Senate Banking Committee Hearing on Data Privacy in a Digital Economy

Senate Banking Committee

“Privacy Rights and Data Collection in a Digital Economy”

Tuesday, May 7, 2019

Key Topics & Takeaways

  • Consent: Chase said the GDPR has specific requirements for privacy that are clear and easy to understand and individual rights focused on unbundling, agreements for legal basis, and higher individual consent standards. Ceglowski said there is no clarity in the notice and consent agreements or in the GDPR opt-in clauses, stating companies will continue to be deceptive under these laws. He recommended that opt-in clauses be implemented across the board for individuals and that companies provide visibility of data protection practices. Cline said the GDPR is a model that combines opt-in clauses for sensitive data and opt-out clauses, as well as the use of unbundling. He noted the popular uses of the rights to access, erasure, and opt-out for marketing, and said there is an uneven structure for the financial services industry under the GDPR for individual and company rights.
  • Data Ownership: Ceglowski said it is too early to tell the impact of the GDPR, but there are layers to consider on the different types of data that can be observed and whether it is an individual’s or not. He said that another area to consider may be shadow data collection practices, such as what is done by Facebook. Chase said that as individuals become more aware, they are losing trust in the internet, and the question comes down to access. He said for data that is owned by the individual, it is important to have transparency about who is collecting it, why, how they intend to use it, and how it will be stored.
  • GDPR: Ceglowski said the GDPR is an important step for data privacy but lacks the concept of consent. Cline said the GDPR requiring data inventory and continuous risk assessment encourages transparency. Chase recognized the vulnerabilities of the GDPR for customer opt-out.

Witnesses

Opening Statements

Chairman Mike Crapo (R-Idaho), Senate Banking Committee

In his opening statement, Crapo said the hearing would take a closer look at the European Union’s (EU) General Data Protection Regulation (GDPR) to examine the impact on the financial services industry’s data privacy practices and how companies collect and use information in decision making related to credit, insurance or employment. He said his concerns regarding big data collection go back to the creation of the Consumer Financial Protection Bureau (CFPB), as they were collecting personal financial information without an individual’s knowledge or consent. Crapo said consumers deserve to know what type of information is being collected about them, what that information is being used for and how it is being shared by financial regulators and private companies, as the individual is the rightful owner and should have real control over his or her data. Crapo stated his desire to discuss the principles, obligations and rights underlying the GDPR and how those differ from the previous 1995 Data Protection Directive, how the GDPR addresses data brokers and other companies that collect and disseminate personal information, and ways to adjust the Fair Credit Reporting Act. He also asked the panel to address the challenges to U.S. institutions in implementing and complying with the GDPR, and how individuals have responded to the individual rights and control over their data as a result of the GDPR.

Ranking Member Sherrod Brown (D-Ohio), Senate Banking Committee

In his opening statement, Brown said many of the risks associated with data collection practices on a large scale are unknown and harmful to the U.S. Brown said the Equifax breach serves as an example of millions of individuals being affected without their awareness. He also said that personal information continues to be monetized through third parties, without individual knowledge, and that “buyer beware” is not a particularly helpful warning due to the lack of opt-out options. Brown said that as the internet has become integral to everyday use, strong-arming practices by big corporations should be monitored and avoided. He suggested setting standards for the appropriate use of data, customer opt-in and opt-out clauses, and data handling and storage.

Testimony

Peter Chase, Senior Fellow, The German Marshall Fund of the U.S.

In his testimony, Chase commented on three aspects of the GDPR: 1) its antecedent and political context; 2) its provisions; and 3) its implementation. He said the GDPR is “unique” given the context of the law for the EU, as the law tries to create a basis to unify many different member states and companies to preclude them from being blocked from commerce. Chase said that privacy and data protections have become more prominent since the EU formally recognized and implemented protections in 2009. He stated that as the GDPR was being discussed, the Snowden revelations brought forward access to U.S. company data, fueling the EU’s political dynamic. Chase mentioned that the GDPR has six “simple” principles for governing personal data, deriving several individual rights and creating obligations for individuals and companies. He said data for an identifiable person must be: 1) used only for specified purposes; 2) processed in a legal, fair and transparent fashion; 3) limited to only what is necessary to collect; 4) accurate; 5) retained for as long as required; and 6) securely protected. He said the most important components of the GDPR are included in the legal basis for processing data under Article 6, which includes requiring legal grounds for consent that is freely given and informed and following a contract that is agreed upon by both individuals and companies, adding that Article 6 is vital and legitimate for individual and public interest. Chase said Article 9 of the GDPR prohibits processing of sensitive information, unless exceptions are made, to further provide transparency in who is collecting data, how it’s being used, how long it will be harvested, the legal basis, and purposes of sharing. He said under the GDPR, companies have obligations to facilitate rights, use technical means such as data protection by design, follow a legal basis, conduct data practice assessments, keep records of data collected, and provide security measures in order to protect data. He mentioned the fines that can be brought upon violators, as high as four percent of global turnover for companies, and the EU’s administered guidance to help companies transition.

Jay Cline, Privacy and Consumer Protection Leader, PwC U.S.

In his testimony, Cline said U.S. financial institutions have had to consider their practices of collecting, using, and protecting data under EU operations since the implementation of the GDPR. Cline said the GDPR has caused many U.S. companies to mobilize to comply with the law, as well as with standards under Gramm-Leach-Bliley and the Fair Credit Reporting Act. He said the GDPR focuses on individuals’ rights based on a program of accountability, making the legislation a data privacy law rather than a data security law. Cline said some of the top challenges to industry have been in terms of completing data collection inventory reports and following the 72-hour data breach notification clause. Cline said though there are eight privacy rights offered under the GDPR, the rights that are most popular are the rights to access, erasure, and objection to marketing practices. He also said the GDPR formalizing the data governance program is critical for data privacy success due to the horizontal movement of data. However, Cline said the unanswered question for companies is if the GDPR will become the global standard, and under this assumption, many companies have restructured their privacy standards to remain consistent with the GDPR as a contingency plan.

Maciej Ceglowski, Founder, Pinboard

In his testimony, Ceglowski said private and public data is not properly regulated, and is collected without transparency. He said Silicon Valley is deceiving Americans, and most companies lack the capacity to keep large amounts of data safe over long periods of time. Ceglowski said it is easier to attack computer systems than to defend them, and with emerging technologies, there is a need for companies to be honest about the risks and their capacity to store wasteful and harmful by-products. He said individuals are losing trust in companies collecting data, referencing Google and Facebook as two companies that are deceitful in their business models. Ceglowski said Silicon Valley seeks to evade regulations, such as through the creation of cryptocurrency to bypass banking regulations, utilizing machine learning to avoid limits on discriminatory lending, and utilizing automation for money laundering. He said Silicon Valley needs to be sensibly regulated to create conditions of transparency for what data is being collected and what is being done with it.

Question & Answer

Consent

Sens. Jon Tester (D-Mont.), Catherine Cortez Masto (D-Nev.), Jack Reed (D-R.I.), Doug Jones (D-Ala.), Chris Van Hollen (D-Md.), and Crapo asked about GDPR consent standards and opt-in and opt-out clauses. Chase said the GDPR has specific requirements for privacy that are clear and easy to understand and individual rights focused on unbundling, agreements for legal basis, and higher individual consent standards. Ceglowski said there is no clarity in the notice and consent agreements or in the GDPR opt-in clauses, stating companies will continue to be deceptive under these laws. He recommended that opt-in clauses be implemented across the board for individuals and that companies provide visibility of data protection practices. Cline said the GDPR is a model that combines opt-in clauses for sensitive data and opt-out clauses, as well as the use of unbundling. He noted the popular uses of the rights to access, erasure, and opt-out for marketing, and said there is an uneven structure for the financial services industry under the GDPR for individual and company rights.

Data Ownership

Sen. John Kennedy (R-La.) and Brown asked about the concept of individuals owning their data and the GDPR’s approach. Ceglowski said it is too early to tell the impact of the GDPR, but there are layers to consider on the different types of data that can be observed and whether it is an individual’s or not. He said that another area to consider may be shadow data collection practices, such as what is done by Facebook. Chase said that as individuals become more aware, they are losing trust in the internet, and the question comes down to access. He said for data that is owned by the individual, it is important to have transparency about who is collecting it, why, how they intend to use it, and how it will be stored.

Regulation

Sens. Kyrsten Sinema (D-Ariz.), Brown, Jones, Cortez Masto, and Van Hollen asked about creating regulation that keeps pace with technology trends and privacy standards. Ceglowski said providing tools on the legal basis for credibility and implementing proper regulations would benefit customers and small business competition in keeping pace with the ecosystem. He suggested utilizing concepts from the California Consumer Privacy Act (CCPA) in addressing machine learning and automated growth. Ceglowski reiterated looking into behavioral and observational data practices to address shadow collection. Cline said that to achieve rights for consumers and innovation, the best approach forward is risk impact assessment, as it helps companies fix their vulnerabilities.

GDPR

Sens. Tina Smith (D-Minn.) and Cortez Masto asked about the effectiveness and challenges of the GDPR. Ceglowski said the GDPR is an important step for data privacy but lacks the concept of consent. Cline said the GDPR requiring data inventory and continuous risk assessment encourages transparency. Chase recognized the vulnerabilities of the GDPR for customer opt-out.

Equifax

Sens. Mark Warner (D-Va.), Elizabeth Warren (D-Mass.), Sinema, and Tester asked about the Equifax breach, what companies have learned from it, and whether the GDPR would have helped. Chase said the EU faces many data breaches as well, and while the GDPR does not prevent them, the law provides regulators with fining authority for violators of data protections. Cline said writing foolproof policies is difficult as hackers continuously change their tactics. Ceglowski said the breach shows there is no punishment for incompetence or not caring about the customer, and that the GDPR shows strong teeth in authority efforts.

Machine Learning

Brown asked Ceglowski to explain how machine learning is a basis for money laundering, to which Ceglowski replied it is due to opaque machine learning data feeding practices. He said without looking at the inner workings of human behavior, one can use the automated approach to circumvent restrictions.
