Data privacy advocates from California and the European Union on Oct. 10 defended new legislation designed to protect consumer data in those jurisdictions against critiques that the laws are harmful to technology companies.
The comments came at an Oct. 10 Senate Commerce Committee hearing at which U.S. lawmakers discussed the outlines of potential bipartisan federal legislation to protect consumer data. The new laws in California and the EU, as well as a series of high-profile data breaches this year at companies such as Facebook Inc., are prompting inquiries on Capitol Hill about crafting a U.S. federal privacy standard.
The Oct. 10 testimony included responses to some of the critiques raised by company executives at a September hearing that included representatives from AT&T Inc., Amazon.com Inc., Alphabet Inc.'s Google LLC, Twitter Inc., Apple Inc., and Charter Communications Inc. At the earlier hearing, executives cautioned that adopting elements of laws from California or other jurisdictions could encourage more states to form their own laws, leading to a patchwork of U.S. legislation that would be difficult for businesses to follow.
The California Consumer Privacy Act, or CCPA, which will take effect in 2020, will let consumers know why a company wants to collect their data, and which third-party companies have access to their data, among other provisions.
"CCPA is not anti-business," said Alastair Mactaggart, board chair of Californians for Consumer Privacy, an advocacy group backing privacy reform in the state, in written testimony to the Senate Commerce Committee at an Oct. 10 hearing on consumer data privacy. "It was, on the contrary, written and proposed by businesspeople concerned that regulations were needed."
Mactaggart noted that the law will only apply to large businesses with over $25 million of annual revenue and data brokers buying and selling personal information.
The chief regulator for data privacy in the European Union, Dr. Andrea Jelinek, who chairs the European Data Protection Board, also rejected claims that the EU's General Data Protection Regulation, or GDPR, will bludgeon economic development. Jelinek is charged with overseeing the implementation of the data protection rules across the EU.
The EU's GDPR, which took effect earlier this year, is a series of rules and privacy laws designed to strengthen the protections around how its citizens' data is collected, stored and managed. It requires companies to obtain unambiguous affirmative consent from a user before collecting or processing the user's personal data, among other provisions.
"The GDPR is carefully calibrated so as to not hinder economic development, while keeping in mind the fundamental right of the individuals," wrote Jelinek in prepared testimony. "The European supervisory authorities are not the fining machines we’ve been made out to be by some."
Noncompliance with the GDPR can bring about fines as high as 4% of a company’s annual global revenue, or 2% of the previous year’s global revenue.
But Jelinek said that the frequency with which these types of fines will be levied is overblown in public perception.
"The 2% or 4% numbers that are often reported are maximum ceilings that will only apply to the most serious infringements," she said.
Nevertheless, California consumer advocate Mactaggart sought to differentiate the state's law from the EU's GDPR. In prepared testimony, Mactaggart said that a provision in the EU's law requiring user consent before any processing can take place could be harmful to business, for instance.
"We are concerned that this provision may hurt new entrants to the marketplace," he said.
Mactaggart said California's law offers a better regulatory strategy by giving consumers the option to restrict the sale of their data.