Sitting at a conference table with a handful of reporters in his Capitol Hill office on Wednesday, Democratic Sen. Brian Schatz projected the kind of confidence typically reserved for members of the majority party.
The Hawaii lawmaker had just introduced new legislation, sponsored by 14 other Democratic senators, that outlined a framework for strict data-privacy protections at the national level. And while the bill failed to immediately attract any Republican supporters, Schatz said he wasn’t worried. While the tech industry and its congressional allies fret over the implementation of what they consider a burdensome new privacy law in California and push for Congress to preempt those rules, the senator said he was “serene” about hanging Silicon Valley out to dry.
“I think this is their sword of Damocles, and it’s not my problem to solve,” Schatz said. “We get to test their sincerity about getting meaningful privacy legislation done. If they try to drive an overly hard bargain, or if they try to start to play games with the California legislature, then it is relatively easy for us to not enact a national privacy law and allow GDPR California to go into place.”
Schatz was referring to the EU’s General Data Protection Regulation, largely despised by Silicon Valley for its byzantine nature and harsh penalties for noncompliance. The California Consumer Privacy Act, set to go into effect in 2020, was consciously modeled on the GDPR. And as Republican leadership and industry seek to preempt privacy efforts in both California and other states, Schatz said they’re increasingly likely to acquiesce to progressive demands for tough national rules instead.
“I just think we’re in a relatively strong bargaining position, because they need something to happen federally,” Schatz said. “Otherwise, something goes into place that they fear very much.”
The combination of California and Europe’s new rules with a slew of data-privacy scandals over the last two years has nearly everyone anticipating a major effort to address privacy in the next Congress. And while the House has done far less than the Senate to explore possible options, the incoming Democratic majority is expected to green-light legislation clamping down hard on companies that traffic in consumer data.
Things are less clear in the Senate, where the Republican majority’s sudden effort to address data privacy after California’s passage of new rules in June raised the possibility of a weak federal bill preempting tougher state regulations.
But Schatz isn’t alone in assuming that the focus on preemption gives progressives the upper hand in any Senate fight over privacy. The notion is shared by some of Schatz’s Democratic colleagues and outside experts. And it’s largely undisputed by Republicans, including current Commerce Committee chairman and incoming majority whip John Thune.
“If the folks that [Schatz] is sort of spokesperson for out there are comfortable with that idea—that they don’t have any objections to preempting California as long as they view the federal solution to be truly ‘progressive’—I mean, we’ll just have to take a look at what they’ve got [and] what we can put together,” Thune told National Journal.
Senate negotiations on privacy legislation are just getting started, and both sides say the current focus is on areas where the two parties can agree. But Gigi Sohn, a fellow at the Georgetown Law Institute for Technology Law and Policy, points to an expansive set of issues over which Republicans and Democrats will likely squabble. That includes the scope of breach notification to customers and law enforcement, the sensitivity of certain types of data, whether victims of data breaches should have a private right of action, the role of the Federal Trade Commission, and the possible expansion of strict privacy requirements to internet providers and other businesses.
Sohn thinks the fixation on preemption means progressives will win stricter rules in most of those areas, though she cautions it may take a while. “The preemption issue is the biggest piece of leverage that people that want strong national privacy rules have,” she said. “And there’s no reason to settle—particularly when you have a state like California, which for a lot of social and economic issues sort of sets the tenor for the country.”
An undercurrent of Democratic confidence persists even in the Senate’s bipartisan privacy efforts. Though Democratic Sen. Richard Blumenthal is currently hammering out a privacy framework with GOP Sen. Jerry Moran, he said the question of preemption puts a natural limit on his willingness to compromise. “California changes the calculus for [industry], because they’re going to have to obey it,” Blumenthal said. “So they have a real incentive to come to the table.
“Nobody’s drawing lines in the sand at this point,” Blumenthal added. “But California means there will have to be a law comparable to California’s.”
More states are expected to follow California’s lead on privacy, only increasing industry’s need for a preemptive federal framework before being subsumed by a patchwork of state requirements.
“You’re going to have new bills coming into the mix, and some state legislatures move fast,” said Michelle Richardson, director of the privacy and data project at the Center for Democracy and Technology. “If that continues, it may provide more incentive for companies to come to a deal, and urge members who are usually more anti-regulation to talk about what a fair trade is.”
Those members may include Moran, who—while open to some expansion of federal authority—is unlikely to be as comfortable as Blumenthal or Schatz with a progressive privacy framework. But because he sees preemption as such a “big deal,” the Kansas Republican acknowledged his potential willingness to compromise.
“I would take a look at the entirety of a bill, knowing there’s going to be provisions that aren’t my favorite, knowing that I might—in return for supporting something that isn’t perfect to me, I get something that is more important to me,” Moran said.
But Moran also had a warning to his Democratic colleagues who are sanguine about the prospect of letting onerous and confusing state privacy laws weigh down Silicon Valley’s ability to innovate.
“I think there’s a lot of unanswered questions about California,” he said. “So I think it’s hard to say that if it goes into effect, it’s no big deal.”