'GDPR-US' - the lobbying gets underway with financial penalties conspicuously absent

Profile picture for user slauchlan By Stuart Lauchlan September 19, 2018
Summary:
GDPR-US remains a theoretical concept, but there's a growing acceptance that some form of Federal law is looming. Cue the lobbying!

GDPR etched on base of padlock, data protection © EtiAmmos - Fotolia.com
We’ve written about the idea of a ‘GDPR-US’ several times this year since the European Union’s own General Data Protection Regulation (GDPR) kicked in in May.

Since then the State of California has signed off on its own California Consumer Privacy Act (CCPA), which, as we noted, is a step in the right direction, but not the journey’s end.

But the knock-on effect of both of those has been to put the question of Federal-level data privacy legislation on the US national agenda, with activists from all sides upping their game in anticipation of Congress taking action.

There’s certainly some signs of increased interest in Washington in the idea of doing ‘something’, although what that something would be remains a highly moot point. But the meter is running - the CCPA doesn’t come into force until 2020 which gives a useful timeline. And if there’s to be a Federal law in place, that may deter other states from following California’s lead, resulting in a patchwork of legislative regimes.

Next week, six major online firms, including Twitter, Amazon and Google, will be grilled by the US Senate Committee on Commerce, Science, and Transportation, in a hearing entitled 'Examining Safeguards for Consumer Data Privacy’. They will be asked to testify how they plan to tackle GDPR and CCPA requirements, but Committee Chair Senator John Thune also wants this to be an occasion on which they explain their wider approaches to privacy:

Consumers deserve clear answers and standards on data privacy protection. This hearing will provide leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation.

The six tech firms at this session are sending some senior people along: Len Cali, Senior Vice President—Global Public Policy, AT&T Inc;. Andrew DeVore, Vice President and Associate General Counsel, Amazon.com; Keith Enright, Chief Privacy Officer, Google; Damien Kieran, Global Data Protection Officer and Associate Legal Director, Twitter; and Guy (Bud) Tribble, Vice President for Software Technology, Apple.

These are all people who have a data privacy brief and will be questioned as expert witnesses who are expected to be on top of that brief. In other words, the wriggling-on-the-hook obfuscation of Facebook CEO Mark Zuckerberg isn’t going to fly on this occasion - assuming the Committee members do their prep and ask some decent questions, of course.

Lobbying

Elsewhere, there are clear signs of manoeuvering from lobbyists and trade associations in order to influence the shape of any future Federal-level legislation and in particular to get ahead of how robust it would be in terms of penalising miscreants. GDPR is very tough an imposing punishment in financial form and while this has yet to be tested in any significant way, it’s clear that there’s a lot of nervousness among vested interests in the US that a similar tack might be taken there.

So what is now happening is that everyone’s making all the necessary ‘good idea, but only if...’ noises and offering up their own ideas of what the principles and terms of any putative legislation should look like. For example, the Internet Association, which represents around 40 firms, including Facebook and Amazon, came out in support of a national approach. Internet Association President and CEO Michael Beckerman said:

Internet Association members understand that people’s trust in online platforms is essential to the success of the internet. The internet industry is a leader in protecting privacy and providing people with control, access, and transparency on how their information is shared, seen, and used online. IA member companies understand that continuous improvement to both products and regulation are important and necessary for a thriving internet. Data has revolutionized every part of our economy and our lives, both online and offline. Businesses and nonprofits of all sizes, in every sector of the economy, have integrated data into their products and services to the benefit of consumers, which is why internet companies support an economy-wide, national approach to regulation that protects the privacy of all Americans.

The Association wants any future legislation to be based around principles of transparency, controls, access, correction, deletion and portability. It also calls for rules that foster privacy and security innovation; clarity on data breach notification law; support tech and sector neutrality; take a performance standard-based approach; are built around a risk-based framework; and are enforced equally across the US.

Note - nothing said about financial penalties for offending companies...

Meanwhile BSA/The Software Alliance has chipped in with its own ‘to do’ list for legislators, again prefaced with the necessary ‘keen to help’ statement. Victoria Espinel, President and CEO of BSA/The Software Alliance, said:

We understand and acknowledge the importance of privacy to every consumer/ The US has had mechanisms in place to protect privacy for more than twenty years. The world has since changed, and data is critically important to the global economy. We need to ensure clear, consistent, and transparent privacy rules. Now is the time to modernize the law.

The BSA wants Congress to support a “user-centric approach to privacy” that will provide consumers with mechanisms to control personal data. There should be consumer transparency and choice around how data is used by third parties and with specificity of purpose, stating:

Organizations should provide clear and accessible explanations of their practices for handling personal data, including the categories of personal data they collect, the type of third parties with whom they share data, and the description of processes the organization maintains to review, request changes to, request a copy of, or delete personal data.

Organizations should have to be able to employ “reasonable and appropriate” security measures designed to prevent unauthorized access, destruction, use, modification, and disclosure of personal data. (Define “reasonable and appropriate”.)

As for enforcement, BSA wants the Federal Trade Commission (FTC) to be charged with this. The FTC’s track record with Privacy Shield here may not inspire that much confidence from those outside the US, but that’s another matter. And there’s once again no mention made of having financial penalties in place to hit offenders on the bottom line.

Second chances

Surely the US Chamber of Commerce will take financial punishments seriously in its own set of principles? Er…not so much. Tim Day, Vice-President of the Chamber’s Technology Engagement Center, said:

Advances in technology have empowered businesses and consumers alike, and policies to address these changes should reflect both the significant impact of the tech ecosystem on the economy and the importance of the responsible use of consumer data. [The Chamber’s suggested principles] are at the intersection of these priorities, and are an effort to ensure businesses and consumers can make the most of the modern economy knowing regulatory certainty and privacy protections are a priority.

So what’s included in those principles? Well, there’s more of the same really - a national privacy framework to pre-empt state law and risk-focused privacy protections that are “contextual” and “match the risk associated with the data and be appropriate for the business environment in which it is used”. The tick boxes of transparency and industry neutrality are also duly checked.

As for enforcement, the Chamber of Commerce talks in terms of ‘harm-focused enforcement. This, it seems, means that enforcement of the law should only apply “where there is concrete harm to individuals”. (How do we define “concrete harm”?). And enforcement should be driven by a desire to improve rather than punish. Or as the Chamber puts it:

Congress should encourage collaboration as opposed to an adversarial enforcement system. A reasonable opportunity for businesses to cure deficiencies in their privacy compliance practices before government takes punitive action would encourage greater transparency and cooperation between businesses and regulators.

In other words, rather than sting us with a hefty fine, give us a second chance. (And a third. And a fourth. Rinse and repeat.)

My take

There are some nakedly self-serving aspects to the principles outlined by all three of the above vested interests. But on the plus side, the fact that they’ve gone to the effort of producing them at all suggests that there’s an awareness that even if it’s not an admission that ‘the game’s up’, at least it acknowledges that the direction of travel is set.

There’s going to be some ferocious lobbying going on in Washington over the coming months and years. A big factor will be the outcome of the mid-term elections in November - Democrat attitudes toward data privacy legislation will look very different to Republican ones. Whatever Congress looks like, this is a debate that needs to be taken very, very seriously.