Tech Companies Preparing Framework for Federal Data Privacy Legislation

It looks like some of the largest tech and communication companies – Google, Apple, Amazon, Twitter, AT&T – will be meeting with Congress to discuss data privacy. The point of the hearing is to discuss their privacy services, but I’m seeing some articles that at least some of these companies intend to present ideas for federal data privacy regulations.

I have to admit that I was surprised when I heard it. Many of these same companies have come out against the California Consumer Privacy Act. In a Security Boulevard article, Terry Ray, chief technology officer at Imperva, made the point that to tech companies, data is more valuable than gold, adding:

It’s more like uranium — extremely valuable, yet radioactive. Controlling this flow of information is difficult for any type of organization, but especially for companies such as Google and Facebook, where the sharing of data is a prime commodity.

But here they are, preparing to go to Congress with frameworks to guide data privacy legislation (at least Google and Apple have that intent), with The Hill adding:

The set of proposals is designed to be a baseline for federal rules regarding data collection. Google appears to be the first internet giant to release such a framework, but numerous trade associations have published their own in recent weeks.

A lot of people in the security world think this is a step in the right direction. In an email comment, for example, Harold Byun, vice president of products and marketing at Baffle, told me that he believes that yes, we should have a national data privacy act, and here’s what he thinks should be included:

• Establish a data privacy bureau that would be responsible for defining requirements and standards and liaising with businesses.
• Establish a personal records opt-in mechanism that gives users methods to authorize sharing with entities.
• Impose financial penalties for non-compliance and data breaches and requirements on disclosure.

However, not everybody is thrilled that tech companies are suddenly not only on board but taking the lead in data privacy legislation talk. The Electronic Frontier Foundation pointed out that historically, tech companies have stood in the way of consumer privacy legislation and, as we saw in California, don’t support legislation when it is proposed or passed. The EFF also argues that if you have a Senate hearing about data privacy, you need to have consumer privacy advocates at the table because their concern is that if you let only tech companies push the legislative frameworks, it could end up weakening some strong state-based bills.

It’s clear that some action is necessary, but as Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told me in an email comment, let’s slow down a little bit:

Before talking about the need for a U.S. regulation around data privacy, we must first understand that in this deeply connected global economy, the EU’s comprehensive GDPR regulation affects the vast majority of U.S. businesses. Most U.S. businesses, and some branches of government, do indeed handle EU citizens’ data and are therefore required to comply with GDPR. An additional U.S. regulation would just close the gap on the businesses that are truly local, as well as most branches of the federal and local governments.

Before engaging in any new regulation, it is best to watch and learn from the implementation of Europe’s GDPR as we already know of some flaws that need adjustment.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba