Wyden Prepares Privacy Bill; Senate Commerce Seeks Google Memo
The thrust of a forthcoming privacy bill from Sen. Ron Wyden will be a “different brand” of tech sector transparency with “consequences” for transgressing companies, the Oregon Democrat told us. Also Thursday, Senate Commerce Committee leadership hammered Google for not disclosing sooner its recent Google+ vulnerability (see 1810100066), given the company’s chief privacy officer testified months after the issue reportedly was discovered (see 1809260050).
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
“I’m getting ready to offer my privacy bill where we’re going to use the FTC as the kind of pointperson in this fight,” Wyden told us. Ensuring companies follow new transparency standards “will take talent. That will take resources,” he said. Asked when the bill will be introduced (see 1809050057), Wyden said, “Soon.”
In a letter to Google CEO Sundar Pichai, Senate Commerce Chairman John Thune, R-S.D.; Sen. Jerry Moran, R-Kansas; and Sen. Roger Wicker, R-Miss., requested a copy of an internal memo that reportedly argued for withholding information on the recent Google+ vulnerability to avoid attention from regulators and lawmakers. “Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” the lawmakers wrote Thursday. A company spokesperson pointed to a recent blog saying the platform’s goal is to ensure “everyone is confident that their data is secure.”
Determining the FTC’s level of authority will be key to the legislative debate before the committee, Thune told us. The first two hearings on the matter showed consensus from industry and privacy experts that the FTC is the proper enforcer, he said: “The question is how much authority and power they should have. Should they have rulemaking authority? And there are differences of opinion about that.”
Sen. Brian Schatz, D-Hawaii, argued in the first two hearings that any new privacy law should give the FTC the authority to fine and make rules on privacy. Currently, the agency relies on a consent decree framework, which typically requires multiple infractions to draw a civil penalty. Republicans are deciding where to draw the line, Schatz told us: “They are in good faith trying to figure out how to make a national privacy law. We’re in good discussions.”
The FTC has the proper resources to police online privacy, Moran told us, but “as the concerns of privacy increase, then we need to make sure they have additional resources to do so. … It’s up to us as Congress to provide the necessary money to expand those capabilities as the demands upon them increase.”
Sen. John Kennedy, R-La., agreed the FTC has the proper resources and authority to do its job as online privacy enforcer: “Does that mean they ought to be the only agency involved? Not necessarily.” Verizon and others have proposed an expanded enforcement role for state attorneys general, which have become increasingly involved in big tech issues.
“The tech sector would do well to be cooperative,” Sen. Thom Tillis, R-N.C., told us. “They’d do themselves a favor, the industry being cooperative, as we kind of work through policy choices. If they’re proactive, they get their governance right and they collaborate with us, it’s a lot better than having Congress tell them how it’s going to be done.”
Sen. Catherine Cortez Masto, D-Nev., supports increasing FTC authority: “We’ve got to do a better job of addressing these breaches and the privacy breaches and protecting individuals’ digital footprint, and I think that’s what we’re seeing now at the federal level,” she told us. “We recognize that.”
Sen. Angus King, I-Vt., told us there’s no question data breaches -- whether it’s Google, a federal agency or any other entity -- are a “serious problem.”