Lawrence Journal-World
Peter Hancock

U.S. Sen. Jerry Moran of Kansas may soon find himself at the center of one of the most complex and intensely personal issues for all Americans living in the 21st century: data security.

On Wednesday of last week, the Senate Commerce Committee, on which Moran serves, held a hearing on data privacy that appeared to be a prelude to future federal legislation that would impose national standards about data security on a wide range of American businesses, including credit rating agencies, online retailers and even ride-hailing services such as Uber, all of which have experienced massive data breaches in recent years.

Moran also chairs the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, and he is part of a bipartisan group of senators (including Republican Roger Wicker, of Mississippi, and Democrats Richard Blumenthal, of Connecticut, and Brian Schatz, of Hawaii) that is working on developing a national data privacy protection framework.

But while data privacy advocates say they favor strong legislation protecting consumer privacy, some are concerned that Congress could end up writing a weak law that would pre-empt stronger state legislation, including the sweeping legislation passed in California earlier this year.

“What the industry is asking for is really for Congress only to ask them to be transparent about their business practice, some sort of disclosure requirements, and not really a whole lot else beyond that,” Ernesto Falcon, an attorney for the San Francisco-based Electronic Freedom Foundation, a group that advocates for digital privacy protection, said in an interview.

“And that is not too different from what currently exists,” he said. “So essentially what they’re asking is for Congress to eliminate a lot of those state laws that provide pretty strong protection in exchange for nothing in return.”

During Wednesday’s hearing, Moran let it be known that he has concerns about the recently passed California Consumer Privacy Act, as well as sweeping new regulations imposed by the European Union, known as the General Data Protection Regulation, or GDPR.

“Those are concerns (about) what it will mean to the Internet ecosystem, especially the innovative, entrepreneurial businesses that are positioned to be disadvantaged based upon these regulatory overhauls, and in some instances these regulations conflict, one with another,” Moran said.

Wednesday’s hearing drew little public attention in a week in which most of Washington was gripped by the emotional Supreme Court confirmation hearing for Judge Brett Kavanaugh, and rumors earlier in the week, which didn’t pan out, that Deputy Attorney General Rod Rosenstein was about to be fired.

But it took place against the backdrop of some massive data breaches that businesses experienced in recent years, in which hackers were able to obtain personal information about tens of millions of Americans.

It also came amid growing concern about the mountains of personal information that consumers routinely hand over in the digital age, and what companies like Facebook, Twitter, Google and Amazon are allowed to do with that information.

Falcon cited a 2014 poll by the Pew Research Center that found that 91 percent of Americans feel they have “lost control” of how their personal information is used by companies.

“And they should feel that way because the problem is, there are not laws that ensure they have legal rights,” Falcon said.

California, however, stands out as an exception. Among other things, starting in 2020, its new law will give all California residents the right to request the deletion of certain personal information, and to opt out of the sale of their information.

Moran, however, said during the hearing that he has concerns about the new California law.

“This could lead to a patchwork of state privacy laws that internet companies engaging in interstate commerce would need to navigate in order to remain compliant,” Moran said.

Wednesday’s hearing featured witnesses from some of the world’s biggest internet companies, including AT&T, Google, Twitter and Apple. All of them agreed with Moran that they want to see federal legislation that would pre-empt state laws like California’s.

“In fact, federal legislation will be of very little help if it just becomes the 51st layering on top of 50 state rules,” said Len Cali, senior vice president at AT&T. “We need a comprehensive but singular privacy framework, and it should be a federal, pre-emptive framework.”

Falcon, however, said he thinks concerns about a “patchwork” of state laws are overblown because, when it comes to privacy laws, companies will base their policies around the strictest laws.

For example, he said, if one group of states requires companies to notify consumers of a data breach within 30 days, while other states require notification in 15 days, companies will abide by the 15-day requirement nationwide.

“Because that way, they’ve covered their obligations to the lower law and have met the higher standard of the other law,” he said. “That’s a reason why Equifax, when 143 million people’s information was breached (in 2017), we all knew about it because of California’s law on data breach. It’s the strongest law in the nation in terms of data breach requirements. And by the time Equifax had to comply with that law, they’ve already set the machinery in place to inform the other 49 states.”

Wednesday’s hearing only included testimony from industry executives, but the committee’s chairman, Sen. John Thune, R-S.D., said there will be future hearings involving consumer and privacy rights advocates.
