Senate Commerce Committee Hearing on Data Privacy

Senate Commerce Committee

“Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework”

Wednesday, May 1, 2019

Key Topics & Takeaways

  • Preemption: Dixon referenced provisions in GDPR that created a hybrid system to provide a baseline regulation, but allow member States the ability to choose laws in certain areas that work particularly for them, such as the age of consent rule in the EU being 13 for some regions and 16 under GDPR. Guliani and Steyer expressed concerns over broad federal preemption and agreed to set CCPA as a floor. Guliani added that with rapid changes to technology, States and independent agencies need the ability to adapt to those changes. Polonetsky recommended to carefully craft language to preserve rights and protections regarding preemption.
  • GDPR: Dixon addressed concerns pertaining to GDPR restraining business growth and U.S. company compliance, stating that the commissions in the EU have worked to prepare industries on compliance and issued guidance for purposes of clarity and awareness. She added that GDPR is implemented and investigated according to the scale and size of businesses and appropriately provides every organization a fair opportunity for compliance and appeals, as GDPR principles are risk-based and technology-based. Dixon added that there are varying levels of fines, with four percent of global turnover being the highest level, and that she believes the law is harmonized, robust and sustainable to monitor and investigate compliance and enforcement.
  • CCPA: Polonetsky said GDPR provides clarity for tracking and verification of data collection and usage, while CCPA does not, and needs to further provide strong clarity for the right of access and lessen exposure over deletion rights. Steyer expressed a desire for utilizing California’s eraser button provision and data minimization. He added that when CCPA was crafted, major technology businesses were included in the conversation and CCPA provides strong privacy protections for businesses. Guliani added that when compared to the U.S., GDPR provides areas of benefit but should be modified to follow the Constitution and other laws, and recommended using CCPA as the baseline to prevent a framework that fails to accommodate States and individual rights.

Witnesses

Opening Statements

Chairman Roger Wicker (R-Miss.), Senate Commerce Committee

Wicker said as reports of data breaches and misuse increase, consumer trust and engagement are at risk, which are “essential” principles to maintain in a “strong,” uniform federal framework. Wicker said the European Union’s (EU’s) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both provide consumers choice and rights, such as correction and deletion, the right to be informed, access, data portability and non-discrimination, adding that he would like to know how to include these rights in a U.S. federal framework to reduce privacy risks. He stated that existing notice and choice paradigms have been scrutinized due to their length and “take it or leave it” policies, and hopes that a simplified, easy to understand notice can be implemented for consumers. Wicker expressed a desire for consumer tools to be implemented for making informed privacy decisions on and offline, adding that it is “fundamental” to have privacy protections with a strong, consistent federal law.

Ranking Member Maria Cantwell (D-Wash.), Senate Commerce Committee

Cantwell said as consumer data continues to be mishandled and companies have not learned from past mistakes, self-regulation is no longer enough, adding that as more breaches are reported from major companies, millions are left exposed. Cantwell explained there is a need to address a culture of data security that protects consumers and allows commerce to continue to grow, especially as cyber threats become more organized and sophisticated. Cantwell stated that expecting consumers to have a deep understanding of risks is not enough and there is a need for more notice and consent measures to be implemented, as well as a stronger culture for protections, adding that opt-in and consent policies are not helpful when information is shared with third parties without consumer consent. Cantwell referenced implementing protections against election interference, cyber security, cyber hygiene, and other areas to protect the lifecycle of data collection and storage.

Testimony

Helen Dixon, Data Protection Commissioner, Republic of Ireland

In her testimony, Dixon said a “fundamental” concept of GDPR is for individuals to have protections over their personal data in all data protection contexts, not just commercial. She said GDPR set out obligations for organizations, rights for individuals, and then addressed supervision and enforcement provisions for independent agencies. Dixon noted that obligations for processing identified individuals’ data are set at high-level, technology-neutral principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. Dixon added that GDPR contains prescriptions for accountability provisions, particularly for the appointment of a data protection officer in EU member states, as well as obligations for data breach notification within 72 hours. She stated provisions are included for data protection authorities being granted independence and provided adequate resources to issue awareness and guidance, encourage industry codes of conduct, handle all complaints, and investigate infringements of the law. Dixon explained the role of the Irish Data Protection Commission is as a lead supervisory authority, overseeing global operations and compliance of U.S. companies in the region. Dixon said GDPR included harder enforcement provisions with a range of mechanisms, including authority to fine up to four percent of global turnover. She said the spaces where most consumer complaints and investigations come from are retail banks, telecommunications, and internet platforms, all of which are reviewed and given time to appeal decisions made regarding violations. Dixon said clarity and consistent standards will materialize as GDPR begins to mature.

Neema Singh Guliani, Senior Legislative Counsel, American Civil Liberties Union

In her testimony, Guliani said the current privacy regime is hurting consumers through increasingly “unfair” discriminatory practices and exacerbating economic inequality, adding that it is even threatening physical safety. She said that studies show how realtors discriminate on prices based on zip codes and browsing habits, and that in many cases consumers are not aware of the collection of their information or of these practices, which are violations of equal opportunity laws. She had four recommendations for improving a framework: 1) any federal law should be a floor, not a ceiling, as broad preemption would cause harm for States; 2) legislation should include the ability for consumers to sue violators, as there are some gaps in government and agencies’ ability to enforce; 3) protect against discrimination; and 4) provide guardrails for how data is collected and used, such as limiting the purpose of what is collected without consent or addressing pay-for-privacy schemes. Guliani said without these protections, a federal framework would be a step backwards.

Jules Polonetsky, CEO, Future of Privacy Forum

In his testimony, Polonetsky said behavioral advertising continues to be a growing concern and it is long past time to implement a privacy law that protects consumers from harmful practices. He referenced global implementation of privacy protections and recommended the U.S. define technologies and establish terms of trade, as well as provide guidance on privacy standards. Polonetsky said the baseline for a framework should include strong protections, matching or exceeding CCPA: transparency, access, deletion, the right to object, protections for minors, and the right to object to sales of data. He recommended including compatible use and consent, as well as special restrictions on sensitive data, amongst other areas reflecting international models. Polonetsky said this is not a binary in-or-out system, as there are nuanced levels of rights and stages for data collection and use. He encouraged providing provisions for accountability through internal enforcement mechanisms, such as employee training and other tools for responsible stewardship. Polonetsky said privacy enhancing technologies (PETs) should be encouraged to deliver the benefits of data while ensuring strong mathematical proofs are in place to minimize risks. Polonetsky said any law would impact State laws and should avoid complexity by providing carefully crafted preemption provisions. He also said to allow the Federal Trade Commission (FTC) the ability to make rules and levy civil penalties, education and outreach capabilities, and to provide State Attorneys General (AGs) a role in the enforcement process.

Jim Steyer, CEO and Founder, Common Sense Media

In his testimony, Steyer said his organization is focused on educating children and teens on the responsible use of technology, adding that now is a “major moment” for Congress to focus on creating a meaningful framework, which should include common sense provisions protecting everyone. He said only CCPA provides comprehensive consumer privacy law in the U.S. and that there are no federal guardrails protecting privacy. Steyer made four points for the committee to consider: 1) CCPA should be treated as a floor, not a ceiling, with the federal framework being stronger than CCPA; 2) children and teens are the most vulnerable and deserve special protections; 3) there is a need for ongoing public education and awareness campaigns for the public to understand the federal framework; and 4) Congress should pass a bipartisan framework.

Question & Answer

Preemption

Sens. Marsha Blackburn (R-Tenn.), John Thune (R-S.D.), Dan Sullivan (R-Ala.) and Richard Blumenthal (D-Conn.) asked questions pertaining to preemption and what to set as the baseline for State oversight in a federal framework. Dixon referenced provisions in GDPR that created a hybrid system to provide a baseline regulation, but allow member States the ability to choose laws in certain areas that work particularly for them, such as the age of consent rule in the EU being 13 for some regions and 16 under GDPR. Guliani and Steyer expressed concerns over broad federal preemption and agreed to set CCPA as a floor. Guliani added that with rapid changes to technology, States and independent agencies need the ability to adapt to those changes. Polonetsky recommended to carefully craft language to preserve rights and protections regarding preemption.

GDPR

Sens. Jerry Moran (R-Kan.), Ted Cruz (R-Texas) and Roy Blunt (R-Mo.) asked about specifics regarding GDPR and areas to consider in developing a federal framework. Dixon addressed concerns pertaining to GDPR restraining business growth and U.S. company compliance, stating that the commissions in the EU have worked to prepare industries on compliance and issued guidance for purposes of clarity and awareness. She added that GDPR is implemented and investigated according to the scale and size of businesses and appropriately provides every organization a fair opportunity for compliance and appeals, as GDPR principles are risk-based and technology-based. Dixon added that there are varying levels of fines, with four percent of global turnover being the highest level, and that she believes the law is harmonized, robust and sustainable to monitor and investigate compliance and enforcement.

CCPA

Sens. Jon Tester (D-Mont.), Sullivan and Wicker asked questions particular to CCPA and GDPR and the utilization of both laws in a federal framework. Polonetsky said GDPR provides clarity for tracking and verification of data collection and usage, while CCPA does not, and needs to further provide strong clarity for the right of access and lessen exposure over deletion rights. Steyer expressed a desire for utilizing California’s eraser button provision and data minimization. He added that when CCPA was crafted, major technology businesses were included in the conversation and CCPA provides strong privacy protections for businesses. Guliani added that when compared to the U.S., GDPR provides areas of benefit but should be modified to follow the Constitution and other laws, and recommended using CCPA as the baseline to prevent a framework that fails to accommodate States and individual rights.

Consent, Control and Transparency

Sens. Deb Fischer (R-Neb.), Brian Schatz (D-Hawaii), Jacky Rosen (D-Nev.), Gary Peters (D-Mich.), Blunt, Thune, and Tester asked questions about clarifying and strengthening areas regarding consent, control, and transparency when developing a federal framework. Steyer said there is further need for rights to access, deletion, and protection, and for provisions that keep certain areas off limits, as notice and consent policies are not enough. He said to provide simple, easy to understand terms of use and continue to bring awareness that consumer privacy is “critical.” Steyer added that “all” data needs protections, and that some needs special provisions in place. Guliani added the need for consumer choice and guardrails against sale and use in the secondary market, especially without consent. Dixon said re-designing the user engagement flow is important, and that providing transparency standards, as well as keeping awareness efforts simple, are always good. Polonetsky recommended special provisions for sensitive data collection and use and suggested opt-out or default provisions for sensitive data. He also said knowing where information is going and providing consumer control is beneficial, as companies need to solve problems based on how humans actually behave when protecting data.

Vulnerable Populations

Sens. Ed Markey (D-Mass.), Kyrsten Sinema (D-Ariz.) and Rosen asked questions about protecting the privacy of younger and older generations, as well as other vulnerable populations like the deaf. Steyer recommended setting special provisions in place and working to bring awareness to the standards for age-based groups. Guliani suggested addressing requirements for consent and pay-for-privacy schemes, as well as opt-in versus opt-out clauses.

FTC and AG Authority

Sens. Cantwell, Moran, Schatz and Rosen asked about enforcement issues in a framework. Guliani suggested providing robust provisions for enforcement on all levels and giving individuals the ability to sue companies violating privacy standards when the government or agencies cannot enforce against violators. She also recommended company risk assessments and creating a multi-pronged solution for enforcement. Steyer suggested fining authority, as well as a right of action and customer opt-in, when considering the varying types of companies in the economy. Polonetsky explained that some areas will require specific detail for enforcement in a framework, while others will require FTC rulemaking and enforcement. He also suggested “spelling out” specifics so businesses and agencies can anticipate the direction the framework will take.
