All Things Newz
Law \ Legal

Readout On House Privacy Hearing: Wide Attendance, Lots Of Issues, Full Steam Ahead – Data Protection



To print this article, all you need is to be registered or login on Mondaq.com.

On June 14, the House E&C Subcommittee on Consumer
Protection and Commerce held a hearing to consider issues and concerns raised
by the “three corners” privacy “discussion
draft” released to the public June 3. As we blogged last week, the American Data Privacy and Protection Act
(ADPPA) is an historic bipartisan compromise among three key
committee leaders in the House and Senate (Sen. Wicker and Reps.
Pallone and McMorris Rodgers). So far, it lacks the backing of the
fourth, Senator Cantwell.

The hearing came together quickly, reflecting the limited time
and challenges in this election year to pass a bill of this
significance. The 3+ hour event showcased myriad issues and
concerns that the witnesses and other stakeholders have raised with
respect to the draft. Still, Subcommittee leaders pledged to keep
working on the bill and expressed optimism that they might be able
to pass comprehensive federal privacy legislation this year. As of
this writing, we understand that there will be subcommittee markup
next Thursday and a full-committee markup sometime after the July
4th recess.

Witnesses

The witnesses (eight of them!) included a mix of experts from
the public interest and business communities:

  • Caitriona Fitzgerald, Electronic Privacy Information
    Center Testimony

  • David Brody, Lawyers’ Committee for Civil Rights
    Under Law Testimony

  • Bertram Lee, Future of Privacy Forum Testimony

  • Jolina Cuaresma, Common Sense Media Testimony

  • John Miller, Information Technology Industry Council
    Testimony

  • Graham Dufault, ACT | The App Association Testimony

  • Doug Kantor, National Association of Convenience
    Stores Testimony

  • Maureen Ohlhausen, appearing for the 21st Century
    Privacy Coalition Testimony

Big Picture Takeaways

  • Virtually all subcommittee members attended (including full
    E&C Committee leaders Pallone and McMorris Rodgers) as well as
    some “guests” (Reps. Eshoo and Walberg, who serve on
    E&C, but not the subcommittee). Most applauded the bipartisan
    effort and expressed support for it in varying levels of degree.
    While the Democrats tended to focus their questions on the strength
    of the bill’s protections, many Republicans focused on whether
    and how the bill might impair legitimate business activities,
    particularly with respect to small companies.

  • Despite recent criticism by the business community and
    (reportedly) strenuous lobbying against the bill, the Republican
    leaders (McMorris Rodgers and Subcommittee Ranking Member
    Bilirakis) showed no signs of backing away from the bill and stated
    that they would work hard to address concerns in the coming
    weeks.

  • Witnesses from the advocacy community were generally more
    positive about the bill than those from the business community,
    although all applauded the goals and particular aspects of the
    bill. No witness opposed the bill outright, but all suggested
    changes, some quite significant.

Key Suggestions from the Witnesses

  • Fitzgerald expressed strong support
    for the bill’s data minimization provisions, which “sets
    the bill apart” from other laws. She also supported
    substantive protections for sensitive data that go beyond notice
    and choice. While citing the “big opportunity” here, she
    recommended changes, including adding a broad duty of loyalty (a
    feature long supported by Senators Cantwell and Schatz); strengthening algorithmic
    transparency; expanding the FTC’s rulemaking authority;
    authorizing enforcement by, not just state AGs, but other state
    agencies; and including statutory damages in the PRA.

  • Brody praised the civil rights
    protections in the bill, noting the gaps in current law and the
    value of requiring impact assessments and addressing online
    advertising and the platforms. Like Fitzgerald, he also applauded
    the data minimization standards, stating that data abuses and
    breaches disproportionately harm people of color. His suggestions
    to improve the bill focused mostly on the PRA, and included
    eliminating the 4-year delay; authorizing statutory and punitive
    damages; eliminating the limits imposed on demand letters and the
    right to cure; and extending the PRA to the data minimization
    requirement.

  • Lee was very supportive of the bill,
    saying it compares favorably to global privacy frameworks like the
    GDPR, and singling out the provisions governing civil rights,
    privacy by design, corporate accountability, the PRA, youth
    privacy, and large data holder responsibilities. However, he
    recommended more funding for the FTC, broader FTC rulemaking to
    ensure that the law keeps pace with technological changes, and
    greater harmonization with existing federal laws and the GDPR. Like
    Miller and Default (below), Lee questioned whether imposing direct
    legal requirements on service providers and third parties, instead
    of adopting the GDPR’s controller/processor model, would be
    workable.

  • Cuaresma focused on protecting
    minors, praising the ban on targeted ads, the creation of a Youth
    Division at the FTC, and including protections for teens. However,
    she suggested extending protections to all minors (not just those
    under 17); giving the FTC more resources; moving to a
    “constructive” (not “actual”) knowledge
    standard in the ADPPA and COPPA; and shortening the PRA waiting
    period. In response to a question from Rep. Lesko, Cuaresma seemed
    to agree that any consent involving minors should be given by a
    parent.

  • Miller was concerned about the
    breadth of the sensitive data provision and its effect on marketing
    and routine business functions. He noted that the bill includes
    consumers’ online activities as a sensitive data category,
    effectively turning the opt-out for targeted ads into an opt-in,
    and potentially impeding everyday functions like search and
    cybersecurity analyses. He also recommended including a broad
    carve-out for “first party” activities, consistent with
    state laws; adopting the GDPR approach to service providers and
    third parties (to more clearly delineate roles); and rethinking the
    PRA and preemption provision which, he said, are likely to lead to
    confusion and excessive litigation.

  • Dufault stressed the need to create
    legal certainty for small businesses. Like Miller, he was critical
    of the preemption and PRA provisions, and suggested limiting the
    PRA by preserving fewer laws, confining it to
    “substantial” privacy harms, broadening the right to
    cure, and adding a scienter requirement. He also expressed concerns
    about the breadth and definitions of some of the categories of
    sensitive data. Of note, he strongly supported the bill’s
    inclusion of the safe harbor program for small businesses, which
    could help alleviate burdens on these entities.

  • Kantor focused on creating a level
    playing field for all businesses while minimizing burdens on small
    entities. As such, he supported the bill’s direct coverage of
    service providers and third parties (in lieu of allowing certain
    entities to control others via contract), objected to carve-outs
    for particular sectors, and suggested changes to the bill’s
    small business exception. Like other business witnesses, he said
    that the preemption and PRA provisions would create significant
    burdens for businesses and that other provisions would impair
    legitimate marketing activities. For example, he said the
    bill’s attempt to preserve loyalty programs was confusingly
    drafted and that the requirements related to sensitive data would
    interfere with advertising that consumers want and expect.

  • Ohlhausen focused primarily on how
    the bill shifts oversight of telecom entities from the FCC to the
    FTC. While she strongly supported the shift, she expressed concern
    that the bill left voice services with the FCC while imposing
    onerous new requirements on broadband and video (rather than just
    shifting existing requirements to the FTC). Ohlhausen also
    recommended that the bill include a broad carve-out for “first
    party” data uses so as not to restrict routine, expected
    activities, and that the multiple exceptions to preemption would
    undermine the goal of creating a national privacy standard.

Other items of interest

  • Lesko asked Lee and Ohlhausen whether the algorithmic
    assessment should address discrimination based on political
    viewpoint. Neither was supportive – Lee because of potential first
    amendment concerns, and Ohlhausen because it is outside the
    FTC’s expertise.

  • Pence asked Fitzgerald whether the US should shift to a system
    that simply compensates people for their data. Fitzgerald said that
    would disadvantage less wealthy populations.

  • Armstrong said the preemption provision was confusing and
    suggested that future amendments to state privacy laws not
    preempted would make it more so.

  • Fletcher discussed the significance of protecting health and
    geolocation information in light of the impending Supreme Court
    decision on abortion rights.

  • Castor and Trahan emphasized the importance of protecting kids,
    citing their own efforts to expand protections for minors over the
    past two years.

  • In response to questioning, Dufault and Kantor expressed strong
    support for retaining the “actual knowledge” standard for
    determining who is a minor, stating that “constructive
    knowledge” is confusing and unworkable.

Where does this leave us?

  • Although no one “bashed” the bill at the hearing, the
    witnesses and members all raised numerous issues and concerns, with
    differing perspectives on how to resolve them. Subcommittee leaders
    aren’t giving up, but they have their work cut out for them and
    very little time to do it. Next step, Subcommittee markup!

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

Immediate Thoughts On The Newly Proposed CPRA Regs

Frankfurt Kurnit Klein & Selz

Happy Friday before a holiday weekend! This afternoon the California Privacy Protection Agency (CPPA) issued a notice that it will be holding a public meeting on June 8, 2022.

Friday I’m Reading CPRA (Again)

Frankfurt Kurnit Klein & Selz

For the second week in a row, the CPPA has dropped a bombshell on a Friday afternoon. Last week, the CPPA released a 66 page first draft of its Proposed Regs to CPRA (you can read our initial analysis here)…

CPRA Countdown: The New Concept Of “Sharing”

Hogan Lovells

The California Privacy Rights Act (CPRA) introduces a new concept, “sharing,” that provides California residents with the right to opt-out of certain disclosures of personal information…



Source link

Related posts

The Supreme Judicial Court’s Boston Municipal Harbor Plan Ruling Is EXACTLY The Same As The Supreme Court’s West Virginia v. EPA Ruling! – Environmental Law

All Employees Are Now Protected By The Employment Act 1955 – Employee Benefits & Compensation

California Appellate Court Affirms Attorneys’ Fees For Meal And Rest Break Claims – Employee Benefits & Compensation