Chairman Crapo Repeats Call for Banking Involvement on Privacy Bill
Committees need to collaborate on privacy legislation to ensure there aren’t sectoral inconsistencies, Senate Banking Committee Chairman Mike Crapo, R-Idaho, told reporters Tuesday. His post-hearing comments again sought financial sector involvement as Senate Commerce Committee privacy talks continue (see 1904040073).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Meanwhile, Sen. Jerry Moran, R-Kan., met with Facebook Chief Operating Officer Sheryl Sandberg Tuesday, an aide said. A company spokesperson said Sandberg was in Washington for regulatory framework discussions with policymakers, but the trip didn’t concern the FTC. She was also expected to meet with civil rights groups, the company said.
Also Tuesday, Sens. Mark Warner, D-Va., and Elizabeth Warren, D-Mass., reintroduced legislation. It would provide consumer compensation for data breaches, mandatory penalties for credit reporting agencies and granting the FTC “more direct supervisory authority” over CRAs.
Crapo said Banking isn’t planning to deliver separate legislation for the financial sector, but the question is whether the U.S. should continue its sectoral approach. If it does, lawmakers need to collaborate, he said. He declined to endorse Warner’s bill. He said, “The notion that we need to go further in this area and that the enforcement portion of our law may need to be beefed up, I do think, is probably correct.”
The FTC “has been asleep at the switch” on data breaches like Equifax and Facebook, Warner told reporters. He said industry regards sloppiness as the “cost of doing business.” Warner’s also working on a bill on data portability, the right to know about collection and the value of consumer data for platforms like Facebook and Google: “If you had those valuations out there, new companies might be able to come in and disintermediate.” Warner cited his bill with Sen. Deb Fischer, R-Neb., dealing with dark patterns (see 1904090084). Dark patterns refer to deceptive user interfaces platforms allegedly use to manipulate consumers into sharing personal data.
Banking’s data privacy hearing featured testimony from Pinboard founder Maciej Ceglowski, German Marshall Fund Senior Fellow Peter Chase and PwC Privacy and Consumer Protection Leader Jay Cline. The lesson from Equifax is that there’s no punishment for blatant incompetence, Ceglowski testified. The EU’s general data protection regulation is a good example of a law with teeth to address companies without regard for consumer data protection, he said, describing his business as small.
Ceglowski countered arguments from big tech against heavy-handed regulation like the GDPR. Cline argued during the hearing against the GDPR’s 72-hour breach notification requirement. Sometimes, there are more questions than answers within 72 hours of a breach, he said. Cline said many companies are asking if the GDPR is going to become the default, global standard, saying many financial sector companies are preparing for that scenario. Ceglowski urged strict limits on industry data retention and greater information on how algorithms are affecting society.
Ceglowski conceded a law like the GDPR isn’t a panacea, saying it doesn’t fully address the issue of data brokers. Crapo cited data brokers as a major issue, saying it’s difficult for consumers to consent to their practices when they don’t deal directly with the brokers: “There’s not very obvious consent.”
The GDPR recognizes direct marketing is useful, but it doesn’t create a lot of flexibility to opt out of personalized advertising, Chase said, noting he spent about 25 years working on economic relations between the U.S. and the EU. He lauded the GDPR’s requirements for consent in specific uses of data collection and sharing. This unambiguous consent means companies can’t bundle permissions, helping cut out data brokers, he said.
Cambridge Analytica is an example of how a “big pile” of seemingly harmless data can be used for very harmful purposes, ranking member Sherrod Brown, D-Ohio, said. He also raised concerns about how targeted online ads contribute to the decline of print journalism. Ceglowski agreed, saying as targeting has shifted to individuals, it’s ultimately Facebook and Google that benefit.
If the KGB had the data tools of Facebook and Google, the Soviet Union would have endured, Warner said during the hearing. Many consumers view these services as free, but he described platforms as “giant” sucking machines, extracting the data out of U.S. citizens. Data portability is difficult under an oligopoly, Ceglowski said, arguing Facebook will finds ways to extract data regardless of portability. “My necktie is better regulated than my entire industry,” he said.
Unless companies take a significant financial hit during a breach, there’s no incentive to invest in cybersecurity, Warren said, citing her bill as a solution. The FTC and Consumer Financial Protection Bureau have done “nothing” to deter such behavior, she said. She also blamed Equifax for not following “best practices.” Sen. Kyrsten Sinema, D-Ariz., criticized Congress for not doing anything to tighten the Fair Credit Reporting Act. At the conclusion of the hearing, Crapo said, unlike on other issues on Capitol Hill, there’s enough broad agreement on this to reach consensus.