Symantec’s #PrivacyCon2019 – A Robust Discussion on Data Privacy
January 30, 2019
Yesterday, Symantec Corporation hosted its #PrivacyCon2019, which featured a diverse array of lawmakers, academics, policy experts, and regulators/government personnel.
Within 4 short hours, the program packed in 13 different presenters, including three members of Congress who have been outspoken about privacy concerns in this Internet of Things era -- Anna Eshoo (D-CA 18th District), Dave Schweikert (R-AZ 6th District), and Debbie Dingell (D-MI 12th District).
Each of the lawmakers used personal stories to describe what they saw as a pressing need for federal privacy legislation, and pledged decisive steps in the coming months as Congress gets busy in the new legislative session.
Key takeaways from these lawmakers include:
Eshoo, who represents Silicon Valley and was formerly the Ranking Member on the House Energy and Commerce Subcommittee on Communications and Technology, pledged to unveil federal data privacy legislation with Zoe Lofgren, a Northern California Democrat who sits on the House Judiciary Committee.
Eshoo described any legislation as requiring a “surgical” scalpel, stressing restraint where warranted.
Nevertheless, when speaking about the appropriate regulator/enforcer of privacy rules, she left open the possibility of a “new agency” that Congress could create.
She did not indicate whether any Republicans were working with her, nor whether she would embrace California’s recent consumer privacy law.
Schweikert, who co-chairs the Congressional Blockchain Caucus, reflected on how technology -- and particularly distributed ledger technology -- can revolutionize personal data accessibility for each individual, without compromising security/privacy.
Without getting into technological specifics, he told stories of how individuals should be able to access -- and transfer -- encrypted, personal information, with “one press of the button,” without government interference.
Dingell, who serves on the House Energy and Commerce Committee, described herself as a “privacy nut,” who was fixated on counseling her staff and other members on her view that privacy is compromised in this IoT era.
Time and again, she argued that her constituents and lawmakers themselves were completely oblivious to what companies do with “personal data” and that such information is not readily accessible and understandable.
When asked whether federal legislation is doable this Congress, she demurred.
She simply said she would make sure the House acts decisively.
In addition to these lawmakers, #PrivacyCon2019 also featured two panels. The first panel provided perspectives on privacy from academia, government, and privacy advocates.
Nuala O’Connor, CEO of the Center for Democracy and Technology, led the discussion on the vast considerations at stake when considering privacy legislation.
She also pointed to the CDT’s Dec. 2018 discussion draft as a possible guidepost for lawmakers, with input from stakeholders far and wide.
Ryan Anderson, a Director at the University of Texas Center for Identity, hailed the need for transparency and flexibility in any legislation, which would help to promote trust for consumers.
“Trust” was a recurring theme for many of the panelists/participants throughout the conference, and was a word that would continue to be used in any Congressional hearings on this topic.
Eric Einhorn, Senior Counsel to U.S. Senator Brian Schatz (D-HI), described the various approaches to legislation, including conferring authority to the FTC to write rules to promote flexibility across industries and technological advancements.
Chris Brown, a staffer from the House Financial Services Committee, touted Gramm-Leach-Bliley Act rules for the financial services sector, and foretold the struggle to reach any eventual compromise because of differences in how to view federal preemption -- i.e. should federal privacy rules be a “floor” or a “ceiling”?
Shaundra Watson, the Policy Director at the Business Software Alliance, spoke about the need for comprehensive solutions hovering around 10 key components, outlined here.
Notwithstanding the agreement that comprehensive policy solutions are necessary, the gaping question remained: is there a political avenue through which a divided Congress and White House could accomplish comprehensive legislation?
o This remained an open question throughout.
The last panel took a sideways view of federal data privacy legislation.
The panel, comprised of representatives from State Attorney General offices for the District of Columbia (AG Karl Racine and Natalie Ludaway (DC), AG TJ Donovan (Vermont), Tania Maestas (New Mexico), and Stephen Cobb (Virginia)), opened the panel with Vermont AG Donovan plainly stating that “if Congress doesn’t protect consumers by enacting federal privacy legislation, State Attorneys General will protect them.”
Each of the panelists described how their officers were uniquely positioned to protect consumers in each of their states/jurisdictions, and would use all legal levers to pursue investigations and to push legislators to set clear rules for the road.
Vermont, for example, recently enacted landmark privacy legislation, with the assistance of the Attorney General’s office, to require registration of third-party data brokers.
Many privacy hawks – and state regulators themselves – are watching the implementation of that law very closely.
State AGs nationwide are also increasingly hearing complaints from consumers – whether through hotlines or otherwise – and consumers are steadily becoming more educated on reporting data breaches to state authorities.
Each of the panelists urged industry, whenever faced with a data breach, to communicate, communicate, and communicate with State AGs.
AG Racine remarked that even if DC’s disclosure/notification rules were not as extensive as California, he appreciated when companies made disclosures/notifications coextensive with disclosures made under CA law.
Ultimately, the panelists’ shared view was that the mission of protecting consumers is a shared mission by State AGs and industry – i.e. it is both good for business and good for regulators/investigators to always be looking out for protecting consumers.
Therefore, even in the enforcement context, it makes sense to work collaboratively with State AGs, rather than as an adversary.
The panel also acknowledged that while the states often coordinate together, there are times they go at it alone, such as in the recent DC lawsuit against Facebook.
In sum, the weight of data privacy concerns was on full display through #PrivacyCon2019, as was the incredible breadth of stakeholders on the topic.
While everyone agreed that something must be done legislatively to address privacy – the real question is what, if anything, that “something” is?
And is that “something” even achievable in this political environment, with so many stakeholders bringing divergent perspectives to the table?
Stay tuned for more on this in the coming months.