Senate and House Continue Privacy Hearings Before Drafting a Bill
Privacy hearings continued in Washington, DC this week as key committees in the US Senate and House took testimony from individuals as they consider crafting a new federal privacy law. We have provided a brief summary and highlights here for those that are following this process with us here at Clarip.
House Energy Committee
The US House Energy and Commerce Committee held a hearing this week with all five members of the Federal Trade Commission (FTC) as part of its oversight obligation. The hearing was titled Strengthening Protections for Americans’ Privacy and Data Security.
House Representative Jan Schakowsky (D-IL) expressed a focus on privacy legislation and what Congress can do. She said that a large fine in a single case will not be adequate for consumers. She expressed support for APA rulemaking in this area for the FTC. She also called out the Commission’s inability to seek fines and its small data privacy and security staff compared to the European Union.
Representative Ben Lujan (D-NM) also called for comprehensive data privacy and security legislation in light of several high profile privacy and security breaches.
Representative Cathy Rodgers (R-WA) called for a national standard for data privacy that (1) avoids a patchwork; (2) increases transparency; (3) improves data security; and (4) is workable for the nation’s innovators and small businesses. She said that we deserve to know what data is being collected, how it is being used, and who it is being shared with, regardless of the state where an individual is located. However, Congresswoman Rodgers expressed skepticism about any grant of additional rulemaking authority to the FTC. She said that the FTC could have protected Americans through its current rulemaking authority if it had started years ago.
Representative Frank Pallone (D-NJ) said that Congress needs to give the FTC the tools and resources to protect Americans. He said that companies should obtain clear consent before using a person’s information in ways that person would not expect or sharing it with other companies. He indicated the House Energy Committee intends to pass such legislation.
Representative Greg Walden (R-OR) said that they are ready to tackle crafting a bipartisan federal privacy bill. He also said that the FTC is the right agency, with appropriate safeguards, to enforce new privacy laws, but that there is no quick fix.
The FTC statement to Congress once again asked them to enact privacy and data security legislation enforced by the FTC which grants civil penalty authority, APA rulemaking and jurisdiction over additional parties (nonprofits and common carriers).
It highlighted the Commission’s efforts to enforce the Children’s Online Privacy Protection Act (COPPA), which does allow the Commission to seek civil penalties, including a record $5.7 million civil penalty for the collection of children’s personal information without parental consent.
The FTC also mentioned its recent order to explore the privacy practices of internet service providers under Section 6(b) of the FTC Act.
It also emphasized its enforcement around the Privacy Shield in its prepared statement. The Privacy Shield is a voluntary framework whereby organizations agree to comply with certain data protection obligations for consumer data transferred to the United States from the European Union.
Each FTC Commissioner also presented an oral opening statement. Chairman Simons focused his remarks on data security and privacy, noting that the FTC has expanded its focus on this area in light of acts over the years, and called on Congress to pass privacy legislation enforced by the FTC.
The first question from Chairwoman Schakowsky asked how the FTC could enforce privacy rules with so few attorneys. Simons said that the Commission would need a substantial increase in personnel under a new federal privacy law, pointing to the gap between the size of EU DPAs and the FTC.
Chairwoman Schakowsky also asked how the FTC makes sure companies comply with orders for comprehensive privacy and security protections. Simons said that the privacy team is still young and is learning from what has happened. In response, the Commission is making changes, including requiring a senior executive to make a certification around the company’s efforts.
Rep. Rodgers asked about the specific privacy harms identified in the recent FTC hearing so that Congress can construct the law to address them. According to Chairman Simons, the measures most recommended at the hearing were assessments, accountability and de-identification of data.
Commissioner Chopra described fines as parking tickets for some companies and said that the Commission needs to find out who at the company was responsible for making the decision and hold them accountable where there is clear evidence of a violation.
Representative Kelly asked about the use of clear, concise and consistent disclosures rather than the current policies, which practically require a law degree to understand. Commissioner Chopra agreed but suggested that we think about situations where there is no real choice. He added concerns about dark patterns and other tricks used to get consumers to hand over their data or to make it hard to delete data.
One of the other highlights was that Chairman Simons expressed substantial concerns about Congress giving the FTC broad rulemaking authority on privacy. He asked instead for targeted rulemaking authority similar to that under COPPA. He said that the FTC can keep such a law up to date and adjust it for changes in technological methods, but he wants elected officials to address the broad question of what privacy law to enact.
Representative Walden also asked about the possibility of patchwork legislation. Some members of the FTC panel agreed on the importance of preemption with enforcement by the state attorneys general. Commissioner Slaughter, however, was concerned about Congress rolling back protections already created by the states, as well as about the states’ ability to fill in gaps in the legislation. Commissioner Chopra expressed concern that broad preemption could eliminate complementary laws such as the Illinois biometric law.
Senate Banking Committee
The US Senate Committee on Banking, Housing and Urban Affairs took testimony from three witnesses in a hearing on Privacy Rights and Data Collection in a Digital Economy at the beginning of the week.
Chairman Mike Crapo (R-ID) said that consumers deserve to know what type of information is being collected about them, what the information is being used for and how it is being shared. He asked specifically for information about the challenges US financial institutions have faced in implementing and complying with GDPR, how privacy practices evolved, what the EU did right and wrong, and how individuals have responded to this additional information and rights with respect to their data.
Ranking Member Sherrod Brown (D-OH) expressed concern that “we don’t even know all there is to know about what happens when personal information is collected on a large scale.” He used the aggregation of data in a fitness tracking app as an example: it revealed the locations of secure military facilities around the world when it published aggregated fitness tracking information in heatmaps. Senator Brown hoped that the conversation would also include the possibility of the government stepping in and creating rules around the appropriate use of data, in addition to conversations around data ownership and control.
The witnesses testified about the history of data protection in the European Union, the rights provided by the new law and the implementation challenges for US financial institutions and other businesses. For organizations looking for insight into improving privacy practices and GDPR compliance efforts, there are some important takeaways in the written testimony.
For example, the PwC representative identified seven GDPR implementation challenges:
1. Completing a data inventory.
2. Operationalizing data-subject rights.
3. Completing DPIAs.
4. Updating third-party contracts.
5. Appointing a DPO.
6. Preparing to notify breaches within 72 hours.
7. Engaging the first line of defense (privacy by design).
Among the other insights for businesses:
1. DSRs are not created equal. The ones with the most implementation challenges were the rights of access and erasure.
2. Erased doesn’t mean forgotten. For the financial industry, there are extensive regulations that will limit or deny many deletion requests. Financial institutions also “tend to keep a log of completed erasure requests that retain basic contact information”.
3. DSRs need strong authentication. There are substantial privacy risks if files are delivered to the wrong individual.
4. The distinction between primary and secondary data controllers matters. Organizations without direct access to the data subjects have a tougher time providing privacy information and breach notifications to them.
5. Board visibility matters. The lack of major enforcement actions has reduced efforts at some organizations, but those that require high-level reporting on the status of the privacy program have maintained more organizational support.
6. Data governance is critical. Personal data moves horizontally and vertically within an organization, and strong controls are needed throughout its lifecycle.
7. GDPR did not fully harmonize EU privacy regulation. There are still regulatory differences between jurisdictions that must be respected and that increase the costs of compliance.
Check out the guide Clarip has written on the California Consumer Privacy Act and contact us to see a demo of the Clarip privacy management platform used by Fortune 500 clients.