The Senate Commerce Committee held a hearing this morning titled "Privacy and Data Security: Protecting Consumers in the Modern World" intended to examine Committee Chairman Rockefeller's Do-Not-Track Online Act, Senator Kerry's Commercial Privacy Bill of Rights Act, and Senator Pryor's Data Security and Breach Notification Act.
Chairman Rockefeller introduced the hearing by stressing the need for legislation:
"Poll after poll shows that Americans are increasingly concerned about their loss of privacy; and those same polls show that Americans don’t know what to do about it. It is my intent to change that. I want ordinary consumers to know what is being done with their personal information, and I want to give them the power to do something about it."
Senator Pat Toomey (R-PA) retorted that, “I think we need to thoroughly examine this issue and make sure we don’t make a solution in search of a problem.... I’m not sure we’ve considered the unintended consequences that would come from this legislation.”
Cameron F. Kerry, general counsel of the Department of Commerce, testified that the Obama Administration generally supports the approach of Senator Kerry's comprehensive privacy bill and Senator Pryor's data security bill, because “Privacy is a key ingredient for sustaining consumer trust, which in turn is critical to realize the full potential for innovation and the growth of the Internet.” He said that both bills’ approaches will help the U.S. (and his Department) in seeking "interoperability and harmonization" with the European Union's data privacy regime.
Federal Trade Commission (FTC) Commissioner Julie Brill warned in her testimony that:
“the aggregation of data in both the online and offline worlds have in some instances led to increased opportunities for fraud. For instance, entities have used past transaction history gathered from both the online and offline world to sell “sucker lists” of consumers who may be susceptible to different types of fraud. In both the online and offline worlds, data security continues to be an issue.”
While the FTC has not taken positions on any particular bills, she said that the agency favors legislation “that would (1) impose data security standards on companies, and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.” Addressing the issue further, she said that, “companies can definitely do more in the area of data security” and “we're never going to be able to catch all the criminals”, so governments need to ensure companies improve their defenses.
When pressed by Chairman Rockefeller, Commissioner Brill admitted her approval that the data security bill would give the FTC extra powers necessary to improve the privacy practices of private companies. In particular, she felt that the “civil penalty authority … will incentivize companies to improve their practices before they ever have to deal with us.”
Chairman Rockefeller then turned to do-not-track, complaining that no one is honoring consumers’ online do-not-track requests: “Can the FTC take action against companies that do not honor such requests?”
Commissioner Brill responded that the agency could take action, “if the company promises to honor such request and they violate that promise.” But if the companies don't make such a promise, “then our jurisdictional test is harder to meet.”
Senator Kerry focused his concerns on the rationale for a data privacy bill, since Senator Pat Toomey had questioned whether there was actually any harm in need of redress: "So, what is the harm? Is there a harm? Is it imperative to have a national response?"
Commissioner Brill contended that the harm was, "Consumers are very unaware of what is happening with their information".
Senator Kelly Ayotte questioned what the role of the Department of Commerce would be in data privacy and data security, asking the Department’s Cameron Kerry if the Department would be involved in enforcing new laws. Cameron Kerry responded that the FTC would continue to be the enforcement body and that the Department of Commerce would serve in the role of "convener" and to give the White House a voice in the debate.
Senator Ayotte also asked the witnesses if the enforcement mechanisms for a do-not-track registry would work and if they had any concerns that it could actually “take away some of the tools that consumers have?”
Commissioner Brill responded that do-not-track would not be a registry, but a "technological solution", preferably enforced strongly by self-regulation, but by government if necessary. “Those that receive do-not-track requests should honor them, and that is what we want to see happen.”
She said, “My view is that consumers will have much more trust in what is happening on the Internet if they understand they have control and choice…. I don't expect people to opt into this system, but it will engender a huge amount of trust which will cause the industry to thrive even more.”
Commissioner Brill further lamented that, while the FTC wants industry to do this for itself, the response has been "slow" and expressed worries that “we might not be able to get all the way there because of the way the industry is structured… Unless we get them to sort of uniformly agree to honor consumer requests, I’m not sure the self-regulatory approach can work.”
Senator Amy Klobuchar asked Cameron Kerry if a “global standard” was a good idea for privacy. He responded that the U.S. wants “global interoperability,” so bringing privacy standards together is important.
The question and answer period was short and the second panel of witnesses were given only a few minutes to make their statements before the hearing was gaveled to a close (there was a lengthy series of votes pending on the Senate floor).
Stuart Pratt, President and CEO, Consumer Data Industry Association (CDIA), noted the need for "a true national standard for American businesses" in data security, but begged the Committee members not to "co-mingle privacy concepts" by using data security legislation to tackle privacy issues.
Ioana Rusu, Regulatory Counsel for Consumers Union, shared her organization’s support for Senator Kerry’s data privacy bill, though they feel that the FTC needs more leeway to modify and expand the bill. Consumers Union also endorsed Chairman Rockefeller’s do-not-track bill, noting that “public support is particularly high at this moment” for such an approach.
Just yesterday, Consumers Union released the results of their own public opinion survey of 1,007 households last month, which they claimed found that over 80 percent of respondents wanted the ability to opt out of Internet tracking. The study, like many similar to it, should perhaps be taken with a grain of salt considering another recent research study on privacy, which will be presented by Google at a symposium in Pittsburgh in July:
“The emotional aspect of privacy makes it difficult to evaluate privacy concern, and directly asking about a privacy issue may result in an emotional reaction and a biased response. This effect may be partly responsible for the dramatic privacy concern ratings coming from recent surveys, ratings that often seem to be at odds with user behavior. In this paper we propose indirect techniques for measuring content privacy concerns through surveys, thus hopefully diminishing any emotional response.”
Tim Schaaff, President of Sony Network Entertainment International, stressed that laws and common sense require companies to investigate breaches BEFORE making statements and notifications and expressed his fear that the data security legislation might violate that axiom. His focus made sense given the recent series of high profile data security breaches suffered by Sony’s video gaming network.
Tom Lenard, President and Senior Fellow at the Technology Policy Institute, pointed out that the privacy debate has produced little systematic data on privacy practices and that the best empirical data is from 2001. "Without substantially better data and analysis, there is no way of knowing with any confidence whether proposals currently under consideration will improve consumer welfare," he testified.
Scott Taylor, Vice President and Chief Privacy Officer, Hewlett-Packard (HP), spoke last, noting a “convergence of technology, trust, and privacy”. In reiterating HP’s support for Senator Kerry’s data privacy bill, Mr. Taylor relayed that, “As more and more services are delivered through multiple parties, such as applications on mobile devices, a consistent baseline standard will strengthen the chain of accountability and unify the divergent regulations currently in existence.”