Despite an escalating series of privacy scandals, the tech industry’s cadre of Washington lobbyists have for years resisted attempts by policymakers and consumer advocates to craft federal rules governing the use—and punishing the misuse—of their customers’ personal data.
After the events of the last week, it seems safe to declare that resistance officially over.
On Tuesday the Internet Association, a trade group representing Facebook, Amazon, Alphabet, and nearly all other top-tier Silicon Valley platforms, announced their support for a federal framework to address data privacy. By Wednesday they were joined by the Software Alliance, a consortium that includes Apple, Oracle, IBM, and Adobe. Both groups came in behind the U.S. Chamber of Commerce, who last Thursday introduced their own plan for a federal privacy law.
Together, the groups encompass nearly every major company collecting or tracking consumer data in the United States. And representatives from all three are pointing to escalating global anxiety over privacy—supercharged by Cambridge Analytica and other scandals—as the driver of their newfound enthusiasm for federal rules.
Skeptical privacy advocates, however, point to the June passage of the California Consumer Privacy Act. The law is a forceful set of privacy provisions that restrict some common data-harvesting methods, expand opt-out requirements, mandate data portability, and potentially open the door to a flood of tech lawsuits.
California’s rules are slated to go into effect in 2020, but could be preempted by federal legislation. Achieving that preemption, say many privacy advocates, is the real reason behind Silicon Valley’s sudden U-turn.
“These industries have really fought tooth and nail against states passing privacy laws for a long time, and have never come to the table or have never supported a real consumer-privacy-protection structure,” said Ernesto Falcon, legislative counsel at the Electronic Frontier Foundation. “And suddenly California passes a law that puts some teeth on certain practices, and now the industry is desperate for a federal law.”
The notion that California’s new law is driving industry’s about-face is echoed by some—though not all—of Washington’s tech lobbyists. “California in particular, we think they got it wrong,” Michael Beckerman, the president and chief executive of the Internet Association, said during an Atlantic Live event Thursday. “And there’s corrections that can be made at the federal level.”
Alan Friel, a privacy attorney at Baker Hostetler whose clients include many in the tech industry, said he believes California’s new law—along with similar efforts now being pursued in Illinois and elsewhere—finally pushed tech companies to the table. “I think that the industry would rather concentrate its efforts in Washington than in a dozen or half-dozen state capitals,” he told National Journal.
But Friel also took umbrage at the suggestion that the move is a ploy to dismantle real privacy protections in favor of a federal fig leaf. “Another way to say it is, it’s an attempt to preempt reckless and ill-advised and costly—maybe well-intentioned, but ill-advised—state efforts at regulation, and to prevent an unworkable patchwork of state laws that make it impractical, if not impossible, for our data-driven economy to operate,” Friel said.
The aggressive industry push for federal rules is complemented by rapid moves on privacy by the Trump administration and the Senate. The National Telecommunications and Information Administration, in coordination with industry stakeholders, is working on a nebulous set of privacy principles. So too is the National Institute of Standards and Technology, which hopes to develop best-practice privacy guidelines that industry can draw upon when needed.
Republican Senate Commerce Committee Chairman John Thune has meanwhile teased the impending release of data-privacy legislation, telling reporters last month that he hopes to release a bill in September.
On Wednesday Thune announced a hearing for later this month on data privacy, and negotiations between Senate lawmakers and industry stakeholders over potential legislation are ongoing.
“The legislative process is serious right now, and we expect significant legislation introduced this year to set the stage for next year,” said one industry source, who requested anonymity in order to freely characterize discussions with lawmakers.
Privacy advocates are dismayed by the industry’s abrupt about-face on federal legislation, convinced it’s a prelude to the passage of federal rules that will cripple the tough privacy regime passed in California.
Laura Moy, the deputy director of Georgetown Law’s Center on Privacy and Technology, said she’s confused by the Chamber of Commerce and the Internet Association’s plans to promote a “neutral” privacy framework across all industry sectors, regardless of the amount or type of consumer data handled.
“As a consumer, I don’t have the same privacy expectations when it comes to interactions with my doctor as I do when it comes to interactions with a telemarketer,” she said, suggesting that a blanket framework for different industry sectors would be unworkable.
Falcon expressed his concern over the slate of panelists set to address the Senate Commerce Committee on Sept. 26. While executives from AT&T, Amazon, Google, Twitter, Apple, and Charter Communications are expected to testify, consumer advocates are conspicuously absent.
“There’s dozens of consumer-privacy groups out there,” said Falcon. “If you invite none of them that are challenging industry, and you only invite the Chamber of Commerce membership, you’re not going to get a hearing that actually is going to produce thoughtful dialogue.”
“I think it’s 100 percent the industry driving Congress right now,” Falcon added, arguing that no committee leaders on Capitol Hill were seriously considering privacy legislation before industry began clamoring for a bill.
But Thune’s bill isn’t the only potential privacy legislation percolating in Washington. On Thursday Sen. Mark Warner, the ranking Democrat on the Senate Intelligence Committee, said at the Atlantic Live event that any privacy bill backed by him would likely receive “overwhelming” GOP support.
Warner released a white paper this summer that called for a federal privacy framework mirroring certain provisions from the EU’s new General Data Protection Regulation. That idea received a cool reception from the Washington tech lobby, many of whom have openly criticized Europe’s adoption of the GDPR.
Dean Garfield, the president and chief executive of the Information Technology Industry Council, said Thursday he supports Warner’s effort to address privacy at the federal level. But, he added, the senator is making a mistake by assuming the privacy problem is easy to solve, and that the main roadblock is the lack of industry desire to fix it.
“We haven’t developed rules before, and so we have to work together to figure it out,” Garfield said during the Atlantic Live event. “And [Warner’s] suggestion that it is so simple is simply inconsistent with reality.”