Several former commissioners of the Federal Trade Commission (FTC) warned the Senate Committee on Commerce, Science, and Transportation of the consequences of delay in passing a Federal privacy standard during a hearing on Wednesday.
“If we do not adopt a national privacy law of our own that reflects the deliberations of this committee, those who have thought about it a lot, we will get a national privacy policy. It will be called the GDPR,” said former FTC Chairman William Kovacic, of the General Data Protection Regulation, adopted by the European Union in 2016. “That will be it. We’ll have one, supplemented by the CCPA [California Consumer Privacy Act], with all the thoughtful work that’s been done there.”
“But do we want our national privacy policy to be the product of a decision made by a thoughtful foreign government, a very thoughtful state, but without the contribution of the national legislature to formulate our own distinctive collective judgment about these issues?” Kovacic asked the committee during the hearing.
Kovacic called the SAFE DATA Act, introduced Sept. 17, “a great step in the right direction.” The bill, according to Kovacic, who served on the FTC from 2006 to 2011, “will give us a voice again in this international arena.”
Julie Brill, the chief privacy officer at Microsoft and a former commissioner of the FTC herself from 2010 to 2016, also cited the importance of a Federal privacy bill for the U.S. internationally.
“If the United States does not pass a strong, robust Federal privacy law, we will lose our edge in terms of competitiveness on the global stage,” said Brill, “both in terms of the global economy and the ability of companies to engage effectively.”
In addition to the economic losses, Brill said the U.S. “will also lose our thought leadership in terms of where the world is moving, in terms of how people’s data is respected, and how it should be treated” if a privacy bill is not passed.
Providing a global context, she said that in a two-year time frame, 65 percent of the world’s population will be covered by privacy laws. “Many of these laws are being written with respect to a global standard that the United States is not participating in developing right now,” Brill said.
Jon Leibowitz, former FTC chairman and commissioner from 2004 to 2013, agreed. Without a Federal standard, “not only will we not be protecting citizens,” he said, “we will be behind the curve, and I think we already are, from a global perspective.”
Despite his assessment of the position of the U.S., Leibowitz said he is “optimistic here because there is an enormous amount of agreement among everyone on this committee about passing a bill.”
A Potential Stumbling Block
Sen. Roger Wicker, R-Miss., the committee’s chairman, who introduced the SAFE DATA Act, did not share that immediate optimism of the former FTC Chairman Leibowitz.
“It seems that in the discussion of data privacy at the Federal level, [a private right of action] has become an article of faith,” said Sen. Wicker, towards the end of the hearing, “and I really regret that because I think it amounts to a stumbling block that may prevent national legislation from being enacted.”
The committee chair listed several privacy bills without a private right of action, or an individual’s right to take legal recourse, including the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
California Attorney General (AG), and Sen. Wicker’s former colleague in Congress, Xavier Becerra shared a different perspective.
“There is enforcement of our CCPA privacy rights by the AG, by my office, but only my office, and so we’re probably not going to get to every violation that might occur in our state,” he said. “That’s why I say, ‘A right without a remedy is no right at all.’”
Implementation
While easy answers on the issues of the private right of action and Federal preemption of state privacy laws did not emerge from Wednesday’s hearing, the former FTC chairman Kovacic looked ahead to the implementation of a Federal law.
“I share the view of the leadership of the committee that a national privacy bill is an appropriate step to take,” said Kovacic, during his opening remarks. He provided two basic choices with how to implement the law, a new standalone data protection authority or enhancing the role of the FTC.
“I prefer the FTC option,” he said, citing as a benefit the accumulated experience the FTC has gained in the fields of rulemaking, law enforcement, and research. “I also think there is a close nexus between privacy and data protection and the other areas of the FTC’s responsibilities, that is antitrust and consumer protection.”
“The big issues involving big platforms of the future will be solved at the intersection of these different policy domains,” Kovacic said.
He added it is “going to cost a lot to come up with a real enhancement of capabilities” for the commission and suggested Congress provide “a billion dollars a year for 10 years.”