What will a national data privacy law look like?

Lawmakers and industry are increasingly supportive of a federal data privacy law, but Republican and companies are not interested in the kind of proscriptive policies in the European Union's new data rules.

At a Sept. 26 Senate Commerce, Science and Transportation Committee hearing, chairman John Thune (R-S.D.) made the case national legislation to protect user data is necessary, but “the question is what shape that law should take.”

Representatives from AT&T, Amazon, Twitter, Apple and Charter Communications testified they were open to federal legislation, and said that they already take steps to protect consumers, do not sell user data and generally agreed they would support a law requiring clear explanations of how user information is used.

Len Cali, senior vice president for Global Public Policy at AT&T, made the case that the federal government should take the lead before individual states pass disparate privacy laws.

"Federal legislation will be of very little help if it becomes the 51st layer on top of 50 state rules," he said. "We need a comprehensive but singular privacy framework, and it should be a federal, preemptive framework."

Keith Enright, Google’s chief privacy officer, testified that his company’s definition of personal information, in the context of data privacy, is "data that directly identifies an individual user," such as a user's name or email address. The European definition includes "information relating to someone who could be identified based on a variety of identifiers," which Enright and Amazon’s vice president and associate general counsel Andrew DeVore argued doesn't meet the case.

Sen. Richard Blumenthal (D-Conn.) asked why America's stance towards consumer data privacy should differ from Europe’s, and pointed out that none of these companies were pulling out of Europe or out of California, which passed its own strict data privacy law.

"What that tells me is the opposition that you’ve expressed to these rules… is one that can nonetheless accommodate," stricter regulation, Blumenthal said.

The Trump administration has also planted a flag on data privacy. The National Telecommunications and Information Agency put out a request for comment on a new data privacy policy that "reduces fragmentation nationally and increases harmonization and interoperability nationally and globally." In a Sept. 26 Federal Register notice, the NTIA laid out a series of federal policy goals, including harmonizing regulation nationwide, policy interoperability with non-U.S. legal systems and providing incentives for privacy research.

"The Trump administration is beginning this conversation to solicit ideas on a path for adapting privacy to today's data-driven world," said David Redl, who heads the NTIA.

After the hearing, Thune said the bill would probably be introduced next year. By that time, he acknowledged, Democrats could flip control of the Senate, and they would likely push for stronger regulations on tech companies.

The main themes from the testimony, he added, were that industry wants a single national regulation rather than individual state laws, for that law to apply to “all the players in this space,” and they want the Federal Trade Commission to be the primary enforcement body.

Caitriona Fitzgerald, chief technology officer and policy director at the Electronic Privacy Information Center, said, “giving the FTC more authority is not the answer.”

"It is not a data protection agency and has repeatedly failed to enforce its own consent orders," she said, arguing instead "the US needs a dedicated data protection agency."

Sen. Brian Schatz (D-Hawaii) made a similar case against the FTC, in its current form, as the primary regulator, and said that industry’s goal of a preemptive federal law is "only going to get there if this is meaningfully done."

"We're not going to… replace a progressive California law, however flawed you may think it is, with a non-progressive federal law," Schatz said.