A recent hearing of the U.S. Senate Commerce Committee had an open-ended, soft-focus title: “Examining Safeguards for Consumer Data Privacy”. In reality, it was the latest sharp-edged skirmish in a war that might – might – lead to comprehensive privacy legislation in the U.S.
The “Where’s the consumer’s voice?” criticism of the witness list (at the table were AT&T, Amazon, Google, Twitter, Charter and Apple) was legitimate, but missed the point. The agenda was early, two-party negotiations on how to pre-empt the new California Consumer Privacy Act, which looks a lot like the new European privacy law. Each puts a demand on corporate resources, locks in fines and serves as a model for the next states to act. And, they will act.
The hearing was a chance for the senators and those who lobby them to sketch out a framework whereby a new federal law could supersede any and all state laws when it comes to the privacy. All they have to do is “balance the rights of individuals and the ability to innovate.” Some might bet sooner on cold fusion.
From the Senate side, it was said, by Senator Brian Schatz of Hawaii, that pre-emption would occur only if the federal law was at least as protective of privacy as is the California law. Senator Bill Nelson of Florida even offered up what might be considered in trade – increased legal authority, role and resources for the FTC. That trial balloon was met with responses that ranged from “not yes” to “not no”.
It was Senator Richard Blumenthal of Connecticut who noted that whichever the ultimate destination, the regulatory train really needed to leave the station. He said: “Don’t you agree we need mandatory (privacy) rules, not self-governance?” All said “aye.”
Privacy Twitter was quite active during the hearing. Journalists, advocates, academics and camp followers participated by actively live blogging the event. Particularly when Senator Ted Cruz of Texas got to the subject of China, Google and Project Dragonfly.
It fell to Google’s Chief Privacy Officer Keith Enright to return serve, but each time he did, Cruz launched another. The exchange was spirited, perhaps that’s why most of the headlines focused on Enright’s confirming the existence of Project Dragonfly, purported to be a search engine built to comply with China’s restrictive rules on information access.
Enright, whom I know only a bit, was uncomfortable in a way that suggested he had not been given rules of engagement on the matter before he left the West Coast. It was hard to imagine not imagining the question being asked. After all, the story had been out there for almost two months.
Google is an easy privacy piñata, because of the vast amount of data it holds (there are 1.5 billion monthly gMail users and over 1 billion unique searches each month, too) and the mis-steps it has made (Google is not yet half-way through one consent deal it has with the government). But ever since Google shut down its search engine in China in 2010, the financial markets have assumed the company will one day get back in.
At the hearing, the combination of China and Google was like catnip to Senator Cruz. In fact, he made only a short appearance, focused solely on grilling Enright, who, after confirming there was a Project Dragonfly, could say no more except that his team had not yet been engaged. Bad enough that a former Google engineer seemed to suggest otherwise when he criticized the “catastrophic failure of the internal privacy review process”, but neither was there a whole lotta love on Privacy Twitter.
Even tech reporters, who as a group know Google better than most, took a turn. Cecilia Kang of the New York Times and Jessica Guynn of USA Today both weighed in, but neither noted that it was Enright who was taking the heat, just some “Google guy.” Ouch.
That could and should change. As privacy rockets up the list of essential corporate concerns, Enright (and others, like Disney’s Mary Ellen Callahan or Cisco’s Michelle Dennedy, who work for significant and well-recognized companies) ought to see their portfolio expanded beyond a primary focus of internal policies, practices and procedures.
They can be broadly and consistently put forward, to serve as guides for the rest of us; to help us better understand the threats and opportunities created by collecting all that data.
This will be particularly important as Washington, D.C. seeks to become more fluent in technology. It can result in fewer one-off exchanges between a Senator and some company’s “guy” playing defense. With more expert interaction over time, it can give companies a chance to play a little offense. A guy can dream.