October 10, 2018

Senate Committee on Commerce, Science, & Transportation “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act”

Key Topics & Takeaways

  • Data Breaches: Senators asked about the data breach notification requirements under the GDPR. Jelinek explained that companies must notify within 72 hours, noting that the first notification does not have to comprise all details of the breach, because companies need to be afforded some time to continue investigating.
  • Preemption: O’Connor said that a patchwork of regulations would create uncertainty and lack of clarity about what the rules are that would negatively impact consumers, adding that it is important for our global standing for Congress to show leadership on the issue. She noted it is too early to discuss preemption, but the cost would likely be high.
  • Data Minimization: Senators asked if companies should only collect information that is essential. Moy agreed that they should only collect information that is necessary to provide the service. Mactaggart said that “data collection has gotten out of control” and consumers have no certainty about where their information is going or who is buying it, and the CCPA provides a “meaningful approach” to that. 

Witnesses

Opening Statements

Sen. John Thune (R-S.D.), Chairman, Senate Committee on Commerce, Science, & Transportation

In his opening statement, Thune noted the importance of developing a national data privacy framework, and that the panelists would provide useful examples of existing frameworks to examine their benefits and unintended consequences. Thune said it was essential to hear from all stakeholders but made clear that any future privacy legislation would not be written by industry. Thune said that although Congress has passed laws regulating privacy for children, as well as in the healthcare and financial sectors, it has failed to enact comprehensive privacy legislation that extends to all Americans. Thune added that passing “onerous” requirements that do not advance privacy protection would not be worthwhile, and Congress “needs to get this right.” 

Sen. Ed Markey (D-Mass.), Senate Committee on Commerce, Science, & Transportation

In his opening statement, Markey said customer personal information is used as a commodity, often shared and sold without the consumer’s knowledge or permission and without any reasonable means to stop the mining and use of personal data for “intrusive” purposes. Markey said that Congress needed to agree on a strong set of standards that give Americans true privacy protections while maintaining a thriving competitive data ecosystem that fosters innovation. Markey noted a privacy framework should include limits on how companies can use personal information, a ban on “take it or leave it” offerings that force the forfeit of privacy in order to use a product, the ability for consumers to access, correct, and delete their personal information held by a private company, “robust rulemaking authority,” and strong enforcement powers.

Testimony

Dr. Andrea Jelinek, Chair, European Data Protection Board

In her testimony, Jelinek described the work of the European Data Protection Board (the Board) in implementing the EU’s General Data Protection Regulation (GDPR), saying the key task of the Board is ensuring the consistent application of the GDPR, which was the result of a lengthy consultation and collaboration process with all stakeholders. Jelinek said that the volume of digital information in the world doubles every two years, adding that if we do not modify our rules governing data processing, it “will turn into a losing game.” Jelinek noted that consumers are more vocal about their right to data protection now than ever before, and it is necessary to reestablish consumer trust. Jelinek noted that the GDPR is based on a set of core principles including that data only be kept as long as necessary, that the consumers are empowered to access and erase their data when it is incorrect or processed unlawfully, that businesses must be able to demonstrate compliance, and that enforcement fines must be effective, proportionate, and dissuasive. 

Mr. Alastair Mactaggart, Board Chair, Californians for Consumer Privacy

In his testimony, Mactaggart said the development of the California Consumer Privacy Act (CCPA) involved years of talking to stakeholders and thousands of hours of careful drafting. Mactaggart noted that the CCPA only covers large businesses with at least $25 million in annual revenue, as well as data brokers who buy and sell information. He added there are certain principles governing the CCPA, including the right to know what information corporations have about you, and the right to tell a business to stop selling your personal information. He also stressed the importance of data security, and that businesses are taking basic measures to keep the data they collect safe. He implored the committee not to weaken the safeguards the CCPA has put in place, because privacy is a nonpartisan issue that all voters “care deeply about.”

Ms. Laura Moy, Executive Director and Adjunct Professor of Law, Georgetown Law Center on Privacy & Technology

In her testimony, Moy discussed the need to “grapple with the implications of unbridled data collection and use,” saying that data collection holds more power than could have been imagined before the digital era. Moy said there are certain things data should not be used for, including discrimination, amplifying hate speech, and targeted misinformation that “compromises the social fabric.” Moy called for “robust enforcement” and rulemaking authority by an expert agency, including fines for those who violate the law. Moy added that we don’t yet know what the next data breach will be, but we do know there will be one, and we must be able to respond to shifting threats. Moy said we need a “floor, not a ceiling” for data privacy rules, so states can pass laws of their own in addition to federal law.

Ms. Nuala O’Connor, President & CEO, Center for Democracy & Technology

In her testimony, O’Connor said that privacy is about people and how the data about our lives can affect what we see, know, and achieve in the future. O’Connor said it is not only a question for the tech sector, but for every company that uses data; O’Connor said a privacy framework should apply broadly to all personal data and all commercial entities whose data use is currently unregulated. O’Connor added that it should include the right to access and delete your personal data, and should prohibit the collection, use, and sharing of certain types of data when it is not necessary for the immediate provision of service.

Question & Answer

Data Breaches

Sen. Maggie Hassan (D-N.H.) and Sen. Amy Klobuchar (D-Minn.) asked about the data breach notification requirements under the GDPR. Jelinek explained that companies must notify within 72 hours. She noted that the first notification does not have to comprise all details of the breach, because companies need to be afforded some time to continue investigating. Hassan asked how to balance the need to hold data against the risk that it will be compromised in a breach. Jelinek said that if data is stored longer than it is needed, that is itself a violation of the GDPR.

GDPR Cases

Thune asked about the GDPR caseload. Jelinek replied that there have been 272 cases opened which involve determining which jurisdiction will be the lead agency on a case, 243 cases that involve mutual assistance, and 23 cases with a data protection impact assessment. Thune asked which company practices have generated the most complaints from consumers, and Jelinek replied that the most complaints have been about consent.

Financial Incentives for Privacy

Markey asked about financial incentives for data. Mactaggart said one of the concerns is whether companies should offer different pricing mechanisms to put premiums on privacy, and that under the CCPA companies are able to, but the increased price for privacy cannot be “unjust or unreasonable,” allowing companies to create different arrangements with consumers who want privacy. Moy said she “supports skepticism” towards financial incentives for certain data practices, because often the incentives or penalties against those who decline are not commensurate with the value the company realizes from the data. Moy added that financial incentives encourage companies to keep information for as long as they can, creating a need for limits on data retention.

Data Minimization

Markey asked if companies should only collect information that is essential. Moy agreed that they should only collect information that is necessary to provide the service. Markey asked if companies should be able to tell consumers that, if they don’t agree to share nonessential information, they cannot use the product. Moy replied they should not, saying this issue is something the GDPR addresses.

Sen. Catherine Cortez Masto (D-Nev.) asked about data minimization and whether companies should only collect as much data as is required, and not repurpose it for something else without further consent. Mactaggart said that “data collection has gotten out of control” and consumers have no certainty about where their information is going or who is buying it, and the CCPA provides a “meaningful approach” to that.

Consumers’ Rights to Access

Markey asked if consumers should have the right to access, correct, and delete their personal information collected by companies. Moy responded they should. Mactaggart added that parents should also have the ability to delete information collected about their children. 

Preemption

Sen. Roger Wicker (R-Miss.) noted that under EU policy, there could have been a regulation or a directive rather than the GDPR, but the goal was to have one set of privacy rules interpreted in a uniform way across the continent. Jelinek said that though the EU already had a data protection directive from 1995, it had to be transposed into the national laws of 28 member states, so the laws were diversified, even if they shared the same fundamentals. She continued that the EU decided it would be better to have one law for the whole continent. Wicker asked about preemption: whether the US should have one privacy standard for the entire country, and whether a patchwork of state regulations would negatively affect consumers. O’Connor said that uncertainty and lack of clarity about what the rules are would impact consumers, adding that it is important for our global standing for Congress to show leadership on the issue. She noted it is too early to discuss preemption, but the cost would likely be high.

Harm to New Entrants

Sen. Jerry Moran (R-Kan.) and Sen. Todd Young (R-Ind.) asked if certain privacy and consent requirements would harm startups and new entrants to the marketplace. Jelinek said that the GDPR only issues fines as a last step, so all companies have opportunities to correct, and noted that fines are proportional to the company, making it impossible to fine a small company the same as a large company. Mactaggart said that the CCPA has a revenue threshold of $25 million, which by definition would exclude startups, new entrants, and “mom and pops.” O’Connor noted that while it is important to protect small businesses, Cambridge Analytica was a small business; small businesses “should not be exempt from baseline privacy laws” but it is important to provide clear guidance. 

Fining Authority

Moy said that the enforcement agency should have “substantial fining authority” to provide the right incentives for companies to comply with the rules.