In This Issue

Data Privacy -- Background as the Federal Debate Takes Shape

Since the 2016 election, more information has become known about the nature and extent of the collection of all sorts of personal data by the companies that dominate internet use, as well as the co-opting of such information by various parties for nefarious purposes (e.g., Russian interference in US elections, enabled by access to personal data via third parties such as Cambridge Analytica). In response, Congress has been increasingly agitating for a broad federal data privacy framework.

The call for a federal approach comes on the heels of California's passage of the California Consumer Privacy Act (CCPA), an internet data privacy bill modeled largely upon the European Union's (EU) General Data Protection Regulation (GDPR), which standardizes the laws for protecting consumer data in all 28 EU member countries.
In the Senate, Senators Warner, Wyden, and Thune have each expressed an interest in drafting privacy legislation. Senator Wyden has indicated that he will be releasing a consumer privacy bill on his own within the next few weeks. In a recent hearing he stated that he is very "troubled" by what he has seen in Facebook's privacy audits that were submitted to the FTC. Senator Thune stated that he is working to put together a legislative package that would address Member concerns. However, he has also said that based on the legislative calendar, action on such a package is unlikely this year. For now, Senators are focusing on laying the groundwork for action in the next session. What we will need to keep an eye on is who is actually leading the committees of jurisdiction next year. The House will have a different leader with Rep. Blackburn running for Senate, and Sen. Thune may no longer chair the Senate Committee as he is in a position to rise in the leadership. The Senate plans to hold another consumer privacy hearing in October, potentially on the 10th.
At the state level, California's AG got a funding boost of $700,000 to hire five new staffers to help craft and implement the CCPA. AG Becerra expects to issue final rules by June 2019, with the measure taking effect on January 1, 2020. This has prompted many tech industry groups to come out in favor of national standards that would preempt California's law.
Agency Developments

Recently, a bipartisan group of senators wrote to Commerce Secretary Wilbur Ross urging him to give Congress a voice in the ongoing discussions between the Administration and big tech companies over a nationwide privacy framework.
The Senators urge that Congress should have a part in crafting any proposal that seeks to meet the needs of American consumers and the internet economy. The recent implementation of the GDPR has prompted a push by tech groups, Congress, and the Administration to work on a nationwide privacy framework that would prevent a state-by-state approach.
Industry Proposals 

The Internet Association
The Internet Association (IA) put forward a privacy framework proposal that is supported by most major tech companies. The privacy principles have a stated goal of seeking to achieve the following:

1. Transparency - letting the consumer know what personal information is being collected by companies and how that information is shared.
2. Controls - it would grant the consumer the ability to limit how that data is being used, unless it is required for the basic operation of the business.
3. Access - individuals should have reasonable access to the information they provide companies. However, they feel that this access shouldn't interfere with others' privacy or the company's business operations.
4. Correction - individuals should be able to correct information provided to companies, unless a company has a legitimate need to maintain it.
5. Deletion - they should be able to delete their personal information, unless that information is necessary to provide services.
6. Portability - individuals should have the ability to transfer information that they've provided from one company to another.
Understandably, these priorities provide plenty of opportunity for companies to make exceptions and craft practices that will not greatly hamper their operations. IA advocates for these priorities to be weighed against other factors. Among these are whether the exercise of these rights is unduly burdensome or excessive, and whether the exercise of these rights would require companies to collect or process additional personal information about an individual.
IA goes further and makes additional recommendations for policymakers to consider. Key among these is whether de-identification or pseudonymizing will be hampered by any policies. The national law should explicitly preempt any local and state laws and provide unity and harmony nationwide. They also argue that any law should apply consistently across products and services and be technology neutral. They also argue against any prescriptive approach that dictates how privacy and data security protections should be taken.
The problem with this document is that it is unlikely to satisfy the concerns of some of the more consumer-minded Members on the Hill. There is a lot of room for companies to dictate what information is provided to consumers and what is deemed to be essential to the operation of their business. So, you could end up with a scheme similar to what we have now, where the use of a device or service is contingent on giving up your data.
US Chamber of Commerce
The US Chamber of Commerce has also issued what they believe should be the core principles guiding a national privacy framework discussion. Their recommendations, while similar, do not go as in depth as IA's do.

1. Nationwide Framework - the Chamber also believes that any privacy framework should occur at the federal level to provide consistency.
2. Risk-focused - using slightly different language than IA does, the Chamber also makes the case that the context of data use and the risk associated with it should inform the protections granted and the control given over the use of that data.
3. Transparency - businesses should be transparent with their consumers regarding data use and collection.
4. Neutrality - the Chamber also advocates for neutrality across types of technology.
5. Efficient and Collaborative Enforcement - something unique in this proposal is the call for a collaborative relationship between businesses and the government. Companies should be given reasonable opportunity to cure deficiencies before punitive government actions are taken against them. The Chamber also believes that no private right of action for privacy enforcement should be created.
Overall, this proposal is very similar to IA's. It goes a bit further in some areas, particularly with the risk focus language and the space dedicated to enforcement and compliance policies. The issue with both proposals is whether they will have more sway at the Administration level or with Congress. Congress, particularly the Members really driving this issue, is principally concerned with the consumer side of things and ensuring consumers have complete control of their data.

From Lobbyit's perspective, this will be a long process. Chief among our concerns is that whatever measures result allow NCISS members to conduct their business efficiently and effectively.

As such, we have trained an eagle eye on the related legislative and regulatory developments, and will be doing whatever is necessary to modify or amend official actions to protect NCISS interests.

Commerce Committee Hearings
Examining Safeguards for Consumer Data Privacy
U.S. Senate Committee on Commerce, Science, and Transportation
On September 26, the Senate Commerce Committee conducted the first of two scheduled hearings on data privacy policy. Entitled "Examining Safeguards for Consumer Data Privacy," the hearing featured testimony regarding the privacy policies of AT&T, Amazon, Google, Twitter, Apple, and Charter. Senators reviewed the current state of consumer data privacy and discussed ways to safeguard privacy more effectively, specifically the positive and negative aspects of the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Lobbyit attended this hearing, and provides this detailed coverage to our partners at NCISS.
Note in particular the panel's emphasis on crafting a federal regulatory framework.
  • Len Cali, Senior Vice President Global Public Policy, AT&T Inc.
  • Andrew DeVore, Vice President and Associate General Counsel,, Inc.
  • Keith Enright, Chief Privacy Officer, Google LLC
  • Damien Kieran, Global Data Protection Officer, and Associate Legal Director, Twitter, Inc.
  • Guy (Bud) Tribble, Vice President for Software Technology, Apple Inc.
  • Rachel Welch, Senior Vice President, Policy & External Affairs, Charter Communications, Inc.
Opening Statements:
Chairman John Thune (R-S.D.)
  • The Chairman stated that because of the developments of strict regulations and penalties by the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) the issue is not whether we need a federal law, but what the federal law should look like.
  • The Chairman believes there is bipartisan support, as well as support from both industry and public interest groups, for working to reach a consensus on a national consumer data privacy law that will help consumers, promote innovation, reward organizations with little to hide, and force shady practitioners to clean up their act.
Ranking Member Bill Nelson (D-FL)
  • Ranking Member Nelson noted the many hearings on data privacy over the years because consumers have been hit by the misuse of their personal information and by data breaches. 
  • Hopes the committee will gain insight into how companies are safeguarding customers' private information.
Len Cali
  • Mr. Cali stated there is a risk in over-regulating privacy by importing the GDPR.
  • Noted AT&T's commitment to consumer privacy and support of federal privacy legislation.
  • Mr. Cali believes that policymakers should design a national privacy law that builds upon the FTC's privacy framework and includes:
o   Consistent nationwide privacy protections for consumers
o   Avoids duplication and inconsistent requirements
o   Respects customer privacy choices, requiring companies to be transparent about their privacy practices
o   Allows innovative, consumer-friendly uses of data that enhance their lives, subject to appropriate protections
o   Requires companies to take reasonable steps to protect consumer data
o   Supports collaborative public-private partnerships
  • Believes there to be imminent risk of states passing legislation and companies facing a patchwork of inconsistent state privacy laws that will lead to confusion and uneven protections.
Andrew DeVore
  • Mr. DeVore stated that customer trust is their highest priority and that they are not in the business of selling customers' personal data.
  • Policy perspectives for Committee to consider in a federal approach to privacy legislation:
o   Data privacy must take into account all stakeholders.
o   Congress must ensure that any additional overhead and administrative demands future legislation requires actually produce commensurate consumer privacy benefits.
o   Must address unintended consequences. The CCPA's definition of personal information results in a law that is confusing, difficult to comply with, and may undermine privacy-protective practices encouraging companies to handle data in a way that is not directly linked to a consumer's identity.
o   Focusing on customers will create smart privacy policies and practices.
Keith Enright
  • Mr. Enright noted that in order to achieve Google's mission (to organize the world's information and make it universally accessible and useful) and provide products for free, they must utilize advertisements.
  • Google supports Congress in their efforts to legislate privacy and wants to constructively engage with them in their developments.
  • Stated 4 key issues that are central to Google's framework for responsible data protection regulation:
o   Transparency: Stated that Google works to make privacy policies clear and concise, recently updating them to include informative videos explaining practices and settings.
o   Control: Acknowledged that users can download a copy of their personal information Google has collected, see or delete activity, and disable personalized ads.
o   Data portability: Believes this is key to driving innovation, facilitating competition, and best serving users.
o   Security: Stated that Google shares their security technology and collaborates with partners to help people stay safe when online. Noted that small and midsize businesses are leveraging Google's cloud technology to protect the security and confidentiality of their business data.
Damien Kieran
  • Mr. Kieran stated Congress must balance consumer rights and the ability to innovate.
  • Believes companies must be held accountable for the protection of privacy.
  • Mr. Kieran noted that Twitter recently updated its Privacy Policy to explain what data it collects, how it is used, and what is and is not shared, using callouts, graphics, and animations.
  • Noted that to share the public content on Twitter as widely as possible, they provide companies, developers, and other customers with programmatic access to public Twitter data through Application Programming Interfaces. Stated private information disclosures are only upon individual persons' consent or if the settings of an individual allow for personal data to be disclosed.
Bud Tribble
  • Mr. Tribble acknowledged that at Apple, privacy is about putting the user in control of what is shared and used.
  • Believes privacy is a fundamental right and should be supported by both social norms and the law.
  • Mr. Tribble stated that Apple minimizes the amount of information they collect.
  • Noted how Apple is specific and transparent about the data they collect and use with their customers.
Rachel Welch
  • Ms. Welch stated that online privacy is a complex issue that must be addressed with stakeholder support, and that increasing amounts of data are being collected, shared, and sold without protections.
  • Charter believes a national online privacy framework should focus on 5 core principles:
o   Control: Consumers should be empowered to have a meaningful choice for each use of their data, with use reasonably limited to what the consumer understood at the time consent was provided.
o   Transparency: Consumers should be given the information needed to truly provide informed consent.
o   Parity: Consumers are best served by a uniform framework that is applied consistently across the entire Internet ecosystem, not based on who is collecting the data or whether a service is free or paid.
o   Uniformity: Believes there needs to be a national standard that protects consumers' online privacy regardless of where they live, work, or travel.
o   Security: Security practices should include administrative, technical, and physical safeguards to protect against unauthorized access to personal data, and ensure that these safeguards keep pace with technological development.
Chairman John Thune (R-S.D.)
  • If we pursue fed legislation, can you identify provisions from the California law, CCPA, or Europe's GDPR, that we should emulate?
o   Kelly: Both laws apply to all companies uniformly. California sets the default to opt out.
  • Are there conflicts between the 2 that we should address?
o   Cali: GDPR is overly descriptive and burdensome. California has a nondiscrimination obligation that is ambiguous, and the notice and consent process.
  • Do you plan to seek revisions to the California law before it goes into effect?
o   Cali: Yes, we do. Nondiscrimination obligation and the notice of consent.
  • Can anyone else talk about compliance costs under GDPR today and whether they create barriers to entry for start-ups?
o   Enright: The compliance costs have been a challenge at Google. An organization like Google can absorb those costs better than an entry business.
o   Welch: We do not fall under GDPR but are watching its impact closely as we realize it is a framework that people are looking at.
o   Tribble: Many of the companies who create Apps for the App store are small and medium-sized businesses and will have a hard time with compliance costs.
Ranking Member Bill Nelson (D-FL)
  • Will your companies support the FTC with more resources to protect consumer privacy?
o   Panel: Yes.
  • Do you support providing the FTC with more legal authority and better tools to protect consumer privacy?
o   Cali: We do not support unfettered discretion to any agency. We believe it is Congress' job to develop and set policy. If Congress were to do that we would work with them.
o   DeVore: Yes, but the issue is complex.
o   Enright: Would suggest that we first look at whether their existing authority is enabling them to exercise their mission effectively, and if that answer is no, then I think we move on to address expanding that authority.
o   Kieran: Support engaging in dialogue to work with the committee.
o   Tribble: FTC has a good track record. Important to look at whether their existing authority is sufficient.
o   Welch: If the committee finds that the FTC needs additional tools then they should have them.
Senator Deb Fischer (R-NE)
  • Do you think federal legislation is needed to protect consumers?
o   Tribble: Federal comprehensive legislation is needed. The amount of personal information available is only going to increase.
  • What is the best approach to federal legislation to not burden smaller businesses?
o   Tribble: Anything that makes things clear and one set of rules to follow.
  • What is an unreasonable way to use data?
o   Tribble: Identity theft. Information that is used out of context.
  • Should companies focus on using data in ways that don't directly link to individual identity?
o   Tribble: Even information that is disassociated can be later associated with an individual. Leaving personal information on the device and not having it sent back to company servers.
Senator Amy Klobuchar (D-MN)
  • Do you believe that we need federal legislation for privacy standards for consumers?
o   Panel: Yes.
  • Do you favor the idea of having a 72-hour notification window when there is a breach?
o   No one on the panel was in favor of the idea.
  • Do you think online platforms should be forced to make plain language disclosures regarding how personal data will be collected and used?
o   Enright: We are constantly working to make our disclosures simple for consumers.
o   Kieran: Earlier this year we revised ours completely to make it understandable for our consumers.
  • Do you think it would be helpful for consumers to be able to withdraw consent just as easily as they are able to give consent?
o   Kieran: We believe it is an important component.
Senator Brian Schatz (D-HI)
  • Do you think companies ought to take reasonable steps to prevent unwanted disclosures of data and that companies should not use data to the detriment of their customers?
o   Panel: Yes.
  • Do you support rule-making authority in this new federal privacy statute?
o   Panel: A qualified yes. Depends on what is involved in the statute.
  • Do you think the FTC should have the authority to fine in the first instance?
o   Cali: Qualified no.
o   DeVore: It is not something that should be ruled out.
o   Enright: Many FTC agreements already have penalties in settlements in the first instance.
o   Kieran: Qualified yes.
o   Tribble: We would be open to considering it and happy to be involved in the discussions.
o   Welch: Qualified yes.
Senator Jon Tester (D-MT)
  • Are you doing everything you can to ensure that private information is protected and if you're not, why aren't you? Why are we looking at Congress to pass laws and companies not doing it on their own?
o   Cali: We are doing all that we can as a company. The clarity of a federal law, leveling the playing field for participants makes sense.
  • Do any of you sell information that you get?
o   Cali: We do not sell information without affirmative customer consent.
o   DeVore: We are not in the business of selling personal information. We run a number of services that are information dependent.
  • What do you classify as personal information?
o   Enright: Information that would be identifiable to an individual user. Name, email account, or anything else tied specifically to a person or their device.
Senator Catherine Cortez Masto (D-NV)
  • Do we need to identify and define what personal information is?
o   Panel: Yes, it would be helpful with a uniform definition of personal information.
  • Would you support a default opt-in?
o   Cali: No because it would restrict non-sensitive data.
o   DeVore: Concerns that overlaying a regulation like default opt-in you risk breaking innovation on some services and the benefits from data.
o   Enright: No.
o   Welch: Yes, we feel a default opt-in is the right approach and the best way to empower consumers.
o   Tribble: May be appropriate in some cases but not all.
Senator Mike Lee (R-UT)
  • How much did Google spend in order to comply with GDPR?
o   Enright: I do not have specific figures available, but there were significant capital expenditures put forth to get into compliance before it went into effect.
  • How many human hours did it take to get into compliance with GDPR?
o   Enright: I would estimate hundreds of years of human time.
  • Is Congress' authority exclusive in data privacy similar to air traffic being federally regulated?
o   Cali: I believe it is exclusive. Data does not respect state boundaries, it is an intra-state service and therefore should be federally managed.
Senator Gary Peters (D-MI)
  • What percentage of users utilize Google's dashboard which provides features to control the collection of data?
o   Enright: I do not have those numbers with me, but I can get them.
  • Does Google's dashboard provide information to users how you track them across the internet?
o   Enright: Provides as much information as we are able. Users can see reporting about the advertisements they have seen.
  • Would you support a federal privacy law that mandates disclosure of tracking?
o   Panel: Yes.
  • What do you believe should be the contours of personally identifiable information, how should it be defined in legislation and how can we ensure it will be adaptable to new technology?
o   Enright: Our definition is data that directly identifies an individual user, i.e. an email address.
Senator Roger Wicker (R-MS)
  • Should federal legislation include preemption of state data privacy laws?
o   Panel: Yes.
o   DeVore: Qualified yes. The details matter a lot.
o   Tribble: Yes, assuming that it meets the bar protecting consumers meaningfully.
  • Do we all agree the FTC is the place for primary enforcement?
o   Panel: Yes.
  • Members of Internet Association, does that mean that your companies believe that edge providers and ISPs and all other online entities should be subject to the same privacy requirements?
o   DeVore: Yes. Core principles should apply to everyone.
o   Enright: Yes. Uniform application across industries enforced by the FTC is the way to go.
o   Kieran: We echo both those sentiments.
  • Do you think the national privacy law should take an online entity's business model into account or should they be subject to the same data requirements?
o   Cali: Irrelevant to a company's business model. Information is either sensitive or not.
Senator Richard Blumenthal (D-CT)
  • Do you all agree that we need mandatory practices when it comes to privacy?
o   Panel: Yes.
Senator Ed Markey (D-MA)
  • Would companies support a federal privacy bill that requires companies to tell consumers in clear concise ways what information is being collected about them and how that information is being used, shared, retained, or sold?
o   Kieran: Twitter already has these practices in place and we would support that type of legislation.
o   Panel: Yes.
  • Should federal privacy policy establish consumers' right to control their personal information and give consumers the right to say no to their data being sold or shared with others?
o   Panel: Yes.
  • Should Americans be able to access their personal data online? Would Charter support a federal policy bill that would put that right into law?
o   Welch: Yes.
o   Cali: Qualified yes.
o   Panel: Yes.  
Senator Tammy Baldwin (D-WI)
  • How should we take into account the incentives of user data that may or may not exist depending on the business model?
o   Tribble: Apple's business does not depend on collecting users' information. Any comprehensive legislation should apply equally to companies.
o   Enright: We should be able to find a shared understanding and direction for uniform legislation to protect consumers.

This report is provided for NCISS by ...
     ...until the next installment!

Please contact Francie Koehler for questions or issues regarding private investigators and James Huckabee for security professionals.

James Huckabee     

Permission granted to repost | 1425 K Street, NW | Suite 350 | Washington, DC 20005 | Phone: 202.587.2736 | Fax: 202.747.2727 |