LIONEL BONAVENTURE/Getty Images
U.S. lawmakers are pushing ahead on a national data-privacy law, driven by a political backlash to the growing power of Big Tech and calls for regulation from Silicon Valley itself.
But partisan battles over whether to safeguard a growing array of individual state privacy laws could threaten to derail efforts by Congress to pass its first sweeping consumer protection legislation this year.
Congressional committees are set to hold hearings Tuesday and Wednesday on how to regulate tech giants such as Google and Facebook. Both Democrats and Republicans have published a raft of proposed legislation, and the Senate is expected to release its first bipartisan bill as early as next month.
The hearings come as lawmakers find themselves under increasing pressure to tackle data privacy. Earlier this month, the Government Accountability Office, the Congressional auditor, warned that the United States lacked significant safeguards over how companies use personal data.
The Federal Trade Commission, the national consumer protection watchdog, is reportedly readying to level a U.S. record-setting fine against Facebook nearly a year after revelations last March that the social media giant failed to prevent political consulting firm Cambridge Analytica from accessing data on millions of users without their permission.
Privacy experts say the change in tone in Washington over the past year has been striking. Lawmakers had long resisted calls for comprehensive national privacy regulations, fearing that restrictions would stifle tech firms’ abilities to innovate.
“Certainly a few years ago, the response among many Republicans and even some Democrats was anti-regulatory,” said Cameron Kerry, who as general counsel at the Commerce Department during the Obama administration, led efforts to pass a Consumer Privacy Bill of Rights that stalled in Congress. “That’s changed. You have a lot of Republicans talking about ‘we need to regulate in this area.’”
A number of issues that have emerged over the past year have helped turn data-privacy into a burning political issue. Scandals such as Cambridge Analytica and Russian political meddling on social media have sparked fears of Silicon Valley’s power over the political process.
At the same time, new European data-privacy laws that came into effect last spring forced many tech firms to change their privacy practices worldwide to comply. That prompted U.S. lawmakers to develop their own proposals to stave off regulation from abroad.
Most significantly, tech companies themselves have been lobbying Congress to pass national legislation that would override an emerging patchwork of state privacy laws – particularly new rules set to take effect in California next year that would give the state’s attorney-general broad powers to police Silicon Valley.
“There really is a unique confluence of events at the moment that has generated momentum around privacy in a way that I’ve never seen while I’ve been doing this,” Joseph Jerome of the Center for Democracy and Technology said, a Washington-based non-profit.
But while tech firms and lawmakers in both parties generally agree there should be new restrictions on how companies collect and use personal data, partisan fault lines are appearing that could thwart those efforts.
A handful of bills proposed by Republicans, such as Florida Senator Marco Rubio, seek to exempt tech startups and other small businesses from regulation, propose no new powers for federal watchdogs and would block states such as California from enforcing their own data-privacy laws.
Some Democratic proposals have instead called for hefty fines and even jail time for company executives that violate consumer privacy. California Democrats have also vowed to fight any Republican attempt to override their state’s privacy laws.
“I would hope that all 53 members [of California’s House delegation] would oppose it,” Representative Jackie Speier of San Francisco told Politico last week.
Industry groups such as the Internet Association, whose members include Google, Amazon and Facebook, have also pushed for a national law that negates state rules, arguing it creates a level playing field across the country. But some privacy experts fear that Silicon Valley’s newfound support for regulation is an attempt to replace aggressive state laws with weaker national ones.
“They want Congress to enact a get-me-out-from-under the European privacy law and the California privacy law,” said Jeff Chester, executive director of Center for Digital Democracy, a Washington-based advocacy group. “The fact that the companies want something is both an opportunity, but also a looming threat, because what they want and what the public needs are two different things.”
Other see dangers in the push to safeguard state rights. Mr. Kerry, now a fellow at the Brookings Institution, argues laws passed by states allowing consumers to block companies from selling their information still place too much onus on users, rather than businesses, to manage the reams of data that companies collect. Well-crafted national legislation could do more to protect consumers by requiring companies to commit to standards for how they safeguard personal information.
“A federal law that steps in and goes beyond consumer choice could be much stronger than state laws,” he said. “Then you really have the basis for a grand bargain in which businesses get one consistent set of laws across the country, and individuals and privacy advocates get strong protections.”
Some analysts are skeptical that a divided Congress will be able to overcome partisan differences and pass a bill before next year’s presidential election, but say they are encouraged that the tenor of the debate in Washington has changed.
A decade ago, most of the discussion about regulating tech giants was focused on narrow fixes such as whether companies could make their privacy policies easier to read, Mr. Jerome said. “Nobody seriously thinks that is what the U.S. should do with privacy anymore.”
Tamsin McMahon