Once again, data privacy was hot on the agenda this week, as the Senate Committee on Banking, Housing, and Urban Affairs met yesterday for the first of two hearings scheduled this week. Yesterday’s hearing concerned privacy rights and data collection.
Among those testifying were Peter Chase, senior fellow at The German Marshall Fund of the United States; Jay Cline, privacy and consumer protection leader and principal for PwC U.S.; and Maciej Ceglowski, founder of the bookmarking service Pinboard.
A discussion of the European Union’s General Data Protection Regulation (GDPR) dominated the day’s proceedings. The GDPR, which became law in May 2018, has created a great deal of interest among lawmakers working towards federal legislation in the U.S.
Focusing on the complexity of privacy statements that EU businesses are required to include on their websites under GDPR, Senator Mike Crapo, R-Idaho, called them “phenomenally long,” and “incomprehensible,” and said the explanation of the data being collected is “meaningless” to the average user. Peter Chase responded to Crapo’s comments by saying EU law requires privacy statements to be presented in “clear language” upfront with a deeper explanation for users who want more information. Chase also explained the importance the GDPR puts on “specific, informed, and unambiguous consent.”
Senator Mark Warner, D-Va., said “first party consent isn’t enough,” and addressed what he describes as “psychological manipulation” used by the social media giants. Warner continued by promoting his own legislation, the ‘Deceptive Experiences to Online Users Reduction’ (DETOUR) Act. According to a statement from Warner’s office, the Act will “prohibit large online platforms from using deceptive user interfaces, known as ‘dark patterns’ to trick consumers into handing over their personal data.”
Continuing his already scathing attack on social media platforms such as Twitter and Facebook, Warner added that although these companies might appear to be free of charge, they are actually “giant sucking sounds” siphoning off users’ personal data. Pushing the idea of data portability, interoperability, and the ability to erase personal data, Warner addressed his comments specifically to Ceglowski, who said that data portability is challenging, and that while it’s a good idea in theory, it could create additional complications.
Senator Elizabeth Warren, D-Mass., spoke about how citizens cannot opt out of credit reporting agencies (CRAs) and how the use of credit scoring is vital in today’s society. Warren went on to highlight the aftermath of the Equifax data breach that occurred in December 2017 and asked if the victims of the breach could be helped to secure their data, “to put them back to the same place they were before the hack”. Ceglowski replied, saying “No, that ship has sailed.”
However, Warren continued her argument, saying that Equifax “routinely” failed to patch known security weaknesses. She added that unless businesses take a “financial hit” as a result of a data breach, there is no “incentive to prioritizing security.”
Warren also took time to promote her own legislation, the Data Breach Prevention and Compensation Act, which was introduced on May 7. According to Warren’s office, the new legislation will:
“give the Federal Trade Commission (FTC) more direct supervisory authority over data security at CRAs, impose mandatory penalties on CRAs for data breaches to incentivize adequate protection of consumer data, and provide robust compensation to consumers for stolen data.”
The California Consumer Privacy Act (CCPA) was the topic of choice for Senator Chris Van Hollen, D-Md., who asked if there is anything in the GDPR that is missing from the CCPA that Congress should consider for federal legislation. Ceglowski replied that automated decision making is not well addressed in the CCPA but should be included in any future federal legislation.
As mentioned above, this was not the only data privacy hearing on Capitol Hill this week. Today (May 8, 2019), the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce will hear from FTC commissioners as it considers the role the agency plays in strengthening Americans’ privacy and data security protections.