US tech giants told Congress that they would support a federal data privacy law to protect consumer data, as long as it didn’t stifle creativity and innovation.
Representatives from Google, Apple, Twitter, Amazon, AT&T and Charter Communications appeared before the Senate Committee on Commerce, Science and Transportation to give their views on a US version of the EU General Data Protection Regulation (GDPR).
They were unanimous in the need for a federal data privacy law but asked for clarity about definitions surrounding personal data and called for a unified, simple approach.
The idea of a federal privacy framework is said to have strong bi-partisan support. Tech companies are keen to avoid a fragmented system of state-by-state privacy laws. California, for example, recently passed its own consumer privacy act, which is similar in scope to GDPR but not as extensive.
“You want something that you can work with so that you don’t have to navigate 50 different statutory frameworks,” Senator Brian Schatz told the companies.
AT&T senior vice president of global public policy Len Cali agreed, saying:
“Federal legislation will be of very little help if it just becomes the 51st layering on 50 state rules. We need a comprehensive but singular privacy framework and it should be a federal pre-emptive framework.”
The cost to small and medium businesses
While the tech representatives agreed that a federal data privacy law is necessary, they urged caution about the disproportionate cost of data compliance to small and medium enterprises.
According to Cali, the barriers to entry created by GDPR are “actually strengthening the large incumbents”.
Highlighting this point, Google’s chief privacy officer Keith Enright said that the cost of Google becoming GDPR compliant was “in orders of magnitude higher” than the millions of dollars suggested by Senator Lee.
Enright also estimated that the time dedicated to ensuring GDPR compliance took “hundreds of years of human time” and asked Congress to carefully consider the costs and barriers to SMEs.
Amazon’s vice president and associate general counsel Andrew DeVore echoed this point.
“Meeting its specific requirements for the handling retention of personal data required us to divert significant resources to administrative tasks and away from invention on behalf of customers,” he said.
Some US sites, for example, couldn’t meet the demands of GDPR and became unavailable in the EU after the legislation came into force in May.
Clarity on definitions under a federal data privacy law
The panel also called for future federal legislation to provide clarity on what is defined as personal data. Several said that the definition under GDPR is too broad.
“Google classes personal information as information that would be identifiable to an individual user,” said Enright.
“Maybe that’s semantics,” replied Senator Tester, who raised concerns about targeted ads using personal data.
Both Twitter and Google voiced their support for simplifying language in disclosures.
None of the spokespeople voiced concerns about the ability to opt out.
The witnesses all agreed that rules should be based on the sensitivity of the data. However, none of the witnesses spoke in support of a 72-hour window to report a data breach, as is the case under GDPR.
The role of the FTC
All of the company representatives said that the Federal Trade Commission (FTC), the US agency tasked with protecting consumer rights, would be the appropriate body to enforce any future federal privacy laws.
Apple’s vice president for software technology Guy Tribble said that the FTC has a role but there could be other options.
The representatives were initially hesitant when asked if they would support the FTC being granted more authority and legal tools to protect consumer privacy, prompting Senator Nelson to reply that “it seems to me that to protect consumer privacy should be an easy answer”.
Charter Communications’ policy & external affairs senior vice president Rachel Welch then responded that Charter Communications supports granting more tools.
Senator Schatz also highlighted that there’s currently no economic incentive because privacy policies are “mutually agreed to”. The FTC can also only bring an enforcement action against a company if it’s in breach of its own policies – “basically if they lie,” he said.
Damien Kieran, Twitter’s global data protection officer, said that the time is right to “develop a robust privacy framework that protects individuals’ rights by ensuring transparency and accountability while preserving the freedom to innovate”.
“Consumers should be given the information they need to make an informed decision,” agreed Welch.