Representatives of six major technology and communications companies, including Google, Apple and AT&T, told lawmakers Wednesday that they support federal laws that would safeguard user privacy—if those laws aren't as stringent as rules recently introduced in Europe and California.
The executives, who also represented Amazon, Charter Communications and Twitter, made their remarks at a hearing before the Senate Committee on Commerce, Science, and Transportation that sought to examine the nation's patchwork of privacy laws and determine whether Congress should act to strengthen them.
The testimony highlighted the battle lines ahead when it comes to regulating the industry. The toll from years of bad news about consumer data being collected, sold or hacked has made new rules almost inevitable. The debate now is over how far-reaching such guidelines should be.
"The question is no longer whether we need a federal law to protect consumers' privacy. The question is what shape that law should take," Sen. John Thune, R-S.D., chairman of the committee, said in opening remarks.
Privacy advocates want Congress to take a cue from the California Consumer Privacy Act and the European Union's General Data Protection Regulation. Those laws are designed to give consumers far more control of their data, but companies have opposed them because of compliance costs, expensive penalties for violations and the restrictions on collecting data.
Executives told the panel that the United States needs federal legislation to protect personal data—but told lawmakers not to emulate California and Europe. They said restrictions on data collection would diminish user experience. Personal data are needed to determine which ads and services are most useful to each user, the executives said.
"We're urging for comprehensive federal law that looks at both these laws and learns from them, but does better than them," said Len Cali, senior vice president of global public policy for AT&T, who called the European law "overly prescriptive and burdensome."
Other executives said the European law would only strengthen incumbent companies such as theirs, given the costs of complying. "We're concerned about the small and medium-sized business," said Guy Trimble, Apple's vice president for software technology.
Privacy advocates say the companies' preference for a federal law is guided by fear that other states could adopt California's strict rules, which go into effect in 2020.
"What they mean is that they want weak federal privacy legislation that preempts stronger state laws," said Christine Bannan, an attorney for the Electronic Privacy Information Center.
The companies uniformly supported introducing federal laws that would preempt state laws on data privacy.
Sen. Ed Markey, D-Mass., said he hopes any discussion about preemption would come after lawmakers agreed on stronger federal rules. "Congress should not make weak laws to preempt strong laws," Markey said.
Alastair Mactaggart, a real estate developer who helped spearhead California's new consumer privacy law, said in a statement that he opposes federal rules that would supersede California's. The state will soon mandate that all consumers be able to see which businesses are using their data and be able to decline the sale of that information, among a host of other protections.
"To be clear: We will fight back against any attempts to undermine our state's ability to provide these fundamental rights to California consumers, and will support further efforts to provide these rights to all Americans," said Mactaggart, who is scheduled to meet with the Senate committee next month.
"We are on the right side of history here," Mactaggart added. "Europe has just made huge strides forward in consumer privacy. And as goes California, so goes the nation."
The Electronic Privacy Information Center supports a baseline federal law on user data that individual states could choose to enhance. "We want to set a floor for the country and not a ceiling," Bannan said.
The proposed baseline would require higher penalties for data breaches, prevent companies from forcing users to sign away the ability to sue them, more transparency in algorithms, and a promise not to collect more personal data than necessary.
Another point of contention is over which federal agency should have authority to regulate consumer data. That role currently belongs to the Federal Trade Commission—an arrangement that executives at the hearing said should stay in place.
The Electronic Privacy Information Center proposes the creation of a separate regulatory agency to oversee the handling of consumer data. It says the FTC is woefully understaffed and lacks the authority to set rules. The FTC's main deterrence tool is consent decrees, with which it can fine companies only after they have been caught violating rules.
"It seems absurd," Sen. Brian Schatz, D-Hawaii, said about the FTC's reactive, rather than proactive, stance on enforcement.
Of all the companies present at the hearing, Google received the most scrutiny. Lawmakers asked about issues including China, sharing Gmail data with outside companies, and political bias.
Keith Enright, the company's chief privacy officer, admitted in his opening remarks that Google had "made mistakes in the past" in handling user data. He said the company has learned from them and improved its security.
He was later questioned about reports that Google was developing a search engine for China called Project Dragonfly that would comply with censorship rules there and jeopardize privacy.
Enright acknowledged the project's existence but downplayed its viability. "We are not close to launching a search product in China, and whether we should or could is unclear," he said.
Explore further: A US privacy law could be good for Google—but bad for you (Update)