Ctrl + N
Top Democrats' ambitious new privacy bill has long odds of advancing in Congress. But it's sure to spark fresh debate along partisan lines about how lawmakers should respond to tech companies' repeated mishandling of consumer data.
Sen. Maria Cantwell, the top Democrat on the Senate Commerce, Science and Transportation Committee, intends to introduce legislation today aiming to give people their digital "Miranda rights" and impose tough penalties on companies that abuse consumer data, my colleague Tony Romm reports exclusively. There's broad bipartisan consensus that lawmakers should move to protect consumer privacy, but some of the legislation's more aggressive language will probably face opposition from Republicans who argue excessive regulation unduly burdens businesses.
The bill, known as the Consumer Online Privacy Rights Act, opens the door for individuals to sue companies that break the data privacy rules it outlines or engage in other deceptive practices. Republicans, including Commerce Chair Roger Wicker (R-Miss.), have fiercely opposed such a provision, known as a private right of action.
“This will be a big sticking point in the whole discussion,” Cantwell said in an interview with Tony previewing the bill.
After a flurry of individual proposal in recent months, Cantwell's measure provides the clearest roadmap of Democratic goals in the national privacy legislation. They're putting a stake in the ground on what they want from Republicans — especially if Democrats compromise with GOP demands for legislation barring states including California from enforcing their own privacy laws.
Cantwell told Tony if Republicans say they want a strong federal privacy law that preempts state laws, "you're going to have to have this discussion" about a private right of action.
Sen. Brian Schatz (D-Hawaii), who co-sponsored the legislation, told Tony that Democrats have tough demands for any bill that would supersede state laws. “We have to be satisfied that it’s worth it, and right now I’m not satisfied the Republicans understand the gravity of this problem and the need for a strong set of privacy rights and responsibilities in federal law,” he said. “If they embrace that, that will unlock the real possibility of bipartisan legislation. But if they think they’re going to get preemption of state law for relatively [little], I think they have the wrong calculation.”
Cantwell said Republicans need to consider a private right of action if they want a strong federal privacy law that preempts states. As written, her bill would allow California's privacy law to remain intact and let other states pass their own privacy legislation.
Wicker, who has been locked in negotiations with Cantwell, did not immediately respond to a request for comment about the bill. He told reporters last week that Democrats' push for a private right of action won't kill discussions. “I don’t think Democrats will insist on that in a final bill,” he said, according to Politico.
Cantwell told Tony they have reached some points of consensus in the negotiations, but she declined to share specifics.
Congress has tried for decades to pass a federal privacy law, and privacy advocates acknowledge it will not be an push -- especially during a presidential election and impeachment proceeding.
“It’s going to be hard to get anything done before 2021 because I don’t think leadership has the interest, time or appetite for it,” said Justin Brookman, director of consumer privacy and technology policy at Consumer Reports, which offered lawmakers advice on crafting the measure, told Tony.
Democratic Sens. Amy Klobuchar (Minn.) and Edward J. Markey (Mass.) are also co-sponsoring the legislation. The broad bill would also:
- Introduce higher fines for companies that mishandle user data
- Allow people to request to see what personal information companies are storing about them and block it from being sold
- Create a new privacy-focused bureau under the Federal Trade Commission, which would have the authority to fine companies for first-time privacy offenses
- Establish a "duty of loyalty," which would prohibit companies from using data in ways that could harm consumers
- Demand that companies get special permission to collect certain types of sensitive data, such as biometrics like fingerprints or precise location information
- Allow state attorneys general to bring privacy cases under federal law
- Require companies to conduct assessments of whether their algorithms making decisions about sensitive issues like housing or credit produce discriminatory results
- Establish a new data security fund at the Treasury, which would hold the privacy penalties that enforcers collect
- Commissions a National Institute of Standards and Technology report on forgeries, such as videos manipulated with artificial intelligence known as "deepfakes”
BITS, NIBBLES AND BYTES
BITS: Amazon's focus on speed has transformed its warehouses into “injury mills,” according to an investigation by Reveal's Will Evans. A review of serious injuries at 23 of the company's 110 fulfillment centers nationwide revealed the rate of serious injuries for those facilities was more than two times the national average for the warehousing industry.
The fulfillment centers Reveal reviewed had 9.6 serious injuries per 100 full-time workers in 2018, compared with an industry average that year of 4. A few of the centers were at or below the average rate, but some, such as a warehouse in Eastvale, Calif., were exceptionally dangerous. That facility had 422 injuries last year, and its rate of injuries that required job restrictions or days off was more than four times the industry average. (Amazon CEO Jeff Bezos owns The Washington Post).
“Amazon needs to take a hard look at the facilities where so many workers are being hurt and either redesign the work processes, replace the top managers, or both, because serious-injury rates this high should not be acceptable to any employer,” David Michaels, the former head of the federal Occupational Safety and Health Administration, who is now a professor at George Washington University, told Will.
Amazon declined interviews with Reveal, but it told Will in written statements that the high rate of injuries were due to it being aggressive about tracking workers' injuries and making sure they do not return to work too quickly.
“We know that by making a conservative choice to not place an injured associate back into a job, we are elevating restricted and lost time rates as a company, but with the intent to benefit the associate,” Amazon spokeswoman Ashley Robinson wrote.
But many workers disputed that, telling Reveal they were sent back to jobs that injured them further.
NIBBLES: Google said in an employee-wide email that it was firing four employees for violating its data-security policies, my colleague Greg Bensinger reports. The move could exacerbate tensions between corporate leadership and workers amid activists' protests and unionization.
The company's security team said in the memo obtained by Greg that “the individuals were involved in systematic searches for other employees’ materials and work. This includes searching for, accessing, and distributing business information outside the scope of their jobs — repeating this conduct even after they were met with and reminded about our data security policies.”
Rebecca Rivers and Laurence Berland, two employees at the center of a rally last week after they were indefinitely suspended, were among those fired. Last week about 200 people attended a protest at Google's San Francisco office to protest the company's actions against the two. Rivers was accused of accessing documents not relevant to her work, and Berland was accused of inappropriately accessing co-workers' internal calendars.
Rivers said on Friday that Google told her she was suspended for violating the security policy, but a company official instead narrowed in on her “involvement in a Customs and Border Protection petition and social media usage outside of work.”
Google is taking a firmer grip on what information employees discuss following a spate of leaks, ranging from the company's work with the Department of Defense and its efforts to build products for China, where it's largely banned. Google workers say the company has been trying to limit conversation among employees. Google’s top lawyer, Kent Walker, alerted employees this month of the company’s policy around reviewing internal documents, which generally limits materials to be accessed that are clearly pertinent to one’s work.
BYTES: The California Department of Motor Vehicles is making $50 million a year through selling drivers’ names, addresses and car registration details, according to document obtained by Motherboard's Joseph Cox. The document highlights how DMVs across the U.S. are selling information that drivers have to turn over to the organization to receive a license.
The document, which the California DMV turned over to Motherboard in response to a public records request, shows the total revenue in financial year 2017-18 was $52.05 million. That's up from $41.56 million in the financial year 2013-14. The document did not specify which companies are buying the data, but a previous Motherboard report found data broker LexisNexis and consumer credit reporting agency Experian appeared frequently in Motherboard's previous investigation into DMV's data handling.
The California DMV said in an email to Motherboard that requesters may also include insurance companies, vehicle manufacturers and prospective employers. Marty Greenstein, public information officer at the California DMV, told Motherboard in an email that the data's sale bolsters initiatives related to public safety, "including availability of insurance, risk assessment, vehicle safety recalls, traffic studies, emissions research, background checks, and for pre- and existing employment purposes."
"The DMV takes its obligation to protect personal information very seriously," Greenstein wrote, noting the DMV audits requesters to check that employees are trained in protecting DMV information. He said the organization is continuing to review the requests to ensure data is only being shared for authorized reasons.