As Congress continues to assess what a U.S. response to the European Union's data protection law would look like, several lawmakers expressed interest in collaborating on a bipartisan solution during an Oct. 10 Senate Commerce Committee hearing.
A series of high-profile data breaches this year at companies like Facebook Inc. as well as new privacy laws in Europe and the U.S. state of California is prompting inquiries on Capitol Hill about crafting a U.S. federal privacy standard. Many U.S.-based technology companies already must comply with new EU rules enacted in May, and some technology leaders have testified that they would rather see the U.S. enact a federal privacy standard than be forced to comply with a patchwork of laws that could roll out on a state-by-state basis.
At the Oct. 10 hearing, several senators appeared to be mulling the outlines of a federal privacy bill. Sen. John Thune, R-S.D., the Senate Commerce Committee chairman, is reportedly planning to introduce a privacy bill in 2019.
"We all must endeavor to keep open minds about the contours of a bipartisan bill," Sen. Thune said at the hearing. "A national standard for privacy rules of the road is needed to protect consumers."
Europe's General Data Protection Regulation, or GDPR, is a series of rules and privacy laws designed to strengthen the protections around how EU citizens' data is collected, stored and managed. It requires companies to obtain unambiguous affirmative consent from a user before collecting or processing the user's personal data, among other provisions. Similarly, California's law, which goes into effect in 2020, will give customers the right to know why companies are collecting information about them and which third-party entities have access to that data. It also provides consumers the ability to opt out from the sale of their personal data.
Sen. Ed Markey, D-Mass., said that a federal privacy solution should provide consumers with information about when their data is being used or stored, notify them when their data is compromised and offer them the ability to deny unwanted data collection.
"The bill should prohibit companies from giving financial incentives to users in exchange for their personal information," he said.
While technology executives have cautioned that a patchwork of state laws would be detrimental to their businesses, some consumer advocates argue that any federal legislation should set minimum standards for consumer data privacy without stopping states from pursuing more stringent standards.
"New federal legislation should establish a floor, not a ceiling for privacy — thus allowing states to continue to pass stronger laws on their own," said Laura Moy, who serves as executive director at the Center on Privacy and Technology at Georgetown Law, in written testimony.
Sen. Richard Blumenthal, D-Conn., who serves as ranking member on the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, said that he's already working on crafting a bipartisan bill that would take that approach.