The debut of Europe’s sweeping new digital privacy law has some U.S. lawmakers — and a few American tech giants — raising the idea of importing some version of it to the United States.
Facing mounting pressure over its privacy practices, and with Europe’s General Data Protection Regulation going into effect Friday, Silicon Valley is scrambling to shape the policy discussion as it seeps across the Atlantic. Microsoft and the big cloud computing company Salesforce have both called for some kind of national privacy regulations, while IBM has talked about adopting voluntary industry standards that could head off government mandates.
Either way, many in the tech world say avoiding the subject is no longer a viable option.
“In the last six to 12 months, it’s become very clear that doing nothing could be the recipe for very onerous and cumbersome regulation,” Chris Padilla, IBM’s vice president for government and regulatory affairs, told POLITICO.
The debate is erupting as the tech industry has faced growing scrutiny in Washington during the past year and a half from both the left and right — over everything from social media's role in the 2016 election to the exposure of user data in the Cambridge Analytica case to the notion that Silicon Valley may be biased against conservatives. And as lawmakers get practice acting as a check on tech, regulation that once seemed highly unlikely suddenly seems somewhat more plausible.
A bill holding digital platforms more responsible for online sex trafficking, for example, once seemed even to some advocates like a longshot. But President Donald Trump signed it into law in April.
For any U.S. leaders interested in further clamping down on the tech industry, the European Union's new regulation provides a potential model to follow.
At its core, the complex GDPR strengthens citizens’ right to say how data about them can be used, giving them the power to correct, delete and freely move their information from one service to another. It’s enforceable through fines up to a whopping 4 percent of a company’s global annual revenue — penalties that could amount to billions of dollars for U.S. tech firms found to be violating its requirements.
Facebook, Google and other U.S.-based internet companies have to comply with the rule for their European users, but they have been fuzzy on how they will apply the restrictions in the U.S.
Facebook CEO Mark Zuckerberg told Congress last month that he supported “in principle” U.S. regulation enshrining the standard, established by GDPR, that users must proactively consent to the use of their data by internet companies. But shortly afterward, Zuckerberg said the American approach to privacy should reflect the United States’ “different sensibilities.“
Salesforce CEO Marc Benioff has perhaps been the most explicit in his remarks. “[I]t’s time for an American GDPR to protect consumers at home,” he tweeted last week. “This can be the foundation of trust between technology and customers. The European GDPR privacy law means Europeans have ownership and control of their personal data. Now we need one.”
And Microsoft got attention this week for saying that it will "extend the rights that are at the heart of GDPR to all of our consumer customers worldwide.” The software giant said it has long advocated for national privacy regulation, though it stopped sort for calling for the full importation of the European rules.
IBM has gone a different route. Rejecting the idea that GDPR and its top-down approach “should be simply grafted” onto the U.S. system, the company has floated the idea of voluntary industry standards that could win the backing of government and stave off regulation. It’s a similar model to the private-public framework on cybersecurity created after President Barack Obama floated the idea of regulating how private companies address threats to critical digital infrastructure.
Some in the tech industry say they've been prompted to action not only by Europe's moves, but by the erosion of user trust sparked by data scandals at Facebook and Uber, and the possibility of state-level rules like a consumer privacy ballot measure that's gained traction California.
But also lighting a fire under them to engage publicly, they say, is the fact that even politicians in Washington who have traditionally taken a hands-off approach to the tech industry are beginning to raise the specter of regulation.
Sen. Ed Markey (D-Mass.) told POLITICO in an interview last week that Americans, seeing Europeans' new privacy protections, are going to start demanding the same.
And on Thursday, Markey and colleagues Sens. Bernie Sanders (I-Vt.), Dick Durbin (D-Il.) and Richard Blumenthal (D-Conn.) introduced a Senate resolution "encouraging" companies to voluntarily apply the protections included in GDPR to Americans.
That might be expected talk for those Democrats, many of whom have long pushed for stronger consumer protection laws in the United States. But far more surprising — and concerning — to the tech industry is that it's starting to see the idea of regulation being raised by free-market Republicans.
House Energy and Commerce Chairman Greg Walden (R-Ore.), for example, raised eyebrows for saying, when asked about regulating tech at an event this year, "If responsibility doesn’t flow, then regulation will."
That sentiment was echoed by Senate Commerce Chairman John Thune (R-S.D.) during last month's hearing with Zuckerberg over the Cambridge Analytica controversy. Warned Thune: "In the past, many of my colleagues on both sides of the aisle have been willing to defer to tech companies' efforts to regulate themselves. But this may be changing."
Those in and around the tech industry describe recent rounds of meetings and calls aimed at figuring out to how navigate the new landscape.
“The overwhelming majority of our companies support the idea of protecting and advancing a fundamental right to privacy,” said Dean Garfield, president of the Information Technology Industry Council, which represents companies like Amazon, Apple and Facebook.
That said, he added, "They want to be thoughtful — certainly more thoughtful than GDPR — in figuring out how to do that in the United States effectively.”