On 26 September 2018, the Commerce, Science, & Transportation Committee of the US Senate hosted a hearing with representatives of ISPs (AT&T, Spectrum) and tech companies (Amazon, Apple, Google, Twitter). The hearing examined privacy policies of those companies and reviewed the current state of consumer data privacy regulation in the US. Witnesses also provided input on the future of data privacy regulation. The hearing showed there is now an active debate on the topic, which could lead to the passing of a US data protection framework for the first time. Companies accept that regulation is coming, and would prefer to deal with a consistent set of rules at the federal level rather than face a patchwork of state-by-state legislation.
Stakeholders start to engage in the detail of new regulation
Wednesday’s hearing of AT&T, Amazon, Google, Twitter, Apple, and Charter Communications was further proof that the discourse in the US is gradually, but significantly, changing. The default approach not to regulate anything, to avoid stifling business, is no longer an undisputed mantra – at least when it comes to consumer data privacy.
Following the more theatrical hearings with Facebook’s CEO Mark Zuckerberg in both the Senate and Congress earlier this year, yesterday’s hearing was a thorough discussion not only about where things are with companies’ practices in protecting customers’ data, but also about where they should go next. Perhaps for the first time, the tone of the whole discussion and the statements of the participants showed acceptance of the need for a new data protection framework in the United States. The reasons for this conclusion tend to vary between stakeholders; this in turn is reflected in different views of what US data protection regulation should look like. One thing is sure though: the debate on the subject is now alive and well, like never before.
Tech companies accept that regulation is coming, and are pushing for consistency
The Facebook–Cambridge Analytica scandal which unfolded earlier this year is still very much present in the minds of politicians, the press, and the more privacy-savvy consumers. This was inevitably going to result in Congress and Senate at least carefully evaluating the option to intervene, which is what we are seeing happening now. Congress and Senate want to ensure they protect the interests of their voters. Assembly’s Platforms and Big Tech Tracker, and Privacy and Data Protection Tracker, show that online platforms have been under scrutiny both for their practices around privacy, and for contributing to spreading misinformation, allegedly amplifying political bias. As a result, there is now a much stronger desire to intervene and regulate internet companies, compared to the past.
On the other hand, companies are starting to recognise the need to make amends for their shortcomings; after all, Zuckerberg himself admitted that some form of regulation for social media is now needed. In a scenario where businesses now see regulation as inevitable, they need to engage proactively to achieve two outcomes of paramount importance. Firstly, regulation should not be over-prescriptive, and should not force tech companies to radically rethink their business model. Secondly, regulation should be consistent from one country to the next.
In a rush to intervene, individual states in the US have already started the process to pass privacy legislation; California has led the way, with a set of rules clearly influenced by the European GDPR. This move is meaningful for the following reasons: it is the state of Silicon Valley, where all the successful US tech companies were born; the state is one of the 10 largest economies in the world; and the set of rules is seen by industry as very prescriptive. If California led the way, and other states followed, US companies would have to deal with much tougher privacy rules, and, more worryingly, with a patchwork of different legislation, as noted by one witness at the hearing. A federal framework on data protection is then seen as a much better outcome compared to state-by-state legislation, which would be a potential nightmare for regulatory compliance.
It is unlikely that US privacy rules will be similar to GDPR
The above is a telling example of how the tide has clearly turned when it comes to privacy regulation, and shows that the so-called “regulatory competition” (i.e. the drafting of regulation more attractive to business, compared to frameworks in other geographies) is not always a race to the bottom. GDPR has led regulators in other large economies (e.g. Japan, South Korea and India) to embark on an overhaul of the privacy framework; and is now influencing changes that could happen in the US, where privacy culture was nearly non-existent until recently, and the current rules give the Federal Trade Commission (FTC) relatively limited powers to intervene when companies violate their own privacy policies.
However, it is too early to predict whether the US will pass a set of rules akin to the GDPR: the culture of the hands-off approach is still very strong in the country, across the political spectrum. Responding to Senators’ questions in the hearing, company representatives argued that the US should have its own privacy framework, rather than copying another one; they also pointed out that GDPR is very cumbersome in terms of compliance (Google’s representative quantified the effort as “hundreds of years of human life”) and noted small businesses could suffer as a result. However, this is something that could be addressed through appropriate safeguards, and requires policy makers and small companies to engage directly with one another, to achieve a sensible outcome.