Wednesday’s hearing at the Senate Commerce Committee with Apple, Amazon, Google and Twitter, alongside AT&T and Charter, marked the latest in a string of hearings in the past few months into all things tech: but mostly controversies embroiling the companies, from election meddling to transparency.
This time, privacy was at the top of the agenda. The problem, lawmakers say, is that consumers have little of it. The hearing said that the U.S. was lagging behind Europe’s new GDPR privacy rules and California’s recently passed privacy law, which goes into effect in 2020, and lawmakers were edging toward introducing their own federal privacy law.
Here are the key takeaways.
Tech giants want new federal legislation, if not just to upend California’s privacy law
For once, the tech giants seemed to agree with one another.
AT&T, Apple, Charter and Google used their time in the Senate to call on lawmakers to introduce new federal privacy legislation. Tech companies spent the past year pushing back against the new state regulations, but have conceded that new privacy rules are inevitable.
Now the companies realize that it’s better to sit at the table to influence a federal privacy law than stand outside in the cold.
In pushing for a new federal law, representatives from each company confirmed that they support the preemption of California’s new rules — something that critics oppose.
AT&T’s chief lawyer Len Cali said that a patchwork of state laws would be unworkable. Apple, too, agreed to support a privacy law, but noted as a company that doesn’t hoard user data for advertising — like Facebook and Google — that any federal law would need to put a premium on protecting the consumer rather than helping companies make money.
But Amazon’s chief lawyer Andrew DeVore said that complying with privacy rules has “required us to divert significant resources to administrative tasks and away from invention.”
Sen. John Thune (R-SD) asked the representatives why lawmakers shouldn’t adopt the same standards seen in Europe and California at a federal level, but none of the companies could answer.
“That question lingers here,” said Thune. “The opposition that you’ve expressed to these rules is one that can nonetheless accommodate the kind of rules that we’ve seen in GDPR and California.”
Google made “mistakes” on privacy, but evades China search questioning
Google took a rare moment to admit it hasn’t always taken the right approach to privacy — though, it wouldn’t point to any specific incident.
“We acknowledge that we have made mistakes in the past, from which we have learned, and improved our robust privacy program,” Keith Enright, Google’s chief privacy officer, said in his opening statement.
But that, lawmakers said, contrasted with recent reports of the company’s return to China — almost a decade after it pulled out of the country after allegations of Chinese efforts to hack into the search giant’s systems and ethical conflicts with China’s censorship policies.
Google reportedly began working on “Dragonfly,” a China-focused search engine that would block certain keywords to fall in line with China’s censorship rules. The effort has been widely decried by human rights groups, and led to a high-profile resignation.
Prior to the Senate hearing, a former Google engineer sent a letter to the committee asking lawmakers to pressure Enright to respond.
Google to date has refused to confirm or comment on the reports, but Enright said that “there is a Project Dragonfly.”
“We are not close to launching a search product in China,” he said, in response to one lawmaker. Later, he said that he didn’t think the company “could or would launch a product” without including its privacy and security policies.
Startups might struggle under GDPR-ported rules, companies claim
Startups and small businesses with slimmer resources than the tech giants could be a major casualty if GDPR-like rules were ported into federal law.
Enright said that ensuring compliance under GDPR was complicated and costly, but wouldn’t put a figure on how much Google had spent on complying with GDPR when asked by one lawmaker. Enright suggested that it was likely in the millions of dollars.
But even larger companies like Charter, which are wholly U.S.-based and have no European presence, said they wouldn’t know how they would be affected if GDPR principles were ported over stateside.
Charter’s policy chief Rachel Welch said that the U.S. should “put its own stamp” and not just roll over GDPR principles.
Apple added that self-employed developers and software house startups could suffer under new federal privacy rules. The company has some 20 million developers that rely on its app store to sell their software. “Small companies don’t have teams of lawyers to draft things,” said Apple’s Bud Tribble, and asked that any new federal rules should consider startups “to help make things clear and so that businesses have one set of rules than many sets of rules to follow.”
It’s a line parroted by tech giants before and without much evidence to back it up. Although some companies have shuttered operations in Europe, other startups hit the deadline and continue to thrive.
Sen. Jerry Moran (R-KS) called for greater representation from startups to help understand the cost breakdowns to understand it better.
Thune said that the committee won’t “rush through” legislation, and will ask privacy advocates for their input in a coming hearing.