Hearing Probes takes aim at US digital privacy law enforcement

A Congress committee hearing This week, lawmakers from both parties expressed support for a national digital privacy law, but debate has split over exactly how it should work.

Witnesses who testified expressed differing views on whether a new agency is needed to enforce any future privacy laws and whether private citizens should be allowed to sue for noncompliance.

Some speakers also focused on alerting consumers to breaches of their data, while others called for tackling widespread data collection and practices that could allow targeted manipulation.


Demand for a national law has grown as lives become increasingly digital and the absence of federal policy prompts more states to act.

Last year, 38 states introduced more than 160 consumer privacy bills, according to the National Conference of State Legislatures, while California, Colorado, and Virginia have comprehensive consumer privacy laws in place. A national law could supersede existing state privacy laws or simply establish a baseline that leaves states free to add other protections.

WHAT COUNTS AS DAMAGE?

Rep. Zoe Lofgren, D-Calif., who convened the hearing, called for holding private companies and public agencies to certain privacy standards.

Lofgren drew attention to herself and Rep. Anna Eshoo. Online Privacy Act. This bill would limit how companies can collect and use data and give residents rights over their data, such as the ability to view, correct and delete it.

Daniel Castro is vice president of the Information Technology and Innovation Foundation (ITIF), a nonprofit research and education organization focused on encouraging policies that support technological innovation. orally and written testimonyhe advised the government to promote innovation by being light-handed when it comes to restricting how organizations can collect and use data, and recommended focusing on preventing concrete economic harm to people. consumers.

An example of real harm resulting from a data privacy issue could include a consumer’s financial accounts being charged for “unauthorized and unreimbursed” payments after their personally identifiable information was breached, according to a 2018 study. American Bar Association room.

Some witnesses also sought to highlight harms that are more difficult to quantify. They raised concerns that organizations could use the data they and others glean to compile comprehensive profiles on individuals, which could then be used to abusively target them.

Profiles can be targeted with manipulative content — including political misinformation — or for discriminatory means, such as preventing people of particular backgrounds from seeing certain job postings or home listings, said Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC). EPIC is a non-profit research center that describes himself as focused on protecting “privacy, freedom of expression and democratic values ​​in the information age”.

“Just as advertising companies use profiles about us to manipulate us into shopping, they can also manipulate our opinions by filtering the content we see,” Fitzgerald said.

FTC OR DIGITAL PRIVACY AGENCY?

Whatever policy is developed, it will only make a difference if it is actually implemented.

Castro, who appeared to view data privacy largely as a consumer protection issue, argued that the app would fall under the jurisdiction of the Federal Trade Commission (FTC). Rep. Rodney Davis, R-Ill., said the FTC has also established relationships with state attorneys general (AGs) with whom it will work on enforcement.

Lofgren’s bill takes a different approach and would create a Digital Privacy Agency (DPA) to oversee compliance.

Fitzgerald supported such a move, saying the FTC’s broad reach means it already has enough on its plate. The FTC may also lack the technical expertise needed to fight big companies over digital privacy, she said.

Fitzgerald argued that a regulator designated to focus solely on privacy would have more impact and be similar to how the Environmental Protection Agency and the Federal Aviation Administration were created to tackle important niche areas.

PRIVATE RIGHT OF ACTION?

Lofgren’s bill would allow state privacy regulators, like the California Privacy Protection Agency (CPPA), to also participate in law enforcement. State MGAs could sue for violations, and nonprofits could sue class action lawsuits.

Castro advised against a private right of action, saying it could lead to a slew of cases involving situations in which organizations may not have fully complied with the law but had not caused actual economic harm. Organizations could then find themselves spending a lot of time and money responding to all the lawsuits.

Fitzgerald, however, said in written testimony that individuals – as well as groups – should be allowed to sue. State and federal authorities have limited ability to detect and respond to violations, so relying solely on them risks giving organizations a sense of impunity.

Shoshana Zuboff, professor emeritus at Harvard Business School and author of The era of surveillance capitalism, said during his testimony that prosecutions are important to ensure that legislation evolves to better meet the needs of society. They make it possible to probe and adapt policies.

“What the private right of action does is create the opportunity … to really bring issues to the justice system to have those issues explored and set precedents,” Zuboff said. “It’s called the ‘life of the law’ – how the law evolves and how we can move forward in this century, not just with laws frozen in time, but with laws that evolve.”

Comments are closed.