensus on the fact that the U.S. will somewhat be forced to come in line with global privacy standards.
The GDPR is widely considered the world’s most stringent set of data privacy requirements; and while it’s a European regulation, it affects any organization that handles data on E.U. citizens. That means any entity in the U.S. is subject to the regulation’s significant enforcement actions, such as fines of up to 4 percent of its annual turnover.
It’s strict, but “over the next five to 10 years, you can see that standards in Europe will be operable in a great deal of the world,” said Julie Brill, corporate vice president and deputy general counsel at Microsoft, during the panel. “The adequacy requirement that says data about Europeans can only be transferred to a market compliant with European standards writ large will drive others to implement those standards.”
She referenced legislation in Brazil and proposals in India and South Korea as evidence that countries and jurisdictions are interested in adopting laws that will align with GDPR – however, she also admitted that “it would be difficult to translate GDPR [wholesale]” The important aspects of GDPR that belong in any federal U.S. law include user control over data; accountability and transparency in how companies are using data; and strong enforcement.
“You see all three of these in the GDPR and two in CCPA,” she said.
Sarah Holland, public policy manager at Google, which has already been fined $57 million for violating the GDPR (Holland said the company is appealing this), took a slightly different tack. She noted that not only are “there are a lot of laws on the books already and apply to a comprehensive baseline federal legislation,” but that Google advocates what she termed a “risk-based/outcome-based framework” rather than something as prescriptive as the GDPR.
“We believe that you need to define the requirement, not what the process is to get there,” she said, acknowledging that there’s a culture shift around data collection and “how companies are using it and the responsibility that they have to their users.” But she said that an important consideration is how to make a regulation work for small companies and big companies alike – the processes to ensure data accountability could be onerous for some.
“It will quite literally will affect everyone who’s processing data, and we don’t want to hurt the smaller companies,” she said. She also noted concerns over regulation hamstringing innovation, given that data privacy regulation would affect at least 50 products at Google. “Some data processing is required to make [our] products function, so we want to make sure that we can meet user requirements for functionality as well as control and privacy,” she said. “We believe a federally harmonized approach makes sense, but it’s an opportunity to think about what we want to see in a fair and balanced privacy law.”
In a similar vein, Nithan Sannappa, associate legal director of product at Twitter, said that it’s important to consider “what harms we’re trying to prevent and what benefits regulation will enable.”
He cited the right to access provisions in the GDPR, which requires that companies have a mechanism in place to let E.U. citizens know what data they have on them, if queried. For instance, he cited an example of “a data subject in Europe that requested their Bandersnatch viewing log history from Netflix – Netflix compiled it.” But any federal privacy law should take into account the burdens placed on smaller businesses with fewer resources to build systems and processes needed to actually make it possible to provide that kind of granular information back to consumers.
“Any federal regulation should make careful consideration of the benefits and burdens and the tradeoffs between the two,” he said.
Brill, for her part, noted in reaction to those comments that “If you believe that privacy is a fundamental human right as they do in Europe, the conversations around harm are different. Thinking about privacy as a right will start orienting U.S. businesses towards what’s happening around the world and may create a true paradigm shift.”
The panel also discussed the issue of preemption – i.e., when a federal law attempts to supersede any similar state law on the books.
“A federal law needs to be worthy of preemption,” said Brill. “It needs to be a strong federal law. That conversation should be at the end, not the beginning.”
However, she also noticed that the main action may continue to be on the state level.
“We’ve worked with the states on their laws – working with legislators to make improvements,” she said. “We feel there needs to be something on the books because we need to engender trust with consumers – we recognize the moment that we’re in, and know we need to address it.”
Looking at the related area of data breach notifications, she noted the importance of state action on that front.
“If it weren’t for the states, we would know so much less about what’s happening with breaches, there would be a lot less information to go on. That has been important and it happened at the state level, starting with California but almost every other state followed.”
For now, the conversations around the federal role in data privacy remain somewhat theoretical – the panel agreed that the odds on a federal privacy law passing in the next year remain low (Brill pegged it at only at 30 percent).
However, the panel agreed that there’s more consensus, on both sides of the aisle, than there ever has been before that something should be done at the federal level to protect consumers.
“A privacy bill could attach itself to must-pass budget legislation, perhaps,” Google’s Holland said. “That’s more likely than a standalone bill. But the conversation is very different now. We’re seeing model legislation; the Chamber of Commerce is releasing draft privacy legislation, which is a sea change. The FTC just rescheduled privacy hearings for April. The time for getting involved is here.”