When policymakers and top US tech companies held an unprecedented meeting about stronger consumer data protection rules in September, privacy advocates were notably absent. But on Wednesday, they got their chance to share proposals on what the new rules might look like.
The meeting comes days after a report that Google suppressed news of a recent privacy breach. A data breach exposed personal data from close to half a million Google+ users, and Google reportedly kept quiet because it was worried about regulatory backlash. Senator Richard Blumenthal said the report "confirms that Google's claims to value consumers' privacy seem like nothing more than empty talk." Senator Mark Warner added "it's clear that Congress needs to step in" because these large US tech companies have failed to regulate themselves.
In the hearing, privacy advocates agreed with tech companies' calls for a single set of national data privacy standards. But they pointed to the latest Google incident as evidence that Congress should make those rules tough, and they held up the EU's General Data Protection Regulation as a strict example.
"The substantial fining authority such that fines really can rise to a level that provides the right incentives for companies under the GDPR — we desperately need that here in the US," said Laura Moy, Executive Director and Adjunct Professor of Law at the Georgetown Law Center on Privacy & Technology.
Privacy experts also pointed to California's laws as a potential legal framework for national standards. They say California is a leader in cybersecurity and has adopted some of the strongest privacy legislation of any state, such as rules to regulate connected devices and anti-bot laws.
"We gave the California Attorney General the right to issue regulations," said Alastair Mactaggart, Board Chair of Californians for Consumer Privacy. "And I think that's so important going forward if you do a federal bill, to give the rule making authority to the enforcing authority because you don't want a bill that's gonna be stuck in time."
As of now, senators on both sides of the aisle appear to side with consumer protection groups. Senators John Kennedy and Amy Klobuchar are backing a bill that would require companies to notify users of a data breach within 72 hours of discovery — a similar standard to GDPR.