Representatives of six tech firms came to Washington, D.C., and, for once, did not ask government officials to leave them alone.
Instead, executives of Amazon.com, Apple, AT&T, Charter Communications, Google, and Twitter all told members of the U.S. Senate Committee on Commerce, Science, and Transportation, during a committee hearing on consumer privacy, that their employers want a nationwide privacy law.
The past few years of privacy breaches weren’t enough to suppress the tech leaders’ traditional libertarian reflex. Instead, credit goes to two outside parties, the European Union and the state of California.
The EU’s General Data Protection Regulation already subjects many U.S. companies to strict privacy rules, while the California Consumer Privacy Act of 2018 will impose similar requirements in that state when it goes into effect on January 1, 2020.
Tech firms would much rather see one privacy law cover U.S. communications—as long as it’s not as strict as the GDPR and also supersedes any pesky state regulations like the CCPA.
(Some) privacy, please
The start of the hearing saw the six executives assemble into a bit of a choir.
“Consumers need understandable rules of the road,” Len Cali, senior vice president for global public policy at AT&T, said in a typical statement.
“More than at any other time in my career, there is momentum towards codifying baseline privacy principles in law,” Google chief privacy officer Keith Enright concurred.
“There should be a single, national standard that protects online privacy,” said Rachel Welch, senior vice president for policy and external affairs at Charter Communications.
Apple and Twitter’s representatives almost read from the same hymnal in professing their support for privacy rules. Damien Kieran, Twitter’s global data protection officer, called privacy “a fundamental human right,” and minutes later, Bud Tribble, Apple vice president for software technology, called it “a fundamental right, not a privilege.”
And after years of punting on the subject, lawmakers may be ready to oblige too with some sort of comprehensive privacy bill.
“Politics is always about timing, and I believe now is the time to begin action on this important issue,” said John Thune (R.-S.D.), chairman of the Senate Commerce Committee, as he opened the hearing.
Outlines but not fine print
Most of these representatives agreed that copying the provisions of the GDPR—a roughly 55,000-word text—and the CCPA wouldn’t work.
“Meeting its specific requirements for the handling, retention, and deletion of personal data required us to divert significant resources to administrative and record-keeping tasks,” said Andrew DeVore, vice president and associate general counsel at Amazon.
He wasn’t fond of the California law either: “CCPA’s definition of ‘personal information’ goes beyond information that actually identifies a person to include any information that ‘could be linked with a person,’ which arguably is all information,” he said.
Google’s Enright told Sen. Mike Lee (R.-Utah) that complying with the GDPR’s provisions cost “orders of magnitude higher” than millions of dollars, while the labor involved added up to “hundreds of years of human time.”
Apple’s Tribble urged the senators to think of the burdens that a new law modeled after either the EU or California precedents would impose on the millions of small App Store developers.
And when Sen. Amy Klobuchar (D.-Minn.) asked the witnesses if they could endorse a 72-hour timetable to notify victims of a data breach—a key GDPR provision—none would.
More squishiness emerged when senators started pressing the tech execs about how the Federal Trade Commission might enforce any such law. They all seemed fine with giving the FTC more money, but they didn’t cleanly endorse granting it authority to set rules and impose fines.
As Sen. Brian Schatz (D.-Hawaii) observed, the FTC can’t today slap a company with a fine until after it violates a negotiated settlement with the commission to address an earlier privacy failing. In other words, for that first offense, “there’s no real economic consequence right now.”
After a particularly vague series of replies from Enright, Sen. Bill Nelson (D.-Fla.) replied: “Is that a ‘yes, maybe’?”
Asked and unasked questions
Some other interesting details emerged over the hearing, but those two and a half hours also featured numerous missed opportunities.
For example, nobody followed up on Enright’s admission during his opening statement that “we have made mistakes in our past” to ask him to identify those mistakes and lessons learned.
The entire notion of data minimization never came up. Nobody challenged the tech companies to name an instance when they eliminated a product feature in order to collect less data.
And after Sen. Gary Peters (D.-Mich.) asked Enright how many people actually used Google’s Dashboard interface to see and control the information Google collects about them, and Enright replied that he didn’t have that information, nobody posed a similar question to the other company representatives. (That would have been an especially apt question for Facebook, which repeatedly touts all the options it gives to users to control their data, but the social-networking giant went unrepresented Wednesday.)
AT&T got away particularly easy. Privacy advocates say its data collection practices have overreached in the past—for example, it defaulted subscribers of its GigaPower fiber Internet service into having their browsing activity monetized, then proposed to charge them $29 more a month to escape that tracking. And just Tuesday, it rolled out a new ad platform called Xandr that touts a “commitment to personalization” driven by “deterministic household and device mapping.” But nobody asked Cali about either topic.
Apple’s Tribble, in turn, didn’t have to answer questions about how its locked-down Mac App Store could have allowed a rogue app called Adware Doctor to collect browsing data from its unwitting users.
Some of the airtime that could have gone to exploring those topics went instead to exploring how Apple, Amazon, and Google are treating the Chinese market. That yielded little insight about U.S. privacy, though a question from Sen. Ted Cruz (R.-Tex.) to Google’s Enright about the extent of China’s censorship did elicit this incredulous reply: “I’m not sure that I have an informed opinion on that question.”
The hearing unquestionably worked to illustrate the complex nature of the advertising-linked technology that tracks our interests across the Web and all our devices. In the middle of an exchange about how ads for a product can follow you around online, Enright assured Sen. Jon Tester (D.-Mont.) that “we understand the complexity of the Internet ecosystem.”
The senator interrupted with a two-word response: “I don’t.”