Sen. Thune Signals No Big Hurry On Federal Data Privacy Legislation

The Senate may actively take up national data privacy legislation someday, but one key senator in the process indicated today that there is currently little institutional urgency to hurry toward that goal.

Sen. John Thune, R-S.D., who until January was chairman of the Senate Commerce, Science, and Transportation Committee, said today at a committee hearing looking into policy concerns for a federal data privacy framework that the issue may have a two-year runway for action.

Questioning witnesses who mainly represent tech-sector interests at today’s hearing, Sen. Thune–who remains a member of the panel–said senators should be able to figure out the thorny set of policy issues up “in the next couple years,” and hoped that the witness testimony today would inform the debate.

That timeline was at odds with one suggested by Michael Beckerman, president of the Internet Association, a trade group representing dozens of heavy-hitting corporations in the tech and internet sectors.  Testifying today, he said his group wants a national data privacy bill signed this year.

Few big business groups ever go to Capitol Hill asking for any degree of regulation on their businesses–many lobbying efforts seek advantage through less regulation–but in the case of data privacy issues the industry seems to be strongly motivated for action by a range of concerns that will become even more pressing as time goes on.

Those include putting in place one national standard on data privacy and security that the industry can both live with and build future business practices around, while at the same time preempting individual state regulation that could go beyond the Federal standard and make it more complicated for industry to achieve compliance in individual states.  A warning shot across the industry’s bow last year was California enactment last year of state-level data privacy rules seen as among the toughest yet.

Another is the need take some momentum back from overseas efforts at data privacy regulation, principally the European Union’s General Data Protection Regulation (GDPR), which global tech companies have learned to deal with but which many think still goes too far particularly in the rights it gives consumers to have data about them removed from third-party services.

And a third is to strike the most favorable terms on legislation in the absence of any giant data breach or similar crisis that could color lawmakers’ thoughts and result in a worse result from Capitol Hill.

Beginning last year, tech-sector interest groups and even individual companies kicked off a notably public push to lay out their preferred principles for privacy legislation. While those legislative proposals have different wrinkles, most of them tend to agree on a few key points that witnesses coalesced around at today’s hearing:

  • Give consumers some additional degree of control over how their data–especially personal data–is used by companies;
  • Preempt state data privacy laws, while allowing state attorneys general to help enforce the federal statute; and
  • Appoint the Federal Trade Commission–traditionally seen as having duller regulatory teeth and less statutory scope than other watchdog agencies–as a prime regulator.

There remains much to hammer out in the way of details, especially exactly what privacy protections would be afforded to consumers, and how consumers could avail themselves of their rights.

Sen. Roger Wicker, R-Miss., chairman of Senate Commerce, said at today’s hearing he hopes that the exercise “will offer valuable insights that will help set the stage for meaningful bipartisan legislation.” He didn’t put a timeline on that hope.

Recent