Ireland’s GDPR regulator assists Congress with federal privacy law
Last week we posted on how Congress is being advised by various industry experts, as lawmakers’ wrestle with the task of codifying a federal consumer privacy law. However, as we reported, there are concerns that some external “advice” could potentially come from industry-funded lobbyists, whose job is to influence in favor of the big tech players.
Whether you support the introduction of a federal privacy law or prefer to see state-level consumer privacy legislation, you might find it comforting to know that at least one advisor to Capitol Hill has no such ulterior motive for providing her assistance.
Helen Dixon, the Irish data protection commissioner, regulates the GDPR compliance of big tech players, such as Microsoft, Facebook and Twitter, plus other companies incorporated in the EU country. During a hearing last Wednesday, Ms. Dixon shared some of the lessons learnt and offered advice on data privacy policies with senators.
The hearing was the latest of several congressional committee hearings, designed to develop policy ideas for a proposed law, which has gained momentum this year, as incidents of data breaches continue to occur.
Members of the Committee on Commerce, Science and Transportation raised their concerns with data privacy regulation on a federal level with Dixon, whose agency oversees GDPR compliance for Facebook, Twitter, Uber and other U.S. companies incorporated in Ireland.
Senator Ted Cruz, R-Texas, asked Helen Dixon about the impact of the GDPR on small-to-medium sized businesses in Europe, and also whether the regulation, which came into effect last May has reduced employment opportunities. Irish officials are "not aware of evidence that the GDPR is effecting jobs adversely," replied Dixon.
She added: “That's in part because certain GDPR articles don't apply to smaller companies,”
Dixon further explained that the law requires businesses to implement processes "appropriate to the risks and scale of personal data processing they're undertaking," not a one-size-fits-all approach.
Senators also asked Dixon about the value of pre-emption in a U.S. federal data privacy law. Senator Marsha Blackburn, R-Tennessee, said the GDPR is an "EU-wide regime", and not a law that is specific to Ireland. She continued, by explaining that the GDPR is a "hybrid" state and EU-level law, with
"member-state flavors in terms of choices" on certain aspects of the regulation.
Guliani and James Steyer, CEO of Common Sense Media argued that they would have "serious concerns" with a federal privacy law that pre-empted state law, particularly the CCPA. Both witnesses said the CCPA should be a "floor" for federal privacy regulation, not a ceiling, and would not back a nationwide law with looser consumer protections that undermined California's law.
Meanwhile, Google, Twitter and several other tech companies are continuing to push for a federal law that would pre-empt California’s CCPA. In a September 2018 Senate Committee on Commerce, Science and Transportation hearing, Google’s chief privacy officer Keith Enright and Amazon’s associate general counsel Andrew DeVore said the CCPA's definition of impacted personal information was unclear and backed the idea of a regulation with pre-emption.
Sen. Roy Blunt, R-Missouri asked Dixon some questions concerning Ireland's enforcement of GDPR violations against EU versus U.S. companies. Dixon said Ireland's Data Protection Commission has not yet issued any GDPR-related fines, however, the agency is currently investigating 51 companies for violations, 12 of which are U.S. tech companies.
The Irish agency plans to finalize the first wave of GDPR investigations this summer, Dixon said. This could include an investigation launched against Facebook in October after the company revealed a data breach impacting millions of users. The highest fine a company can face under the GDPR is 4% of its annual turnover, which, in Facebook’s case represents more than $1.5 billion.