Tech companies really don’t want a US version of Europe’s privacy law – CNET


Tech companies went to Capitol Hill on Wednesday to discuss a potential federal privacy law.


The United States’ privacy regulations shouldn’t be anything like Europe’s, tech giants argued on Wednesday.

During a hearing before the Senate Committee on Commerce, Science and Transportation, members of Congress heard six tech companies discuss what they want in a federal privacy law.

Lawmakers are still crafting a potential data privacy bill, but multiple senators indicated that tech companies might not like what they see.

Momentum has been building for a federal data privacy law as public concern over data abuse has reached a boiling point. State laws to protect data privacy have already passed, such as California’s Consumer Privacy Act, the toughest so far.

Threatened by the potential of more such state laws, tech companies are working with federal lawmakers in the hopes of being able to influence future laws. The hearing on Wednesday was a public opportunity to tell senators what’s on Silicon Valley’s wishlist.

What Silicon Valley wants

Representatives from AT&T, Amazon, Google, Twitter, Apple and Charter Communications talked about three key points in their frameworks for potential data privacy legislation: pre-empting state laws, promoting privacy on their terms, and most important, preventing another General Data Protection Regulation, which went into effect in Europe last spring. 

Referencing the GDPR and California’s law, AT&T Senior Vice President of Global Public Policy Len Cali said, “What we’re urging is a comprehensive federal law that looks at both these laws, learns from them, but does better than them.”

The European Union’s GDPR lays out strict guidelines for tech companies to follow, like opt-in standards, 72-hour breach notifications and fines when companies violate privacy rules.  

Most of the tech companies at the hearing took issue with the GDPR’s standards, asking for a watered-down version of the regulation for the US’ privacy law.

No company agreed with breach notifications within three days, and no company wanted to expand the Federal Trade Commission’s power to enforce privacy violations. Only Charter Communications was in favor of opt-in consent, where you have to agree before companies can collect your data.

Bud Tribble, Apple’s vice president for software technology, warned that opt-in consent could be more of a burden than a privacy improvement.

“Every time I turn around, I’m getting asked to approve cookies,” Tribble said. “I think there’s some risk of going overboard here.”

Google Chief Privacy Officer Keith Enright told Sen. Mike Lee, a Republican from Utah, that to be compliant with the GDPR, the search engine giant spent “hundreds of years of human time” and “orders of magnitudes higher” than millions of dollars.

Enright raised concerns that though Google had the resources to do that, smaller businesses might not be able to do the same.

What Capitol Hill wants

While tech companies don’t want a version of the GDPR coming to the US, senators questioned why these strict privacy standards should not be imported — especially if so many of the companies testifying are already compliant.

“You’re living with them. No undue hardships,” said Sen. Richard Blumenthal, a Democrat from Connecticut. “The opposition that you’ve expressed to these rules — recognizing that the devil may be in the details — is one that can nonetheless accommodate the rules that we’ve seen in the GDPR and in California.”

Senators were also not willing to budge on a federal law that would preempt existing state laws.

Tech companies want this policy in a federal bill because they’re worried that multiple state laws on data privacy would create confusion, as well as a logistical nightmare. Cali told lawmakers that AT&T intends to seek revisions to California’s privacy law, and wants one uniform rule that all states can follow.

“Federal legislation will be of very little help if it becomes the 51st layering on top of 50 state rules. We need a comprehensive but singular privacy framework,” Cali said.

But senators said that the only way a federal privacy law that nullifies state laws would pass is if it were more progressive and robust than state laws that have already passed. Lawmakers are looking for legislation that can stand the test of time and won’t give tech companies an easy pass.

The new rule would have to be stronger than existing state laws, multiple senators said during the hearing.

“I understand that from the standpoint of these companies, the holy grail is preemption. And I want you to understand that you’re only going to get there if this is meaningfully done,” Sen. Brian Schatz, a Democrat from Hawaii, said. “We’re not going to get 60 votes for anything, and replace a progressive California law, however flawed you may think it is, with a non-progressive federal law.”
