Brookings Institution Panel on Protecting Information Privacy

Brookings Institution

“Protecting Information Privacy: Challenges and Opportunities in Federal Legislation”

Wednesday, September 11, 2019

 

Key Topics & Takeaways

• Federal Framework: All panelists agreed that a strong, standardized federal framework, accompanied by strong enforcement mechanisms, is necessary to restore consumer trust.
• Federal Preemption of State Law: Panelists disagreed on the merits of federal preemption of state law. While most stated that preemption would benefit both consumers and business, the National Consumers League and ACLU are of the belief that critical flexibility and innovation are more likely to occur and achieve effectiveness at the state level.

Opening Statements

Cameron Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, The Brookings Institution

In his opening statement, Kerry provided an overview of the current state of play as it relates to federal privacy legislation. He noted that while there is widespread interest in producing a federal privacy framework amongst policymakers and stakeholders, we do not yet know what the eventual product will contain. Kerry noted that key outstanding issues where significant disagreement persists include limits on data processing, algorithmic transparency and fairness, preemption of state laws and private right of action.

Panel 1

• Benjamin Wittes, Senior Fellow, Governance Studies, The Brookings Institution
• Sally Greenberg, Executive Director, National Consumers League
• David Hoffman, Associate General Counsel and Global Privacy Office, Intel Corporation
• Cameron Kerry, Ann R. and Andrew H. Tisch Distinguished Visiting Fellow, The Brookings Institution
• Lydia Parnes, Partner, Privacy and Data Protection, Wilson Sonsini Goodrich and Rosati

The first panel examined the debate surrounding federal privacy legislation through the lens of competing visions of what it should accomplish and the impact on businesses and individuals. Echoing Kerry’s opening statements, Wittes, serving as moderator, reiterated that Congress is hard at work on privacy legislation, but the substance of this legislation is fiercely contested.

Federal Framework

There was consensus amongst members of the first panel about the need for a uniform standard at the federal level with strong enforcement mechanisms that also puts the burden of compliance on the organizations processing the data. Kerry stated that legislation should focus on how data is handled and shared. He stated that this national standard should be strong and accompanied by strong enforcement while at the same time retaining agility and adaptiveness.

The panelists agreed that this description mirrors the General Data Protection Regulation (GDPR) in Europe but Parnes noted that the GDPR is a document-driven standard requiring companies to map data flows and document policies and practices. Parnes continued that while this may be good corporate governance, it is also incredibly time consuming and resource intense. He noted the U.S. debate is more focused on establishing federal guardrails for its usage.

Federal Preemption of State Laws

Kerry stated that due to a changing landscape defined by data breaches, increasing public awareness of how data is used and the presence of existing privacy legislation, such as the California Consumer Privacy Act (CCPA) and the GDPR,  the incentive to produce a single set of standardized federal regulation has grown. Parnes noted that the disparate state privacy laws currently in existence create an unfair and overly burdensome compliance environment for both businesses and consumers. Hoffman and Parnes stated that a strong, uniform federal standard that preempts state laws would be beneficial to both the business community and the consumer.

Greenberg stated that as a consumer organization, preemption of state laws is a challenging issue that they do not fully agree with. She stated that their opinion is echoes the position of Rep. Jan Schakowsky (D-Ill.) in that federal preemption of state law would be acceptable if the federal legislation is strong enough to ensure consumer protection. In response to an audience question, Greenberg expressed support for legislation that would give states preeminent status for a stated period of time before allowing federal preemption to take place.

Private Right of Action

Greenberg stated that a private right of action should be included and protected in federal privacy legislation, while Hoffman expressed skepticism about how feasible it would be to actually write this in.

Breach Notification

Parnes stated that the current patchwork of breach notification requirements is an inefficient and burdensome system. She said that while there is ongoing disagreement in the debate surrounding federal preemption, she pointed to the current state of the breach notification system as a clear example of why preemption is preferred.

Consumer Control

The panelists agreed that questions surrounding restrictions on data handling, use and transfer are complex issues capable of slowing the debate and are points of agreement between business and consumers. Hoffman noted that he believes there to be more convergence than initially apparent regarding use restrictions. Parnes stated her belief that Congress should limit their aspirations when crafting privacy legislation as the debate over use and transfer restrictions is capable of devolving into a forum that attempts to solve all the problems faced by the consumer in the marketplace, such as fairness and discrimination issues. Kerry agreed that Congress should not attempt to regulate every conceivable form of discrimination in a privacy vehicle, but stated his belief that such legislation, through smart and effective limits on data collection, usage, retainment and transfer can ensure that data does not contribute to societal problems.

Panel 2

• Michelle Richardson, Director, Privacy and Data Project, Center for Democracy and Technology
• Dylan Gilbert, Policy Fellow, Public Knowledge
• Stuart P. Ingis, Chairman, Venable, LLP
• Neema Singh Guliani, Senior Legislative Counsel, Washington Legislative Office, ACLU
• Berin Szoka, President and Founder, TechFreedom
• Denise Zheng, Vice President, Technology and Innovation Policy, Business Roundtable

Federal Framework

Richardson stated that Congress should attempt to include as much as possible in privacy legislation. Szoka acknowledged that there are clear-cut examples of data abuse that should be written in, but Congress should ensure that the relevant enforcement entities, such as the Federal Trade Commission (FTC), maintain the ability to judge on a case-by-case basis and engage in further rulemaking. Zheng, referencing the Business Roundtable’s recent letter on data privacy law, agreed that the FTC should maintain some degree of rulemaking power, as well as fining authority for first offenses and the authority to approve codes of conduct. She stated that the FTC needs to have a role in providing clarifying guidance as Congress cannot be expected to anticipate all relevant scenarios. Guliani agreed that a hybrid approach is most likely, but that the ACLU would like to have as much written in as possible including items related to consumer remedies and data minimization.

Federal Preemption of State Laws

Ingis stated that compliance with existing laws should be a priority and that he is doubtful that any politically feasible federal legislation would be capable of preempting all existing law. He noted that there are “serious shortcomings” to allowing individual states “incubate” their own privacy laws.

Private Right of Action

Guliani stated that the debate surrounding data privacy cannot be disentangled from discrimination and that consumers should be granted increased access to their data in order to bring about corrective action, whether corrective or class-action. Both Ingis and Szoka expressed reservations about Guliani’s recommendations, specifically concerning the scope of claims that could be brought before courts under such a system. Szoka responded that the enforcement arm of the FTC should be strengthened instead of inserting a private right of action. Ingis agreed with this prescription and stated that the public, both consumer and business, would be better off with a uniform federal standard that empowers the FTC and state Attorneys General via coordination and enforcement.

Consumer Control

Ingis stated that the traditional paradigm of transparency and choice when applied to data is no longer a viable solution. He stated his belief that the debate should begin by identifying the primary and secondary uses of data that are appropriate and those that are not, adding that such examples of inappropriate uses include eligibility determinations, and data restrictions disparately targeting protected classes.

Giuliani expressed the opinion of the ACLU that any debate surrounding data limits should hinge upon the question of forced consent and what rights a company can force a consumer to waive.

Data Security

Zheng stated that the Business Roundtable is fully supportive of including data security measures in a privacy bill but warned against being highly prescriptive concerning cybersecurity measures, saying organizations should be able to tailor cybersecurity measures in accordance with the scope and nature of the data at risk. Szoka agreed that different types of data should be handled with different levels of security.

For more information on this event, please click here.