Technology

State rules complicate push for federal data privacy law

Lawmakers are running into their first major challenge as they finally begin work on a data privacy bill, with Republicans and Democrats sharply divided over whether to block states from enforcing their own rules.

Both parties are optimistic about the prospect of a bipartisan agreement on the nation’s first comprehensive data privacy law, but how that law will deal with tough new rules put in place by states like California is proving to be an early sticking point.

At recent hearings, the first in the current Congress on data privacy, Republicans pushed hard to override any state measures on privacy, while Democrats sought to punt on the issue. Democrats say they might consider preemption, which would allow the federal law to override state laws, but only if the final data privacy bill passed by Congress offers robust protections for customers’ data.

{mosads}

“Republicans were on message, and their message was, ‘You have to have one national bill,’ ” Rep. Jan Schakowsky (D-Ill.), who chairs the House Energy and Commerce Committee’s consumer protection subcommittee, told The Hill. “My view is that actually comes at the end. … If we have a really strong bill that is going to adequately protect consumers throughout the country, then definitely preemption’s on the table.”

The push for a data privacy bill has gained momentum in the past year in the wake of Facebook’s Cambridge Analytica scandal.

It also spurred California to pass the nation’s first consumer privacy law, with tough standards, requiring websites to offer more transparency about their data practices and to give users more control over how their information is collected.

The law set off a push among lobbyists and Republicans to try to head off the California rules before they go into effect in 2020 and to prevent any other states from following suit. Critics of the states’ efforts say they are concerned about the possibility of having to deal with conflicting regulations across the country.

“Your privacy and security should not change depending on where you live in the United States,” Rep. Greg Walden (Ore.), the top Republican on the Energy and Commerce Committee, said at a hearing before his panel last week. “One state should not set the standards for the rest of the country.”

Both parties are facing pressure from important groups to hold the line on the issue.

Multiple industry and business representatives warned against a “patchwork” of state laws, advising that while the largest tech companies are likely equipped to handle the complications, small businesses could struggle to navigate them.

Denise Zheng, the vice president for technology and innovation at the industry group Business Roundtable, warned that an array of state measures could present “massive barriers to investment for innovation” that businesses would find “unworkable.”

{mossecondads}

Many Democrats, though, signaled that they won’t go along with a weak privacy law just to prevent states from having any say over data collection.

“Are we here just because we don’t like the California law and we just want a federal preemption law to shut it down?” asked Sen. Maria Cantwell (D-Wash.), the ranking member of the Senate Commerce Committee, during a hearing Wednesday. “I find this effort somewhat disturbing.”

Sen. Brian Schatz (D-Hawaii), who also sits on the Commerce Committee, told reporters a day after the hearing that Democrats will be looking to see what is “sufficient to justify preemption.” Schatz hopes to include provisions in the law focused on codifying the responsibilities companies have when they collect user data.

Democrats are feeling pressure from consumer advocates and state leaders to oppose any effort to undercut to state regulations and weaken enforcement.

California Attorney General Xavier Beccera (D) said in a phone interview with The Hill this week that Congress should not eliminate “rights that Californians enjoy and count on.”

“What I am concerned about is Congress trying to diminish protections that Americans have under state laws that have been enacted in the absence of federal action,” Becerra said. “If the federal government is going to act, do no harm and don’t get in the way of those of us who have moved forward to protect people.”

The U.S. is one of the few countries in the developed world without a national privacy law or a watchdog dedicated to consumer data.

Last year, the European Union implemented an expansive data law called the General Data Protection Regulation (GDPR) that gave users much more control over their personal information online. Companies that violate the European law risk fines as high as $22.7 million, or 4 percent of their annual global revenue.

Privacy activists have hailed the GDPR as a win for consumers, pointing out that it gives users significant control over and access to their data while threatening severe penalties for companies that do not comply with its mandates.

Lawmakers stressed that Congress would not seek to copy the GDPR, but rather use it as a case study.

Schakowsky told The Hill that the committee intends to “take another look at what might be good there, what might be really good in the California bill as well.”

Beyond the issue of preemption, lawmakers will have to hammer out a wide range of details, including how the bill could expand the powers of the Federal Trade Commission, the rights consumers will be given to their data and the penalties companies could face if they violate those rights.

Sen. Roger Wicker (R-Miss.), who chairs the Senate Commerce Committee, told reporters he couldn’t offer a timetable for the legislation but that “it’d be nice to have it on the president’s desk this year.”

That’s assuming the two sides find common ground on the issue of preemption and other details. Democrats who have been itching to crack down on Silicon Valley and what they see as rampant abuses of consumers’ sensitive information say it’s important to impose new restrictions and obligations on the private sector.

“Consumer privacy isn’t new to this committee,” House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) said on Tuesday. “We’ve been talking about it for years, yet nothing has been done to address the problem.”

“It’s time that we move past the old model that protects the companies using the data and not the people,” Pallone added.