Tech companies really don't want a US version of Europe's privacy law

So they probably won't like the legislation members of Congress seem to be crafting.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
The US Capitol Building

Tech companies went to Capitol Hill on Wednesday to discuss a potential federal privacy law.

Getty Images

The United States'  privacy regulations shouldn't be anything like Europe's, tech giants argued on Wednesday.

During a hearing before the Senate Committee on Commerce, Science and Transportation, members of Congress heard six tech companies discuss what they want in a federal privacy law.

Lawmakers are still crafting a potential data privacy bill, but multiple senators indicated that tech companies might not like what they see.

Momentum has been building for a federal data privacy law as public concern over data abuse has reached a boiling point. State laws to protect data privacy have already passed, such as California's Consumer Privacy Act, the toughest so far.

Threatened by the potential of more such state laws, tech companies are working with federal lawmakers in the hopes of being able to influence future laws. The hearing on Wednesday was a public opportunity to tell senators what's on Silicon Valley's wishlist.

What Silicon Valley wants

Representatives from AT&T , Amazon, Google , Twitter, Apple and Charter Communications talked about three key points in their frameworks for potential data privacy legislation : pre-empting state laws, promoting privacy on their terms, and most important, preventing another General Data Protection Regulation, which went into effect in Europe last spring. 

Referencing the  GDPR and California's law, AT&T Senior Vice President of Global Public Policy Len Cali said, "What we're urging is a comprehensive federal law that looks at both these laws, learns from them, but does better than them."

The European Union's GDPR lays out strict guidelines for tech companies to follow, like opt-in standards, 72-hour breach notifications and fines when companies violate privacy rules.  

Most of the tech companies at the hearing took issue with the GDPR's standards, asking for a watered-down version of the regulation for the US' privacy law.

No company agreed with breach notifications within three days, and no company wanted to expand the Federal Trade Commission's power to enforce privacy violations. Only Charter Communications was in favor of opt-in consent, where you have to agree before companies can collect your data.

Bud Tribble, Apple's vice president for software technology, warned that opt-in consent could be more of a burden than a privacy improvement.

"Every time I turn around, I'm getting asked to approve cookies," Tribble said. "I think there's some risk of going overboard here."

Google Chief Privacy Officer Keith Enright told Sen. Mike Lee, a Republican from Utah, that to be compliant with the GDPR, the search engine giant spent "hundreds of years of human time" and "orders of magnitudes higher" than millions of dollars.

Enright raised concerns that though Google had the resources to do that, smaller businesses might not be able to do the same.

What Capitol Hill wants

Tech companies may not want a version of the GDPR coming to the US, but senators question why these strict privacy standards shouldn't be imported -- especially if so many of the companies testifying are already compliant.

"You're living with them. No undue hardships," said Sen. Richard Blumenthal, a Democrat from Connecticut. "The opposition that you've expressed to these rules -- recognizing that the devil may be in the details -- is one that can nonetheless accommodate the rules that we've seen in the GDPR and in California."

Senators also weren't willing to budge on a federal law that would pre-empt existing state laws.

Tech companies say they want this policy in a federal bill because they're worried multiple state laws on data privacy will create confusion and a logistical nightmare. Cali told lawmakers AT&T intends to seek revisions to California's privacy law, and wants one uniform rule all states can follow.

"Federal legislation will be of very little help if it becomes the 51st layering on top of 50 state rules," Cali said. "We need a comprehensive but singular privacy framework."

But senators said the only way a federal privacy law that nulls state laws would pass is if it were more progressive and robust than state laws that've already been voted through. Lawmakers are looking for legislation that can stand the test of time and won't give tech companies an easy pass.

"I understand that from the standpoint of these companies, the holy grail is pre-emption," said Sen. Brian Schatz, a Democrat from Hawaii. "And I want you to understand that you're only going to get there if this is meaningfully done. We're not going to get 60 votes for anything, and replace a progressive California law, however flawed you may think it is, with a nonprogressive federal law."

Taking It to Extremes: Mix insane situations -- erupting volcanoes, nuclear meltdowns, 30-foot waves -- with everyday tech. Here's what happens.

The Honeymoon Is Over: Everything you need to know about why tech is under Washington's microscope.