Amid Shifting Legal Landscape, Startups Need Congress to Act on Privacy
TLDR: While the European Union has moved in recent years to take the lead on enforcing global privacy standards, Congress has let states like California largely dictate the country’s privacy laws as a result of federal inaction on a national data privacy framework. As lawmakers prepare to discuss the importance of crafting comprehensive privacy legislation this week, it’s critical they pursue a framework that balances strong consumer privacy protections with much-needed clarity for startups and entrepreneurs.
What’s Happening This Week: The Senate Commerce Committee is holding a hearing at 10 a.m. tomorrow to examine the state of consumer privacy across the United States and discuss the need for a national framework to ensure that all Americans’ privacy is protected. The hearing will include four former Federal Trade Commission commissioners, as well as California Attorney General Xavier Becerra.
Members of the committee plan to examine the lessons learned from the implementation of state-level and international privacy laws, such as the California Consumer Protection Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), as they discuss the need for a national framework. Due to a lack of federal action on data privacy legislation, CCPA has effectively become the nation’s privacy standard, while GDPR has squeezed some small U.S. companies out of the European market because of costly compliance burdens associated with the rules. At the same time, transatlantic data transfers have come under scrutiny since the European Union’s top court ruled earlier this year to invalidate Privacy Shield, an agreement that let American companies store and process EU users’ data in the U.S.
The hearing comes after previous efforts to pass bipartisan data privacy legislation in recent years have stalled in Congress, despite strong support for a comprehensive measure from U.S. consumers, startups, and the tech industry.
Why it Matters to Startups: Without a federal privacy framework, startups and other small tech firms stand to lose the most in the absence of strong privacy protections. As California and other states move forward with their own privacy laws and regulations, it’s the early-stage firms that are the least equipped to deal with costly and burdensome privacy rules that can change from state to state. And when consumers lose trust in the Internet ecosystem after high-profile privacy violations, it’s the startups without longstanding reputations or relationships with users that will be abandoned first.
In the absence of a federal privacy framework, it makes sense that states like California have passed or considered their own privacy laws. But the obligations associated with privacy protections shouldn’t change across state lines and open startups up to varying and potentially conflicting requirements depending on where they operate or where their users are based. That’s why Internet companies of all sizes and consumer advocates have voiced support for a federal privacy framework that provides strong consumer protections, promotes competition, and provides startups with the regulatory clarity they need to operate all across the country.
The need for a federal privacy framework is made clearer by the fact that California is considering changing its already burdensome law. CCPA passed in 2018 and took effect at the beginning of the year; California policymakers began enforcing the law in July, and final regulations for the law weren’t technically approved until August. Now, the author of the 2018 ballot initiative that led to the law’s passage has secured enough signatures for a November ballot initiative to change the bill’s requirements for companies. Rather than letting uncertain state laws serve as the nation’s de facto privacy standard, Congress should create a federal framework that applies to all startups and users.
Recent changes in Europe have made the international privacy landscape difficult for startups as well. GDPR went into effect in 2018, forcing some smaller companies to leave Europe rather than attempt to comply with the rules’ obligations. In July, the European Court of Justice invalidated the EU-U.S. data transfer pact known as Privacy Shield, which raises new worries for startups about their ability to handle users’ data as they grow abroad. Small- to medium-sized companies represent almost 70 percent of the companies that used Privacy Shield, but most of these firms lack the resources to find alternative legal mechanisms to transfer data from the EU—such as Standard Contractual Clauses (SCCs)—that many larger companies can use. Since Europe’s top court struck down Privacy Shield over ongoing concerns about U.S. surveillance programs, Congress can work to support a new data transfer pact by rolling back the scope of the government’s data collection efforts allowed under Section 702 of the Foreign Intelligence Surveillance Act. Passing a federal data privacy framework would also show European policymakers that the U.S. is committed to ensuring strong privacy protections for all.
There are several steps policymakers can take to help create a commonsense privacy framework that protects users while promoting innovation and competition at home and abroad, including creating a consistent set of rules within the U.S. and working to remove obstacles so that startups can compete in foreign markets. As the Senate Commerce Committee turns back to privacy this week, its members should consider the impact their actions—and inaction—will have on the U.S. startup ecosystem.
On the Horizon.
The Brookings Institution is holding a virtual event at 10 a.m. tomorrow to discuss the creation of a new Digital Platform Agency.
The House Science, Space, and Technology Oversight Subcommittee is holding a hearing at 11 a.m. tomorrow to discuss the “responsible management of data during COVID-19 and beyond.”
The Information Technology & Innovation Foundation is holding a webinar tomorrow at 11 a.m. to discuss how artificial intelligence can help people get back to work.
The Hill is holding a virtual discussion at 11 a.m. tomorrow on the future of work amid the coronavirus pandemic.
The House Energy and Commerce Consumer Protection Subcommittee is holding a hearing this Thursday at 11 a.m. to discuss online extremism.
ACT | The App Association is holding a virtual event this Friday at 9:30 a.m. to discuss the future of U.S.-EU data transfers following the rollback of Privacy Shield.