Four former commissioners of the Federal Trade Commission (FTC) testify that the US needs a robust federal privacy law, with the majority believing the authority should go to the FTC.
Today, the Senate Committee on Commerce, Science, and Transportation convened to revisit the need for federal data privacy legislation, with four ex-FTC commissioners and California’s attorney general giving testimony.
Former FTC Commissioners Julie Brill (2010-2016), William Kovacic (2006-2011), Maureen Ohlhausen (2012-2018), and Jon Leibowitz (2009-2013) testified on the urgent need for a federal data privacy law, what it should look like, and which agency should be the governing body.
“Passing a comprehensive federal privacy law is a critical national priority, and the public wants action now,” Brill submitted in her testimony.
Likewise, Leibowitz submitted that “Congress must pass a federal privacy law that gives consumers the choice, clarity, and enforcement they deserve.”
And Ohlhausen declared, “The United States would benefit significantly from a strong and unified, technology-and-industry-neutral federal privacy law that applies uniformly to all entities, regardless of their business model.”
As to the question of which entities should be in charge of data privacy, California Attorney General Xavier Becerra said that federal data privacy legislation should not preempt existing state laws, and that “state law is the backbone of consumer privacy in the United States.”
But former FTC commissioners Leibowitz and Ohlhausen both argued that having different data privacy laws for different states would “create inconsistent protections for consumers.”
In his opening testimony, Leibowitz claimed that “A Seattle resident visiting Biloxi should not live under a different privacy regime than a Mississippian visiting Washington State, nor should she lose any protections if she decides to drive from one of those states to the other.”
Becerra rebutted in his opening remarks, “As you consider enacting a federal digital privacy law, give us a playbook, but don’t preempt smart, nimble privacy protections that let states meet the varying challenges coming at us, from Mississippi, or Washington state, or California.”
However, in their written testimonies, both Leibowitz and Ohlhausen submitted the same exact response — “A proliferation of different state privacy requirements would create inconsistent protections for consumers.”
And Ohlhausen claimed, “By its very nature, the Internet connects individuals across state lines. Put simply, data (and, increasingly, commerce) knows no state boundaries.”
For Leibowitz, the answer to who should be the primary authority over federal data privacy protection was crystal clear.
“There is no question in my mind that the FTC should have the primary authority to administer the national privacy law,” he submitted.
Former FTC Commissioner Kovacic also came out in favor of having the FTC be the authority, but he offered an alternative to appease those who do not want to preempt state authorities: establishing a new independent privacy commission.
“Some commentators have argued that a full-scale renovation of the US privacy framework should preempt the ability of states to pursue initiatives inconsistent with national policy,” Kovacic submitted in his testimony.
Kovacic added, “I think an alternative pathway holds greater promise. Federal and state privacy regulators currently cooperate in a variety of ways, but there is no systematic mechanism for policy coordination, let alone promoting convergence on shared norms.
“I envision an extension of existing cooperation and coordination efforts through the establishment of a domestic privacy network.
“Such a network could encourage individual privacy regulators to converge upon superior policy norms.”
Trust in data collection has become a hot issue this year during the coronavirus pandemic, especially when it comes to how contact tracing and health-related data are used. Brill suggested that the rules on how data could be collected during the crisis could be murky.
Brill commented, “The US unfortunately has not been sufficiently agile in using data to help society address the COVID-19 crisis. One reason for this is we do not have a common understanding of what companies and other organizations can and cannot do with data to address the crisis.
“For instance, in the absence of comprehensive protections, it has been difficult for US organizations to understand how they can responsibly deploy health-related data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA).
“This has created confusion and friction, and has hindered our ability to create effective technologies that people can trust.”
In the same vein, Leibowitz submitted, “What this last year has taught us, if anything, is that we simply cannot afford to kick the privacy legislation can down the road.
“A robust, clear, federal privacy regime was long overdue before the pandemic, and now, every day seems to teach us something new about the necessity of such a law.”
Leibowitz added, “Congress must pass a federal privacy law that gives consumers the choice, clarity, and enforcement they deserve, avoiding the pitfalls that have befallen statutes like CCPA and GDPR, so that this nation can once again be the global consumer protection standard-bearer.”