Lawmakers divided over privacy and data-security legislation

Top federal agencies and many industry leaders may be united in their desire for national legislation to protect consumer privacy and prevent data breaches, but divisions over exactly how to do that were on full display at a Senate hearing on Wednesday.

The hearing was the Senate Commerce Committee's third on privacy and data protection, and the testimony largely rehashed well-known issues. But remarks by the panel's top members highlighted the dueling bills and jurisdictional fights that bedevil the debate over electronic privacy and security issues.

The committee's chairman, Sen. Jay Rockefeller, D-W.Va., fired the first shot, saying that his committee has jurisdiction over privacy legislation. The Commerce and Judiciary committees are jostling for jurisdiction, and have both held hearings on the privacy and data-breach issues.

Arguing that his panel has authority over electronic privacy and information protection, Rockefeller has introduced two pieces of legislation to combat the problem. But Rockefeller also faces competition on his own committee, where Sen. John Kerry, D-Mass., has proposed a wide-ranging consumer-privacy bill, while other members question the need for such legislation at all.

While promising to work together, Rockefeller and Kerry each argued the benefits of their often-overlapping or competing bills at Wednesday's hearing.

Rockefeller has introduced a measure that would require companies to notify customers when their information has been stolen. "There is broad consensus that federal data-security legislation is needed," he said. Representatives of Sony and Hewlett-Packard voiced their support for some kind of federal legislation during Wednesday's hearing, and the White House has also called for a data-breach notification law.

But Kerry said that such proposals are only one part of the problem.

"Data-security requirements alone do not give people the authority over how their information is collected or its use and distribution. Data security is just one piece of the privacy puzzle," said Kerry, who, along with Sen. John McCain, R-Ariz., has introduced a broader bill that includes a consumer privacy bill of rights. "While by no means perfect, the commercial privacy bill of rights stands alone as the only comprehensive, bipartisan proposal before the Senate."

Not part of the Kerry/McCain legislation? A "do-not-track" requirement that would allow consumers to opt out of online tracking by companies.

Rockefeller contends that do-not-track provisions are vital to protecting privacy, and he has introduced another, separate bill to establish such protections.

"This bill is based on a simple concept," he said. "With an easy click of the mouse, consumers can tell all online companies that they do not want their information collected. Under my bill, companies would be obliged to honor that request."

Although several major Web browsers include a do-not-track feature, Rockefeller said he knows of only one company--the Associated Press--that honors those requests.

Federal Trade Commissioner Julie Brill testified that her agency can now do little to stop companies from tracking users unless the companies have promised not to do so. She said that the FTC favors some kind of do-not-track mechanism, and that Rockefeller's bill appears to do the job.

Without taking a hard position on particular legislation, Brill said that the commission supports legislation that "would impose data-security standards on companies and require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach."

But Sen. Pat Toomey, R-Pa., questioned whether Congress was moving too fast on legislation that could have far-reaching effects on businesses and the economy.

"I think we need to thoroughly examine this issue and make sure we don't make a solution in search of a problem," he said. Toomey said that it is still unclear whether Congress, agencies, or businesses are best suited to determine privacy standards.

"I'm not sure we've considered the unintended consequences that would come from this legislation," he said.

And Thomas Lenard, president of the Technology Policy Institute, testified that there is not enough information to determine what kind of legislation is needed.

"The privacy and data-security debates are extremely important to the future of the digital economy and of innovation in the United States," he said.

"Unfortunately, they are taking place largely in an empirical vacuum. Without substantially better data and analysis, there is no way of knowing with any confidence whether proposals currently under consideration will improve consumer welfare."

Recent cyberattacks on Sony, Citigroup, and others, as well as controversies over targeted advertising and online tracking, have increased pressure for Congress to enact nationwide legislation. Capitol Hill has attacked companies over the pace of their responses to their data breaches.

On Wednesday, two subcommittees of the House Energy and Commerce panel--Commerce Manufacturing, and Trade; and Communications and Technology--announced a series of joint hearings on privacy issues.