A handful of high-profile privacy breaches – including the Facebook -Cambridge Analytica scandal – has galvanized Congress to craft a national data privacy law, akin to the U.K.’s GDPR, but lawmakers and proponents at a House committee hearing Tuesday differed on what that legislation should include, enforcement authority and how it would work in accordance with states’ laws already on the books.
“Without a comprehensive federal privacy law, the burden has fallen completely on consumers to protect themselves, and this has to end,” said Rep. Jan Schakowsky, D-Ill., Tuesday during the House Energy and Commerce Committee’s initial hearing on privacy.
Noting that self-regulation “was revolutionary in 1999,” the Center for Democracy and Technology CEO Nuala O’Connor said going forward that approach “is not going to be enough" and no longer offers sufficient protection to consumers.
“The U.S. privacy regime today does not efficiently or seamlessly protect and secure Americans’ personal information,” said O’Connor. “Our current legal structure on personal data simply does not reflect the reality that the internet and connected services and devices have been seamlessly integrated into every facet of our society.”
In the absence of an overarching federal law, states have, sometimes vigorously, created their own legislation. But the uneven guidance can make compliance difficult for public sector companies.
"Without a consistent federal privacy standard, a patchwork of state privacy laws will create consumer confusion, present substantial challenges for businesses trying to comply with these laws, and fail to meet consumers' expectations about their digital privacy," David Grimaldi, vice president for public policy at the Interactive Advertising Bureau, told the committee.
The myriad state laws can also result in consumers receiving unequal protections.
"Your privacy and security should not change depending on where you live in the United States," said Rep. Greg Walden, R-Ore., who also contended that a single state, like California with its recently passed, stringent California's Consumer Privacy Act, "should not set the standard for the rest of the country."
O’Connor called for lawmakers to expand funding to and bolster the Federal Trade Commission (FTC), which currently provides a “backstop” for privacy violations and to grant enforcement authority for national legislation to state attorneys general.
“The FTC must be given the ability to extract meaningful fines from companies that violate individuals’ privacy,” she said. Noting that “state attorneys general have been enforcing their own state consumer privacy laws for decades, first under state unfair and deceptive practice laws and more recently under state statutes targeted at specific sectors or types of data,” O’Connor said, “employing their expertise will be necessary for a new federal privacy law to work.”
The Senate takes up the issue in a Wednesday hearing.