Experts Say That Federal Privacy Law is Necessary, But Can’t Agree on Specifics

WASHINGTON, July 11, 2019 — Congress urgently needs to create a federal privacy law, said panelists at a privacy conference held by the U.S. Chamber of Commerce on Thursday. However, coming to a consensus on the specifics of such a law has been and will continue to be a major roadblock.

Lawmakers have to create a policy that is “sufficiently agile to accommodate new uses of data that none of us can even conceive of right now,” said Ernest & Young Americas Privacy Leader Angela Saverice-Rohan.

Privacy standards are dependent on shifting cultural norms and constantly evolving technology, Saverice-Rohan said, and so Congress should focus on allowing context-dependent consumer choice. To make these choices effective, companies will need to simplify the terms and conditions of their privacy policies.

The current paradigm of legalistic privacy notices doesn’t work, explained Jerry Jones, executive vice president of LiveRamp. Privacy policies should be built with simple, standardized language that gives people clear control over what their data is used for.

Even with such changes, the consumer is a “terrible person to make decisions,” said Chris Calabrese, vice president of policy at the Center for Democracy and Technology. He claimed that most consumers lack both the technical knowledge to make decisions and the market power to influence them.

Instead, he said, the main burden should be shifted to the data processors, and particularly sensitive categories of information like location or biometrics should be strongly protected—to the point of not allowing any secondary use of the data whatsoever.

Calabrese’s suggestion drew criticism from other panelists such as Future of Privacy Forum Vice President John Verdi, who argued that when users affirmatively and aggressively make an informed request for a secondary use of their data, it should be permitted.

Protecting data without considering the uses of that data is flawed thinking, said Steve Rubley, managing director of government at Thomson Reuters. Public records are “absolutely critical” to preventing terrorist attacks before they take place, breaking up sex trafficking rings, and locating abducted children, among other important uses.

An individual’s reasonable right to privacy should be balanced against the significantly increasing societal benefits of sharing that data in careful and responsible ways, Rubley said. Saverice-Rohan agreed that laws should be risk-based, emphasizing the part that the free flow of information has played in important data-driven innovations.

Moreover, she said, laws must represent the technological reality of today. Implementing the California Consumer Privacy Act has proven to be a technical challenge for many companies, and having to deal with disjointed, frequently changing, and sometimes even contradictory sets of rules across the globe requires significant time and resources.

The effort to implement CCPA while the law is still being amended is akin to “building a plane and flying it at the same time, said Hogan Lovells Partner Mark Brennan, and companies are spending as much time trying to understand what the requirements mean as they are operationalizing them.

To avoid similar concerns, the federal privacy law should focus on clarity, said Calabrese. However, panelists agreed that the need for thoughtfulness did not diminish the need for timely action.

Ideally a law would be passed tomorrow, but Congress should at least try to get something on the books before CCPA goes into full effect, said Brennan, adding that the “worst possible outcome” would be waiting until a second state tries to create equally comprehensive legislation.

Brookings Institution Visiting Fellow Cam Kerry agreed, saying that in order for a federal privacy law to work, it must be implemented before more state legislatures adopt laws that make preemption intractable and before partisan positions harden.

(Photo of the Chamber of Commerce #DataDoneRight Conference by Emily McPhie.)