A lot has changed in the data privacy space since members of the Senate Committee on Commerce, Science, and Transportation held a hearing last December to discuss the urgent need for federal privacy legislation in the United States. The coronavirus pandemic has brought about concerns over remote cyber-security and contact tracing, the EU-U.S. Privacy Shield has been invalidated, and the Trump administration’s war against popular social media app TikTok has put the safety of U.S. citizens’ data in the spotlight perhaps more than ever before.

Yet, as the Senate Committee met Wednesday to “Revisit the Need for Federal Data Privacy Legislation,” as their session was essentially titled, the country is no closer to putting a law in place. One of the witnesses testifying, former Chairman and Commissioner of the Federal Trade Commission Jon Leibowitz, summed this up aptly in his opening remarks.

“In January 2019, Mr. Chairman, you invited several of us to appear before this Committee to speak about the need for federal privacy legislation,” said Leibowitz. “There were at least 40 staffers in the room from both sides of the aisle and, after our discussion, most of us walked out optimistic that there would soon be a federal privacy law to give all Americans greater control over their data.

“… I felt the same way when I testified before the Committee in a more formal setting the next month, and even more so at the end of last year when the leaders of this Committee, as well as your counterparts in the House, each released very substantive, thoughtful privacy bills. Unfortunately, nearly two years later, our shared goal remains unfulfilled, and consumers lack multiple safeguards as a result.”

“There is a sort of healthy competition among members on both sides of the aisle that has been fruitful in the sense that I think we’ve got a lot of very good ideas, but we’re sort of on a razor’s edge between that competition being fruitful and that competition preventing us from enacting legislation.”

Sen. Brian Schatz (D-Hawaii)

Don’t continue holding your breath, Commissioner. Wednesday’s hearing, though informative with regard to several areas of privacy legislation, did not include any action steps to take. Discussed was a new bill, introduced by Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and three of his colleagues last week, that would empower the FTC to hold businesses accountable regarding the use of consumer data, but the meat of the legislation is similar to the growing pile proposed by numerous other lawmakers over the last year.

“While all of us seem to want to talk about our bills … none of this will work unless we can figure out a solution that brings us all together,” Sen. Jerry Moran (R-Kan.) remarked at one point of the hearing.

“There is a sort of healthy competition among members on both sides of the aisle that has been fruitful in the sense that I think we’ve got a lot of very good ideas, but we’re sort of on a razor’s edge between that competition being fruitful and that competition preventing us from enacting legislation,” echoed Sen. Brian Schatz (D-Hawaii).

Among the areas of potential legislation that received the most attention Wednesday were whether a federal law should preempt state laws and how to go about defining private right of action. Witness Xavier Becerra, overseer of the California Consumer Privacy Act (CCPA) as the state’s Attorney General, unsurprisingly had a lot to say on the former.

“As you consider enacting a federal digital privacy law, give us a playbook, but don’t preempt smart, nimble privacy protections that let states meet the varying challenges coming at us,” said Becerra during his remote testimony.

“I urge you to favor legislation that sets a federal privacy protection floor, not a ceiling.”

The rest of the witness panel, comprised of all former FTC commissioners, leaned more toward the idea of a federal privacy law trumping the states.

“We aren’t talking about simply having a federal law in California,” noted former FTC Commissioner and Acting Chairman Maureen Ohlhausen via a remote feed. “What we’d have is a federal law, California, and a multitude of other states. So I think one of the issues here is the idea that as good and as strong as the California law may be, when we’ve got multiple other states it creates this confusion and complexity about which law controls.”

“There is the risk that another state law that’s over and above a strong federal law would require companies to all comply with that if they’re operating in that economy,” added Julie Brill, a former FTC commissioner and current chief privacy officer at Microsoft.

Looking beyond the CCPA, also discussed at the hearing was the European Union’s General Data Protection Regulation (GDPR), which applies to many businesses in the United States that have operations and customers overseas. Several senators took shots at the law as not working as intended, but William Kovacic, a former chairman and commissioner of the FTC, said interestingly at one point, “There’s a chance if we do not adopt a national privacy law of our own that reflects the deliberations of this committee … we will get a national privacy policy, and it will be called the GDPR. That will be it.

“Do we want our national privacy policy to be the product of a decision made by a thoughtful foreign government … without the contribution of the national legislature to formulate our own distinctive collective judgment about these issues?”

Privacy law ‘necessary’ in the wake of Privacy Shield ruling

The invalidation of the EU’s Privacy Shield in July is something the United States has not yet fully addressed. The Court of Justice of the European Union ruled U.S. surveillance laws clashed with the protections afforded to EU citizens under their privacy regime in a case referred to as “Schrems II.”

Creating a national privacy law would help clear up that discrepancy, witnesses at Wednesday’s hearing agreed.

“Passing a federal privacy law will not be sufficient to address Schrems with respect to all the issues the court has raised, but it will be necessary … to help the Europeans understand the way in which we do protect privacy in a much more clear way,” noted Brill.

“The skepticism that many Europeans bring to the evaluation of our own privacy regime … is diminished if the steps that you and your colleagues are contemplating are taken,” said Kovacic. “With the new framework in place … that skepticism and concern diminishes significantly, and we look like a regime that they can respect.”