Tech companies push for national privacy framework

Amid headline-grabbing breaches and exposés on shady data sharing practices, technology giants—Google, Facebook, Apple, and Amazon among them—seem resigned to the fact that national data privacy laws and regulations are in the offing.

While they await congressional action on that issue, a strategy has emerged: Let trade associations tackle much of the public-facing policy pushing; and support federal legislation to the degree it can reduce the confusion and compliance burden of state-by-state regulation.

In testimony, Web posts, and correspondence, there also seems nearly universal agreement that the Federal Trade Commission should continue to serve as the lead U.S. regulator for data privacy. The sincerity of that demand, however, is undermined by objections to giving that agency expanded tools, enforcement authority, and a less hamstrung ability to fine companies.

Some corporate leaders are more outspoken than others. Apple CEO Tim Cook recently described privacy as “a fundamental human right.” Unlike others who see it as too prescriptive and restrictive, he said that his company supports a U.S. data protection law that mirrors Europe’s General Data Protection Regulation.

Microsoft CEO Satya Nadella has similarly urged the promulgation of national privacy legislation.

“We will respect your local privacy laws and fight for legal protection of your privacy,” he wrote on Microsoft’s Website, addressing the company’s data privacy policies.

Brendan Eich, former CEO of Mozilla who now holds that title at Brave Software, lobbied members of the Senate Commerce Committee for “GDPR-like standards” in the United States.

“I view GDPR as a great leveler,” he wrote in a letter to senators. “[It] establishes the conditions that can allow young, innovative companies [like ours] to flourish.”

As regulators broaden their enforcement of the new rules in Europe, the GDPR’s principle of “purpose limitation” will prevent dominant platforms from using data that they have collected for one purpose at one end of their business to the benefit of other parts of their business in a way that currently disadvantages new entrants.

“In general, platform giants will need ‘opt-in’ consent for each purpose for which they want to use consumers’ data,” he explained. “This will create a breathing space for new entrants to emerge.”

There is also an international angle to consider for domestic lawmakers.

In the coming months and years, common GDPR-like standards for commercial use of consumers’ personal data will apply in the EU, Britain (post-EU), Japan, India, Brazil, South Korea, Argentina, and China, for civil and commercial use of personal data. “A common standard reduces friction and uncertainty, allowing companies from these countries to operate and innovate together with greater efficiency,” he wrote. 

During a September hearing convened by the Senate Commerce Committee, top technology and communications firms were called upon to testify on data privacy.

Rachel Welch, SVP for policy and external affairs at Charter Communications, was among those supporting “a single national standard that protects consumers’ online privacy regardless of where they live, work, or travel.”

“Whether a consumer’s information is adequately protected should not differ based on which state he or she is logging in from,” she said. “A patchwork of state laws would be confusing for consumers, difficult for businesses to implement, and hinder continued innovation on the internet—which is a borderless technology.”

Google is among the companies that has published a proposed framework for data-protection legislation on its corporate Website.

“Industry accountability programs and safe harbors can incentivize best practices, particularly in providing more flexible approaches to dealing with evolving technologies,” it wrote. “Also, enforcement and remedies should be proportional to the potential harms involved in the violation.”

Google pushed back against the extra-territorial application of privacy regulations.

“It unnecessarily hampers the growth of new businesses and creates conflicts of law between jurisdictions,” it warned. “Small businesses shouldn’t have to worry about running afoul of foreign regulators merely because a few people from another country navigate to their Website or use their service.”

As for the trade associations, they are actively promoting various data privacy frameworks with hopes that the tech industry can more effectively shape the regulations to come.

“A patchwork of state laws would be confusing for consumers, difficult for businesses to implement, and hinder continued innovation on the internet—which is a borderless technology.”

Rachel Welch, SVP for Policy and External Affairs, Charter Communications

In October, the Information Technology Industry Council released its “Framework to Advance Interoperable Rules (FAIR) on Privacy.” Among its members are Apple, Adobe, Amazon, IBM, Twitter, Facebook, Dell, and Dropbox.

“Consumer trust is a key pillar of innovation, and our industry must do everything we can to deepen that trust and meet consumers’ expectations when it comes to protecting their privacy and personal data,” says Dean Garfield, president and CEO of ITI.

He expects that the document will continue to take shape as his association works “alongside lawmakers and consumers to develop meaningful privacy legislation.”

Among the goals, Garfield says, is creating alignment with the privacy protections of other privacy regimes across the globe.

The ITI framework “can serve as a model for governments worldwide and a workable alternative to a patchwork of laws that could create confusion and uncertainty over what protections individuals have,” he said.

Companies, it says, should make it clear to consumers how their personal data will be used; how long it will be retained; and whether it may be accessed by or transferred to third parties.

The U.S. Chamber of Commerce has also published a series of “privacy principles.” The Chamber, like others, supports a nationwide privacy framework that preempts state regulation.

“Consumers and businesses benefit when there is certainty and consistency with regard to regulations and enforcement of privacy protections,” it wrote. “They lose when they have to navigate a confusing and inconsistent patchwork of state laws.”

The document also stresses that privacy protections should be “risk-focused and contextual.”

“Data controls should match the risk associated with the data and be appropriate for the business environment in which it is used,” it says.

Other highlights:

• Privacy laws and regulations should not include mandates that require businesses to use specific technological solutions.
• A national law should include safe harbors and other incentives to encourage “the development of consumer-friendly privacy programs.”
• Enforcement provisions should only apply where there is concrete harm to individuals.
• Congress should adopt policies “that promote the free flow of data across international borders.”

Also jumping into the fray is the Internet Association, which counts Google, Amazon, eBay, and Facebook among its members.

A U.S. standard should “protect individuals and their personal information through clear notifications, define a harm-based trigger for notification to avoid notice fatigue, and allow companies flexibility in how they notify individuals of unauthorized access to their personal information,” it wrote.

A national framework should also be both technology neutral (no specific technology mandates) and sector neutral (applying to online and offline companies alike), it added.