Witnesses endorsed federal data privacy legislation, with the caveat that tech and communications industry stakeholders are given an opportunity to contribute to the contents of any legislation that the Committee intends to seriously consider. In his opening remarks, Committee Chairman John Thune (R-South Dakota) stated that this hearing was one of several that the Senate Commerce Committee will hold in order to hear from privacy advocates, consumer advocates and business stakeholders regarding potential legislation. Further, he signaled that legislation was a legislative priority for lawmakers. Among his opening remarks, Thune stated that “[t]he question is no longer whether we need a law for consumer data privacy, the question is what shape these laws will take.”
During the hearing, lawmakers cited that federal data privacy protections fell behind the California Consumer Privacy Act (“CCPA”), California’s recently enacted privacy law, which takes effect beginning in 2020, and the European Union’s recently implemented General Data Protection Regulation (“GDPR”). Witnesses agreed that their companies supported federal data privacy legislation with the stated goal of preempting the California privacy law. Senator Brian Schatz (D-Hawaii) stated during the hearing that while companies’ “holy grail is preemption,” lawmakers do not intend “to replace a strong California law with a weaker federal one.”
With respect to jurisdiction, companies and lawmakers broadly expressed that federal legislation would be beneficial for consumers, as compliance with the most restrictive aspects among the patchwork of state laws is cumbersome for the range of companies that are subject to these state laws. Panelists also agreed that the Federal Trade Commission (“FTC”) should have primary responsibility for enforcement of the federal data privacy law that ultimately materializes; however, there was not consensus among the witnesses on whether the FTC should have rulemaking authority or if the legislation should expand the FTC’s authority to level fines. Some lawmakers raised concerns that tech companies’ voluntary participation would yield the desired level of consumer protection. For example, during the hearing, Senator Richard Blumenthal (D-Connecticut) remarked that “[v]oluntary rules have proved insufficient to protect privacy.”
The panel contemplated other related issues, such as what provisions should be included in a federal law. Among the proposals discussed for inclusion were plain language disclosures, consumer access to personal data, a 72-hour breach notification requirement, and a consumer right to opt-in or opt-out of having one’s personal information collected and used for a purpose other than to provide the service requested. Many of the panelists stated that their companies already have implemented aligned measures and none of the panelists appeared to support the 72-hour breach notification requirement.
Additionally, lawmakers contemplated how to define personally identifiable information (“PII”) in federal legislation and how to ensure that the definition of PII could be adapted for emerging technology in the future.
Finally, Senator Blumenthal’s remarks during the hearing are most aligned with the challenges that companies can expect to face as legislation is developed. The Senator said that despite opposition from a number of companies, companies have been able to comply with GDPR and are making strides to comply with CCPA. Further, Blumenthal queried why Congress should not adopt federal legislation that simply mirrors GDPR or CCPA, and noted that industry’s perceived ability to comply would be an outstanding question throughout the congressional debate on federal data privacy legislation.
Reporter, Wintta M. Woldemariam, Washington, D.C., +1 202 626 5502, firstname.lastname@example.org.
Commissioner Ohlhausen Departs the Federal Trade Commission – Commissioner Maureen K. Ohlhausen departed the Federal Trade Commission (the “FTC”) upon the expiration of her term on September 25th. Sworn in during 2012 as a Republican Commissioner, she later served as the Acting Chairwoman from January 2017 to May 2018 when the former Chairwoman stepped down. Upon that departure, Ohlhausen and Democrat Terrell McSweeny remained as the only two Commissioners on the five-seat Commission, the only time in the history of the agency that there were only two Commissioners—meaning that Commissioners Ohlhausen and McSweeny had to reach agreement for the FTC to take action during that period. In May 2018, three new Commissioners (Noah Joshua Phillips, Rebecca Kelly Slaughter, and Rohit Chopra) were sworn in, bringing the Commission back up to full strength.
During Ohlhausen’s tenure, her focus was on “strong enforcement of the nation’s antitrust and consumer protection laws, including the key priority of safeguarding consumer privacy and data security,” according to a press release issued by the FTC. Highlighting Ohlhausen’s accomplishments during her tenure, the FTC touted in its press release that 20 significant actions were initiated to protect consumer privacy and promote data security; 32 proposed mergers were targeted with significant competition concern, with 19 resulting in consumer protection settlements; and 138 consumer protection matters were initiated or settled resulting in settlement distributions of $300 million to 3.7 million people and $6 billion in refunds to consumers.
One day after Ohlhausen’s departure, Christine S. Wilson was sworn in as a Commissioner. Wilson’s career focus has been competition and consumer protection law with her most recent engagement as Senior Vice President of the Legal, Regulatory & International section of Delta Air Lines. Wilson formerly served at the FTC during the George W. Bush administration as chief of staff for Chairman Tim Muris and previously was a law clerk in the Bureau of Competition. In a statement issued by the White House, Wilson was described as “an advocate against regulation for more than two decades, and believes that competition is the best way to protect consumers and the economy.”
Reporter, Julie C. Crawford, Washington D.C., +1 202 661 7814, email@example.com.
European Code of Practice on Disinformation – A voluntary, self-regulatory European Code of Practice on Disinformation (the “Code”) was published on September 26, 2018. Under this Code, technology, media and advertising companies commit to implementing new measures to counter “fake news” (i.e. various types of false information including fabricated, manipulated and misleading content) and other forms of disinformation.
Fake news has been on the EU’s radar for some time now. The European Parliament adopted a Resolution in June 2017 calling on the European Commission (the “Commission”) to examine the issue and look at existing laws and possible legislative interventions. In November last year, the Commission announced the creation of a High-Level Expert Group (the “Group”) tasked with defining the scope of the phenomenon, identifying the steps that have already been taken by stakeholders against it, highlighting best practice in the area, and advising on policy initiatives and strategy to counter the issue on both a short and long term basis. The Code was recommended by this 39 member Group in its March 2018 report (the “Report”) and championed in the Commission’s April communication, titled “Tackling online disinformation: a European Approach”.
Signatories to the Code commit to taking steps to help people in Europe make informed decisions when they encounter online news that could be false, such as prioritising authentic information in search rankings or news feeds, making diverse perspectives more visible, establishing clear marking systems for bots (computer programs designed to simulate human activity) to ensure that they cannot be confused with real human interactions, and developing indicators of trustworthiness in collaboration with news organisations. Signatories also commit to making information available to the Commission on request, co-operating with efforts to assess how/whether the Code is working, and to publishing annual reports about their work to tackle disinformation, to be submitted to an independent third party for review.
Critics of the Code feel that it does not go far enough, and are particularly concerned by the explicit exclusion of “misleading advertising” and “clearly identified partisan news and commentary” from its scope. However, the Commission has not ruled out the possibility of further regulation in the future if the Code proves to be ineffective.
Reporter, Jessica Trevellick, London, +1 44 20 7551 7507, firstname.lastname@example.org.