Senate Commerce, Science and Transportation Chairman Roger Wicker is aiming to have a federal data privacy bill written and passed by Congress this year as technology companies, privacy advocates and civil rights groups press lawmakers to act decisively to avoid a patchwork of state legislation.
“It would be nice to have it on the president’s desk this year,” the Mississippi Republican told reporters Wednesday after leading a hearing on how Congress should approach a federal data privacy bill. Wicker said the bill that emerges from the discussions is likely to be a “good strong bill” that will garner bipartisan support and also avoid a 50-state grab bag of laws.
Lawmakers in both chambers of Congress held hearings this week on federal data privacy legislation. Tuesday’s hearing before the House Energy and Commerce Subcommittee on Consumer Protection and Commerce chaired by Illinois Democrat Rep. Jan Schakowsky, included witnesses who pressed for recognizing that African Americans and other minorities faced greater online discrimination than other Americans.
Watch: Six experts tell Senate committee what’s what on data privacy
The Senate hearing on Wednesday included a panel of experts drawn mostly from technology industry groups and academics, and the discussion centered on whether federal law should pre-empt state laws including the California Consumer Privacy Act, which is set to take effect January 2020.
“You don’t want a cacophony or a crazy quilt patchwork of 50 different state laws,” Jon Leibowitz, co-chairman of the 21st Century Privacy Coalition, an industry group that represents cable and phone companies, told the Senate Commerce panel. “It’ll make consumers numb to notifications” about companies’ data privacy policies.
Instead there should be “one strong, federal privacy regime,” Leibowitz, who served as chairman of the Federal Trade Commission during the Obama administration, said. “If you do that then I think the right approach is to preempt state laws and make sure everyone is protected, wherever you go you’re protected under the same rule.”
While four other panelists agreed with Leibowitz that a federal data privacy bill should pre-empt state laws, Woodrow Hartzog, a professor at Northeastern University, told the committee that having a 50-state patchwork of laws is not insurmountable for technology companies. Drafting a federal bill that would pre-empt or overrule state laws is not necessary, he said, and could even be “actively harmful.”
Washington Democratic Sen. Maria Cantwell, the top Democrat on the panel, said making sure that industry groups and privacy advocates and others come together first to agree on how to protect consumers’ data is more likely to yield a strong federal bill than trying to write legislation that is aimed at negating laws passed by California and other states.
Victoria Espinel, president and CEO of The Software Alliance, said a federal bill also ought to make a distinction between companies that control data and those that process data.
A bill that doesn’t draw a distinction between the two types of companies could undermine consumers’ privacy because controllers of data make decisions on how data is collected and have the primary responsibility for privacy, while processors don’t have all of a person’s information in their possession, Espinel said.
Lawmakers also probed panelists on how to draw a distinction between reasonable and unreasonable uses of consumers’ data.
Sen. Brian Schatz said legislation that simply calls for technology companies to be more transparent in their data collection and use would be insufficient.
As Internet of Things devices multiply there could be billions of sensors collecting small pieces of data, and asking consumers to provide consent for each device could lead to users making hundreds of decisions each day to share information, the Hawaii Democrat said.
Just as patients expect their doctors’ offices to safeguard personal information, consumers should expect technology companies to protect their information, Schatz said. Federal legislation should enshrine the principle that companies collecting personal information should not harm consumers, and the bill should allow agencies like the Federal Trade Commission to figure out whether a company’s action violated such a principle, Schatz said.