On September 10, 51 CEOs of some of the largest American companies sent an open letter (attached below) to leaders of Congress asking for a federal consumer data privacy law that protects consumers and “establishes a national privacy framework”. They also sent a Framework for Consumer Privacy Regulation (attached below) that gives a roadmap for such regulation. ZDNet first reported this development.

This is important because: The US currently regulates privacy state by state, with each state having a different privacy law. California is the only one with a Consumer Privacy Act, which will go into effect on January 1, 2020. At present, there’s no federal (national/central) framework for data privacy.

Who signed this letter? This letter was sent on behalf of Business Roundtable, a non-profit association that is made up of CEOs of some of the largest American companies across sectors. The signatories included: Jeff Bezos (Amazon), Michael Dell (Dell), Ginni Rometty (IBM Corporation), Ajay S. Banga (Mastercard), David Taylor (P&G), Keith Block (Salesforce) and Doug McMillon (Walmart).

Wipro was the only Indian company to sign, with Abidali Neemuchwala, CEO of Wipro, also a signatory.

What does the letter call for? A federal consumer data privacy law to provide protections for American consumers. Business Roundtable also attached a Framework for Consumer Privacy Regulation, which details the issues that a federal consumer data privacy law should address.

Key issues in the Framework for Consumer Privacy Regulation:

  1. Federal law on consumer privacy protection: Avoid status quo of state-by-state approach to regulating consumer privacy so that consumers don’t have to deal with conflicting, state-specific laws
  2. Consumer Protection: “Robust protections for personal data” that include clear rules about the “collection, use, and sharing of personal data” across industry sectors. Consumer protection focusses on right to transparency, consumer control, access and correction, and deletion.
  3. No interference with government activities: Such a national law should not interfere with government or law enforcement activities regarding personal data
  4. Definition of personal data: Notably, the framework excludes de-identified data and data in the public domain. Co-created or inferred data by companies is also not accorded any protection in this framework. Framework calls for defining categories of sensitive personal data.

Personal data: “[C]onsumer data that is held by the organization and identifies or is identifiable to a natural, individual person. This information may include but is not limited to: name and other identifying information, such as government-issued identification numbers; and personal information derived from a specific device that reasonably could be used to identify a specific individual”

  5. Accountability: Law must include accountability measures to ensure that laws are followed.
  6. Principles-based approach to privacy: Be technology neutral and “take a principles-based approach” so that companies can adopt privacy protections apt for specific risks. Law should not prescribe specific risk-based practices, or specific safeguards/tools against data breaches.
  7. Enable cross-border data flows and global interoperability: The framework calls for facilitation of “international transfers of personal data and electronic commerce” and for bridging differences between American and foreign privacy regimes.
  8. Enable competition: Focus on how/if small companies that do not process much personal data should be covered.

Who will enforce the national consumer data privacy law? As per the Framework, the Federal Trade Commission (FTC) should.

Whom was this letter sent to? It was sent to Senate Majority Leader Mitch McConnell, Speaker Nancy Pelosi, Senate Minority Leader Charles Schumer and House Minority Leader Kevin McCarthy. It was also sent to chairpersons and members of the Senate Committee on Commerce, Science and Transportation, and House Committee on Energy and Commerce.

Why send this letter now? This letter comes at a time when data breaches are becoming all too common and governments across the world are looking at how companies, especially technology companies, handle personal data. The FTC recently fined Facebook ($5 billion) and Google ($170 million) for committing privacy violations. 50 Attorneys General across the USA started an investigation into antitrust violations by Google. France approved a 3% digital tax on Big Tech firms. Even the Indian government is looking to tax non-resident Big Tech companies. This letter appears to anticipate a federal law, and is potentially a way for major companies across the United States to get a law implemented which is most profitable for them.