High-profile data breaches continue to regularly make news and raise consumer concerns, prompting the White House, Congress, and tech groups to push for a nationwide privacy framework that clarifies privacy protections for consumers and also gives companies less burdensome compliance procedures.
However, with California taking the lead and other states considering new privacy statutes, lawmakers in Washington are eager to get out ahead and create a national standard that works, but isn’t so onerous or stringent that it hinders business growth and innovation.
Rep. Greg Walden (R-Ore.), Ranking Member of the House Energy and Commerce Committee and a vocal proponent of federal data privacy legislation, spoke on this subject at the Bloomberg Law Leadership Forum held on Sept. 18, 2019, in Washington, D.C. He emphasized the need to protect the innovative spirit at the core of internet and tech companies that would be most impacted by such a law.
“I worry a lot about the high cost of federal mandates and the effect that has on innovation,” Walden said. “Microsoft put 1,600 engineers into work to comply with GDPR. If you’re the new, competitive startup to Microsoft, and you’ve got 10 guys in a dorm room, you probably aren’t going to have what you need to comply.”
Though there is consensus in Congress that federal regulations need to be implemented that will establish a national standard for data privacy, Democrats and Republicans are divided on the level of regulation necessary and how those regulations will impact the American business climate.
In reference to Facebook’s recent $5 billion fine levied by the Federal Trade Commission, Walden discussed his intention to avoid overburdening “incredibly creative people that start literally in garages and in dorm rooms, who create worldwide global companies that have enormous magnitude and influence on society and commerce.”
Facebook faces the fine for its involvement with Cambridge Analytica.
Walden warned against allowing for massive fines that could have a disproportionate impact depending on the size of the company.
“Over time, what you intend for the biggest player to be more than a slap on the wrist gets used against a midsize player that practically wipes them out,” he said. “Because once you give that authority and that limit to an agency, you have given up control over that assessment.”
Walden is optimistic that federal legislation will pass this year, referencing good bipartisan discussions and urgency spurred on by the potential for continued action by the states.
Currently, 22 states have data privacy laws in effect. Walden stated the need for this national legislation to preempt enforcement of those state laws. “I don’t see how you have a national standard if you don’t have preemption,” he said.
The California Consumer Privacy Act, which goes into effect January 1, 2020, is the first major piece of modern data privacy legislation. Many believe it will be a standard bearer for how other states handle privacy enforcement.
“We’re waiting to see how the regulations are going to be written on it,” Walden said, “but there are concerns about what it mandates in terms of your right to be forgotten,” and the individual right to control what data is public and what can be hidden or erased.
Legislative action is also motivated – and inspired – by GDPR, which went into effect in May 2018. The legislation established data privacy rights for citizens of the European Union and a uniform set of regulations for companies doing business in Europe.
“I think we should look at what’s worked and not worked in GDPR,” Walden said, stating a concern that “you can go too far where the compliance costs are too high and the threat of damages are too high” and can inhibit innovation. “I think we just need to see how we can get to a national standard that works for all sizes.”