Tech executives say they want data privacy legislation without strongest regulations

Lawmakers grilled executives from technology companies, who said Wednesday that they supported legislation for privacy regulation but often dodged backing specific policies. 

The Senate Commerce Committee hauled in representatives from Twitter, Amazon, Google, Apple, AT&T and Charter to question their privacy practices and what type of new consumer data regulations they’re open to.

Executives from the companies were often quick to agree, or offer a “qualified yes” to broad commitments of support for new privacy legislation and increased government regulation regarding data privacy, but demurred when pressed for details on what they would support.

When representatives did specify, they said they want some of the strongest provisions, like a mandatory opt-out for data collection, to be excluded from the hypothetical legislation.

During Sen. Amy Klobuchar’s (D-Minn.) line of questioning each internet company in attendance agreed that they supported data privacy legislation, but largely declined to agree to specific details she put forward.

When she asked if they would be interested in a 72-hour public notification requirement in the wake of cybersecurity breaches, each declined.

And Google and Twitter chose to tout the work they did to simply their user agreements when asked if they would support requirements for more basic language in user agreements

Sen. Brian Schatz (D-Hawaii) argued specific updates were needed to give the Federal Trace Commission teeth to regulate the internet and telecommunications companies — a point executives said they would consider, but did not firmly agree to.

Schatz pointed out that currently, the FTC can only penalize companies after it establishes consent decrees with them, instead of immediately penalizing them for violating regulations.

“There is no economic consequence for violating existing rules or statutes on privacy,” he said, calling it “absurd”. “Only if you violate that consent decree is there the authority to fine.”

Google’s chief privacy officer, Keith Enright, declined to agree but said “we certainly would be interested in engaging in a conversation about what an extension of [the FTC’s] authority would look like and what the proper contours might be,” expressing a sentiment shared by the other executives testifying.

But each agreed that they would prefer national privacy legislation that would require federal law to preclude state law to avoid a “patchwork” of regulatory hurdles that vary from state to state.

They also said new regulations should avoid being as onerous as the new General Data Protection Regulation (GDPR) regulations imposed in Europe.

Len Cali, Senior Vice President Global Public Policy at AT&T, expressed concern that the new rules were “strengthening incumbent” internet players in Europe by boxing out smaller ones that could not afford to afford to comply with the new regulations.

And each executive, except Charter’s Rachel Welch, said that they did not want a default “opt-in” option for consumers to agree to have their data collected, out of concern that it would disrupt functions of their apps that automatically collect some users’ data.

California’s new privacy law was frequently referenced during the hearing, features a mandatory opt-out option that lets users decline share data with tech and telecom companies.

Though the executives tried to stick to their preplanned scripts, lawmakers were able to pull some new details from them.

Enright confirmed to Sen. Ted Cruz (R-Texas) that Google does indeed have a “Project Dragonfly” but did not confirm the details of what the project entails, despite Cruz’s probing.

“I am not clear on the contours of what is in scope or out of scope for that project,” Enright said declining to link the project to reports that said Dragonfly is a code name for a search engine Google is developing to comply with Chinese privacy and censorship laws.

The product has earned Google intense scrutiny, both within its own ranks from frustrated employees and with lawmakers like Cruz, Sen. Marco Rubio (R-Fla.) and Sen. Tom Cotton (R-Ark.).

The three have questioned why Google is reportedly working with China despite the company saying it would end its contract with the Pentagon.

The next step following the hearings is to draft and ultimately pass privacy legislation that both Republicans and Democrats are willing to agree on, though a specific timeline for this remains to be seen.

“The question is no longer whether we need a federal law to protect consumers’ privacy,” said Committee Chairman Sen. John Thune (R-S.D.) during the hearing. “The question is what shape that law should take.”