Department of Defense photo by Petty Officer 2nd Class Patrick Kelley,

Wary of State Rules, Tech Firms Endorse Federal Data-Privacy Regulation

Several of the world’s largest technology companies expressed support last month for federal regulation to protect consumers’ data privacy, signaling a shift from Silicon Valley’s longstanding preference for self-regulation. But critics argued that the companies’ push for new federal law is driven more by their desire to head off tougher state-level data rules than by genuine concern for consumers’ privacy.

Testifying before the U.S. Senate Commerce Committee on September 26, executives from six technology giants offered to work with lawmakers to craft federal law regulating how companies use and protect the data they collect from their customers and Internet users. Witnesses at the hearing included representatives of Amazon, Apple, AT&T, Charter Communications, Google, and Twitter.

“Now is the time for decisive congressional leadership to establish a thoughtful and balanced national privacy framework,” Leonard Cali, AT&T’s Senior Vice President of Global Public Policy, told the committee.

Data privacy issues encompass numerous concerns regarding how websites and digital-technology companies collect, protect, and use information regarding their consumers’ demographics and online activities. Key issues include digital providers’ tracking of consumers’ online behaviors, the sale of consumer data to third parties, largely without consumers’ knowledge or consent, and the risk that hackers will breach technology companies’ databases to steal consumer data.

The industry’s representatives used the hearing to recommend broad elements of any future federal data-privacy law, rather than proposing specific provisions or legislative language. AT&T and Charter executives recommended that Congress give the Federal Trade Commission, the U.S. government agency already tasked with enforcing some consumer-protection laws, more leeway to set its own data-privacy rules.

Perhaps more significantly, all of the executives, other than Charter’s, asked senators not to require digital providers to receive Web users’ affirmative consent before collecting their personal data. Such a requirement could severely undercut many technology companies’ revenues, given how much such consumer data is worth—potentially as much as $300 billion annually to the financial services industry alone.

As several of the technology-industry representatives acknowledged, their support for federal data legislation comes largely in response to two sweeping new data-privacy regimes: The European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act.

The GDPR, which became effective in May of this year, imposes numerous requirements on companies that collect and process Internet users’ personal data—essentially, any information that can, alone or with other data, reveal a user’s identity. The law obligates many digital companies to get users’ permission before collecting personal data, document such data collection, report data losses and breaches to regulators, and disclose information about the data they collect.

Especially concerning for many technology companies are the penalties the GDPR imposes for violations of its rules: for major violations, the EU may fine a company the greater of twenty million euros or four percent of the firm’s global revenue. For Amazon, which enjoyed $178 billion in revenue last year, such a penalty could, at least in theory, top seven billion dollars.

The California law, set to take effect in 2020, requires many digital companies to tell consumers in advance what sort of personal data they collect, what they do with it, and to whom they sell it or with whom they otherwise share it. The law also allows consumers to obtain the data that a covered company has collected about them and, in many circumstances, to request that that company delete such information from its records.

The Senate hearing’s industry witnesses told lawmakers that the EU and California laws are too onerous. Amazon attorney Andrew DeVore complained that the GDPR had “required us to divert significant resources to administrative and record-keeping tasks,” and he called California’s law “confusing and difficult to comply with.” Enright, the Google executive, estimated that his company’s employees had spent “hundreds of years of human time” complying with the GDPR.

Given their concerns over the California law and the precedent it could set for other states, the industry representatives generally wanted any federal data-privacy law to preempt state data regulations. AT&T’s Cali warned that the alternative could be “a patchwork quilt of inconsistent privacy regulations at the federal and state level,” while Charter lobbyist Rachel Welch claimed that such a “patchwork of state laws” could hinder industry innovation.

Technology-industry witnesses largely couched their support for preeminent federal regulation in terms of consumer welfare: Cali and Welch both said individual-state laws could “confuse” consumers, while DeVore said such laws could “actually undermine important privacy-protective practices.” The executives emphasized what they described as their firms’ respect for consumers’ data privacy, with executives from Apple and Twitter both calling privacy a “fundamental right.”

However, privacy advocates and other industry critics argue that technology firms’ support for federal data laws is motivated far less by concern for consumers than by the desire to minimize restrictions on their own profitable data-collection activities.

“When and if a national law is introduced,” Gizmodo’s Dell Cameron argued, “one might be concerned, rightfully, that a company like AT&T has a hand in drafting it.” Cameron noted that none of the witnesses recommended financial penalties for data-privacy infringers.

TechCrunch’s Zack Whittaker suggested that the witnesses’ warnings of regulatory harm were overblown, writing that there is “not much evidence to back … up” the technology industry’s assertion that the GDPR could cripple technology startups.

Instead, technology firms may have accepted that federal data-privacy regulation is inevitable, and that it would be better to have a hand in its development than to allow Congress to draft a law less favorable to the industry. “It seems like companies are seeing that they can’t continue to claim people don’t want data-protection laws,” said Amie Stepanovich of data-rights group Access Now. “The movement is clearly forward, and companies don’t want to be left out of those conversations.”

The Commerce Committee was scheduled to hear from consumer advocates this month, likely providing a more favorable perspective on European-style data regulation.

Adam Gerchick

GLTR Notes Editor; Georgetown Law, J.D. expected 2020; Amherst College, B.A. 2013. © 2018, Adam Gerchick.