The recent activation of the EU’s General Data Protection Regulation (GDPR) represented a seismic shift in data handling for businesses. The global tech industry is seeing a future in which GDPR-style regulation, which includes stringent requirements for end-to-end handling of customer personal data and considerable fines for even small violations, will be widely adopted by regional and national governments.
Silicon Valley is more keenly aware of this than anyone outside of the EU. Passed in June of 2018, the California Consumer Privacy Act (CCPA) bears similarities to the GDPR and will become fully active on the first day of 2020. Though not quite as stringent overall as the GDPR, the CCPA gives state residents similar rights to know what data companies have collected about them and to require that companies fully remove this data from circulation upon request.
This apparent trend toward heavy government regulation of personal data collection has tech industry titans discussing support for a federal privacy law for the first time. While tech companies by and large view such regulation as onerous and a limitation on their ability to do business, there is a sense of inevitability in the industry. If such legislation is inevitable, then tech companies feel their best play is to get out in front of it with their own industry-supported legislation that contains terms that are as friendly to them as possible.
Trade groups including the Internet Association, The Software Alliance and Information Technology Industry Council are already pushing for voluntary standards to avoid data protection laws similar to the California law. The fear is that actions from Congress and the White House may have huge implications on the business model of the digital economy.
The sudden support for a federal privacy law
At the very least, many in the tech industry feel that a patchwork of state laws similar to the CCPA would be far more troublesome and expensive to comply with than one unified set of federal privacy regulations. In a set of privacy principles published recently, the U.S. Chamber of Commerce recommends that, “Congress should adopt a federal privacy framework that preempts state law on matters concerning data privacy in order to provide certainty and consistency to consumers and businesses alike.”
Some tech industry companies have additional concerns about legal liability. Leaks and hacks are far from uncommon, and sometimes expose the personal data of millions of customers when they occur. That not only represents a tremendous amount of potential fines, but also further susceptibility to massive class-action lawsuits that could prove ruinous to a company.
These tech companies aim to get a federal privacy law passed that is softer in these areas. Saying that “tech companies” are universally supporting federal legislation is painting with too broad of a brush, however; the interest mostly stems from social media companies and those that make their money primarily from advertising. Companies that deal primarily in hardware or in business-to-business services have less reason to seek pre-emptive federal regulation.
Tech industry vs. consumer watchdogs
Though no specific legislation is on the table, consumer rights groups are already taking up positions against a tech-sponsored federal privacy law campaign.
Critics are already sounding alarms that tech-sponsored legislation is about protecting the tech industry under the veneer of consumer privacy and safety. The Electronic Frontier Foundation has already taken a public stand against tech company involvement in crafting a federal privacy law, arguing that their efforts are an attempt to “neuter” California’s relatively strong protections and prevent any more states from adopting similar laws.
There is legitimate reason for concern. A September 26 Senate hearing on consumer data privacy was widely panned for including the biggest names in tech, but not one representative from consumer privacy organizations. These groups argue that allowing tech companies to be the only voices in the room is tantamount to self-regulation.
Additionally, Congress has a permissive record to date on consumer data privacy matters. Skepticism among the general public has been raised by issues such as their handling of the massive Equifax data breach of 2017, for which the company saw no real punishment or negative consequences. Concerns have also been raised that Equifax may actually be profiting from the data breach via sale of optional credit protection services.
Tech industry companies seeking to write their own federal regulations may see Republican control of both chambers of Congress and the presidency as their best opportunity to get their desired legislation passed, given the party’s tendency to favor the business side of such debates. Some Senate Republicans have been sharply critical of some of these companies for their perceived resistance to the Trump administration’s agenda, however.
What’s on the table?
At present, no formal federal privacy law has been drafted. The September 26 Senate hearing is seen as being the foundational event at which tech companies will introduce their “wish list” to the Commerce Committee. Companies testifying at the hearing who have an inherent business interest in weaker data privacy laws include Google parent company Alphabet Inc., Amazon, Twitter, AT&T, Charter and Apple.
Some pending legislation may also have a significant impact on the formation of any new federal-level data privacy standards. Chief among these bills are the Data Security and Breach Notification Act and the Consumer Privacy Protection Act, both introduced in the wake of the 2017 Uber data breach. If passed, these bills would create a federal system of breach notification laws that would supersede the existing state laws and set new security rules for the handling of existing legally protected forms of personal information (such as social security numbers and financial account information).
Members of the tech industry interested in pressing for federal standards will also have to take into account that they are dealing with a volatile political situation. While some feel that a Republican government may be more friendly to business concerns, they may not be dealing with one come 2019. Public polling indicates that Democrats have a very good chance to retake the House, and have made the race for control of the Senate competitive when it was thought to be completely out of reach for them just a few months ago. There is also uncertainty about the status of the executive branch given a swirl of scandal and investigations that will not go away. Democratic sponsors introduced and backed the current data privacy bills before Congress, and any Democrat-controlled branch of the government is likely to be much more resistant to allowing tech companies to write their data handling preferences into federal law.
The future of federal privacy legislation
It’s still very unclear what federal data privacy regulations will ultimately look like, or how much control the tech industry will be allowed to have in shaping them. Their efforts make it clear that such regulations are seen as being imminent, however. The results of the midterm elections in November are the next big bellwether as to the direction that legislation will ultimately take.