By: Andrea Little Limbago
A quick glance at prominent press releases and opinion pieces, not to mention some new ad campaigns, demonstrates big tech’s push to reshape the privacy discussion in the United States. This shift away from self-regulation and in favor of federal data privacy legislation has rapidly evolved over the last year. However, a lot of this shift continues to occur due to the increase of privacy discussions on the Hill following unauthorized data access and breaches. These hearings have largely remained under the radar, but highlight the growing public interest and concerns over the way data is secured, accessed, and shared. In fact, the broad cross-section of committees discussing privacy demonstrates how data privacy and security permeate all facets of modern life.
Below are a few recent hearings and testimonies that cover everything from the recent Marriott and Equifax data breaches to the business impact of the General Data Protection Regulation (GDPR) and the upcoming California Consumer Privacy Act (CCPA) that goes into effect next year. While the committees reflect a diverse range of interests, they all have in common the growing nexus of security and privacy and debate the need for, and core components of, a U.S. federal data privacy regulation.
Hearing: Policy Principles for a Federal Data Privacy Framework in the United States
Committee: Senate Committee on Commerce, Science, and Transportation
Date: February 27, 2019
Representatives from major trade associations, such as the Retail Leaders Association and the Interactive Advertising Bureau, along with Northeastern Professor of Law and Computer Science Dr. Woodrow Hartzog, discussed the range of security and privacy risks consumers encounter. As U.S. Sen Roger Wicker (R-Miss) noted, “It is the committee’s responsibility and obligation to develop a federal policy standard to protect consumers without stifling innovation, investment, or competition.” This is an essential balance, and too often federal data privacy legislation is portrayed as an innovation killer instead of enhancer. While the witnesses eventually acquiesced that the CCPA should provide a baseline, not a ceiling, for a federal law, many other comments more closely resemble a preemption strategy. Preemption has become a major talking point as those opposed to privacy regulations seek to water down and lower existing or proposed state laws. During this hearing, it was noted that over 90 privacy laws are under consideration across state capitols, which has helped elevate and prioritize the discussion at the federal level.
Hearing: MISSION Critical: Assessing the Technology to Support Community Care
Committee: House Committee on Veterans’ Affairs
Date: April 2, 2019
As part of an oversight hearing, technology executives from the Department of Veterans Affairs (VA) discussed progress toward fulfilling the intent of the MISSION (Maintaining Internal Systems and Strengthening Integrated Outside Networks) Act in helping improve veterans access to quality healthcare. The MISSION Act is one of many modernization efforts at the VA and incorporates a broad range of training and education components. Technology modernization is often integral for success in these initiatives. Throughout the hearing, both representatives and witnesses debated the digital transformation required to further augment veterans’ services. As part of enhanced coordination capabilities for referral and authorization care, Virtru was mentioned as a secure method for exchanging health information. Like many organizations, VA mission success requires both secure data as well as data portability and collaboration; Virtru was listed as a core technology for helping both protect and share data. While the MISSION Act, not privacy, was the core topic, this is a useful example to highlight how privacy and security are mission-critical toward achieving innovations and customer support.
Hearing: Protecting Consumer Privacy in the Era of Big Data
Committee: House Committee on Energy & Commerce; Consumer Protection and Commerce Subcommittee
Date: February 26, 2019
Big data is one of those buzzwords that was originally shrouded in optimism until use case after use case demonstrated the necessity for privacy and security when considering big data solutions. Chairman Frank Pallone, Jr (D-NJ) summarized the overarching theme of the hearing in noting, “It is time that we move past the old model that protects the companies using the data, not the people.” In discussing these new models and approaches, the witnesses described how privacy-preserving technologies can promote competition and innovation, and argued against the false trade-off between convenience and privacy. Of course, concerns over potential negative effects of regulation were referenced, but most acknowledged the current tipping point where consumers are demanding greater protections. Many of the witnesses also highlighted how countries across the globe are moving ahead in their privacy and security regulations, and that the U.S. should take lessons learned from some existing legislation but also provide that necessary leadership in global privacy and security.
Hearing: Examining Private Sector Data Breaches
Committee: Senate Homeland Security and Governmental Affairs
Date: March 7, 2019
The Equifax breach and Marriott breaches, and their roughly 143 and 383 million compromised records respectively, took center stage in an oversight hearing on security practices. In addition to the interrogation of the corporation executives, several witnesses provided insights into courses of action to prevent such breaches. These included the evolving role of the FTC to address consumer concerns over privacy as well as what people, processes, and technologies should comprise ‘cyber defense’. With security and privacy overlapping throughout the hearing, these breaches and the solutions put forth demonstrate the overlapping nexus of security and privacy, a trend that is only likely to continue given the range of unauthorized data access breaches and compromises.