Might the U.S. take a page from the European Union’s (EU) data privacy playbook? Could the California Privacy Act spread to the rest of the country?
These possibilities were on the minds of participants in recent Congressional hearings concerning data privacy. The European Union’s (EU’s) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) have captured the attention of technology company executives and legislative leaders. Tech executives appear concerned that other states could follow California’s lead by enacting their own laws concerning consumer data privacy protections. Congressional leaders appear interested in understanding the impacts of GDPR and CCPA on U.S.-based companies — and in potentially applying these learnings to future legislative actions concerning data privacy and security. (Three such bills currently exist in Congress.)
In late September, U.S. Sen. John Thune (R-S.D.), who chairs the Senate Committee on Commerce, Science, and Transportation, held a hearing with executives of leading technology companies. Thune indicated that the hearing was designed to provide “leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation.”
During the discussion, Amazon Vice President and Associate General Counsel Andrew DeVore urged Congress to consider “possible unintended consequences of the CCPA approach” while noting that the law’s speedy passage “left little opportunity for thoughtful review, resulting in some provisions that ultimately do not promote best practices in privacy.” DeVore pointed to the CCPA’s definition of “personal information” as an example, explaining that it “goes beyond information that actually identifies a person to include any information that ‘could be linked with a person,’ which arguably is all information.” The result, he concluded, “is a law that is not only confusing and difficult to comply with, but that may actually undermine important privacy protective practices like encouraging companies to handle data in a way that is not directly linked to a consumer’s identity.”
A few weeks later, Sen. Thune convened another hearing, this one attended by privacy advocates who also spoke about the types of consumer protections Congress should consider in future legislation.
In a carefully researched written testimony, the Center for Democracy & Technology President and CEO Nuala O’Connor argued for federal privacy legislation that “will shift the balance of power and autonomy back to individual consumers, while providing a more certain and stable regulatory landscape that can accelerate innovation in the future.” After pinpointing why “the existing patchwork of privacy laws in the United States has not served Americans well,” O’Connor described how a national data privacy law “should create an explicit and targeted baseline level of privacy protection for individuals” by addressing four areas:
- Enshrining basic individual rights with respect to personal information;
- Prohibiting unfair data processing;
- Deterring discriminatory activity; and
- Establishing meaningful enforcement mechanisms.
As businesses, consumer privacy advocates and legislators continue to discuss, and disagree on, data privacy rules, it appears that some common ground – in the form of a growing desire for federal legislation – has quietly been reached. In a speech at an EU privacy conference in October, Apple CEO Tim Cook asserted that the U.S. should follow the EU’s lead by enacting its own comprehensive federal data privacy law.
We’ll keep you posted as these discussions progress; until then, a large number of companies across multiple industries will be dreaming of Californication, or perhaps tossing and turning about the work they need to do to establish and sustain compliance with GDPR and the CCPA.