
Summary of Commerce Committee Hearing: Consumer Perspectives

 

 

The Senate Committee on Commerce, Science and Transportation convened a May 1 hearing, “Consumer Perspectives: Policy Principles for a Federal Data Privacy Framework.” This is an important issue for eHI and its members. Key highlights are below, along with links to witness testimony.

Some Important Questions asked by Senators:

  • Under the GDPR, consumers are given the right to see all data that companies collect about them. Will this lead to less privacy for consumers because companies will be less likely to throw away data they are not using?
  • Are there American companies that are having non-compliance issues in the EU in regard to the GDPR?
  • Why is it critical to protect kids’ and teens’ data?
  • If Congress were to enact meaningful legislation, do the witnesses believe that the state Attorneys General should have more power?
  • If the federal government does not pass legislation, will the states pass their own individual legislation?
  • Does the GDPR have a significant effect on jobs?

Experts sharing their views included:

  • Helen Dixon, Data Protection Commissioner, Republic of Ireland
  • Neema Singh Guliani, JD, Senior Legislative Counsel, American Civil Liberties Union
  • Jules Polonetsky, Chief Executive Officer, Future of Privacy Forum
  • Jim Steyer, Chief Executive Officer and Founder, Common Sense Media

Background and Overview

Hearing testimony covered a wide spectrum of stakeholder views and shed light on the complexities of a future, revamped nationwide privacy framework. At the state level, a few states have already developed their own comprehensive privacy frameworks. States that have stepped up to the plate include Massachusetts, Vermont, Washington, and California, the last of which has followed most closely in the footsteps of the European Union (EU).

California recently passed a bipartisan policy framework, the California Consumer Privacy Act of 2018 (CCPA), which will go into effect in January 2020. This is the most inclusive piece of privacy legislation passed in the US to date. A few requirements for covered businesses include (1) giving consumers the right to opt out of any sale of their personal information (PI) to third parties, while individuals under 16 must opt in to the same sales; (2) giving consumers the right to request that businesses delete any PI that is collected about them; (3) prohibiting covered businesses from discriminating against consumers who exercise any of their new privacy rights described in the CCPA; and (4) enabling consumers to request the disclosure of data that is collected about them by a covered business.

Regarding international privacy frameworks, the General Data Protection Regulation (GDPR) of the European Union is one of the most comprehensive collections of privacy provisions globally. Helen Dixon, Data Protection Commissioner, Republic of Ireland, discussed the GDPR at the May 1 hearing. Ireland is home to many larger technology corporations, including Microsoft, Google and Facebook, and so is at the cutting edge of implementation. A few major requirements of the GDPR are familiar rules for covered businesses, such as ensuring that consumers have access to the personal data that the companies in question collect about them. Other requirements are more restrictive, such as requiring all businesses to use a “positive opt-in” process.

Highlights from Testimony Provided by Witnesses:

Critical witness points are highlighted below. Testimony in its entirety is available online HERE.

Ms. Helen Dixon, Data Protection Commissioner, Republic of Ireland

  • Dixon highlighted the basic tenets and structure of GDPR which include:
    • Obligations:
      • The obligations on organizations are set down in a series of high-level, technology-neutral principles:
        • lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability
    • Rights:
      • The right to transparent information;
      • the right of access to a copy of their personal data;
      • the right to rectification, the right to erasure;
      • the right to restriction of data processing, to object to certain processing;
      • the right to data portability with varying conditions pertaining to the circumstances in which those rights can be exercised.
    • Enforcement:
      • the GDPR provides for independent and adequately resourced data protection authorities in each EU Member State to monitor the application of the GDPR and to enforce it.
  • Education:
    • Dixon observed that education about the GDPR law for businesses is critical in implementation, so that companies understand its provisions and know how the law helps them.

 

Ms. Neema Singh Guliani, Senior Legislative Counsel, American Civil Liberties Union

Guliani expressed the ACLU’s views that:

  • Federal legislation should not prevent states from putting in place stronger consumer protections or taking enforcement action.
    • Any federal privacy standards should be a floor, not a ceiling for consumer protection
  • Federal legislation must contain strong enforcement mechanisms.
    • Federal legislation will mean little without robust enforcement;
    • New legislation should grant greater resources and enforcement capabilities to the Federal Trade Commission (FTC) and allow state and local authorities to fully enforce federal laws.
  • Federal legislation should guard against discrimination in the digital ecosystem.
    • Any federal privacy legislation should ensure such prohibitions apply fully in the digital ecosystem and are robustly enforced;
    • Congress should strengthen existing laws to guard against unfair discrimination, including cases where it may stem from algorithmic bias.
  • Federal privacy legislation should place limits on how personal information can be collected, used, and retained.
    • Legislation must include real protections that consider the modern reality of how people’s personal information is collected, retained and used.

Mr. Jules Polonetsky, Chief Executive Officer, Future of Privacy Forum

Polonetsky expressed his organization’s views that:

  • Federal law often leaves much of data protection to the FTC’s Section 5 authority, under which it enforces against deceptive or unfair business practices;
  • Adequately protecting consumers’ health-related or fitness data held by app developers or online advertising companies is an emerging area of need for federal privacy laws;
  • Covered Data and Personal Information Under a Federal Privacy Law
    • Federal law should avoid classifying covered data in a binary manner, as either personal or anonymous.
  • Sensitive Data
    • Federal policy should provide heightened protections for the collection, use, storage and disclosure of users’ sensitive personal information or personal information that is used in sensitive contexts
    • FTC defines sensitive data
    • GDPR’s definition is more expansive than FTC’s
    • Federal legislation should include additional requirements for certain sensitive categories of data
      • For example, if the consumer gives the third-party app the ability to use their data, another set of consents is required to enable information sharing for another purpose or another sale.
  • Research
    • Any new privacy law should be crafted in a way that does not unduly restrict socially beneficial research and that ensures policy makers at the local, state and federal levels continue to have the information that they need to make evidence-based decisions.
  • Internal Accountability and Oversight
    • Federal baseline privacy law should incentivize companies to employ meaningful internal accountability and mechanisms, including privacy and security programs, which are managed by a privacy workforce.
  • Incentives for Technical Solutions
    • Federal privacy legislation should promote the use of technical solutions, including privacy-enhancing technologies.
    • The holy grail for data protection is utilizing technology that can achieve strong provable privacy guarantees while still supporting beneficial uses.
  • Machine Learning
    • A federal privacy law should promote beneficial uses of artificial intelligence (AI) and machine learning (ML).
  • Interaction with Existing Legal Frameworks
    • Federal baseline privacy laws should take into consideration existing legal frameworks.
    • At a minimum, it is important for the United States (US) to protect cross-border data flows by not creating obligations that directly conflict with other existing international frameworks.

Mr. Jim Steyer, Chief Executive Officer and Founder, Common Sense Media

Steyer expressed his organization’s views that:

  • The issues of young children and teens must be carefully considered in any new federal privacy law.
  • New federal laws must go beyond “consent” and include rights to access, port, and deletion of information.
  • Any new federal law must be coupled with consumer education.

Key Committee Member Statements

During the hearing, Senate Commerce Committee leaders and members discussed the following important points:

Chairman Roger Wicker (R-MS)

  • Consumer data has tremendous societal benefits as well. In a world of “big data” where physical objects and processes are digitized.
  • Reports of data breaches and data misuse underscore how privacy risks within the data-driven economy can no longer be ignored.
  • The increased prevalence of privacy violations threatens to undermine consumers’ trust in the Internet marketplace. This could reduce consumer engagement and jeopardize the long-term sustainability and prosperity of the digital economy.
  • Fundamental to providing truly meaningful privacy protections for consumers is a strong and consistent federal law.

Ranking Member Maria Cantwell (D-WA)

  • We need to build a culture that keeps consumers’ data safe but allows businesses to grow.
  • The Internet is a global network that will always be vulnerable to outside threats.
    • The US needs a new policy framework to deal with these outside threats and to work with international partners on compatible and effective worldwide privacy frameworks.
  • The culture of monetizing our data should be balanced with data protection.

 

Highlights from the Q&A

Federal Framework

Senators asked the panelists many questions that revolved around what should be included in the proposed federal framework. Each panelist had their own major push for inclusion. Mr. Steyer would like to see consumer education for children and families. Ms. Dixon believes the framework should include the fundamental right of consumers to have their data protected. Ms. Guliani maintains that consumers should be protected from discrimination. She believes that because it is so difficult to see the violations at a national level, consumers should have the right to bring companies to court. Mr. Polonetsky would like the federal law to avoid classifying data in black and white, as this will only create gaps in the framework that will be difficult to fix once implemented.

eHI Privacy and Security Resources

Industry leaders must overcome several privacy and security challenges to fully participate in proper data access and use. The eHealth Initiative conducts important, ongoing work to convene industry leaders to address privacy and security strategies in healthcare and to develop effective, common-sense, consensus-based approaches to managing and protecting data. For more information and a catalogue of eHI privacy and security approaches, click HERE. Our organization will continue to keep you updated on evolving federal and global privacy and security issues in healthcare.

 

Emma Valinski (emma@ehidc.org) is a staff member at eHealth Initiative & Foundation. eHealth Initiative and Foundation (eHI) convenes executives from every stakeholder group in healthcare to discuss, identify and share best practices to transform the delivery of healthcare using technology and innovation. eHI, and its coalition of members, focus on education, research, and advocacy to promote the use of sharing data to improve health care. @ehealthdc www.ehidc.org
