[Senate Hearing 116-120]
[From the U.S. Government Publishing Office]


                                                       S. Hrg. 116-120


        PRIVACY RIGHTS AND DATA COLLECTION IN A DIGITAL ECONOMY

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                                   ON

EVALUATING CURRENT APPROACHES TO DATA PRIVACY REGULATION, INCLUDING THE 
     EUROPEAN UNION'S GENERAL DATA PROTECTION REGULATION, AND ITS 
                 APPLICATION TO FINANCIAL INSTITUTIONS

                               __________

                              MAY 7, 2019

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban 
                                Affairs
                                
                                


                 Available at: https://www.govinfo.gov/

                              __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
39-483 PDF                  WASHINGTON : 2021                     
          
--------------------------------------------------------------------------------------

            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
PATRICK J. TOOMEY, Pennsylvania      JACK REED, Rhode Island
TIM SCOTT, South Carolina            ROBERT MENENDEZ, New Jersey
BEN SASSE, Nebraska                  JON TESTER, Montana
TOM COTTON, Arkansas                 MARK R. WARNER, Virginia
MIKE ROUNDS, South Dakota            ELIZABETH WARREN, Massachusetts
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
MARTHA McSALLY, Arizona              DOUG JONES, Alabama
JERRY MORAN, Kansas                  TINA SMITH, Minnesota
KEVIN CRAMER, North Dakota           KYRSTEN SINEMA, Arizona

                     Gregg Richard, Staff Director

                Laura Swanson, Democratic Staff Director

                      Joe Carapiet, Chief Counsel

                Brandon Beall, Professional Staff Member

                 Elisha Tuku, Democratic Chief Counsel

           Corey Frayer, Democratic Professional Staff Member

                      Cameron Ricker, Chief Clerk

                      Shelvin Simmons, IT Director

                    Charles J. Moffat, Hearing Clerk

                          Jim Crowell, Editor

                                  (ii)


                            C O N T E N T S

                              ----------                              

                          TUESDAY, MAY 7, 2019

                                                                   Page

Opening statement of Chairman Crapo..............................     1
    Prepared statement...........................................    36

Opening statements, comments, or prepared statements of:
    Senator Brown................................................     3
        Prepared statement.......................................    37

                               WITNESSES

Peter H. Chase, Senior Fellow, German Marshall Fund of the United 
  States.........................................................     5
    Prepared statement...........................................    39
    Responses to written questions of:
        Senator Menendez.........................................    66
        Senator Cortez Masto.....................................    69
Jay Cline, Principal and U.S. Privacy and Consumer Protection 
  Leader, PricewaterhouseCoopers LLP (PwC).......................     7
    Prepared statement...........................................    52
    Responses to written questions of:
        Senator Menendez.........................................    73
        Senator Cortez Masto.....................................    75
Maciej Ceglowski, Founder, Pinboard..............................     8
    Prepared statement...........................................    56
    Responses to written questions of:
        Senator Menendez.........................................    78
        Senator Cortez Masto.....................................    79

              Additional Material Supplied for the Record

Letter submitted by Susan K. Neely, President and CEO, The 
  American Council of Life Insurers..............................    82
Letter submitted by Richard Hunt, President and CEO, Consumer 
  Bankers Association............................................    85
Letter submitted by Jim Nussle, President & CEO, Credit Union 
  National Association...........................................    89
Prepared statement of Rebeca Romero Rainey, President and CEO, 
  Independent Community Bankers of America.......................    90

                                 (iii)

 
        PRIVACY RIGHTS AND DATA COLLECTION IN A DIGITAL ECONOMY

                              ----------                              


                          TUESDAY, MAY 7, 2019

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:04 a.m. in room SD-538, Dirksen 
Senate Office Building, Hon. Mike Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. This hearing will come to order.
    On February 13, Senator Brown and I invited feedback from 
the public on the collection, use, and protection of sensitive 
information by financial regulators and private companies in 
light of the immense growth and use of data for a multitude of 
purposes across the economy.
    The Committee appreciates the insights and recommendations 
of respondents, who expressed a range of views on the topic of 
data collection, use, and sharing and how individuals can be 
given more control over their data.
    Building on that effort, today the Committee will look 
closer at the European Union's General Data Protection 
Regulation, or GDPR, and other approaches to data privacy, 
including the impact on the financial services industry and how 
companies collect and use information in marketing and 
decisionmaking related to credit, insurance, or employment.
    Providing testimony to the Committee today are three data 
privacy experts, including Peter Chase, Senior Fellow at the 
German Marshall Fund of the United States; Jay Cline, Privacy 
and Consumer Protection Leader and a Principal at 
PricewaterhouseCoopers (PwC) US; and Maciej Ceglowski--close 
enough?--Founder of Pinboard.
    Each witness brings a unique perspective on the practical 
implications of implementing and complying with new data 
privacy laws; what has worked and what has not worked to give 
individuals more control over their data; and considerations 
for the Committee as it explores updates to Federal data 
privacy laws within the Banking Committee's jurisdiction.
    My concerns about big data go as far back as the creation 
of the CFPB, which was collecting massive amounts of personal 
financial information without an individual's knowledge or 
consent.
    In 2014, the GAO reported that the Bureau alone was 
collecting information on upwards of 25 to 75 million credit 
card accounts monthly, 11 million credit reports, 700,000 auto 
sales, 10.7 million consumers, co-signers, and borrowers, 29 
million active mortgages, and 5.5 million private student 
loans.
    Consumers deserve to know what type of information is being 
collected about them, what that information is being used for, 
and how it is being shared.
    Financial regulators are not the only ones engaged in big 
data collection; private companies are also collecting, 
processing, analyzing, and sharing considerable data on 
individuals.
    The data ecosystem is far more expansive, granular, and 
informative than ever before.
    As the U.S. economy becomes increasingly digital, people 
are using the internet, including search engines and social 
media, mobile applications, and new technologies to manage and 
carry out more parts of their everyday lives.
    The digitization of the economy allows for seamless access 
to both more generalized and granular pieces of data on 
individuals and groups of individuals, including data 
collected, with or without consent, directly from individuals, 
tangentially to individuals' activities, or gathered or 
purchased from unrelated third parties.
    In particular, data brokers play a central role in 
gathering vast amounts of personal information--many times 
without ever interacting with individuals--from a wide range of 
public and private sources, which is then sold or shared with 
others.
    In 2014, the Federal Trade Commission issued a report 
entitled, ``Data Brokers: A Call for Transparency and 
Accountability,'' in which it highlighted data brokers' big 
role in the economy and concerns around their transparency and 
accountability.
    In many cases, an individual's data or groups of 
individuals' data is used in ways that provide value, such as 
risk mitigation, fraud prevention, and identity verification, 
or to meet the requirements of laws and regulations.
    However, in many other cases, that data can be used in ways 
that have big implications for their financial lives, including 
to market or to make decisions on financial products or 
services that impact a consumer's access to or cost of credit 
and insurance products, or in ways that impact their employment 
prospects.
    In any case, the way that an individual's or a group of 
individuals' data is used matters immensely.
    As its rightful owner, an individual should have real 
control over his or her data.
    A complete view of what data is collected, the sources of 
that data, how it is processed and for what purposes, and who 
it is being shared with is vital to individuals exercising 
their rights.
    People should also be assured that their data will be 
reflected accurately and have the opportunity to opt out of it 
being shared or sold for marketing or other purposes.
    In 2016, the European Union took steps aimed at giving 
individuals more control when it replaced a 1995 Data 
Protection Directive with the General Data Protection 
Regulation, or GDPR.
    The European Union's principles-based GDPR is broader in 
scope, applying to a more expansive set of companies, including 
some based in the United States, and more types of personal 
information than its previous directive.
    The GDPR also imposes specific responsibilities on both 
data controllers and data processors and enumerates rights for 
individuals with respect to their personal information.
    In contrast to the European Union, the United States has 
adopted Federal laws focused on data privacy within particular 
sectors.
    Two such Federal laws in the Banking Committee's 
jurisdiction are the Gramm-Leach-Bliley Act and the Fair Credit 
Reporting Act.
    Today I look forward to hearing more about the principles, 
obligations, and rights underlying GDPR and how those differ 
from the previous 1995 Data Protection Directive; how GDPR 
addresses data brokers and other companies that collect and 
disseminate personal information, often without an individual's 
knowledge, and the ways the Fair Credit Reporting Act may be 
adjusted to account for activities by such entities; challenges 
that U.S. financial institutions have faced in implementing and 
complying with GDPR; how financial institutions' privacy 
practices have evolved since its enactment; and how individuals 
have responded to this additional information and rights with 
respect to their data; whether individuals actually have more 
control over their data as a result of GDPR, and what the 
European Union did right and wrong in GDPR; and considerations 
for the Banking Committee as it looks to update and make 
improvements to Federal laws within its jurisdiction.
    Again, I thank each of our witnesses for joining the 
Committee today to discuss GDPR, data privacy, and individual 
rights.
    Senator Brown.

           OPENING STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Mr. Chairman.
    I am excited to be working in a bipartisan way with 
Chairman Crapo on protecting Americans' sensitive personal 
data--an issue everyone agrees is important.
    As we start to think about this subject, we need to do it 
with an open mind. Technology has advanced rapidly. We should 
have some humility to admit that we do not even know all there 
is to know about what happens when personal information is 
collected on a large scale. As it turns out, personal 
information can be far more than your name, address, and Social 
Security number. Sometimes harmless data, once it becomes big 
data, can reveal big secrets, as you have all pointed out in 
your testimony.
    Take, for example, a fitness tracking app that became 
popular among U.S. soldiers stationed abroad. Many of those 
service-women and -men tracked their daily workouts. When the 
aggregated fitness tracking information became public, heatmaps 
of common running paths revealed the locations of secure 
military facilities all over the world.
    Even when we agree that data is sensitive, we are often not 
good at protecting it.
    Most of us still remember the Equifax breach that exposed 
the detailed financial information of more than half the U.S. 
adult population--information that will remain useful to 
potential criminals for the rest of those 147 million 
Americans' lives.
    The Equifax case reminds us that we cannot fix this by just 
warning people they should share less personal data on the 
internet. People were not putting their Social Security numbers 
on Facebook. Equifax had collected data from various sources, 
and in many cases people were not even aware Equifax knew 
anything about them or had even heard of Equifax.
    There is a lot of data floating around that can be compiled 
and analyzed in creative ways to make shockingly accurate 
predictions about our lives.
    What you think of as your ``personal data'' is not limited 
to bank passwords and credit scores.
    As we learned several years ago, even if you do not have a 
Facebook account, Facebook builds a shadow profile of your 
activities and your interests and your preferences from 
digital, shall we say, bread crumbs spread by your friends and 
associates online.
    Sometimes you may not realize that data is being monetized. 
Businesses can pay to have Pokemon show up near them in the 
game, herding customers into their stores.
    There is a common saying that ``if you are not paying for 
the product, then you are the product.'' Services that appear 
free make money from your personal data.
    It is not easy for consumers to protect themselves. ``Buyer 
beware'' is not a particularly helpful warning since most 
people cannot afford to protect themselves by opting out of 
internet services just like they cannot opt out of banking 
services with arbitration clauses in them.
    In today's world, telling people to look out for themselves 
when it comes to protecting their personal data is about as 
useful as telling people to look out for themselves when it 
comes to food safety.
    We cannot tell people to avoid the internet and avoid 
having their data collected any more than we can tell people to 
stop eating dinner. We cannot abandon the people we serve when 
it comes to protecting them.
    If we do not take this seriously, a handful of big 
corporations and financial firms will continue to strong-arm 
customers into sharing their most intimate details.
    So in addition to talking about ownership and control of 
our data, I hope we can talk about where Government needs to 
step in and create rules about the appropriate uses of personal 
data, regardless of whether a customer opts in. And I hope we 
can talk about what kind of data should be collected and should 
not be collected and for how long it should be stored. This 
problem is not just important to our personal privacy; it is 
also critical to our democracy. As the Cambridge Analytica 
scandal demonstrated, a big enough pile of seemingly 
meaningless data can give a bad actor ways to meddle in our 
elections.
    The Banking Committee is responsible for one slice of the 
data ecosystem. I hope to work with the Chairman of Banking as 
well as the Chairs and Ranking Members of the other committees 
to set some commonsense rules on the use of Americans' 
sensitive personal data.
    Thank you all for weighing in.
    Chairman Crapo. Thank you, Senator Brown, and I appreciate 
working with you on this issue as well. It is critical to our 
country and to our American citizens.
    We will now move to the testimony. I have already 
introduced each of you. I ask you to please pay attention to 
the clock so you can keep your oral remarks to 5 minutes. We 
have got a lot of Senators who are going to want to ask 
questions, and so we would like to have adequate time for that 
as well.
    Let us go in the order I introduced you, and you may begin, 
Mr. Chase.

  STATEMENT OF PETER H. CHASE, SENIOR FELLOW, GERMAN MARSHALL 
                   FUND OF THE UNITED STATES

    Mr. Chase. Thank you so much, Chairman Crapo.
    Chairman Crapo, Senator Brown, Members of the Committee, 
good morning and thank you for providing me an opportunity to 
provide some perspectives on the European Union's General Data 
Protection Regulation--GDPR, as you have put it. My 
perspectives are based on over a quarter century of working in 
U.S.-European economic relations, including with the State 
Department, with the U.S. Chamber of Commerce, and now at the 
German Marshall Fund. My views obviously are my own.
    I was asked to provide an objective description of GDPR as 
background, content, and implementation. My written statement, 
which I request be made part of the record, provides more 
information on each of these.
    First, GDPR is in many ways unique given its context as a 
law of the European Union. The European Union was created to 
create peace in Europe after World War II, to integrate it. And 
the GDPR tries to bring together and find a unified basis for 
28 very, very different countries on how they approach data 
protection, and this is to preclude them from doing things that 
would actually block commerce.
    Second, I think it is important to remember that in the 
evolution of the European Union, privacy and data protection 
have become much more important over time, most importantly, I 
think, in 2009 when data protection was formally recognized and 
incorporated into EU law as a fundamental right.
    Third, it is also important to remember that while the GDPR 
was being considered, the Snowden revelations came out about 
NSA's ability to access data held by U.S. companies, and that 
fueled and added to the political dynamic in the European 
Parliament and member states.
    Although long, GDPR is simple. It lays out six principles 
that govern the protection of personal data in the European 
Union and derives from those a number of rights for individuals 
and obligations for those who have the data.
    The principles affirm that data of any identified or 
identifiable person, including an IP address, must be collected 
and used only for specified purposes; processed in a legal, 
fair, and transparent fashion; limited only to what is 
necessary for the specific processing purposes; accurate; 
retained only for as long as is required; and securely 
protected. Of these, one of the most important is the legal 
basis for processing data. GDPR Article 6 provides an 
exhaustive list of the legal grounds on which data can be 
processed: with the consent of the individual, of course, which 
must be freely given, informed, unambiguous, and specific; to 
perform a contract with the individual; to comply with the 
legal obligations spelled out in law; for the vital interests 
either of the individual or other individuals; for a public 
purpose, again, spelled out in law; and in the legitimate 
interest of the controller or a third party, as long as those 
interests do not supersede those of the individual. Legitimate 
interest is the one that is the most expansive in many ways.
    Under these principles, Article 9 also prohibits the 
processing of any sensitive personal information, including 
about racial origin, sexual orientation, health, political 
beliefs, and biometric information, unless one of 10 specific 
exceptions applies.
    These principles lead to the rights for the individual, 
including the right to transparency, which gets to all of the 
things both the Chairman and the Ranking Member mentioned in 
their opening statements, knowing who is collecting the data, 
what they are using it for, very importantly what the legal 
basis of any processing is, and how long it will be kept, who 
it is going to be shared with; access to the data that is held 
by companies; rectification, amendment, and even erasure; 
portability; and the right to object, including, very 
importantly, to automated decisionmaking and profiling that 
would be used for advertising and direct marketing.
    The principles lead to obligations on the companies, 
including that they have to facilitate all the rights noted 
above. They have to have a specific legal basis for any 
processing. They must use technical means such as protection by 
design to ensure that they minimize data use. They have to 
conduct data protection impact assessments if they are going to 
process large amounts of data, particularly sensitive data or 
other data, in a way that would affect the rights of 
individuals. They have to keep records. They have to provide 
appropriate security. And, of course, for many companies that 
do do a lot of data processing, they have to appoint a data 
protection officer.
    GDPR is not a year old, but companies have spent a billion 
dollars preparing for it over the past 2 years, not least 
because the maximum fine is 20 million euros or up to 4 percent 
of their global turnover. So far, very few fines have been 
levied. The most notable one is against Google in France. This 
is mainly because the GDPR data protection authorities are 
trying to help companies comply rather than punish.
    I have gone into some of the guidance documents that have 
been issued that have helped define some words like 
``contract'' and ``consent,'' ``legitimate interest,'' 
``automated data processing.'' Maybe we can talk about those in 
the question-and-answer period. But I thought also that it is 
important to note that GDPR gives organizations the right to 
bring--to raise inquiries into companies, and there has been a 
recent case, an inquiry against a lot of the data brokers, 
including some of the financial credit rating agencies, that 
was lodged in the United Kingdom in November and has not 
yet come out. But I think that in the end, it will take years 
before we have a really good sense of the impact of the GDPR. 
And there are some who argue that its prescriptiveness could 
stifle innovation to an extent. But I think that certainly 
companies whose business model is based on monetizing personal 
data, those are the ones that will probably have to take care.
    Thank you. I look forward to your questions.
    Chairman Crapo. Thank you.
    Mr. Cline.

STATEMENT OF JAY CLINE, PRINCIPAL AND U.S. PRIVACY AND CONSUMER 
         PROTECTION LEADER, PRICEWATERHOUSECOOPERS LLP (PwC)

    Mr. Cline. Chairman Crapo, Ranking Member Brown, and 
distinguished Members of the Committee, I appreciate the 
opportunity to appear today as the Committee considers privacy 
rights and data collection in a digital economy. As previously 
mentioned, my name is Jay Cline, and I am the U.S. Privacy and 
Consumer Protection Leader at PwC. I appear before you today on 
my own behalf and not on behalf of PwC or any client. The views 
I express are my own.
    My oral testimony today will highlight some of the 
observations contained in my written submission to the 
Committee on the experience of U.S. financial institutions with 
the EU General Data Protection Regulation. It is an experience 
marked by large-scale technical and organizational change to 
afford new privacy rights to EU residents in an evolving 
regulatory environment. It is my hope that my testimony will be 
useful to the Committee as it considers the collection, use, 
and protection of personally identifiable information by 
financial regulators and private companies in the United 
States.
    GDPR caused many U.S. financial institutions operating in 
Europe to undertake their largest-scale privacy program 
initiatives in two decades. Beginning after the ratification of 
the GDPR in April 2016, these initiatives often rivaled the 
scale of U.S. financial institutions earlier mobilizations to 
prepare for the Privacy Rule of the Gramm-Leach-Bliley Act and 
other related U.S. data privacy laws and regulations.
    I think it is worth noting that the GDPR's requirements are 
focused on individual rights and program accountability and do 
not introduce detailed information security specifications. It 
is more of a data privacy law than it is a security law, as we 
understand those terms in the United States.
    My written testimony provides more detail on lessons I 
learned helping financial industry clients implement privacy 
programs. I would like to take a few minutes to discuss some of 
those observations.
    Almost 1 year since the GDPR implementation deadline of May 
25, 2018, some top industry challenges identified for your 
consideration include completing a data inventory. To comply 
with the GDPR's record of processing requirement, U.S. 
financial institutions embarked on extensive projects to record 
details about thousands of applications, databases, devices, 
and vendors. These initiatives involved thousands of labor 
hours and in turn became the foundation for providing Europeans 
their new rights of data portability and erasure.
    Another top challenge of the GDPR was the 72-hour data 
breach notification requirement. A challenge for all companies 
was providing meaningful notifications to regulators within a 
relatively short period of time within which forensics 
investigations would normally still be underway. Sometimes, 72 
hours after detection of a potential incident, for 
example, there are more unanswered questions than confirmed 
facts.
    Two operational insights I have submitted for the 
Committee's consideration about the initial experience of U.S. 
financial institutions with the GDPR include:
    First, some privacy rights appear more popular with 
individuals than others. The GDPR provides eight privacy rights 
for individuals, but when European residents started to 
exercise their GDPR rights after May 2018, those most chosen in 
my experience generally were the rights to access, erasure, and 
objection to use for marketing.
    Second, a formalized data governance program is critical 
for data privacy success and forward progress. The GDPR 
emphasizes the need to have strong controls for personal data 
throughout its life cycle of collection, storage, use, 
disclosure, and deletion. Because personal data often moves 
horizontally across vertically structured financial 
institutions, there is a heightened need in the financial 
industry to identify data governance leaders and develop 
enterprise plans for data use that support privacy regulatory 
compliance.
    I would like to share for the Committee's consideration one 
major unanswered question many of the clients I serve are 
struggling to answer during their long-term planning 
initiatives. That question is: Will the GDPR become the global 
standard? To plan for a future where consumers around the world 
may generally expect the core rights of access, correction, and 
deletion, many U.S. financial institutions are redesigning 
their privacy organizational models and capabilities as a 
contingency.
    However the Committee chooses to address these difficult 
questions, I submit to you that the highest level of privacy 
protection in the digital age will result when both companies 
and consumers exercise their roles to the fullest.
    Thank you for your time, and I look forward to your 
questions.
    Chairman Crapo. Thank you very much.
    Mr. Ceglowski.

        STATEMENT OF MACIEJ CEGLOWSKI, FOUNDER, PINBOARD

    Mr. Ceglowski. Thank you, Chairman Crapo, and to the 
Committee for inviting me to speak today. My name is Maciej 
Ceglowski. I run a small online business called ``Pinboard,'' 
and I operate what in Silicon Valley is considered an extremely 
exotic business model. I take a small amount of money, $11 a 
year, for a useful service.
    As you know, in my world the economic basis of the internet 
is mass surveillance. We all have some sense of the extent to 
which our behavior is being constantly monitored, not just the 
data we provide to the services that we use, but the 
observations that computers make about us in every aspect of 
private and public life.
    This data is simply not regulated. As a tech person, I am 
not used to wearing a necktie. Putting mine on this morning, I 
saw that there was a small tag on the back of it. I realized 
that my necktie is better regulated than my entire industry. We 
collect this data. We have no transparency in what we do with 
it. And we are simply deceiving the American people because, as 
a technologist, I know that we lack the technical capacity to 
keep large collections of user data safe over time. And I think 
you have seen in the news the litany of data breaches year 
after year, time after time, whether from industry, from 
Government. It is simply easier to attack computer systems than 
it is to defend them, and that reality is going to hold for the 
foreseeable future.
    I worry that we are in the same position as the nuclear 
industry was in the early 1950s. We have an amazing new 
technology with real potential, but we are not being honest 
about the risks and our incapacity to store a wasteful and 
harmful byproduct for periods of time much longer than how long 
the companies storing them have existed. The last reactor in 
the United States was built in 1977, and the reason that we do 
not have new ones is in large part because we do not have the 
public trust.
    As a small businessman in a big industry, I worry that we 
are losing the trust of our users. It is hampering our ability 
to innovate because every time someone uses a computer service 
or product, they have to ask themselves: What am I giving away? 
Where is it being stored? And they are not getting clear 
answers. People are being asked to make irrevocable decisions 
about their online lives over and over again.
    The pattern that I have seen in my industry is one of 
deceit. We are not honest about what we collect, the uses we 
put it to, and we are ashamed, frankly, of our business 
models. I am not ashamed of mine. Like I said, I take a small 
amount of money, I provide a service, and if you do not like 
it, I refund your $11. But you will never get someone from 
Google or Facebook to speak honestly about what it is they are 
actually doing with our data and the uses they put it to. 
Instead, what Silicon Valley seeks to do is evade. They see a 
regulation, and they find a way around it. We do not like 
banking regulations, so we invent cryptocurrency and we are 
going to disrupt the entire financial system. We do not like 
limits on discrimination in lending, so we are going to use 
machine learning, which is a form of money laundering for bias, 
a way to blame mathematical algorithms for the desire to simply 
avoid rules that everybody else has to play by in this 
industry. And we see now that Facebook is about to enter the 
banking system again through the side door by releasing its own 
cryptocurrency.
    I worry about this because Silicon Valley has been a force 
of
dynamism. It is one of the great success stories of American 
capitalism, and we are putting it at risk right now by not 
having sensible regulation in place that creates the conditions 
for innovation.
    I came to the United States as a kid from communist Poland, 
and I remember calling my father sometimes, a very expensive 
phone call, and every few minutes it would be interrupted by a
recording that said, ``Rozmowy kontrolowane''--``calls are being 
monitored''--and that was the Polish Government informing us 
that the conversation was being 
listened to by the secret police. At least the Polish state had 
the courtesy to say that it was eavesdropping.
    [Laughter.]
    Mr. Ceglowski. We should at least give people that 
courtesy, have openness into what is being collected, what is 
being done with it, and give some sense of agency so that 
people no longer feel like their data is being extracted from 
them, and we can have new business models and a new flourishing 
again of innovation in an industry that was once famous for it.
    Thank you very much.
    Chairman Crapo. Thank you very much, Mr. Ceglowski.
    I will start out with the questioning, and there is so much 
to ask, I am only going to get a couple of my questions in. But 
I would like to start on the question of--I appreciate the 
description of the European Union's system as one giving rights 
to individuals and obligations to those who collect and manage 
data.
    With regard to the right, one of the rights that I think is 
most central is that people should be allowed to give consent 
to the use of their data. There is a lot of privacy consent 
requests going around in the United States, probably more in 
Europe, but I have had the experience of looking at the privacy 
statements that different companies or internet websites use 
where you give consent and agree to move forward. They are 
phenomenally long. They are incomprehensible. And when you do 
get to the actual parts of them that say what data is being 
collected, the description is, like, meaningless.
    One of the questions I have--oh, and some of them say, 
``You cannot go forward unless you agree,'' so you cannot even 
access the site unless you agree to something that is giving 
you virtually no information.
    How is it handled, is this issue handled--how is the 
consent required to be obtained in the GDPR? And how is that 
working? Anybody. Mr. Chase?
    Mr. Chase. There is a requirement to make sure that 
individuals know what information is being collected on them. 
There is a specific requirement that the descriptions of the 
privacy obligation be done in a way that is easy to understand, 
clear language, and I think that what they are trying to do is 
trying to say you can put it up front in very useful language, 
but then if people want to go deeper, they can, rather than 
being addressed with hundreds of pages of something that is 
incomprehensible. So they are talking a lot about the 
presentation.
    It is interesting, though, that the European Union, because 
it requires consent for each specific use, in a 
way you can get many more questions, but they are supposed to 
be clear. It is going to be interesting to see how all of that 
is balanced between them.
    One of the things about the requirement for specific, 
informed, unambiguous consent is that you are not meant to 
bundle things. So if you are entering into a contract with 
someone, you need to get permission to use or you need to tell 
them what information they need for you to objectively 
undertake that specific contractual purpose. You cannot tie 
that to also collecting information, by the way, to provide to 
data brokers. And it is interesting how that requirement for 
specific consent has been spelled out.
    Chairman Crapo. All right. Thank you.
    I will just use the rest of my time to follow up on this 
and invite anyone on the panel to respond to this. But you just 
kind of
referred to it, Mr. Chase, in your last comment. There are a 
lot of folks who collect data on individuals who do not 
actually interact with the individual. So, obviously, the 
individual is not being
provided a very clear, obvious consent opportunity. How is that 
issue addressed in the GDPR or how should we address that 
issue?
    Mr. Ceglowski. Senator, I went to visit a weather website 
from an EU IP address. I was asked to opt into 119 separate 
services and trackers.
    Chairman Crapo. I have had the same experience. Go ahead.
    Mr. Ceglowski. The consent requests become disempowering. I 
am an expert in the domain. I do not understand what I am 
consenting to, and I spent an hour reading all of the 
materials. So I think it is being used as a bludgeon against 
users and saying, ``Hey, you wanted regulation? Well, here you 
have it. Everything is less convenient.'' And I see it as a 
weapon by the people who really do not want their data 
practices to be closely examined.
    Chairman Crapo. OK. Mr. Cline, were you interested in 
commenting?
    Mr. Cline. Yes, Mr. Chairman. Thank you for the excellent 
question. In the GDPR, you see a model that you see in many 
privacy laws around the world where there is a combination of 
an opt-in and an opt-out approach, where the opt-in threshold 
is set for the most sensitive or important data processing. For 
example, the collection of sensitive personal data requires an 
explicit consent or the sharing with third parties for 
secondary purposes requires an opt-in consent. I think Mr. 
Ceglowski noted, in his written testimony, that 
even the opt-in approach has its limitations if you do not 
understand all of the things that you are reading.
    So what I think is useful and the model I personally like 
and advise clients on is like when you download an app on your 
phone, it asks you if you allow that app to access your 
contacts or track your geolocation. Even my kids understand 
this. I like how it is unbundled and presented in a short 
question. And so I think that is the challenge, is how to 
present these questions simply and understandably.
    Chairman Crapo. Thank you.
    Senator Brown.
    Senator Brown. Thank you, Mr. Chairman.
    Mr. Ceglowski, let me start with you. There is a concern 
that data collection does not just hurt individuals' privacy. 
You cite in your testimony a New York Times experiment, a sort 
of inadvertent New York Times experiment, and in light of 
recent reports, the entire staff of the New Orleans Times-
Picayune lost their jobs. We know what has happened to print 
newspapers around our country.
    Does the shift to targeted online advertising and data 
collection contribute to that decline?
    Mr. Ceglowski. I very much believe so. We had a business 
model for many, many decades where ads were targeted to 
content, and that was lucrative and fine. We had a show about 
Batman. They paid for the Batmobile with advertising that was 
targeted to content. They paid the salaries of the people on 
that production.
    As the targeting has shifted to individuals, we have seen 
that the money has started pouring into the ad networks first 
and ultimately Facebook and Google. It is a great shift of 
revenue away from publishers, and the New York Times experience 
shows what we suspected, that this is--publishers are better 
off without the targeted advertising.
    Senator Brown. It has not changed behavior?
    Mr. Ceglowski. Behavior by whom?
    Senator Brown. Behavior by the newspaper industry?
    Mr. Ceglowski. Very much so because the newspapers are now 
targeting--every article has metrics on it, so every time you 
publish something, you have to chase clicks, you have to chase 
eyeballs. It creates different incentives for reporters, for 
editors, and it takes away their power, the very basic power of 
the purse. Their revenue comes from an outside source, and they 
have to do whatever----
    Senator Brown. They change their behavior online, not 
change their behavior in print.
    Mr. Ceglowski. The print edition now follows the online 
edition, so the newsroom behavior is affected very much by the 
economics of it.
    Senator Brown. You said machine learning is money 
laundering for bias. Would you explain that?
    Mr. Ceglowski. That is correct, because machine learning 
algorithms are opaque. You feed them data, but then their 
behavior is not something that you can open the hood and look 
at the workings of and explain. It becomes a powerful way to 
circumvent restrictions. So, for example, if I wanted to lend 
only to women in their 30s who do not have a child and are not 
going to have a child, there are laws in place that prevent me 
from doing this directly, but if I can train a machine 
algorithm on enough data that it can identify those people 
without looking at any of the protected categories, I have 
effectively evaded the regulation, and my hands are clean if I 
do it in a clever enough way. So that is the sense in which I 
mean it.
    Senator Brown. GDPR focused on giving individuals ownership 
and control of their personal data. Is that working?
    Mr. Ceglowski. I think it is too soon to tell, and I would 
defer to the people who know more.
    Senator Brown. Anybody else? Too early? Mr. Cline? Mr. 
Chase?
    Mr. Chase. One of the things GDPR was supposed to do was to 
increase trust in the internet and, interestingly enough, trust 
in the internet has actually been going down since the 
implementation of GDPR, probably because people are becoming 
more aware of what companies do.
    So the question will be whether or not they start acting on 
that, and I think that there is some indication that they are.
    Mr. Ceglowski. I would say it is hard to trust foreign 
companies from the perspective of a European. Imagine how we 
would feel if every online service were provided by people from 
outside the United States, trying to regulate it and seeing it 
not regulated at home.
    Senator Brown. Mr. Ceglowski, one more question. Is there 
any entity, public or private, that has done a good job 
protecting people's sensitive data over a long period of time?
    Mr. Ceglowski. I think the closest we have seen to that is 
the IRS. However, even they, I believe, were infiltrated by 
Scientology at some point in the 1970s. I do not recall the 
details. But that is the best example I can think of. Basically 
highly regulated industries and Government have done the best 
job that they could, but even they have slipped.
    Senator Brown. A handful of huge tech companies have 
dominated the data collection landscape. Can regulation give 
small businesses the ability to compete with them?
    Mr. Ceglowski. Absolutely. Small companies in the sector, 
they cannot compete on price when things are free. They cannot 
compete on engineering when, you know, they are outnumbered. 
But they can compete on privacy very effectively. We need the 
tools, however, to be able to compete on privacy, and those 
tools include some legal basis for making credible commitments 
to customers. Right now we just have terms of service that can 
change at any time. But if there was a basis in law where I 
could commit to certain privacy practices and my users could 
believe that commitment because I would go to jail if I broke 
it, I think we would see a flourishing of innovation and 
privacy-friendly smaller companies.
    Senator Brown. Thank you.
    Chairman Crapo. Thank you.
    Senator Tester.
    Senator Tester. Thank you, Mr. Chairman and Ranking Member 
Brown, for having this hearing. Thank you all for being here 
very, very much.
    I think that some of you have pointed out, if not all of 
you, that the public trust is being lost, and I could not agree 
with you more, and it is somewhat distressing.
    I want to touch a little bit on the consent forms. I have 
the impression--and correct me if I am wrong--that the consent 
forms are complicated because there is an agenda behind them. 
They could be made much simpler if they wanted to. Is that 
correct? I am talking about the consent form to opt in or opt 
out on whether you want your information shared or utilized.
    Mr. Ceglowski. I believe part of the complexity is the 
extreme complexity of the middlemen intermediaries, data 
brokers, ad networks.
    Senator Tester. So let me ask you this: Why can't there 
just be a consent form at the beginning, similar to what I 
think Mr. Cline talked about, that just says, ``Will you allow 
me to use your information in any way that I want? Yes or no.''
    Mr. Ceglowski. That is the de facto state of affairs.
    Senator Tester. And so why isn't it that way? Why can't we 
regulate it to that effect? What is the downside of saying, 
``You know what? Your consent form statement is going to be 
clear,'' just like a pack of cigarettes, ``This will kill 
you,'' basically is what it says on it. Why can't we do the 
same thing with the internet, with the websites that we use, 
with the programs we use?
    Mr. Ceglowski. Because one aspect of consent is the ability 
to say no, and we really do not have that ability. Opting out 
of the online world is really not an option for anybody.
    Senator Tester. So what you are saying is even if they--in 
the consent form, if you had--if we required that at the very 
beginning, if you are working on--if you are utilizing Wells 
Fargo's bank account, it says, ``You cannot utilize this 
information except for me, my purposes,'' in other words, if I 
want to get on a website, I can, but you cannot export it to 
anybody else, that is impossible?
    Mr. Ceglowski. That is a very different question. They are 
only allowed to use the data for themselves.
    Senator Tester. Yes.
    Mr. Ceglowski. It is very different from the current----
    Senator Tester. Right. It would change the current system.
    Mr. Ceglowski. Understood.
    Senator Tester. Could it be done?
    Mr. Ceglowski. It would have an enormous impact on the 
online economy, but it could be done.
    Senator Tester. And so you think it would tank the online 
economy?
    Mr. Ceglowski. As currently built around collecting all 
information about everybody, yes.
    Senator Tester. OK, but would--I know, but does that mean 
it would tank the economy?
    Mr. Ceglowski. We would bounce back.
    Senator Tester. OK. That is better.
    Mr. Chase?
    Mr. Chase. You know, there is a lot of discussion about 
consent. In the GDPR, there is a difference between 
transparency, which the consumer should always know what is 
happening----
    Senator Tester. Right on.
    Mr. Chase.----and consent as a legal basis for processing 
data. So there are a number of different legal bases, and it is 
interesting because the data protection supervisors have 
basically said consent in some ways is the least useful way of 
doing it because it means that there are no other legal grounds 
for processing the data. And it was an interesting way that 
they put it.
    But getting back to Senator Crapo's earlier comment, when a 
company scrapes all my information off the internet and then 
creates something with it, they actually have to inform me--
there is a whole article about indirect collection and 
processing of data. They have to inform me that they are doing 
it either when they have collected it or when they, for 
instance, sell that information, sell my clients----
    Senator Tester. This is through the GDPR, you are talking 
about?
    Mr. Chase. Yes, that is correct.
    Senator Tester. And how do they inform you?
    Mr. Chase. They have to write to you and make a public 
announcement----
    Senator Tester. And what happens if you do not like it?
    Mr. Chase. Particularly if it is being used--you can 
object. You can object to the data processing----
    Senator Tester. And did they stop it then? Does that stop 
it from being shared?
    Mr. Chase. If they do not stop, then they have to--then 
they are liable to fines.
    Senator Tester. All right. So this is for anybody who wants 
to answer it. There were a couple breaches that were pretty 
high profile, in Target and Equifax. Would the outcome of--I do 
not know if you are familiar with them or not, and if you are 
not, that is fine. But would the outcome of those situations 
have been different here if GDPR had been--if something like 
GDPR had been implemented?
    Mr. Chase. Just very briefly, Europe has lots and lots of 
data breaches as well. The existence of GDPR does not stop it. 
But if companies----
    Senator Tester. Has it reduced it? Or has it not been in 
effect long enough to know?
    Mr. Chase. Actually, reports of data breaches have been 
going up because people are over-interpreting the requirements 
of the law.
    Senator Tester. Well, I have got a whole bunch of stuff on 
this. I have just got to tell you that I am really, really, 
really old school. In fact, when I get out of this job, this 
baby [indicates phone] is going away, OK?
    [Laughter.]
    Senator Tester. Because I do not like people tracking me on 
it, and I say ``Do not track me,'' but I am not sure that has 
any effect. I do not like when I use a website that I get 
telephone calls from telemarketers on something entirely 
different, which is total B.S. And I just think we have got 
to--the point that was made that we are losing the public trust 
is critically important. I think the internet can be used to do 
some marvelous things and is being used to do some marvelous 
things. But I think there are other people out there--and their 
names have already been mentioned--that are using it to make 
themselves into billionaires, and I get no benefit from it. All 
I get is the nuisance of all this B.S.
    Thank you.
    Chairman Crapo. Thank you, Senator Tester.
    Senator Warner.
    Senator Warner. Thank you, Mr. Chairman and Ranking Member 
Brown.
    Before Senator Tester leaves, I think, you know, you have 
hit on the right things. But the first-party consent alone is 
not going to get it done. I would argue that particularly some 
of the social media platform companies use levers of 
psychological manipulation that would blow you away no matter 
how clear-cut your first consent form is. So I have got 
legislation with Deb Fischer called ``The DETOUR Act,'' which 
basically looks at the dark patterns and the tools these 
platforms use to psychologically manipulate. The 17 arrows 
pointing at ``Click here, I agree,'' and you can never find 
``Unsubscribe'' is the most kind of basic notion. And we do 
need some rules of the road in this space and some guardrails, 
I would argue. This would be de minimis, a starting point.
    Your questions to Mr. Chase, GDPR would not stop the 
negligent behavior of Equifax. The fact that we are almost 2 
years after Equifax, 150 million Americans' personal 
information out there. They took a small dip in the stock 
price, and that there has not been a penalty paid in terms of a 
fine is outrageous. The fact the stock has recovered and this 
is being built into the cost of doing business--and the FTC is 
going to come out a little bit later, sometime over the next 
couple of weeks, and do a few billion dollar fine on Facebook. 
Facebook makes $18 billion a quarter top-line revenue. If we do 
not find a way to put some rules of the road in place--you 
think you are getting hosed now?
    Senator Tester. I know I am getting hosed now.
    [Laughter.]
    Senator Tester. The problem is there has got to be some way 
to stop it. And, by the way, psychological warfare is one 
thing, but it is tough to do that when there is not a lot of 
psychology----
    Senator Warner. Well, let us go with Mister--your last 
name, sir, again?
    Mr. Ceglowski. Ceglowski, sir.
    Senator Warner. And for the whole panel, but one of the 
things that makes me crazy is that a number of individuals 
think, ``Oh, gosh, Facebook, Twitter, Google, they are free.'' 
They are not free at all. They are giant sucking sounds, 
sucking personalized data out from each and every one of us, 
and then marketing that to a whole series of entities. I know 
there are people that are grossly concerned about what the 
Government knows, but if the KGB had had the kind of data 
collection tools that Facebook and Google and Twitter have, the 
Soviet Union would have never fallen because they would have 
been able to have that level of control. And they will shortly 
have this level of control in China because the Chinese 
Communist Party does scrape the information from Alibaba, 
Baidu, Tencent, and a host of other companies most of us have 
not heard of.
    So starting with you, sir, is there not a way, if we put 
requirements in place, that we could have--I am going to give 
you three notions.
    One, shouldn't our data be portable? As a former old telecom 
guy, it used to be really hard to move from one telco to 
another until we did number portability. Shouldn't we have data 
portability? We are tired of Facebook? Shouldn't we be able to 
pick up and move all our data in an easily usable form to 
another platform?
    Two, shouldn't we have a right as a consumer to actually 
just know what data points are being collected on us on a 
regular basis and easily access that?
    And, three, because I want to make sure I get everybody on 
the panel to respond, shouldn't we know--and this is kind of 
the Holy Grail, but I think they will end up giving you the 
data points. But the Holy Grail is we should know what that 
data, our personal data, how much that is worth on a monthly or 
quarterly basis to a Facebook, a Google, or a Twitter. And they 
will say they cannot give you that. Baloney. We have got 
documents that show that. But shouldn't we be able to know 
portability, what the data points are, and data valuation?
    Mr. Ceglowski. Being able to download data, absolutely, we 
should have that right.
    Portability is a tricky issue in a situation where you have 
an oligopoly because what you will have is you will have 
companies like Facebook that dominate a market, they will just 
suck the rest of the data in, and they will find ways to 
undercut anybody----
    Senator Warner. Well, portability along with 
interoperability, because you do not want to then be unable to 
communicate with people who are on the previous platform.
    Mr. Ceglowski. I think in principle it is a great idea, but 
it can lead to further concentration.
    And then finding out where the money is coming from, these 
free services that have lavish headquarters, I would love to 
know what the real Facebook business model is----
    Senator Warner. Or how much your data or my data--yours may 
be worth 15 bucks a quarter, and mine may be worth 12.
    Mr. Ceglowski. At what point does it go ``ka-ching,'' I 
would love to know that.
    Senator Warner. Well, part of it would be that would also 
potentially allow people to disintermediate because there might 
be a business proposition.
    Mr. Chairman, could I get the other two to answer? And I 
will not say another word.
    Chairman Crapo. Yes, please do answer. I want to know your 
answers. But we need to keep moving.
    Mr. Cline. Senator Warner, thank you for your question. I 
think it gets to the heart of the issue. From my experience 
helping primarily banks and insurance 
companies get ready not only for GDPR but laws around the 
world, I have seen some commonalities go in the direction that 
you indicated. So, for example, the GDPR, the California 
Consumer Privacy Act, the Fair Credit Reporting Act, and other 
privacy laws around the world do share one thing in common: 
giving people a right to access their data. GDPR and CCPA also 
share a right to delete data. And the financial institutions 
that I serve that are operating globally are making contingency 
plans for the day when people worldwide will expect these 
rights, whether or not they are legally required in the 
jurisdictions where they live. So there is a customer 
experience question that the clients I serve are dealing with.
    Mr. Chase. I have nothing further to add. It has been 
pretty much covered.
    Chairman Crapo. All right. Thank you.
    Senator Warren.
    Senator Warren. Thank you, Mr. Chairman.
    So companies like Equifax vacuum up and profit from 
mountains of sensitive data, including Social Security numbers, 
passport numbers, driver's license numbers, and there is no way 
for consumers to say, ``No, thanks. Leave me out of this.'' You 
need a credit report to buy a home, to rent an apartment, even 
to get a job nowadays.
    So consumers also cannot withhold the information. Banks 
and other companies send it directly to credit report agencies, 
which package it together and then sell it for a profit.
    So 20 months ago today, Equifax announced that hackers 
broke into the Equifax treasure trove and ransacked it. The 
hackers stole personal and sensitive information for almost 150 
million people. So, Mr. Ceglowski, millions of American 
families are struggling to figure out how to protect their 
identities in the wake of this hack. My office issued a new 
report showing that Equifax-related complaints to the CFPB have 
nearly doubled since the breach was announced, but data like 
birth dates and Social Security numbers cannot be changed 
easily in order to thwart the scammers or identity thieves. Is 
there any way to actually put consumers back in the position 
they were in before the hack?
    Mr. Ceglowski. No. That ship has sailed, and it holds even 
more for the OPM hack, where very sensitive questionnaires 
about people with security clearances were leaked. That is 
going to have an impact for decades.
    Senator Warren. OK. So once the data has been stolen, 
families are vulnerable to identity theft basically forever. My 
office launched an investigation a week after the breach was 
announced and found that Equifax routinely failed to patch 
known cybersecurity vulnerabilities, including the one that was 
exploited by the hackers in this breach 20 months ago. The 
company also failed to segment data into different systems, 
meaning that once Equifax's outward defenses were breached, 
hackers had access to almost everything.
    Mr. Cline, you advise a lot of companies on cybersecurity.
Are these the types of practices that you would expect to see 
at a company like Equifax that holds huge troves of sensitive 
data?
    Mr. Cline. Senator Warren, I appreciate your question. My 
experience is in helping financial institutions build the 
privacy controls and privacy rights for laws like GDPR and not 
so much on cybersecurity. But it is my experience that writing 
a foolproof privacy policy is difficult because hackers keep 
changing their tactics. The company----
    Senator Warren. I am sorry. The question was just pretty 
simple. You know, they did not patch known vulnerabilities, and 
once you got in, you could go through the whole thing. Is that 
what you would expect from a company like Equifax or any 
security company that has this kind of sensitive information? 
Is that what you think is best practices?
    Mr. Cline. I think the companies I have seen have the most 
success preventing breaches are those----
    Senator Warren. That is not the question I am asking. The 
companies that have the most success preventing breaches are 
those who do a better job. The question I am asking is: Did 
Equifax follow best practices here?
    Mr. Cline. I----
    Senator Warren. I will take that as a no. You are saying 
that it was--so let us think of it this way. It does not 
surprise me that Equifax is not doing this. For companies like 
Equifax, hardworking Americans are products. They are revenue 
sources, bundles of information to sell. And it does not matter 
if the customers get hurt. As long as the consumer data are 
still there and they can sell it, Equifax will keep doing fine. 
And unless companies actually take a financial hit when there 
is a breach, there is no incentive for them to invest in 
cybersecurity.
    So we are now a year and a half out from the Equifax 
breach, and what has happened financially to Equifax? According 
to Bloomberg, the company suffered ``no major defections'' of 
clients and within a year of the breach was on track to make
record profits. Equifax's revenue went up by over $200 million 
in 2017 and went up by another $50 million in 2018. And the 
Federal agencies that have jurisdiction over the breach, the 
FTC and the CFPB, have done nothing. Equifax put nearly half of 
American adults at risk of identity theft for potentially the 
rest of their lives, and they got away with it.
    I have a plan to change that. Senator Warner and I are 
reintroducing the Data Breach Prevention and Compensation Act, 
which will impose mandatory penalties on credit reporting 
agencies for every piece of data they lose and will compensate 
the victims. The bill will also give the FTC new tools to help 
keep data safe.
    The only way the credit reporting agencies are going to 
adequately invest in cybersecurity is if we make it too 
expensive for them to ignore, and Congress should pass our 
bill.
    Chairman Crapo. Senator Smith.
    Senator Smith. Thank you very much, Chair Crapo and Ranking 
Member Brown. And I want to thank all of you for being here, 
especially thank my colleague from Minnesota, Mr. Cline, for 
joining us today. I appreciate that.
    So, you know, as I listen to this, it just seems so clear 
that this system, this business model, is set up for the 
benefit of the data and tech companies, and our personal data 
is basically fuel for this incredible money machine that has 
been created. And the GDPR is attempting in Europe to set up 
some guardrails to protect how that data gets used and what 
people know about their data, yet it seems that that is sort of 
layered on top of a system that exists for the benefit of 
making tons of money off of people's personal data.
    And so my question is: First of all, if the GDPR were to 
become the global standard, do you think that that would solve 
our challenges here? And I know you think it is a little too 
early to say, but do you think that that is going to fix this 
issue for us?
    Mr. Ceglowski. I would say that the GDPR is an important 
step, but it is not adequate basically because of this problem 
of consent. How do you consent to something that you do not 
even understand?
    Senator Smith. Right.
    Mr. Ceglowski. How can you withhold consent in a world 
where you have to be online? So I think that is the challenge 
that the GDPR does not address.
    Senator Smith. As somebody said, you know, it has created 
more friction, I think, for the user, but fundamentally it is 
just--I think you said it is like this baroque system of 
consent that is completely confusing to everybody. Mr. Chase?
    Mr. Chase. GDPR recognizes that direct marketing is 
legitimate, but it does create, I would say, frictions in a lot 
of how that is done, and it does create a very strong ability 
for customers to opt out of it--not to opt out of advertising 
per se, because it is advertising that brings in the revenue, 
but to opt out of personalized advertising. And so I think that 
that distinction is interesting.
    Senator Smith. So what if we were to set up a system that 
actually put privacy--you know, either a system that allowed 
for companies to compete on privacy or required them to compete 
on privacy, what would that system look like?
    Mr. Ceglowski. One very effective place to begin is to put 
limits on the amount of time that you can retain data. So if 
you are hoovering up everything in the world about people, at 
least do not store it permanently. That reduces the chances of 
a breach, and it means I can try your service without knowing 
that forever, for my lifetime, you will have my location or 
keep recordings of what I said into the home microphone that 
you sold me.
    Senator Smith. So a lot of that is around how long you save 
the data, and that would be a system that rewards protecting 
privacy. What would be some other things that we could do? 
Anybody.
    Mr. Cline. Senator Smith, it is an honor to meet you in our 
Nation's capital. I can point to two things that I have seen in 
operation that have moved things in a positive direction as a 
result of the GDPR. The GDPR elevated two industry best 
practices to the status of regulatory requirements: completing 
a data inventory and conducting privacy impact assessments.
    Now, these things are not seen by consumers, but they are 
happening in the background, and they are necessary in order to 
provide privacy rights. I encourage my clients to do these two 
things whether or not they are legally required because they 
are so essential for giving transparency and having control 
over the data they have.
    Senator Smith. OK. Thank you.
    I want to just switch to another topic which I think is 
really interesting. Mr. Ceglowski, you talk about how tech 
startups in the highly regulated areas of health, finance, and 
banking, how they should be required to compete on the same 
regulatory footing as established businesses in those areas, 
and so think about the data privacy laws that are required 
around HIPAA, for example, yet you note in your testimony how 
machine learning can identify based on people's images on 
Instagram whether or not they are likely to be suffering from 
depression, and what they do with that learning is not guided 
by HIPAA. The same issue arises in another category, financial 
services, where machines can decide whether or not you are 
eligible for a loan, but you do not have the same credit 
protections.
    What should we do about that? Where does that lead you in 
terms of what steps we ought to take?
    Mr. Ceglowski. I think the issue here is that those 
protections were determined by democratically elected 
representatives. They represent years of effort and thought, 
and they are being circumvented by people who are accountable 
to no one. So introducing accountability, so that regulation 
about how machine learning is used does not come from 
idiosyncratic founders but is actually part of the regulatory 
conversation, is important. But that principle that you do not
get to go around regulation you do not like I think is a vital 
one.
    Senator Smith. It is essentially a fundamental question of 
fairness.
    Mr. Ceglowski. Yes.
    Senator Smith. Thank you.
    Thank you, Mr. Chair.
    Chairman Crapo. Senator Cortez Masto.
    Senator Cortez Masto. Thank you, and thank you, Mr. 
Chairman and Ranking Member, for this conversation. I really 
appreciate it.
    Let me just follow up on some of the conversation of my 
colleagues. The Gramm-Leach-Bliley Act and the Fair Credit 
Reporting Act are two data privacy-focused Federal laws under 
our jurisdiction right here that we are talking about. My 
understanding is the privacy provisions of the Gramm-Leach-
Bliley Act are really based on two things--notice and choice--a 
model which we have said is ineffective. Would you all agree 
at this point in time that there needs to be more done than 
just a notice and choice model? Just for the panel members, yes
or no. Let us start here, Mr. Chase.
    Mr. Chase. Looking from the GDPR point of view, they would 
say that it is nowhere near effective enough.
    Senator Cortez Masto. Thank you.
    Mr. Cline?
    Mr. Cline. My job is to help companies operationalize 
whatever Congress and the States deem is best for the American 
people.
    Senator Cortez Masto. OK.
    Mr. Ceglowski. I would say yes.
    Senator Cortez Masto. Yes, it is effective enough, or no, 
it is not?
    Mr. Ceglowski. Yes, it needs to change. It is not 
effective.
    Senator Cortez Masto. It needs to change, right. And so you 
would all agree--let me ask you this: Would you all agree that 
the rules for the financial sector should be the same as every 
other broader business in the economy as well? As we address 
this issue with respect to data privacy and security, they 
should all be treated equally, including the financial sector? 
Mr. Chase, yes or no.
    Mr. Chase. No. If you want my personal opinion, just for--
--
    Senator Cortez Masto. Why should the financial sector be 
treated differently?
    Mr. Chase. The GDPR, which is what--I am trying to come in 
from the point of view of what the European law requires, and 
the European law provides an omnibus law for everything, so it 
provides in a way a minimum. But there can be additional 
requirements for some information. And there is a difference, I 
think, here between types of information and--focusing on types 
of information or focusing on institutions. I think the GDPR 
focuses on the type of information more than just the 
institution and its location.
    Senator Cortez Masto. OK. Mr. Cline?
    Mr. Cline. Senator, I do not have an opinion on that 
question.
    Senator Cortez Masto. OK.
    Mr. Ceglowski. I do not understand financial regulation 
enough to give a qualified answer.
    Senator Cortez Masto. All right. Thank you. So let me ask 
you this: Would you all agree that what we are trying to 
achieve here requires a comprehensive approach to addressing 
data privacy and security--that is what I am hearing? Would you 
all agree with that? Is that a yes?
    Mr. Ceglowski. Yes.
    Mr. Cline. Yes.
    Senator Cortez Masto. Yes? OK. So let me ask you a couple 
of things. If we were looking at doing some sort of data 
privacy legislation, would you support having it require 
entities to practice reasonable data minimization? Would you 
support that? Yes or no.
    Mr. Ceglowski. Yes.
    Senator Cortez Masto. Mr. Cline?
    Mr. Cline. I can tell you from my observations in serving 
companies that have been working to implement GDPR that data 
minimization is a foundational principle for their programs.
    Senator Cortez Masto. That is yes. Thank you.
    Mr. Chase?
    Mr. Chase. Yes, and what he said about minimization 
requirements under GDPR.
    Senator Cortez Masto. OK. And would you also agree that 
anything that we come up with must be for a legitimate business 
or operational purpose and must not subject an individual to 
unreasonable privacy risk? Yes or no.
    Mr. Ceglowski. ``Legitimate'' is the loaded word there.
    Senator Cortez Masto. OK. Mr. Cline?
    Mr. Cline. Again, I think from the European perspective, 
where legitimate interest is a foundational principle now under 
GDPR, the clients that I serve are operationalizing that 
principle.
    Senator Cortez Masto. Mr. Chase?
    Mr. Chase. That is the approach the Europeans took, and 
sometimes I wonder if they were actually--if they did not need 
a better problem definition.
    Senator Cortez Masto. OK.
    Mr. Chase. What was the problem they were trying to solve?
    Senator Cortez Masto. That is helpful. Thank you.
    What about this? Would you agree that data practices may 
not discriminate on the basis of protected characteristics, 
including political and religious beliefs? Yes or no.
    Mr. Ceglowski. That is a foundational American value.
    Senator Cortez Masto. That is a yes.
    Mr. Ceglowski. That is a strong yes.
    Senator Cortez Masto. Thank you.
    Mr. Cline?
    Mr. Cline. Yes.
    Senator Cortez Masto. Mr. Chase?
    Mr. Chase. Of course. That is current law.
    Senator Cortez Masto. Thank you.
    Now--and I have only got a few minutes left--let us talk 
about the consent piece, because I think that is our biggest 
challenge. And I hear what you are saying in the conversation 
today.
    What about this? What if we were to look at kind of a 
bifurcated approach here and we had two things: one, we allowed 
entities--required entities--to provide users with reasonable 
access to a method to opt out of data collection, processing, 
storage, or disclosure; but we also required affirmative opt-in 
consent in two circumstances: one, collecting or disclosing 
sensitive data, such as genetic, biometric, or precise location 
data; and, two, disclosing data outside the context of the 
consumer relationship, as I talked about earlier. Are we 
getting closer to addressing the consent concerns that you 
raised earlier?
    Mr. Ceglowski. I think given the realities of machine 
learning, you can no longer talk about some data being 
sensitive and other data not, because you can reconstruct the 
sensitive data from the other stuff. So opt in across the board 
is what I would urge.
    Senator Cortez Masto. Opt in across the board for 
everything.
    Mr. Ceglowski. For everything.
    Senator Cortez Masto. OK. Anybody disagree with that?
    Mr. Chase. Yes, I disagree.
    Senator Cortez Masto. OK. Why do you disagree?
    Mr. Chase. Because I think that there are a lot of 
processes that are undertaken that are not intrusive and that 
do not affect a person but can be useful for a company or the 
data processor or controller. And, also, I think that there is 
a question of the difference between inferred data and actual 
data. And, to be fair to the technologists, not 100 percent of 
their inferences are right; that is one of the problems, in 
fact--they are sometimes not as good as they like to make 
themselves out to be.
    Senator Cortez Masto. Thank you. I notice my time is up. 
Thank you so much. I appreciate it.
    Chairman Crapo. Senator Kennedy.
    Senator Kennedy. Thank you, Mr. Chairman.
    Do any of you disagree with the proposition that if I go on 
the internet and generate data that I own my data? Does anybody 
disagree with that?
    Mr. Ceglowski. I do disagree.
    Senator Kennedy. You do. OK. Well, I think I own it. I 
think I have a property right in it. I have a right to license 
it. Let us take Facebook, for example. When I go on Facebook, 
in return for giving up all my data rights, I get to see what 
my high school friends had for dinner Saturday night. I
think I still own my data. That is my opinion, anyway. But I 
license it to Facebook.
    Problem number one, it seems to me, is the user agreement--
not to pick on Facebook. Their user agreement has been 
improved, but for the longest time you could hide a dead body 
in there and nobody would find it.
    Why don't we just require social media companies to write 
user agreements in plain English? Would that help with the 
problem?
    Mr. Ceglowski. I think that that user agreement would just 
say, ``We are taking all your data. Yes or no.''
    Senator Kennedy. Well, I think we can do better than that. 
Maybe you cannot, but I think most people can.
    Would a clearer user agreement help, gentlemen?
    Mr. Chase. The European approach would say yes, there has 
got to be a clear agreement, but more than that, there are 
limitations on the data that can be collected and----
    Senator Kennedy. I understand that, but I want to take 
this----
    Mr. Chase.----and how it can be used.
    Senator Kennedy. I want to take this--well, let me just put 
it this way: What if we just passed a law that says, number 
one, I own my data, I have a property right to it. Number two, 
I have the right to license it, but it has to be knowing and 
willful. Number three, the user agreement through which I 
license it has to be written in plain English so that a person 
of average intelligence can understand it. Number four, I have 
the right to change my mind about licensing it. Number five, I 
have the right--and the social media companies can do this by 
just putting a simple icon on their platform. I have the right 
not only to know what data the social media company has about 
me, but the analysis, their analysis of that data. Number six, 
or wherever we are, I also have the right to know what the 
social media company is doing with my data. Number seven, I 
have the right to transfer my data. And, number eight, I have 
the right to be notified immediately if my data is breached.
    Now, what if we just did that? Isn't the problem solved?
    Mr. Ceglowski. It comes back to the ownership of data. If I 
am part of a group conversation, who owns that conversation? Is 
it just me? Is it evenly split between participants? That is 
the part that I stick on.
    Senator Kennedy. I understand. We just disagree on that. 
Mr. Cline?
    Mr. Cline. So I help companies write some of those privacy 
notices that are long and difficult, and I can say that the 
goal is to be extremely precise and detailed for the purpose of 
being very transparent and I can understand----
    Senator Kennedy. No, it is not. The purpose is not to be 
transparent. The purpose is to cover the rear end for the 
social media company. You and I both know that. Let us not kid 
each other.
    Mr. Cline. I approach that part of my job with that goal of 
transparency.
    Senator Kennedy. Well, you are paid by whom?
    Mr. Cline. My firm.
    Senator Kennedy. Who is your firm--who is your firm's 
client? You are paid by your client, aren't you? Isn't your 
client the social media company?
    Mr. Cline. I focus in the financial services industry.
    Senator Kennedy. Are you telling me that when the user 
agreements are written, the main purpose of the user agreement 
is not to protect the social media company? Is that what you 
are saying?
    Mr. Cline. Senator, as a private----
    Senator Kennedy. Is that what you are saying?
    Mr. Cline. That is not what I am saying.
    Senator Kennedy. OK, good. Because if you believe that, you 
will never own your own home because it is just not true. Go 
ahead.
    Mr. Cline. In the privacy profession, I think privacy 
notices are widely seen as a contract between the company and 
the individual.
    Senator Kennedy. I agree with that. Would my idea work, 
Mister--I am sorry. I cannot see that far. Peter?
    Mr. Chase. Chase.
    Senator Kennedy. Mr. Chase.
    Mr. Chase. Thank you very much, Senator. You put too many 
things in there at one time. The question of ownership I think 
is a different issue than access. The Europeans are trying to 
make a clear distinction between ownership and access, because 
I think that not all property rights come from all knowledge 
about me. Indeed, a lot of the public--a lot of information 
about me is in the public domain. It is public. It is not owned 
by anyone.
    But more to the point, your point that companies must 
clearly tell customers, people, what they do with the 
information, who they share it with, all of that is something 
that the Europeans push for. Further, I think one of the things 
they also try to emphasize is the need to minimize the data 
collected and that the data is collected only for the purpose 
that is necessary. They would argue--they do argue, in fact, in 
papers--that it is not in your legitimate interest to vacuum up 
all the information that you can find about me.
    Senator Kennedy. Well, I will end on this note. I was in 
Brussels not long ago with our Chairman, and we had a meeting 
with a lot of the folks who are implementing the European 
Union's General Data Protection Regulation. They do not know 
what is in it. They do not know what is in it, and the people 
who have to comply with it do not understand it. It is a mess. 
I just think we need to aim for something simpler.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Reed.
    Senator Reed. Well, thank you, Mr. Chairman, and I must 
associate myself with many of the comments by Senator Kennedy. 
I thought he was very thoughtful and got right to the heart of 
the matter, so thank you.
    Let me commend you all for your testimony. I was 
particularly impressed with Mr. Ceglowski's testimony, its 
eloquence and its thoughtfulness. One of the rules of thumb 
that I learned in the Army was, ``Keep it simple, stupid.'' And 
there might be three ways in which we can deal with this issue, 
reflecting some of the comments before: first, require opt-in 
so people get the choice from the beginning whether they are 
going to give their data, because, like Senator Kennedy, I 
believe people own their data, particularly sensitive data; 
second, as has been suggested, forget the data after a certain 
period of time, 6 months, a year, whatever is reasonable--
probably closer to 6 months than a year; and, third, give 
people the right, if their rights are violated, to go to court 
and demand redress.
    Now, that is a pretty straightforward solution which I hope 
will address this. I think our tendency is to get into nuanced 
regulatory directives that are taken by agencies and further 
nuanced until they are a fine powder and not a strong 
protection against privacy violations.
    So first let me go to Mr. Ceglowski. Your comments?
    Mr. Ceglowski. I definitely agree that much of the language 
around regulation is intentionally obfuscatory. People do not 
want to show how the sausage is made, to what extent data is 
being used. I do think there is a degree past which we cannot 
simplify these things. For example, it is fine to say I own my 
data, but if you can reconstruct everything you want to know 
about me by looking at my friends, by looking at their 
behavior, then to what extent is that now your data or is it 
still mine because it is identical? Those are the kind of 
things that I think make it difficult to regulate here. But I 
welcome any attempt at simplification.
    Senator Reed. It seems to me that you are exactly right, 
but if, for example, your data expires, it disappears in 6 
months, and your friends' data disappears 2 months after that, 
it is hard to--and, in fact, we have to take--I think what you 
are suggesting, we have to take a further step. The synthetic 
data created, the second-stage data created by this merger of 
data, that, too, has to be, you know, eliminated. Because I 
think you are exactly right. What the companies will do is 
create their models of the person's behavior and projections 
and then
claim it is not the person's data, it is this synthetic data we 
have created. So that is in addition to what we should do.
    Mr. Cline, your thoughts?
    Mr. Cline. Senator, I think the model that you have 
proposed is the trend that we are seeing worldwide, even 
outside the United States and Europe in countries like Brazil. 
And the clients that I serve are preparing for these trends, 
this very simple model.
    Senator Reed. Interesting, because your comments before, 
Mr. Cline, were that they are preparing for these trends, 
anticipating them, and also are expecting to still profit from 
their business. Is that correct?
    Mr. Cline. The clients I serve are primarily for-profit 
companies.
    Senator Reed. Many times we get this, ``You cannot do this 
because it will ruin the internet. We will have to charge 
exorbitant fees. No one will get access to it.'' You know, 
there is a lot of weeping and gnashing of teeth about how 
terrible it is going to be, this is a free platform, et cetera, 
when, in fact, these commonsense approaches can be adapted to a 
profit-making enterprise that will still be significantly 
profitable. Is that your view? Thank you.
    Mr. Chase?
    Mr. Chase. It is understandable--and it was certainly the 
case in Europe--that when people were regulating, they were 
focusing just on the large social media companies. But the 
people who are involved in the internet and this ecosystem are, 
of course, everyone. I have done a lot of work in
the energy area. The energy system is becoming highly 
digitalized. When you are regulating, in order to keep it 
simple, you also have to realize that there are many different 
issues and applications of data.
    Second, in terms of retention, going directly to that, if I 
am a member of Facebook, I want them to remember everything 
that I have had on there forever. I want that record. They are 
my custodian of my life. So----
    Senator Reed. You want that record until they bring up your 
conviction for drunken driving when you were 17 years old. That 
is when you say, ``I did not want that''----
    Mr. Chase. Obviously, you feel that you should have the 
right to change the record that you have created. But I think 
that the point here is that--is it that they have the 
information or is it how they use the information and 
specifically if they use it toward targeting advertising or 
targeting messaging? And I think that this goes to the point I 
made earlier about not always having a clear problem definition 
in Brussels when they were doing the GDPR.
    Senator Reed. I think it also goes to--and let us be 
honest--the capacity of Government. If we try to go and 
anticipate all the myriad ways in which these companies can use 
information and regulate it, we will be in a disaster. I think 
we have to have simple rules--they work pretty well--that can
be enforced effectively.
    One other caveat I will make, because this is a very 
complex issue, is that I can anticipate some areas, for 
example, if you are following a group of children who have a 
pediatric disease, you probably want that data to stretch over 
many, many, many, many years because that is where you will 
find out what the effects are. And in that case, you can carve 
out an exception, which they would have to agree to, which 
presumably they would because they are in the trial. But it is 
a lot different than the purchases you are making, the 
locations you are driving to, things like that which are being 
woven together in very intricate ways. You know, the way--
again, we cannot anticipate some of the ways that this is being 
done, but locations are being coordinated so they can put the 
right sign up to advertise Adidas on the highway because they 
know there are, you know, crowds and crowds of 30-year-olds 
going to their high-tech companies that way every day. You are 
not going to put, you know, old people's medicines on that 
billboard. It is Adidas.
    So I think we have got to take a very simple but very 
effective--we have got to do it soon. We are running out of 
time. So thank you.
    Chairman Crapo. Thank you.
    Senator Jones.
    Senator Jones. Thank you, Mr. Chairman. And thank you to 
the witnesses for coming here.
    Just to follow that up a little bit, Mr. Ceglowski, this 
whole thing about inferences, a world of inferences, and 
everything that Senator Reed was talking about, are we actually 
having the wrong conversation? If all companies, if all they 
need is publicly available data, are we really having the wrong 
conversation here? And what impact does this have on the 
European Union and other jurisdictions? Have they addressed 
this issue? And what can we do? Because that just seems to be a 
different issue than disclosure, because this is publicly 
available stuff.
    Mr. Ceglowski. The power of inference does not come from 
the publicly available data. It comes from behavioral data, the 
incidental data, the observations about what you clicked on, 
where you were at this time of day, who communicates with you--
all of this digital exhaust that our lives produce, which is 
then collected and tabulated. So it is only available to the 
very large tech oligopoly companies that can store it and mine 
it.
    Senator Jones. So going back real briefly--well, no, let me 
change directions a little bit and use some of that as well as 
this. What is to prevent or how can we prevent--there was a 
question a minute ago about discrimination, and I know all the 
laws. I mean, I follow them, I have practiced, and I tried to 
enforce them as a prosecutor and as a private lawyer. We have 
got laws about doing this. But as a practical matter, it still 
exists, and it exists every day. And in some instances, it is 
getting worse.
    What can we do in this whole realm of data collection to 
try to ensure that people--whether it is businesses or 
whoever--do not collect this data and use it in a way that 
discriminates against Americans, or whatever, puts them in a 
protected class and then uses that data to discriminate? How 
can we prevent that? Anybody. Mr. Chase?
    Mr. Chase. We have laws on the books here in the United 
States now against discrimination in many, many respects. You 
do not necessarily need to see the inside of how the algorithm 
is working to look at the outcomes of decisionmaking. And 
often, I think probably many of the cases you were involved in, 
it was looking at the outcomes of the decisions that created 
the presumption, actually, that discrimination was going on.
    Senator Jones. Yes, but looking at the outcomes is not the 
prevention. I mean, that is maybe a deterrent if you do some 
things. I am talking about trying to prevent discrimination to 
begin with.
    Mr. Chase. You know, I think the Europeans tried very hard 
not to stop artificial intelligence, AI, machine learning, all 
of these things. They were trying instead to much more narrowly 
focus on how you use profiling, whether or not there is 
automated decisionmaking, because some things you cannot stop. 
I would argue that humans are pretty biased in many respects, 
too, and so it is not just the agent. You really do have to 
look at what the outcome is.
    Senator Jones. All right. Anybody else?
    Mr. Cline. Senator, some of the clients I am working with 
that are furthest ahead in their thinking on data ethics are 
putting in place tools and processes--for example, policies and 
ethical impact assessments. Before they deploy a new machine 
learning or artificial intelligence capability, they will bring 
in a mathematical scientist to look at the algorithm and 
identify whether it could have a disparate impact. So I am 
seeing some examples of tools that could address that.
    Mr. Ceglowski. I would just say that the bias is always in 
the data. The mathematical techniques being used are simple and 
well known; it is the data where the patterns that get surfaced 
live. I think we need better visibility. I think we need strict 
limits on data retention. And we especially need research. We 
need access for people to be able to look and see what the 
impacts of these algorithms are, and nobody knows that. It is 
not just a question of people trying to do end runs around 
regulation. We genuinely do not know how this will affect 
society.
    Senator Jones. All right. Thank you all.
    The last thing I want to ask, how do we stop--how can we 
prevent a company, Facebook--Senator Kennedy talked about 
Facebook and not picking on Facebook. It could be anybody. And 
the end user agreements, and we have talked a lot about the 
disclosure. And I tend to agree with Senator Kennedy that my 
data is a basic property right that should be protected. But I 
have also got a lot of other rights that should be protected, 
like the right to a trial by jury--and every day in this 
country somebody buying a new car has to give up that right in 
order to get that new car. Every day somebody gets employed, 
and they are having to give up the right to a trial by jury and 
go into arbitration.
    My question is: How can we stop that? How can we stop 
Facebook or anyone else from saying if you want to get on 
Facebook, as are the billions of people around this world, you 
have got to give us your data and let it go? How do we stop 
that if they want to do that?
    Mr. Ceglowski. We pass laws.
    Senator Jones. We have passed laws about a number of 
things, but if the Supreme Court will allow forced arbitration 
on things, there are always ways to get around the laws. Is 
there a way to adequately stop that from happening if you look 
at the historical precedent?
    Mr. Ceglowski. I am not able to answer that at this time.
    Senator Jones. That is my biggest concern, that if we pass 
these laws and we do these things like that, then all of a 
sudden somebody will go around and big companies and big 
businesses will be able to do whatever the heck they want to 
do. So thank you.
    Thank you, Mr. Chairman. Thank you, Ranking Member Brown.
    Chairman Crapo. Senator Van Hollen.
    Senator Van Hollen. Thank you, Mr. Chairman. Thank you all 
for your testimony. I have not been here for the whole hearing. 
I was at another hearing. So forgive me if I am plowing old 
ground.
    But it seems to me as we look for what kind of structure or 
law we want to apply in the United States, we should look first 
to other countries that have implemented it, and so the GDPR is 
obviously something important to look at and see whether it is 
meeting its goals. We also have the California law.
    So a very quick question to all of you, because we have had 
a lot of discussion about opt in/opt out. What has the 
experience been so far in Europe with this law, which is 
designed to give consumers rights? Are people exercising those 
rights, or are they deciding, look, I really need to use this 
system so much that I am going to opt in, not opt out? I am 
curious about your observations on how this law has been 
implemented so far and how it is working.
    Mr. Chase. Speaking more generally, it really is too soon 
to tell because some of the big cases that are coming through 
and a lot of the discussion has been about data brokers and 
decisions made by the--there have been complaints filed, but 
they have not been adjudicated. There has been guidance 
provided, but it is not yet there.
    I think that there has been some belief that the data 
inventorying and data hygiene practices that companies have 
undertaken have been useful in and of themselves. There clearly has
been a lot of increase in people's awareness of their data. 
Those parts are good. But at the same time, as I mentioned 
earlier, in part because of that, some of the mistrust of the 
internet has also gone up, and I think that that is natural.
    Senator Van Hollen. Are we finding people exercising their 
rights in terms of the choices they are given or not so much?
    Mr. Cline. Senator, I can tell you what I have seen 
operating in the day-to-day trenches. GDPR gives about eight 
rights to consumers, but when we look at the logs, the ones 
that are most exercised are the right to access, the right to 
erasure, and the right to opt out of marketing. These requests, 
though, are falling in an uneven way across the financial 
services industry. So those financial services companies that 
have the direct relationships with the consumers, like direct 
insurers or retail banks, are feeling it the most, with perhaps 
thousands of those requests so far in the first year. Those in 
commercial banking or reinsurance on the back end sometimes may 
have received fewer than 100 of these requests in the first 
year. So it is an uneven story so far, 11-1/2 months out.
    Senator Van Hollen. Got it.
    Mr. Ceglowski. I would say consumers are seeing a lot of 
benefit from the work being done internally to protect data. 
Part of finding out where data is in the system means making it 
safer. So I think there is a lot of internal reform that will 
have a long-term impact.
    Europe is in the strange position of trying to regulate 
from across the Atlantic Ocean. The main tech companies are all 
here in the United States, and so we have seen them move lots 
of data out of the European Union. There is a lot of evasion of 
the GDPR that makes it harder to evaluate its impact.
    Senator Van Hollen. So, really quickly, are you all 
familiar with the California law?
    Mr. Ceglowski. Yes.
    Senator Van Hollen. So is there anything in the California 
law that is not in the GDPR that you think that we should look 
at as a positive thing or vice versa? Just to each of you, 
comparing the two, strengths and weaknesses, as we look to 
different models.
    Mr. Ceglowski. It is very hard to say with the GDPR because 
so many issues are still open to interpretation, especially 
around automated decisionmaking. I do not think that is in the 
California law, but I think that should be a strong focus. But 
it is hard to know what the decisions are going to be.
    Mr. Cline. When we look across the world's privacy laws and 
then compare those to California's new law, the one provision 
that does stand out is the prevention of--or the requirement 
for nondiscrimination.
    Senator Van Hollen. OK.
    Mr. Chase. I do not know enough about California.
    Senator Van Hollen. Got it. All right. Thank you, Mr. 
Chairman. I appreciate it.
    Chairman Crapo. Thank you.
    Senator Sinema.
    Senator Sinema. Thank you, Mr. Chairman. And thank you to 
our witnesses for being here today.
    Arizonans want to access the modern technological 
conveniences that make our financial lives easier, like online 
banking and apps for budgeting and for small finance. This 
technology helps Arizonans be more fiscally responsible in 
their everyday lives, plan and save for the future, and invest 
for retirement or help their kids go to college. But more than 
most, as Arizonans we value our privacy. Sometimes we just want 
to be left alone.
    So I am committed to finding a thoughtful solution that 
protects fundamental privacy rights while ensuring continued 
access to the financial technology that makes life easier and 
better for Arizona families.
    So with respect to privacy, it frustrates me that we still 
have not had a legislative response to the Equifax data breach. 
It affected nearly all of us, and yet Congress actually did 
nothing to tighten the Fair Credit Reporting Act and prevent 
another breach of our privacy.
    Most people do not know that credit bureaus have a great 
deal of information about us, even before we apply for our 
first credit card or our student loan. We do not affirmatively 
consent to give that information. So I have a few questions 
about credit bureaus.
    Mr. Ceglowski--did I say that correctly?
    Mr. Ceglowski. Close enough.
    Senator Sinema. Well, sorry. Thank you for being here. When 
examining the relationship between credit bureaus and consumers 
under current U.S. law, would you say that consumers are more 
like the customer or more like the product?
    Mr. Ceglowski. With respect, I do not know enough about 
credit bureaus to be able to answer you.
    Senator Sinema. OK. So what challenges does this 
relationship pose for individuals who are dealing with identity 
theft or financial fraud? And what rights conferred under GDPR 
could be helpful to consumers here?
    Mr. Ceglowski. I think the Equifax lesson to everybody else 
is that there are no consequences to data breaches, that you 
can act with impunity. I think that is a very dangerous lesson 
to send. The GDPR at least has quite long teeth that it can 
sink into offenders, and I think that would be desirable in any 
regulation here, to be able to actually punish these kinds of 
blatant acts of either incompetence or just not caring about 
your customers.
    Senator Sinema. Thank you very much. You know, this issue 
matters a lot to me because of an Arizonan I know named Jill. 
Her daughter was a victim of synthetic identity theft, so this 
is the type of theft that occurs when criminals use a stolen 
Social Security number with little or no history on it to open 
bank accounts or credit cards under a new assumed name.
    So the initial record is typically rejected, but once that 
denial occurs, a synthetic person is created, one that does not 
actually exist, and that synthetic person can be used to open 
up credit cards and other accounts, and they often rack up 
significant debt.
    In 2011, someone did this to Jill's daughter, so last year 
we teamed up with Senator Scott of South Carolina and passed a 
bill called the ``Protecting Children from Identity Theft 
Act.'' Our bill was signed into law last May, and so we are 
following its implementation. What our law does is strengthen 
the Social Security Administration's ID verification regime by 
modernizing it so it can be used for everyday financial 
transactions. We also called on SSA to cut through red tape 
that prevented Jill's family from getting a fresh start for 
their daughter.
    So there is more to do because these kinds of financial 
crimes targeting our most vulnerable are becoming more 
prevalent with every data breach, and I hear from Arizonans 
every day about how they feel helpless and overwhelmed when it 
comes to protecting their privacy, safeguarding their finances. 
This is particularly true for seniors and those raising 
families. So we want to ensure that consumers have greater 
control of how their data is used and effective recourse should 
there be a breach.
    So I would like to hear from all three of you: Do you think 
it is possible to keep our credit scoring system in the United 
States that has generally served us well over the years to make 
sure that Americans can get mortgages, buy cars, build their 
financial futures, but also advance some new commonsense 
reforms that protect people's privacy in a way that they are 
not currently protected?
    Mr. Ceglowski. Let me start by saying that many of the 
functions that credit reporting offered are now moving into the 
unregulated area of the online economy. So you are seeing 
Silicon Valley companies that have much bigger collections of 
personal data that are able to make decisions that have similar 
effect. For example, landlords now want to see people's 
Facebook accounts. So I welcome strengthening the regulations 
around credit reporting, and I think they should be extended, 
in a similar spirit, to where those functions are practically 
being applied.
    Mr. Chase. Did you want to----
    Mr. Cline. Senator, I do not have personal experience in 
the credit reporting industry, but the companies I have served 
who have had the most success preventing data breaches and 
identity theft are those that conduct regular risk assessments 
and fix the vulnerabilities that they find.
    Mr. Chase. If I may, I wanted to mention this earlier: 
Equifax actually has paid a fine, at least one that I know of, 
but that was in the United Kingdom--500,000 pounds, I believe. 
That was the maximum allowed under the old law. The data breach 
provisions in the General Data Protection Regulation could mean 
a much higher fine. Also, there are other things that the 
regulator can do, including forbidding someone from doing data 
processing. That is point number one.
    Point number two----
    Senator Sinema. Just to that first point, a fine is an 
important part of compensation, but what it does not do is 
increase privacy for consumers.
    Mr. Chase. I agree. The second thing, one of the points 
that you made in your opening remark, Senator, it would not be 
allowed under the GDPR for someone to say, ``Here is a 
financial service''--you enter into a contract for a financial 
service--``and, oh, by the way, you have to sign this too 
because I want to be able to use all the data I can from you 
and use that separately.'' It is interesting to me that some of 
the credit reference agencies are also agencies that are very 
much in the data brokering and reporting businesses. I find it 
interesting, although I am not sure--I think that there is a 
wall between the information.
    Senator Sinema. Thank you.
    Thank you, Mr. Chair.
    Chairman Crapo. Thank you. And that concludes the 
questioning, except that Senator Brown and I would like to 
ask--Senator Brown will ask the question. We have a joint 
question.
    Senator Brown. And any of you can answer, but particularly 
if you would, Mr. Ceglowski. Your back-and-forth with Senator 
Jones was a bit unfulfilling because you were sort of talking 
in different ways. He was asking you to sort of take up our 
profession for a minute and tell us what to do legislatively. 
Obviously, we do not expect legislative language from you. What 
should Congress do? How do you regulate without stifling 
innovation? Take as long as you want and just kind of give us--
fairly briefly, but give us your thoughts on what we actually 
prescriptively should do.
    Mr. Ceglowski. Absolutely. So----
    Senator Brown. One more thing. I think that there is enough 
agreement here--you could see it from Senator Kennedy, you 
could see it from Senator Crapo's and my comments--that, unlike 
some issues on which we have had greater differences, this is 
something we can really do. So instruct us, if you would.
    Mr. Ceglowski. Absolutely. Well, I would say first that 
this seems to be a rare bipartisan opportunity where we can 
really kind of speak with one voice about what should be done 
to improve things.
    I mentioned before data retention and putting lifetimes on 
it. There is something deeply inhuman about saying that 
something you did haphazardly one day is going to be kept 
forever in a computer system that you do not have any 
visibility into. I think we need to bring humanity to how data 
is retained. As one example, Google has now announced that they 
are going to allow people to delete location data after 3 or 18 
months, proving that it is not really necessary to their 
business model to have this forever. I think that should be the 
default state of affairs, that things are forgotten unless you 
specifically ask for them to be remembered. You do not want 
Facebook deleting your wedding pictures, but you do want them 
deleting what your search queries were 7 years ago. Nobody 
needs to remember that.
    I think there is an aspect in which we can have positive 
regulation where we create a legal basis for making credible 
commitments about privacy. So, for example, my company, I do 
not offer third-party tracking. I do not sell people's data. I 
would like to be able to promise that in a way that my 
customers can believe.
    We had the example a few years ago of Snapchat, an 
application that let you send videos that would disappear after 
you viewed them once. It turned out they did not really 
disappear. It turned out they were collecting all kinds of 
location data when they said they were not, and they got a slap 
on the wrist. If that slap on the wrist were much more than 
that, if people could go to jail for willful fraud, if people 
could face stiff fines, then we could compete on the basis of 
privacy, including small companies competing against the 
giants. So I think that is a second important way.
    And then, finally, visibility. We have no visibility right 
now into what is being collected. Things like Facebook shadow 
profiles, if you are not a member of the site, what exactly do 
they know about you? What do they get from data brokers? How 
does the advertising economy work? All of these are things that 
we cannot regulate until we have at least some sense of how 
they work under the hood. And I think one of
the key steps toward visibility is this idea that if you are a 
user of a site, you should be able to get all of the 
information that that site has on you. You should be able to 
make that request like under the GDPR and receive an answer 
that is not 6,000 pages on a CD or whatever it is that people 
used to get from Facebook when they made this request, but 
something intelligible so that people can begin to understand 
what is being stored, and then we can start to have a 
conversation about how to limit that or how to make it--at 
least make its use safer.
    Chairman Crapo. Do either of the two of you want to 
respond?
    Mr. Chase. Just very quickly, I think that the United 
States has a particular opportunity to learn from Europe's 
experiences with the GDPR. So in this sense, maybe not having 
the first-mover advantage is not the worst thing.
    I think once again I will just reiterate that it is 
important to bear in mind what problem you are trying to solve. 
It is not all data and all uses and all functions. But that is 
what the GDPR covers. You need to be able to say, ``What are 
you trying to do in this case?'' And I think that that goes for 
your mention of retention, that different--data can be used 
differently, and sometimes different retention requirements 
make a lot of sense. If you are talking about a social media 
platform, maybe it is different.
    Finally, I think on the innovation part that you asked, 
Senator Brown, there are a lot of people who talk about the 
requirements of GDPR as putting a burden on small firms, that 
it is harder for them to comply. And I think that there is some 
truth to that. I think that there is also--in GDPR they have 
tried to make that less burdensome, but they also recognize 
that small firms, too, can have very sensitive data and can be 
a source of real grief for individuals if that data is out. So 
I think you have to regulate small firms, but the enforcement 
regime that GDPR creates is much more risk-based; it is much 
more directed toward companies that have lots of data and do 
lots of processing, and that makes a certain sense.
    And, finally, Mr. Cline has mentioned a number of times the 
data protection impact assessments. There is a lot there, I 
think, that can be looked at and learned from.
    Chairman Crapo. Mr. Cline, did you want to add anything?
    Mr. Cline. A tool I have seen companies use to balance and 
achieve both goals--consumer rights protection as well as 
encouraging innovation--is the impact assessment. You know, the 
employees of the clients we serve all want to do the right 
thing, and they are presented with competing goals: How do we 
innovate? How do we achieve the business purpose in a way that 
impacts privacy the least? These impact assessments document 
the rationale and the thinking and help get everybody on board 
in balancing those competing goals.
    Chairman Crapo. Well, thank you. And, Mr. Ceglowski, your 
answer has prompted one more question from me, and I would just 
toss this out to see if any of you could briefly respond to it. 
When you mentioned the shadow files that in this case Facebook 
creates, those are files being created, I assume, without any 
connection with the individual whose data is being utilized, 
and the information has been collected elsewhere. If an 
individual knows that that data is being collected in that way, 
then I guess they could be given a right by the law to demand 
that that stop or be identified or made transparent. But it 
seems to me that that could be happening and is happening in 
many, many different circumstances and in different ways.
    How does the individual know in order to opt out?
    Mr. Ceglowski. My understanding is that we simply do not 
have that right now, and we do not have the visibility. I might 
be wrong. I am not an expert.
    Chairman Crapo. Mr. Chase?
    Mr. Chase. I draw your attention to Article 14 of the GDPR, 
which I mentioned previously. There are obligations. For 
Facebook in that sense to do a synthetic personality on someone 
in Europe, they would essentially have to tell that person that 
they are doing it. And there are three specific times when they 
have to do it. If they are doing it internally and they are not 
doing anything with it, that is one thing. But if they start 
taking that information and providing it to third parties for 
advertising and direct marketing, then that would be 
problematic. But the article itself has fairly detailed 
requirements about what needs to be disclosed to any individual 
when they are doing profiling work on individuals without 
having gotten the information directly from the individual 
himself or herself.
    Chairman Crapo. Thank you. So does the GDPR require that 
any time a company sells an individual's data that the 
individual be notified that it is being utilized in that 
fashion?
    Mr. Cline. It requires their consent, so more than a 
notification.
    Chairman Crapo. All right. Thank you.
    Again, I want to thank each of the witnesses for coming 
here and sharing your insights as well as your written 
testimony, which will be made a part of the record. As you can 
see, there is a lot of not only bipartisan but strong interest 
here in getting this issue resolved, and we appreciate--I 
suspect you will get some more questions from us, and to the 
Senators who wish to submit questions for the record, those 
questions are due to the Committee by Tuesday, May 14. And we 
ask each of the witnesses if you would respond to them as 
promptly as you can.
    Again, we thank you for your efforts on our behalf to be 
here and to give us your insights, and this hearing is 
adjourned.
    [Whereupon, at 11:51 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO
    On February 13, Senator Brown and I invited feedback from the 
public on the collection, use and protection of sensitive information 
by financial regulators and private companies in light of the immense 
growth and use of data for a multitude of purposes across the economy.
    The Committee appreciates the insights and recommendations of 
respondents, who expressed a range of views on the topic of data 
collection, use and sharing and how individuals can be given more 
control over their data.
    Building on that effort, today the Committee will take a closer 
look at the European Union's General Data Protection Regulation, or 
GDPR, and other approaches to data privacy, including the impact on the 
financial services industry and how companies collect and use 
information in marketing and decisionmaking related to credit, 
insurance or employment.
    Providing testimony to the Committee today are three data privacy 
experts, including Peter Chase, Senior Fellow, The German Marshall Fund 
of the United States; Jay Cline, Privacy and Consumer Protection 
Leader, Principal, PwC US; and Maciej Ceglowski, Founder, Pinboard.
    Each witness brings a unique perspective on the practical 
implications of implementing and complying with new data privacy laws; 
what has worked and what has not worked to give individuals more 
control over their data; and considerations for the Committee as it 
explores updates to Federal data privacy laws within the Banking 
Committee's jurisdiction.
    My concerns about big data collection go back as far as the 
creation of the CFPB, which was collecting massive amounts of personal 
financial information without an individual's knowledge or consent.
    In 2014, the GAO reported that the Bureau alone was collecting 
information on upwards of 25 to 75 million credit card accounts 
monthly, 11 million credit reports, 700,000 auto sales, 10.7 million 
consumers, co-signers and borrowers, 29 million active mortgages and 
5.5 million private student loans.
    Consumers deserve to know what type of information is being 
collected about them, what that information is being used for and how 
it is being shared.
    Financial regulators are not the only ones engaged in big data 
collection; private companies are also collecting, processing, 
analyzing and sharing considerable data on individuals.
    The data ecosystem is far more expansive, granular and informative 
than ever before.
    As the U.S. economy becomes increasingly digital, people are using 
the internet, including search engines and social media, mobile 
applications and new technologies to manage and carry out more parts of 
their everyday lives.
    The digitization of the economy allows for seamless access to both 
more generalized and granular pieces of data on individuals and groups 
of individuals, including data collected, with or without consent, 
directly from individuals, tangentially to individuals' activities, or 
gathered or purchased from unrelated third parties.
    In particular, data brokers play a central role in gathering vast 
amounts of personal information--many times without ever interacting 
with individuals--from a wide range of public and private sources, 
which is then sold or shared with others.
    In 2014, the Federal Trade Commission issued a report entitled, 
``Data Brokers: A Call for Transparency and Accountability,'' in which 
it highlighted data brokers' big role in the economy and concerns 
around their transparency and accountability.
    In many cases, an individual's data or groups of individuals' data 
is used in ways that provide value, such as risk mitigation, fraud 
prevention, and identity verification, or to meet the requirements of 
laws or regulations.
    However, in many other cases, that data can be used in ways that 
have big implications for their financial lives, including to market or 
make decisions on financial products or services that impact a 
consumer's access to or cost of credit and insurance products, or in 
ways that impact their employment prospects.
    In any case, the way that an individual's or groups of individuals' 
data is used matters immensely.
    As its rightful owner, an individual should have real control over 
his or her data.
    A complete view of what data is collected, the sources of that 
data, how it is processed and for what purposes, and who it is being 
shared with is vital to individuals exercising their rights.
    People should also be assured that their data will be reflected 
accurately, and have the opportunity to opt out of it being shared or 
sold for marketing and other purposes.
    In 2016, the European Union took steps aimed at giving individuals 
more control when it replaced a 1995 Data Protection Directive with the 
General Data Protection Regulation, or GDPR.
    The European Union's principles-based GDPR is broader in scope, 
applying to a more expansive set of companies, including some based in 
the United States, and more types of personal information than its 
previous Directive.
    The GDPR also imposes specific responsibilities on both data 
controllers and data processors, and enumerates rights for individuals 
with respect to their personal information.
    In contrast to the European Union, the United States has adopted 
Federal laws focused on data privacy within particular sectors.
    Two such Federal laws in the Banking Committee's jurisdiction are 
the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.
    Today, I look forward to hearing more about the principles, 
obligations and rights underlying GDPR and how those differ from the 
previous 1995 Data Protection Directive; how GDPR addresses data 
brokers and other companies that collect and disseminate personal 
information, often without an individual's knowledge, and ways the Fair 
Credit Reporting Act may be adjusted to account for activities by such 
entities; challenges U.S. financial institutions have faced in 
implementing and complying with GDPR; how financial institutions' 
privacy practices have evolved since its enactment; and how individuals 
have responded to this additional information and rights with respect 
to their data; whether individuals actually have more control over 
their data as a result of GDPR, and what the European Union did right 
and wrong in GDPR; and considerations for the Banking Committee as it 
looks to update and make improvements to Federal laws within its 
jurisdiction.
    Thanks to each of you for joining the Committee today to discuss 
GDPR, data privacy and individual rights.
                                 ______
                                 
              PREPARED STATEMENT OF SENATOR SHERROD BROWN
    I'm excited to be working in a bipartisan way with Chairman Crapo 
on protecting Americans' sensitive personal data--an issue everyone 
agrees is important.
    As we start to think about this subject, I hope we do it with an 
open mind. Technology has advanced rapidly, and we should have some 
humility to admit that we don't even know all there is to know about 
what happens when personal information is collected on a large scale. 
As it turns out, personal information can be far more than your name, 
address and Social Security number. Sometimes harmless data, once it 
becomes big data, can reveal big secrets.
    Take for example a fitness tracking app that became popular among 
U.S. soldiers stationed abroad. Many of those servicewomen and 
servicemen tracked their daily workouts, and when the aggregated 
fitness tracking information became public, heatmaps of common running 
paths revealed the locations of secure military facilities all over the 
world.
    Even when we agree that data is sensitive, we're often not good at 
protecting it.
    Most of us still remember the Equifax breach that exposed the 
detailed financial information of more than half the U.S. adult 
population--information that will remain useful to potential criminals 
for the rest of those 147 million Americans' lives.
    The Equifax case also reminds us that we can't fix this by just 
warning people they should share less personal data on the internet. 
People weren't putting their Social Security numbers on Facebook--
Equifax had collected data from various sources, and in many cases 
people weren't even aware Equifax ever knew anything about them.
    There's a lot of data floating around that can be compiled and 
analyzed in creative ways to make shockingly accurate predictions about 
our lives.
    What you think of as your ``personal data'' isn't limited to bank 
passwords and credit scores.
    As we learned several years ago, even if you don't have a Facebook 
account, Facebook builds a shadow profile of your activities, 
interests, and preferences from digital breadcrumbs spread by your 
friends and associates online.
    Sometimes you may not realize that data is being monetized. 
Remember Pokemon Go? Did you know that businesses can pay to have 
Pokemon show up near them in the game, herding customers into their 
stores?
    There's a common saying that ``if you're not paying for the 
product, then you are the product.'' Services that appear free make 
money from your personal data.
    It's not easy for consumers to protect themselves. ``Buyer beware'' 
is not a helpful warning, since most people cannot afford to protect 
themselves by opting out of internet services, just as they cannot opt 
out of banking products with arbitration clauses in them.
    In today's world, telling people to look out for themselves when it 
comes to protecting their personal data is about as useful as telling 
people to look out for themselves when it comes to food safety.
    We can't tell people to avoid the internet and avoid having their 
data collected any more than we can tell people to stop eating dinner. 
We can't abandon the people we serve when it comes to protecting them.
    If we don't take this seriously, a handful of big tech corporations 
and financial firms will continue to strongarm customers into sharing 
their most intimate details.
    So in addition to talking about ownership and control of our data 
today, I hope we can also talk about where Government needs to step in 
and create rules around the appropriate uses of personal data--
regardless of whether a customer opts in. And I hope we can talk about 
what kind of data should or should not be collected, and for how long 
it should be stored.
    This problem isn't just important to our personal privacy and our 
economy--it's also critical to our democracy. As the Cambridge 
Analytica scandal demonstrated, a big enough pile of seemingly 
meaningless data can give a bad actor ways to meddle in our elections.
    The Banking Committee is only responsible for one slice of the data 
ecosystem--I hope to work with the Chairman of the Banking Committee as 
well as the Chairs and Ranking Members of the other committees of 
jurisdiction to set some commonsense rules on the use of Americans' 
sensitive personal data.
    Thank you.
                                  ______
                    PREPARED STATEMENT OF JAY CLINE
      Principal and U.S. Privacy and Consumer Protection Leader, 
                    PricewaterhouseCoopers LLP (PwC)
                              May 7, 2019
    Chairman Crapo, Ranking Member Brown, and distinguished Members of 
the Committee, I appreciate the opportunity to appear today as the 
Committee considers privacy rights and data collection in a digital 
economy. I am currently a Principal and the U.S. Privacy and Consumer 
Protection Leader at PricewaterhouseCoopers LLP (PwC). I am appearing 
on my own behalf and not on behalf of 
PwC or any client. The views I express are my own.
Lessons learned from U.S. financial institutions' GDPR experience, 
        2016-2019
    My testimony today will examine the experience of U.S. financial 
institutions (FIs) with the European Union (EU) General Data Protection 
Regulation (GDPR). It is an experience marked by large-scale technical 
and organizational change to afford new privacy rights to EU residents 
in an evolving regulatory environment. It is my hope that my testimony 
will be useful to the Committee as it considers the collection, use, 
and protection of personally identifiable information by financial 
regulators and private companies.
    GDPR caused many U.S. FIs operating in Europe to undertake their 
largest-scale privacy program initiatives in two decades. Beginning 
after the adoption of the GDPR in April 2016 and generally 
accelerating a year later, these initiatives often rivaled the scale of 
U.S. FIs' earlier mobilizations to prepare for the Privacy Rule of the 
Gramm-Leach-Bliley Act (GLBA) and other related U.S. data privacy laws 
and regulations. As a result, U.S. FIs generally used all of the GDPR's 
2-year grace period to prepare for the law's ``go live'' date in May 
2018.
Impact of GDPR requirements on U.S. FIs
    The GDPR introduced several new obligations on U.S. FIs.

    New requirements on data-subject rights most affected 
        retail banks and direct insurers--because of their direct 
        exposure to fulfilling data-subject requests (DSRs)--and least 
        affected commercial banks, re-insurers, payment-card companies, 
        and asset-management companies that generally had indirect 
        exposure to DSRs.

    New requirements on data privacy program accountability by 
        comparison most affected larger, diversified groups of 
        companies that had to allocate more resources to accommodate 
        their business variations and least affected more homogenous 
        FIs.

The effects of the GDPR requirements included increases in headcount, 
changes in information systems, and alterations in products and 
services.
    The GDPR also introduced several new organizing principles to U.S. 
FIs. Concepts such as ``personal'' data including data indirectly 
identifiable to individuals, ``sensitive'' personal data, 
``pseudonymized'' data, ``high-risk'' data processing, ``large-scale'' 
data processing, ``original purpose'' of data collection, ``cross-
border'' data transfer, ``data controller,'' and ``data processor'' 
materially affected the policy regimes of all U.S. FIs operating in the 
European Union. The GDPR also introduced a new enforcement environment 
for U.S. FIs. This environment resulted in new and uncertain risk 
exposures. In the United States, for example, class-action lawsuits 
related to the Telephone Consumer Protection Act (TCPA) are a significant 
driver of data privacy-related economic risk for U.S. FIs. The private 
right of action for GDPR-related issues, however, is a new and untested 
citizen-led enforcement channel in the European Union that could have 
broader impact than the TCPA because of the broader scope of covered 
data. Moreover, the new powers of EU data-protection authorities (DPAs) 
to impose fines of up to 4 percent of annual global revenues have 
expanded the potential risk exposure of the largest corporations into 
the billion-dollar range for the first time. Similarly, the EU DPAs' 
power to issue injunctions to stop data processing that runs counter to 
the GDPR could have the result of ending revenue-generating commercial 
activities that depend on that data processing. As the GDPR and its 
enforcement regime influence how other jurisdictions in the United 
States and around the world take their next steps on data privacy law 
and enforcement, U.S. FIs operating globally are re-evaluating their 
approaches to privacy-risk management.
Challenges, insights, and questions
    The U.S. FI experience with addressing the GDPR can be grouped into 
three categories: top challenges, implementation insights, and 
unanswered questions.
Seven GDPR implementation challenges for U.S. FIs
    Financial institutions use personal data to provide most of their 
products and services. Whether to set up a bank or investment account, 
install a mobile application on a smartphone, underwrite an insurance 
policy, or process an insurance claim or payment-card transaction, data 
related to individuals are the linchpin for servicing these orders. As 
a result, the GDPR's impact on U.S. FIs' handling of personal data was 
destined to have a wide-scale impact on operations. That impact tended 
to materialize in the following ways:

  1.  Completing a data inventory. In order to comply with Article 30 
        of the GDPR requiring a ``record of processing'' of all EU 
        data, U.S. FIs embarked on extensive projects to record details 
        about hundreds and thousands of applications, databases, 
        devices, and vendors that often operated in clusters 
        independent of each other. Because no single technology on the 
        market could do all of this automatically, these initiatives 
        necessarily involved hundreds and thousands of labor hours 
        answering data-inventory surveys and completing in-person 
        interviews. To better automate this capability, many U.S. FIs 
        are exploring new technologies that rely to different degrees 
        on ``machine learning'' to scan and classify their data 
        assets. (A toy sketch of pattern-based scanning follows this 
        list.)

  2.  Operationalizing data-subject rights. GDPR enhanced or created 
        DSRs for EU residents to access, receive a copy of, correct, 
        restrict processing of, or delete their data and to withdraw 
        consent previously given to process their data. In the largest 
        FIs, a single person's data could exist across dozens and even 
        hundreds of systems often not synchronized with each other. 
        Facing an uncertain volume of incoming DSRs after GDPR's 
        effective date in May 2018--and lacking a single technology in 
        the market to fully address this need--U.S. FIs developed 
        predominantly manual processes to operationalize GDPR DSRs. To 
        better automate this capability, many U.S. FIs are exploring 
        updating or enhancing workflow-software solutions.

  3.  Completing DPIAs. GDPR introduced to U.S. FIs a requirement to 
        document a data-protection impact assessment (DPIA) of new 
        technology changes involving EU personal data and to remediate 
        risks to the ``rights and freedoms'' of individuals that are 
        ``high'' as defined and understood by EU DPAs.\1\ Remediating 
        risks could involve reducing the data collected or how long it 
        was retained, for example. For large FIs, this could mean 
        conducting dozens or even hundreds of these assessments and 
        related remediation projects each year. To better automate this 
        capability, many U.S. FIs are exploring or enhancing workflow-
        software solutions.
---------------------------------------------------------------------------
    \1\ See Article 29 Working Party WP247, Guidelines on Data 
Protection Impact Assessment (DPIA) and determining whether processing 
is ``likely to result in a high risk'' for the purposes of Regulation 
2016/679, October 2017, for examples of these ``high-risk'' criteria.

  4.  Updating third-party contracts. The GDPR required ``data 
        controllers'' to have contractual provisions holding their 
        ``data processors'' accountable to the relevant provisions of 
        the GDPR. The newer DSRs and data-breach notification threshold 
        were among the more important provisions many opted to add 
        explicitly to their contract addendums and service-level 
        agreements. For U.S. FIs, the number of contracts needing 
        updating could range from dozens to hundreds and even 
        thousands. To better automate this capability, many U.S. FIs 
        are exploring workflow-software solutions that rely to 
        different degrees on machine learning.

  5.  Appointing a DPO. GDPR requires that organizations meeting 
        certain conditions appoint a data protection officer (DPO), an 
        ``independent'' person with direct access to leadership. For 
        large FIs, addressing this could involve a single, full-time 
        position or multiple positions that were internal staff or an 
        outsourced firm. Under the GDPR there are further practical 
        advantages to placing these DPOs in the FI's ``main 
        establishment,'' or main EU country of operations, where they 
        can more easily interact with their ``lead'' local data 
        protection authority 
        (DPA). In the run-up to the May 2018 deadline for GDPR, demand 
        for DPOs grew rapidly and the available supply of qualified 
        candidates diminished, complicating U.S. FIs' decisionmaking.

  6.  Preparing to notify breaches within 72 hours. The GDPR echoed a 
        requirement from a New York State Department of Financial 
        Services cybersecurity regulation whereby companies that 
        experienced a compromise of EU personal data must notify 
        relevant regulators within 72 hours of becoming aware of it. 
        For FIs headquartered in the United States but operating in 
        Europe, this meant expanding their U.S. breach-response 
        capability into Europe--including associated staff, 
        technologies, and supporting vendor relationships. A further 
        challenge was informational--defining what could actually be 
        known and reported within a relatively short window of time 
        during which forensics investigations would often still be in 
        progress.

  7.  Engaging the ``first line of defense.'' One of the most 
        important, ongoing challenges for U.S. FIs is to re-organize 
        their data privacy organizations along the three ``lines of 
        defense'' in order to give scalable and sustainable effect to 
        GDPR controls. Many implemented a model based on placing 
        privacy representatives in the business operations of the first 
        line; data privacy governance leaders in the second line; and 
        an oversight role in the third line. Traditionally, privacy 
        expertise in the FI sector had been concentrated in the second 
        line of defense. Identifying and equipping privacy 
        representatives in the first line, whose primary jobs and 
        training had not historically been data privacy, remains a 
        general challenge for all commercial sectors.
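    To make the data-scanning idea in challenge 1 concrete, the 
following toy Python sketch classifies field values by matching 
simple patterns for two common U.S. identifiers. The patterns, 
labels, and sample data are hypothetical illustrations only; 
production data-discovery tools combine much larger pattern 
libraries with machine-learning classifiers and metadata analysis.

        import re

        # Illustrative patterns for two common U.S. identifiers; real
        # tools use far larger libraries plus statistical classifiers.
        PATTERNS = {
            "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
        }

        def classify(value: str) -> list:
            # Return the label of every pattern found in this value.
            return [name for name, rx in PATTERNS.items()
                    if rx.search(value)]

        # Hypothetical column samples from a data-inventory survey.
        samples = {
            "notes": "Customer 123-45-6789 called about a lost card.",
            "contact": "jane.doe@example.com",
            "balance": "1042.17",
        }
        for column, value in samples.items():
            print(column, "->", classify(value) or ["no match"])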
Seven GDPR implementation insights for U.S. FIs

  1.  DSRs are not created equal. The GDPR provides for eight data-
        subject rights: to privacy notices, to data access, to data 
        rectification, to objection to processing, to withdrawal of 
        consent for processing, to objection to automated processing, 
        to data erasure, and to data portability. For most U.S. FIs, 
        these were new requirements they were not previously subject to 
        under U.S. data privacy regulations such as the GLBA Privacy 
        Rule. The DSRs in the latter Rule were limited to a right to 
        opt out of marketing and a right to opt out of data sharing 
        with affiliates. The implementation and exercise of these new 
        GDPR rights varied:

        The GDPR rights generally posing the most 
        implementation challenges for U.S. FIs were the rights to 
        access and erasure. Fulfilling an access request could involve 
        pulling information on an individual from dozens and even 
        hundreds of structured databases and unstructured data stores--
        but doing so in a timely manner would probably require 
        configuring all of these systems to a single consumer-identity-
        management system. Fulfilling an erasure request could in turn 
        require different erasure and redaction protocols for each of 
        these systems. (A simplified sketch of this cross-system 
        lookup follows this list.)

        When consumers exercised their GDPR rights after May 
        2018, those most exercised generally were the rights to access, 
        erasure, and objection to use for marketing.

  2.  Erased doesn't mean forgotten. The GDPR's right to erasure is 
        parenthetically referred to in the regulation as the ``right to 
        be forgotten,'' although in practice in the U.S. financial 
        industry, those two concepts may not be equivalent. The 
        substantial number and scope of regulations and other 
        obligations in the U.S. financial industry requiring the 
        collection and retention of personal data such as for fraud 
        prevention, cybersecurity, anti-money laundering, terrorist 
        watchlisting, and for other discovery or litigation-related 
        purposes means that U.S. FIs will limit or deny many requests 
        for erasure. Moreover, for compliance purposes, U.S. FIs tend 
        to keep a log of completed erasure requests that retains basic 
        contact information of the requestor.

  3.  DSRs benefit from strong authentication. For individuals, the 
        GDPR right of access could produce files containing many 
        personal details. If these files were delivered to the wrong 
        individual, their privacy would be exposed. To counter this 
        risk of misdirected files, companies can and do ask for 
        multiple pieces of personal information from DSR requesters to 
        first authenticate their identities before providing their 
        requested files. A strong authentication process could also 
        counter the risk of fraudulent DSR requests, which some U.S. 
        FIs experienced in the year since GDPR went into effect. A 
        challenge for this approach, however, is fulfilling DSRs for 
        individuals for whom companies do not keep enough information 
        to authenticate at a strong level. For example, a name and an 
        email address may not be enough information to strongly 
        authenticate.

  4.  The distinction between primary and secondary data controllers is 
        important. The GDPR does not distinguish between ``primary'' 
        data controllers that maintain direct relationships with data 
        subjects and ``secondary'' data controllers that do not. But 
        this distinction is useful in the insurance industry, for 
        example, where direct insurers are positioned to provide 
        privacy notices and data-breach notifications to data subjects 
        and obtain consent and field DSRs from data subjects, whereas 
        re-insurers are less well-positioned to do so.

  5.  Board visibility makes a difference. The prospect of being 
        exposed to a fine of 4 percent of global revenues motivated 
        many companies to implement their GDPR programs by May 2018, 
        but the lack of any enforcement action approaching that 
        monetary level in the year since GDPR took effect has reduced 
        the pressure for ongoing enhancement of privacy controls in 
        some quarters. U.S. FIs that routinized the reporting of their 
        privacy program status to the Board or Audit Committee were 
        more often successful in maintaining strong organizational 
        support for GDPR during its first year of operation.

  6.  Data governance is critical for privacy's success. The GDPR 
        emphasizes the need to have strong controls for personal data 
        throughout its lifecycle of collection, storage, use, 
        disclosure, and deletion. Because personal data often moves 
        horizontally across vertically structured financial 
        institutions, there is a heightened need in the financial 
        industry to formalize an approach to data governance. For this 
        reason, some FIs have endowed data governance leaders with some 
        data privacy responsibilities.

  7.  GDPR did not fully harmonize privacy regulation in Europe. A 
        benefit of the GDPR was to standardize many varying provisions 
        in EU member states' data-protection laws, but substantial 
        variations continue to exist. Accommodating regulatory 
        variations generally increases the cost of compliance for FIs 
        operating across multiple jurisdictions. To reduce their GDPR 
        compliance and enforcement exposure, U.S. FIs are finding it 
        necessary to continue to track variations at the EU member-
        state level where DPAs take the lead on enforcement and where 
        class-action lawsuits are adjudicated. Member states, for 
        example, are taking different approaches to the derogations 
        left to them in the GDPR, different interpretations of ``high 
        risk'' processing for DPIA purposes, and different enforcement 
        priorities. The need to monitor these changes has tended to 
        have a larger relative operational impact on smaller U.S. FIs 
        operating in Europe because of their generally smaller data 
        privacy teams.
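    To make the cross-system access problem in insight 1 concrete, 
the following minimal Python sketch fulfills an access request by 
resolving a requester to a master customer ID and then collecting 
that person's records from each system of record. The system names, 
identifiers, and records are hypothetical stand-ins; in practice an 
FI would first authenticate the requester (see insight 3) and would 
face dozens or hundreds of systems with inconsistent identifiers, 
which is what makes a single consumer-identity layer so valuable.

        # Hypothetical mapping from a verified contact point to a
        # single master customer ID.
        CUSTOMER_MASTER = {"jane.doe@example.com": "CUST-0001"}

        # Each system of record is stubbed as a dict keyed by master
        # ID; a customer may be absent from some systems entirely.
        SYSTEMS = {
            "retail_banking": {"CUST-0001": {"accounts": ["CHK-123"]}},
            "marketing": {"CUST-0001": {"email_opt_in": True}},
            "mobile_app": {},
        }

        def fulfill_access_request(email: str) -> dict:
            # Resolve the requester, then gather every system's records.
            customer_id = CUSTOMER_MASTER.get(email)
            if customer_id is None:
                return {}
            return {name: records[customer_id]
                    for name, records in SYSTEMS.items()
                    if customer_id in records}

        print(fulfill_access_request("jane.doe@example.com"))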
Five unanswered questions for U.S. FIs post GDPR
    As U.S. FIs continue to absorb the GDPR into their daily operations 
and plan for the future, they tend to share five common questions they 
are in the process of answering:

  1.  Will the GDPR become the global data privacy standard? As U.S. 
        FIs operating internationally further automate their data 
        privacy programs and capabilities, the cost of these 
        enhancements is rising. Variances across jurisdictions 
        regarding how these capabilities should be delivered to 
        consumers--such as the specific nature and scope of DSRs--add 
        to that cost. If GDPR DSRs become the de facto global 
        standard, it probably will make the most commercial sense for 
        these multinationals to design their DSRs to be offered 
        globally. If some GDPR DSRs do not become the global standard, 
        however--such as the GDPR's right to opt out of automated 
        decisionmaking--it would not make commercial sense to globalize 
        those DSRs. Moreover, if GDPR's program accountability 
        requirements become the global standard, it reduces the need 
        and likelihood that the GLBA's right for customers to opt out 
        of their nonpublic personal data being shared with affiliates 
        of the FI will become a standard outside the United States. 
        U.S. FIs engaging in long-term, strategic planning for their 
        data usage need to answer this question.

  2.  Will people increasingly exercise their privacy rights? Many U.S. 
        companies received under 100 GDPR DSRs in the year after GDPR 
        went into effect, while some outliers fielded thousands of 
        them. In some cases, U.S. residents attempted to exercise GDPR 
        rights. Companies receiving them had to decide whether to 
        reject them on legal grounds or fulfill them in order to 
        provide a positive consumer experience. Most U.S. healthcare 
        providers and insurers similarly receive fewer than 100 HIPAA 
        DSRs each year. As the California Consumer Privacy Act (CCPA) 
        brings to many U.S. companies for the first time the rights to 
        access and erasure and to opt out of selling data to third 
        parties, the questions many U.S. privacy leaders are asking are 
        whether their expected volume of DSRs will outstrip their 
        generally manual processes for fulfilling DSRs, and whether 
        residents outside California will attempt to exercise these 
        rights in large numbers.

  3.  How can informed consent be facilitated in a blink? The sharp 
        rise in the use of pop-up windows on mobile and desktop 
        websites to capture user consent for cookies has slowed down 
        the typical online customer experience in order to demonstrate 
        compliance, without offering an obvious material improvement 
        in privacy protection. Corporate 
        privacy leaders are looking for new models--such as mobile apps 
        that ask you if you want to enable that app tracking your 
        device's geolocation or accessing your contacts--that break 
        down the privacy-consent process into quicker, more meaningful 
        steps.

  4.  What pseudonymization protocol will stand the test of time? 
        Effective pseudonymization can increase the ability to use and 
        monetize data and create commercial innovation while also 
        protecting individual privacy. Advances in data processing and 
        artificial intelligence, however, are changing the threshold of 
        what is identifiable data and how much has to be removed from a 
        data set in order for it to be pseudonymized, anonymized, or 
        de-identified. U.S. privacy leaders are looking toward the 
        ``statistical'' method of de-identification described in the 
        Health Insurance Portability and Accountability Act (HIPAA) as 
        a potential answer to this question. (A simplified 
        tokenization sketch follows this list.)

  5.  What is a high risk to privacy? Effectively functioning companies 
        will allocate the most risk-management resources to address 
        risks they determine are ``high'' in their enterprise risk-
        management (ERM) programs. The concept of high risk embedded in 
        the GDPR and interpreted in varying ways across EU member 
        states diverges in many ways from the concept of high risk 
        provided for in different U.S. data privacy laws. For example, 
        the GDPR considers a person's status with regard to membership 
        in a trade union as ``sensitive'' data whose processing creates 
        inherent high risk, while no U.S. privacy law or regulation 
        results in a similar determination. Conversely, U.S. data-
        breach notification laws make the storage of Social Security 
        numbers an inherent high risk, but GDPR does not similarly 
        classify the processing of EU social-insurance numbers. 
        Similarly, EU DPAs have listed ``large-scale data processing'' 
        as a high-risk criterion that does not have an equivalent in 
        U.S. privacy regulations. Unless these concepts converge over 
        time across jurisdictions, privacy risk management may need to 
        be regionalized in several respects.
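    To make the pseudonymization question in item 4 concrete, the 
following minimal Python sketch replaces a direct identifier with a 
keyed-hash token. The key handling and record layout are 
hypothetical illustrations, not any FI's actual protocol; a 
production system would keep the key in a managed store and would 
still have to assess re-identification risk from the remaining 
indirect identifiers, which is precisely the moving threshold 
described above.

        import hashlib
        import hmac

        # Hypothetical secret key; real deployments would fetch this
        # from a managed key store rather than embedding it in code.
        SECRET_KEY = b"replace-with-a-managed-secret"

        def pseudonymize(identifier: str) -> str:
            # Map a direct identifier to a stable, hard-to-reverse
            # token so records can still be joined and analyzed.
            return hmac.new(SECRET_KEY, identifier.encode("utf-8"),
                            hashlib.sha256).hexdigest()

        # Hypothetical record: the SSN is a direct identifier; the ZIP
        # code is an indirect identifier that may still permit
        # re-identification and needs separate treatment.
        record = {"ssn": "123-45-6789", "zip": "83702", "balance": 1042.17}
        record["ssn"] = pseudonymize(record["ssn"])
        print(record)

    Because the same input always yields the same token, the link to 
the individual survives inside the organization; rotating or 
destroying the key is one way to weaken that link over time.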
Looking ahead
    The GDPR has caused U.S. FIs to implement new ways for European 
residents to control their personal data. The GDPR's extraterritorial 
reach has in turn prompted other jurisdictions around the world to 
adopt its model that is centered on offering a set of data-subject 
rights and instituting programmatic controls. To plan for a future 
where consumers around the world may generally expect the core rights 
of access, deletion, and objection to marketing, many U.S. FIs are 
redesigning their privacy organizational models and capabilities. 
Because of the relative newness of technologies designed to automate 
the fulfillment of privacy rights and the technical complexity of many 
FIs, a significant effort lies ahead of them in realizing these 
designs. A key factor in whether automation is needed or manual 
processes will continue to suffice is the degree to which consumers 
will increasingly demand these rights. As these factors converge, the 
highest level of privacy protection in the digital age will result when 
both companies and consumers exercise their roles to the fullest.
                                 ______
                                 
                 PREPARED STATEMENT OF MACIEJ CEGLOWSKI
                           Founder, Pinboard
                              May 7, 2019
    Thank you for the opportunity to address you today.
    I am the founder and sole employee of Pinboard, a small for-profit 
archiving service founded in 2009 that competes in part on the basis of 
personal privacy. I have also been a frequent critic of Silicon 
Valley's reliance on business models requiring mass surveillance, 
speaking on the topic at conferences both in the United States and 
abroad.
    As someone who earns his living through data collection, I am 
acutely aware of the power the tools we are building give us over our 
fellow citizens' private lives, and the danger they pose to our 
liberty. I am grateful to Chairman Crapo, ranking Member Brown, and the 
Committee for the opportunity to testify on this vital matter.
    The internet economy in 2019 is dominated by five American tech 
companies: Apple, Microsoft, Google, Facebook, and Amazon. These are 
also the five most valuable corporations in the world, with a combined 
market capitalization exceeding four trillion dollars.\1\ Between them, 
these companies control the market for online
advertising, mobile and desktop operating systems, office software, 
document storage, search, cloud computing, and many other areas of the 
digital economy. They also own and operate a significant portion of the 
physical infrastructure of the internet, and act as its de facto 
regulating authority.
---------------------------------------------------------------------------
    \1\ At the time of writing, Amazon was valued at $966B, Microsoft 
$988B, Apple $974B, Facebook $558B, and Google (Alphabet) $824B.
---------------------------------------------------------------------------
    The concentration of power in the hands of these giant firms is the 
epilogue to a spectacular story of American innovation and dynamism. 
The technologies underpinning the internet were all developed here in 
the United States, and the many fortunes that they produced owe their 
thanks to fruitful cooperation between Government, industry, and the 
research community. Working together, the public and private sectors 
created the conditions for a startup culture unlike any other in the 
world.
    Today, however, that culture of dynamism is at risk. The 
surveillance business model has eroded user trust to such a point that 
it is impeding our ability to innovate.
    In many ways, the five internet giants operate like sovereign 
states. Their operations are global, and decisions they take 
unilaterally can affect entire societies. Denmark has gone so far as to 
send an ambassador to Silicon Valley. When Jeff Bezos, the CEO of 
Amazon, met recently with the Canadian prime minister, the occasion was 
covered in the press like a state visit.
    The emergence of this tech oligopoly reflects a profound shift in 
our society, the migration of every area of commercial, social, and 
personal life into an online realm where human interactions are 
mediated by software.
    To an extent that has no precedent, the daily activities of most 
Americans are now tracked and permanently recorded by automated 
systems. It is likely that every person in this hearing room carries 
with them a mobile phone that keeps a history of their location, is 
privy to their most private conversations, and contains a rich history 
of their private life. Some of you may even have an always-on 
microphone in your car or home that responds to your voice commands.
    Emerging technologies promise to afford these systems even more 
intimate glimpses into our private lives--phones that monitor our 
facial expressions as we read, and connected homes that watch over us 
while we sleep. Scenarios that were once the province of dystopian dime 
fiction have become an unremarkable consumer reality.
    The sudden ubiquity of this architecture of mass surveillance, and 
its enshrinement as the default business model of the online economy, 
mean that we can no longer put off hard conversations about the threats 
it poses to liberty.
    Adding to this urgency is the empirical fact that, while our online 
economy depends on the collection and permanent storage of highly 
personal data, we do not have the capacity to keep such large 
collections of user data safe over time.
    The litany of known data breaches is too long to recite here, but 
includes every one of the top five tech companies, as well as health 
and financial firms and Government agencies. Every year brings new and 
more spectacular examples of our inability to protect our users. At 
Yahoo, an internet giant at the time with a world-class security team, 
over 3 billion user accounts were compromised in a 2013 breach. In 
2015, the U.S. Office of Personnel Management allowed unauthorized 
access to the records of over four million people, including many with 
highly sensitive security clearances. And in 2017, Equifax exposed 
data, including Social Security numbers, on 147 million Americans, 
nearly half the U.S. population.
    While many individual data breaches are due to negligence or poor 
practices, their overall number reflects an uncomfortable truth well 
known to computer professionals--that our ability to attack computer 
systems far exceeds our ability to defend them, and will for the 
foreseeable future.
    The current situation, therefore, is not tenable. The internet 
economy today resembles the earliest days of the nuclear industry. We 
have a technology of unprecedented potential, we have made glowing 
promises about how it will transform the daily lives of our fellow 
Americans, but we don't know how to keep its dangerous byproducts safe.
Two Views of Privacy
    Discussing privacy in the context of regulation can be vexing, 
because the companies doing the most to erode our privacy are equally 
sincere in their conviction that they are its champions.
    The confusion stems from two different ways in which we use the 
word privacy, leading us to sometimes talk past each other.
    In the regulatory context, discussion of privacy invariably means 
data privacy--the idea of protecting designated sensitive material from 
unauthorized access.
    Laws like the Health Insurance Portability and Accountability Act 
(HIPAA) and the Gramm-Leach-Bliley Act (GLBA) delimit certain 
categories of sensitive information that require extra protection, and 
mandate ways in which health and financial institutions have to 
safeguard this data, or report when those safeguards have failed. The 
Children's Online Privacy Protection Act of 1998 extends similar 
protection to all data associated with children.
    We continue to use this framework of data privacy today, including 
in the recently enacted General Data Protection Regulation (GDPR).
    It is true that, when it comes to protecting specific collections 
of data, the companies that profit most from the surveillance economy 
are the ones working hardest to defend them against unauthorized 
access.
    But there is a second, more fundamental sense of the word privacy, 
one which until recently was so common and unremarkable that it would 
have made no sense to try to describe it.
    That is the idea that there exists a sphere of life that should 
remain outside public scrutiny, in which we can be sure that our words, 
actions, thoughts and feelings are not being indelibly recorded. This 
includes not only intimate spaces like the home, but also the many 
semi-private places where people gather and engage with one another in 
the common activities of daily life--the workplace, church, club or 
union hall. As these interactions move online, our privacy in this 
deeper sense withers away.
    Until recently, even people living in a police state could count on 
the fact that the authorities didn't have enough equipment or manpower 
to observe everyone, everywhere,\2\ and so enjoyed more freedom from 
monitoring than we do living in a free society today.
---------------------------------------------------------------------------
    \2\ The record for intensive surveillance in the pre-internet age 
likely belongs to East Germany, where by some estimates one in seven 
people was an informant; https://archive.nytimes.com/www.nytimes.com/
books/first/k/koehler-stasi.html.
---------------------------------------------------------------------------
    A characteristic of this new world of ambient surveillance is that 
we cannot opt out of it, any more than we might opt out of automobile 
culture by refusing to drive. However sincere our commitment to 
walking, the world around us would still be a world built for cars. We 
would still have to contend with roads, traffic jams, air pollution, 
and run the risk of being hit by a bus.
    Similarly, while it is possible in principle to throw one's laptop 
into the sea and renounce all technology, it is no longer possible 
to opt out of a surveillance society.
    When we talk about privacy in this second, more basic sense, the 
giant tech companies are not the guardians of privacy, but its 
gravediggers.
    The tension between these interpretations of what privacy entails, 
and who is trying to defend it, complicates attempts to discuss 
regulation.
    Tech companies will correctly point out that their customers have 
willingly traded their private data for an almost miraculous collection 
of useful services, services that have unquestionably made their lives 
better, and that the business model that allows them to offer these 
services for free creates far more value than harm for their customers.
    Consumers will just as rightly point out that they never consented 
to be the subjects in an uncontrolled social experiment, that the 
companies engaged in reshaping our world have consistently refused to 
honestly discuss their business models or data collection practices, 
and that in a democratic society, profound social change requires 
consensus and accountability.
Behavioral Data
    Further complicating the debate on privacy is the novel nature of 
the data being collected. While the laws around protecting data have 
always focused on intentional communications--documents that can be 
intercepted, conversations that can be eavesdropped upon--much of what 
computer systems capture about us is behavioral data: incidental 
observations of human behavior that don't seem to convey any 
information at all.
    Behavioral data encompasses anything people do while interacting 
with a computer system. It can include the queries we type into a 
search engine, our physical location, the hyperlinks we click on, 
whether we are sitting or standing, how quickly we scroll down a 
document, how jauntily we walk down a corridor, whether our eyes linger 
on a photo, whether we start to write a comment and then delete it--
even the changes in our facial expression as we are shown an online ad.
    This incidental data has proven to be such a valuable raw material 
that an entire industry now specializes in finding ways to mine it. The 
devices used to spy on us include our computers, cell phones, 
televisions, cars, security cameras, our children's toys, home 
appliances, wifi access points, even at one point trash cans in the 
street.\3\
---------------------------------------------------------------------------
    \3\ Campbell-Dollaghan, Kelsey. ``Brave New Garbage: London's Trash 
Cans Track You Using Your Smartphone.'' Gizmodo. (Aug. 9, 2013), 
https://gizmodo.com/brave-new-garbage-londons-trash-cans-track-you-
using-1071610114.
---------------------------------------------------------------------------
Privacy and Consent
    The extent to which anyone consents--or can consent--to this kind 
of tracking is the thorny question in attempting to regulate the 
relationship between people and software.
    The General Data Protection Regulation (GDPR), which took effect in May 2018, 
is the most ambitious attempt thus far to regulate online privacy. It 
takes a very traditional view of the relationship between people and 
data.
    In the eyes of the GDPR, people own their data. They make an 
affirmative choice to share their data with online services, and can 
revoke that choice. The consent they give must be explicit and limited 
to a specified purpose--the recipient does not have carte blanche to 
use the data as they please, or to share it with third parties, with 
some complicating caveats.
    People have the right to request a full download of their data from 
the services they have entrusted it to, and they have the right to 
demand that it be permanently erased.
    The GDPR imposes a notification requirement for data breaches, and 
requires affirmative consent for the sale of user data. It also 
restricts the movement of data to outside jurisdictions (though in the 
case of the United States, this restriction is superseded by the U.S.-
EU Privacy Shield framework).
    Finally, the GDPR mandates that privacy safeguards like data 
tokenization and encryption be built into new systems, and that 
companies appoint a dedicated privacy officer.
    The GDPR is not a simple regulation, and many of its most 
potentially significant provisions (such as the scope of a data 
controller's ``legitimate interests,'' or what the right to erasure 
means in the context of a machine learning model) await interpretation 
by regulators.
    What limits, if any, the GDPR will place on the application of 
machine learning is a particularly important open question. The law on 
its face prohibits automated decisionmaking that has a ``legal or 
similarly significant effect'' on data subjects, but the definition of 
``significant effect'' is not clear, nor is it clear whether having a 
human being simply countersign an algorithmic decision would be enough 
to satisfy regulators that the decision process is not fully automated.
Impacts
    As it is so new, the GDPR's ultimate impact on online privacy in 
the European Union is unclear. Some of the dramatic early impacts (like 
major U.S. newspapers going offline) have proven to be transient, while 
many of the biggest impacts hinge on future decisions by EU regulators.
    Enough has happened, however, to draw some preliminary conclusions.
    The GDPR so far has made life hard for internet users. It is not 
clear that this is the GDPR's fault.
    The plain language of the GDPR is so plainly at odds with the 
business model of surveillance advertising that contorting the real-
time ad brokerages into something resembling compliance has required 
acrobatics that have left essentially everybody unhappy.
    The leading ad networks in the European Union have chosen to 
respond to the GDPR by stitching together a sort of Frankenstein's 
monster of consent, a mechanism whereby a user wishing to visit, say, a 
weather forecast page \4\ is first prompted to agree to share data with 
a consortium of 119 entities, including the aptly named ``A Million 
Ads'' network. The user can scroll through this list of intermediaries 
one by one, or give or withhold consent en bloc, but either way she 
must wait a further 2 minutes for the consent collection process to 
terminate before she is allowed to find out whether or not it is going 
to rain.
---------------------------------------------------------------------------
    \4\ This is an actual example.
---------------------------------------------------------------------------
    This majestically baroque consent mechanism also hinders Europeans 
from using the privacy-preserving features built into their web 
browsers, or from turning off invasive tracking technologies like 
third-party cookies, since the mechanism depends on their being 
present.
    For the average EU citizen, therefore, the immediate effect of the 
GDPR has been to add friction to their internet browsing experience 
along the lines of the infamous 2011 EU Privacy Directive (``EU cookie 
law'') that added consent dialogs to nearly every site on the internet.
    The GDPR rollout has also demonstrated to what extent the European 
ad market depends on Google, which has assumed the role of de facto 
technical regulatory authority due to its overwhelming market share.\5\ 
Google waited until the night before the regulation went into effect to 
announce its intentions, leaving ad networks scrambling.
---------------------------------------------------------------------------
    \5\ Google has at least a 70 percent advertising market share in 
Europe, though this figure is averaged over the 10 year period 2006-
2016 and likely far higher today. Laurent, Lionel. ``Europe Is Changing 
Google for the Better.'' Washington Post. (March 20, 2019), https://
www.washingtonpost.com/business/europe-is-changing-google-for-the-
better/2019/03/20/691a
aff4-4b2e-11e9-8cfc-2c5d0999c21e_story.html.
---------------------------------------------------------------------------
    It is significant that Google and Facebook also took advantage of 
the U.S.-EU Privacy Shield to move 1.5 billion non-EU user records out 
of EU jurisdiction to servers in the United States. Overall, the GDPR 
has significantly strengthened Facebook and Google at the expense of 
smaller players in the surveillance economy.
    The data protection provisions of the GDPR, particularly the right 
to erase, imposed significant compliance costs on internet companies. 
In some cases, these compliance costs just show the legislation working 
as intended. Companies that were not keeping adequate track of personal 
data were forced to retrofit costly controls, and that data is now 
safer for it.
    But in other cases, companies with a strong commitment to privacy 
also found themselves expending significant resources on retooling. 
Personally identifying information has a way of seeping into odd 
corners of computer systems (for example, users will sometimes 
accidentally paste their password into a search box), and tracking down 
all of these special cases can be challenging in a complex system. The 
requirements around erasure, particularly as they interact with 
backups, also impose a special burden, as most computer systems are 
designed with a bias to never losing data, rather than making it easy 
to expunge.
    A final, and extremely interesting, outcome of the GDPR was an 
inadvertent experiment conducted by the New York Times. Privacy 
advocates have long argued that intrusive third-party advertising does 
not provide more value to publishers than the traditional pre-internet 
style of advertising based on content, but there has never been a 
major publisher willing to publicly run the experiment.
    The New York Times tested this theory by cutting off all ad 
networks in Europe and running only direct-sold ads to its European 
visitors. The paper found that ad revenue increased significantly, and 
stayed elevated into 2019, bolstering the argument that surveillance-
based advertising offers no advantage to publishers, and may in fact 
harm them.\6\
---------------------------------------------------------------------------
    \6\ Davies, Jessica. ``After GDPR, the New York Times cut off ad 
exchanges in Europe--and kept growing ad revenue.'' Digiday. Jan. 6, 
2019, https://digiday.com/media/gumgumtest-new-york-times-gdpr-cut-off-
ad-exchanges-europe-ad-revenue/.
---------------------------------------------------------------------------
The Limits of Consent
    While it is too soon to draw definitive conclusions about the GDPR, 
there is a tension between its concept of user consent and the reality 
of a surveillance economy that is worth examining in more detail.
    A key assumption of the consent model is that any user can choose to 
withhold consent from online services. But not all services are created 
equal--there are some that you really can't say no to.
    Take the example of Facebook. Both landlords and employers in the 
United States have begun demanding to see Facebook accounts as a 
condition of housing or
employment.\7\ The United States Border Patrol has made a formal 
request to begin collecting social media information to help vet people arriving in 
the country.\8\ In both those contexts, not having a Facebook account 
might stand out too much to be a viable option. Many schools now 
communicate with parents via Facebook; Facebook groups are also the 
locus for political organizing and online activism across the political 
spectrum.
---------------------------------------------------------------------------
    \7\ Dewey, Caitlin. ``Creepy startup will help landlords, employers 
and online dates strip-mine intimate data from your Facebook page.'' 
Washington Post. June 9, 2016, https://www.washingtonpost.com/news/the-
intersect/wp/2016/06/09/creepy-startup-will-help-landlords-employers-
and-online-dates-strip-mine-intimate-data-from-your-facebook-page/.
    \8\ 81 FR 40892. https://www.federalregister.gov/documents/2016/06/
23/2016-14848/agency-information-collection-activities-arrival-and-
departure-record-forms-i-94-and-i-94w-and#h-11.
---------------------------------------------------------------------------
    Analogous arguments can be made for social products offered by the 
other major tech companies. But if you can't afford to opt out, what 
does it mean to consent?
    Opting out can also be impossible because of how deeply the 
internet giants have embedded themselves in the fabric of the internet. 
For example, major media properties in the European Union use a 
technology called ReCaptcha on their GDPR consent forms.\9\ These forms 
must be completed before a user can access the website that is 
gathering consent. But the ReCaptcha service is run by Google, and the 
form cannot be submitted without completing the Google-generated 
challenge (which incidentally performs free image classification labor 
for the company). A user who refuses to give Google access to her 
browser will therefore find herself denied access to a large portion 
of the internet.
---------------------------------------------------------------------------
    \9\ The purpose of ReCaptcha is to prevent automated submissions, 
and ensure that a human being is filling out the form.
---------------------------------------------------------------------------
    While this specific example may change when it comes to the 
attention of an EU regulator, the broader issue remains. The sheer 
reach of the tech oligopoly makes it impossible to avoid using their 
services. When a company like Google controls the market-leading 
browser, mobile operating system, email service and analytics suite, 
exercises a monopoly over search in the European Union, runs the 
largest ad network in Europe, and happens to own many of the undersea 
cables that connect Europe to the rest of the world,\10\ how do you 
possibly say ``no''?
---------------------------------------------------------------------------
    \10\ Zimmer, Jameson. ``Google Owns 63,605 Miles and 8.5 percent of 
Submarine Cables Worldwide.'' Broadband Now. (September 12, 2018), 
https://broadbandnow.com/report/google-content-providers-submarine-
cable-ownership/.
---------------------------------------------------------------------------
Informed Consent
    Beyond one's basic ability to consent, there is the question of 
what it means to give informed consent. Presumably we are not opting in 
or out of the services we use for capricious reasons, but because we 
can make a rational choice about what is in our interest.
    In practice, however, obtaining this information is not possible, 
even assuming superhuman reserves of patience.
    For example, anyone visiting the popular Tumblr blogging platform 
from a European IP address must first decide whether to share data with 
Tumblr's 201 advertising partners, and read five separate privacy 
policies from Tumblr's several web analytics providers.
    Despite being a domain expert in the field, and spending an hour 
clicking into these policies, I am unable to communicate what it is 
that Tumblr is tracking, or what data of mine will be used for what 
purposes by their data partners (each of whom has its own voluminous 
terms of service). This opacity exists in part because the 
intermediaries have fought hard to keep their business practices and 
data sharing processes a secret, even in the teeth of strong European 
regulation.
    Organizations like the Interactive Advertising Bureau Europe (IABE) 
defeat the spirit of the GDPR by bundling consent and requiring it 
across many ad-supported properties in Europe. If regulators block the 
bundling in its current incarnation, it will no doubt rise from the 
dead in a modified form, reflecting the undying spirit of surveillance 
advertising. But at no point will internet users have the information 
they would need to make a truly informed choice (leaving aside the 
ridiculousness of requiring a legal education and 2 hours of sustained 
close reading in order to watch a cat video).
Consent in a World of Inference
    Finally, there is a sense in which machine learning and the power 
of predictive inference may be making the whole idea of consent 
irrelevant. At this point, companies have collected so much data about 
entire populations that they can simply make guesses about us, often 
with astonishing accuracy.\11\
---------------------------------------------------------------------------
    \11\ The line of argument in this section is adapted from the work 
of Dr. Zeynep Tufekci, UNC Chapel Hill. For example, ``Think You're 
Discreet Online? Think Again,'' (April 21, 2019),  https://
www.nytimes.com/2019/04/21/opinion/computational-inference.html.
---------------------------------------------------------------------------
    A useful analogy here is a jigsaw puzzle. If you give me a puzzle 
with one piece missing, I can still assemble it, reconstruct the 
contours of the missing piece by looking at the shape of the pieces 
around it and, if the piece is small compared to the whole, easily 
interpolate the missing part of the image.
    This is exactly what computer systems do to us when we deny them 
our personal information. Experts have long known that it takes a very 
small amount of data to make reliable inferences about a person. Most 
people in the United States, for example, can be uniquely identified by 
just the combination of their date of birth, gender, and ZIP Code.\12\
---------------------------------------------------------------------------
    \12\ Sweeney, Latanya. ``Simple Demographics Often Identify People 
Uniquely,'' Carnegie Mellon University, Data Privacy Working Paper. 
(2000), https://dataprivacylab.org/projects/identifiability/paper1.pdf.
---------------------------------------------------------------------------
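    A back-of-the-envelope calculation, using assumed round figures 
rather than the cited study's data, suggests why these three 
attributes suffice:

    # Rough arithmetic: distinct (birth date, gender, ZIP) combinations
    # versus the U.S. population. All figures are assumed round numbers.
    zip_codes = 42_000            # approximate count of U.S. ZIP Codes
    birth_dates = 365 * 80        # one date per day over ~80 birth years
    genders = 2

    combinations = zip_codes * birth_dates * genders   # ~2.45 billion
    population = 330_000_000                           # approximate

    print(f"{combinations:,} combinations for {population:,} people")
    # With only ~7 combinations per person, most bins hold a single
    # individual, consistent with the finding cited above.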
    But machine learning is honing this ability to fill in the blanks 
to surprising levels of accuracy, raising troubling questions about 
what it means to have any categories of protected data at all.
    For example, imagine that an algorithm could inspect your online 
purchasing history and, with high confidence, infer that you suffer 
from an anxiety disorder. Ordinarily, this kind of sensitive medical 
information would be protected by HIPAA, but is the inference similarly 
protected? What if the algorithm is only reasonably certain? What if 
the algorithm knows that you're healthy now, but will suffer from such 
a disorder in the future?
    The question is not hypothetical--a 2017 study\13\ showed that a 
machine learning algorithm examining photos posted to the image-sharing 
site Instagram was able to detect signs of depression before it was 
diagnosed in the subjects, and outperformed medical doctors on the 
task.
---------------------------------------------------------------------------
    \13\ Reece, Andrew and Danforth, Christopher. ``Instagram photos 
reveal predictive markers of depression.'' EPJ Data Science, (2017), 
https://epjdatascience.springeropen.com/articles/10.1140/epjds/s13688-017-0110-z.
---------------------------------------------------------------------------
    The paradigm of automatic ownership of personal data does not mesh 
well with a world where such private data can not only be interpolated 
and reconstructed, but independently discovered by an algorithm!
    And if I can infer such important facts about your life by applying 
machine learning to public data, then I have deprived you of privacy 
just as effectively as I would have by direct eavesdropping.
    In order to talk meaningfully about consent in online systems, the 
locus of regulation will need to expand beyond data collection, to 
cover how those data collections, and the algorithms trained on them, 
are used. But to do this, we will first need far greater visibility 
into the workings of surveillance-dependent tech companies than they 
have so far been willing to grant us.
    As it stands, the consent framework exemplified in the GDPR is 
simply not adequate to safeguard privacy. As much as we would like to 
be the masters of our data, we are not. And the real masters aren't 
talking.
Goals for Privacy Regulation
    Absent a clear understanding of how our data is being used, and the 
role it plays in surveillance-based business models, it is hard to lay 
out a specific regulatory program.
    Nevertheless, there are some general goals we can pursue based on 
the experience of regulation attempts in Europe, and what we know about 
the surveillance economy.
Clarity
    Privacy regulation should be understandable, both for users of the 
technology, and for the companies the regulations govern. Users 
especially should not be required to make complex and irrevocable 
decisions about privacy. To the extent possible, intuitions about 
privacy from the human world (``a casual conversation between friends 
is not recorded forever'') should carry over into the digital world.
Privacy
    At the risk of sounding tautological, privacy regulation should not 
punish people for seeking privacy. It should not be necessary to turn 
on invasive tracking technologies in one's browser in order to express 
the desire not to be tracked.
Retention Limits on Behavioral Data
    Knowing that we lack the capacity to keep data collections safe 
over time, we can reduce the potential impact of any breach by setting 
strict lifetimes for behavioral data.
    Google has demonstrated the feasibility of this approach with its 
recent announcement that users will be able to set their account to 
automatically delete location data after 3 or 18 months.\14\ This 
demonstrates that permanent retention of behavioral data is not 
critical to surveillance-based business models. Such limits should be 
enforced industrywide.
---------------------------------------------------------------------------
    \14\ Monsees, David and McGriff, Marlo. ``Introducing auto-delete 
controls for your Location History and activity data.'' (May 1, 2019), 
https://www.blog.google/technology/safety-security/automatically-delete-data/.
---------------------------------------------------------------------------
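    Enforcing such a limit is not technically demanding. The following 
is a minimal sketch of a scheduled deletion job, assuming a 
hypothetical events table with a collected_at timestamp; it is not 
based on any company's actual implementation:

    import sqlite3
    from datetime import datetime, timedelta

    RETENTION = timedelta(days=90)    # e.g., the 3-month option

    def purge_expired(db_path="behavioral.db"):
        """Delete behavioral records older than the retention window."""
        cutoff = (datetime.utcnow() - RETENTION).isoformat()
        with sqlite3.connect(db_path) as conn:
            conn.execute("CREATE TABLE IF NOT EXISTS events "
                         "(payload TEXT, collected_at TEXT)")
            conn.execute("DELETE FROM events WHERE collected_at < ?",
                         (cutoff,))

    purge_expired()   # run daily by a scheduler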
    Moving to a norm where behavioral data is kept briefly instead of 
forever will mark a major step forward in data security, both reducing 
the time data is potentially exposed to attackers, and reducing the 
total volume of data that must be kept safe.
    Time limits on behavioral data will also reduce consumers' 
perception that they are making irrevocable privacy commitments every 
time they try a new product or service.
Right To Download
    The right to download is one of the most laudable features in the 
GDPR, and serves the important secondary purpose of educating the 
public about the extent of data collection.
    This right should, however, be expanded to include the right to 
download, and correct, all information that third-party data brokers 
have provided about a user, in a spirit similar to the Fair Credit 
Reporting Act.
Fairness
    Tech startups in the highly regulated areas of health, finance and 
banking should be required to compete on the same regulatory footing as 
established businesses in those areas. In particular, they should not 
be allowed to do an end run around existing data privacy laws by using 
machine learning and algorithmic inference.
    For example, the use of a machine learning algorithm should not 
allow a loan company to evade consumer protections against 
discrimination in fair lending laws.
    (For a fuller discussion of this point, see the addendum on machine 
learning at the end of this document).
Positive Regulation
    While the above suggestions seek to impose limits and restrictions, 
there is an important way that privacy regulation can create new ground 
for innovation.
    What is missing from the regulatory landscape is a legal mechanism 
for making credible and binding promises to users about privacy 
practices.
    Today, internet startups in the United States that want to compete 
on privacy have no mechanism to signal their commitment to users other 
than making promises through their terms of service (which usually 
include a standard legal clause that they may change at any time).
    Except in the case of the most egregious violations, which 
sometimes attract the attention of the Federal Trade Commission, these 
terms of service carry little weight.
    As the owner of a company that markets itself to privacy-conscious 
people, I would derive enormous benefit from a legal framework that 
allowed me to make binding privacy promises (for example, a pledge that 
there is no third-party tracking on my website), and imposed stiff 
fines on my company if I violated these guarantees (including criminal 
liability in the case of outright fraud).
    Such a legal mechanism would not only enable competition around 
privacy-enhancing features, but it would also give future regulators a 
clearer idea of how much value consumers place on data privacy. It is 
possible that the tech giants are right, and people want services for 
free, no matter the privacy cost. It is also possible that people value 
privacy, and will pay extra for it, just like many people now pay a 
premium for organic fruit. The experiment is easy to run--but it 
requires a modest foundation in law.
    Academic research in computer science is full of fascinating ideas 
that could serve as the seed for businesses built around user privacy. 
Results in fields like homomorphic encryption, differential privacy, 
privacy-preserving machine learning, and zero-knowledge proofs all 
await a clever entrepreneur who can incorporate them into a useful 
product or service. It is very hard to compete against companies like 
Amazon or Facebook on price, but it is not hard to beat them on 
privacy. With a minimum of regulatory scaffolding, we might see a 
welcome new burst of innovation.
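    As one small illustration of the kind of result waiting to be 
productized, here is a sketch of randomized response, a classic 
mechanism underlying differential privacy (the 0.75 honesty parameter 
is an assumption chosen for the example):

    import random

    def randomized_response(truth, p_honest=0.75):
        """Answer honestly with probability p_honest; otherwise flip a
        fair coin. Any single answer is plausibly deniable, yet an
        analyst can still recover accurate population-level rates."""
        if random.random() < p_honest:
            return truth
        return random.random() < 0.5

    # De-biasing the aggregate: observed = p*true + (1-p)*0.5
    answers = [randomized_response(True) for _ in range(10_000)]
    observed = sum(answers) / len(answers)
    print((observed - 0.25 * 0.5) / 0.75)   # estimates the true rate (1.0)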
Preserving Liberty
    The final, and paramount, goal of privacy regulation should be to 
preserve our liberty.
    There is no clearer warning of the danger of building up an 
infrastructure of surveillance than what is happening today in China's 
Xinjiang Uygur Autonomous
Region. Claiming to be concerned about the possible radicalization of a 
Muslim minority, Chinese authorities have imposed a regime of total 
surveillance over a population of 25 million people.
    As recent reporting by Human Rights Watch has shown, a computer 
system called the Integrated Joint Operations Platform (IJOP) monitors 
the location and movement of all people in the province (based on phone 
data), as well as their gas and electricity consumption, which apps 
they use, where they worship, who they communicate with, and how they 
spend their money. This surveillance information is fed into machine 
learning models that can bin people into one of 36 suspect categories, 
bringing them to the closer attention of the police.\15\ Never before 
has a government had the technical means to implement this level of 
surveillance across an entire population. And they are doing it with 
the same off-the-shelf commercial technologies we use in America to get 
people to click on ads.
---------------------------------------------------------------------------
    \15\ Human Rights Watch, ``China's Algorithms of Repression,'' (May 
1, 2019), https://www.hrw.org/report/2019/05/01/chinas-algorithms-
repression/reverse-engineering-xinjiang-police-mass-surveillance.
---------------------------------------------------------------------------
    The latent potential of the surveillance economy as a toolkit for 
despotism cannot be exaggerated. The monitoring tools we see in 
repressive regimes are not ``dual use'' technologies--they are single 
use technologies, working as designed, except for a different master.
    For 60 years, we have called the threat of totalitarian 
surveillance ``Orwellian,'' but the word no longer fits the threat. The 
better word now may be ``Californian.'' A truly sophisticated system of 
social control, of the kind being pioneered in China, will not compel 
obedience, but nudge people toward it. Rather than censoring or 
punishing those who dissent, it will simply make sure their voices are 
not heard. It will reward complacent behavior, and sideline 
troublemakers. It's even possible that, judiciously wielded, such a 
system of social control might enjoy wide public support in our own 
country.
    But I hope you will agree with me that such a future would be 
profoundly un-American.
    There is no deep reason that weds the commercial internet to a 
business model of blanket surveillance. The spirit of innovation is not 
dead in Silicon Valley, and there are other ways we can grow our 
digital economy that will maintain our lead in information technology, 
while also safeguarding our liberty. Just like the creation of the 
internet itself, the effort to put it on a safer foundation will 
require a combination of research, entrepreneurial drive and timely, 
enlightened regulation. But we did it before, and there's no reason to 
think we can't do it again.
Addendum: Machine Learning and Privacy
    Machine learning is a mathematical technique for training computer 
systems to make predictions from a large corpus of training data, with 
a degree of accuracy that in some domains can mimic human cognition.
    For example, machine learning algorithms trained on a sufficiently 
large data set can learn to identify objects in photographs with a high 
degree of accuracy, transcribe spoken language to text, translate texts 
between languages, or flag anomalous behavior on a surveillance 
videotape.
    The mathematical techniques underpinning machine learning, like 
convolutional neural networks (CNN), have been well-known since before 
the revolution in machine learning that took place beginning in 2012. 
What enabled the key breakthrough in machine learning was the arrival 
of truly large collections of data, along with concomitant computing 
power, allowing these techniques to finally demonstrate their full 
potential.
    It takes data sets of millions or billions of items, along with 
considerable computing power, to get adequate results from machine 
learning algorithms. Before the advent of the surveillance economy, we 
simply did not realize the power of these techniques when applied at 
scale.
    Because machine learning has a voracious appetite for data and 
computing power, it contributes both to the centralizing tendency that 
has consolidated the tech industry, and to the pressure companies face 
to maximize the collection of user data.
    Machine learning models pose some unique problems in privacy 
regulation because of the way they can obscure the links between the 
data used to train them and their ultimate behavior.
    A key feature of machine learning is that it occurs in separable 
phases. An initial training phase consists of running a learning 
algorithm on a large collection of labeled data (a time- and 
computation-intensive process). The resulting model can then be 
deployed in an exploitation phase, which requires far fewer resources.
    Once the training phase is complete, the data used to train the 
model is no longer required and can conceivably be thrown away.
    The two phases of training and exploitation can occur far away from 
each other both in space and time. The legal status of models trained 
on personal data under privacy laws like the GDPR, or whether data 
transfer laws apply to moving a trained model across jurisdictions, is 
not clear.
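    This separation is easy to demonstrate. The sketch below, a toy 
illustration using synthetic stand-in data and the open source 
scikit-learn library, trains a model, discards the training data, and 
ships only the weights:

    import pickle
    import numpy as np
    from sklearn.linear_model import LogisticRegression

    # Training phase: expensive, and requires the full labeled data set.
    X_train = np.random.rand(10_000, 20)    # stand-in for personal data
    y_train = (X_train.sum(axis=1) > 10).astype(int)
    model = LogisticRegression().fit(X_train, y_train)

    # The training data can now be thrown away; only weights remain.
    del X_train, y_train
    with open("model.pkl", "wb") as f:
        pickle.dump(model, f)

    # Exploitation phase: cheap, possibly in another jurisdiction,
    # years later, with the original data long gone.
    with open("model.pkl", "rb") as f:
        deployed = pickle.load(f)
    print(deployed.predict(np.random.rand(1, 20)))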
    Inspecting a trained model reveals nothing about the data that went 
into it. To a human inspecting it, the model consists of millions and 
millions of numeric weights that have no obvious meaning, or 
relationship to human categories of thought. One cannot examine an 
image recognition model, for example, and point to the numbers that 
encode ``apple.''
    The training process behaves as a kind of one-way function. It is 
not possible to run a trained model backwards to reconstruct the input 
data; nor is it possible to ``untrain'' a model so that it will forget 
a specific part of its input.
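    Continuing the toy sketch above, inspecting the persisted model 
yields only opaque numbers:

    # The persisted model is only numbers.
    print(deployed.coef_.shape)     # (1, 20) weight matrix
    print(deployed.coef_[0, :5])    # e.g., [ 0.91  0.88 ...] -- opaque
    # scikit-learn offers no call to recover X_train from these weights,
    # nor any way to "untrain" the influence of one training record.

A production image-recognition model differs from this toy only in 
scale: millions of weights instead of twenty.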
    Machine learning algorithms are best understood as inference 
engines. They find structure and excel at making inferences from data 
that can sometimes be surprising even to people familiar with the 
technology. This ability to see patterns that humans don't notice has 
led to interest in using machine learning algorithms in medical 
diagnosis, evaluating insurance risk, assigning credit scores, stock 
trading, and other fields that currently rely on expert human analysis.
    The opacity of machine learning models, combined with this capacity 
for inference, also makes them an ideal technology for circumventing 
legal protections on data use. In this spirit, I have previously 
referred to machine learning as ``money laundering for bias.'' Whatever 
latent biases are in the training data, whether or not they are 
apparent to humans, and whether or not attempts are made to remove them 
from the data set, will be reflected in the behavior of the model.
    A final feature of machine learning is that it is curiously 
vulnerable to adversarial inputs. For example, an image classifier that 
correctly identifies a picture of a horse might reclassify the same 
image as an apple, sailboat or any other object of an attacker's 
choosing if the attacker can manipulate even one pixel in the 
image.\16\ Changes in input data too small for a human observer to 
notice can be sufficient to mislead the model. Recent research 
suggests that this 
property is an inherent and ineradicable feature of any machine 
learning system that uses current approaches.\17\
---------------------------------------------------------------------------
    \16\ Su, Jiawei, Vargas, Danilo, and Sakurai, Kouichi. ``One Pixel 
Attack for Fooling Deep Neural Networks.'' (Oct 24, 2017), https://
arxiv.org/pdf/1710.08864.pdf.
    \17\ Wang, Xianmin, Li, Jing, Kuang, Xiaohui, Tan, Yu-an. ``The 
security of machine learning in an adversarial setting: A survey.'' 
Journal of Parallel and Distributed Computing, (August 2019).
---------------------------------------------------------------------------
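    A toy version of such an attack can be sketched as a naive random 
search. The model and image below are assumed placeholders for any 
classifier that returns per-class scores; the cited paper uses a more 
sophisticated differential-evolution search:

    import numpy as np

    def one_pixel_attack(model, image, target_class, tries=10_000):
        """Toy random search: perturb one pixel at a time until the
        classifier's top score lands on the attacker's chosen class.
        (`model.predict` is assumed to return per-class scores.)"""
        height, width, channels = image.shape
        rng = np.random.default_rng(0)
        for _ in range(tries):
            candidate = image.copy()
            x, y = rng.integers(width), rng.integers(height)
            candidate[y, x] = rng.random(channels)  # overwrite one pixel
            if model.predict(candidate[None]).argmax() == target_class:
                return candidate      # now misclassified as the target
        return None                   # attack failed within the budget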
    In brief, machine learning is effective, has an enormous appetite 
for data, requires large computational resources, makes decisions that 
resist analysis, excels at finding latent structure in data, obscures 
the link between source data and outcomes, defies many human 
intuitions, and is readily fooled by a knowledgeable adversary.

 RESPONSES TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM PETER 
                            H. CHASE

                                ------                                

Q.1. We are approaching the 1-year anniversary of the GDPR. 
What are some of the negative unintended consequences that the 
United States can learn from as Congress explores its own 
privacy legislation?

A.1. There have been a number of stories about some of the 
negative unintended consequences of GDPR in its first year in 
force. One study (https://voxeu.org/article/short-run-effects-
gdpr-technology-venture-investment) found that venture capital 
for tech firms in Europe declined significantly compared with 
counterparts in the United States, noting specifically:

        EU technology firms, on average, experienced double-
        digit percentage declines in venture funding relative 
        to their U.S. counterparts after GDPR went into effect. 
        At our aggregate unit of observation, EU venture 
        funding decreased by $3.38 million at the mean of 
        $23.18 million raised per week per state per crude 
        technology category. This reduction takes place in both 
        the intensive margin (the average dollar amount raised 
        per round of funding, which decreased 39 percent) and 
        the extensive margin (the number of deals, which 
        incurred a 17 percent average drop).

        GDPR's effect is particularly pronounced for young (0-3 
        year-old) EU ventures, where an average reduction of 19 
        percent in the number of deals is observed . . . If 
        GDPR leads to fewer new ventures and less capital per 
        venture, there could be fewer jobs as a result. Our 
        back-of-the-envelope calculation suggests that the 
        investment reduction for young ventures could translate 
        into a yearly loss between 3,604 to 29,819 jobs in the 
        European Union, corresponding to 4.09 percent to 11.20 
        percent of jobs created by 0-3 year-old ventures in our 
        sample.\1\
---------------------------------------------------------------------------
    \1\ Jian Jia et al., The Short-Run Effects of GDPR on Technology 
Venture Investment, Vox.eu, (January 7, 2019).

    The authors of the study note that this effect may not be 
due to the GDPR per se, but rather to the actions major 
platforms took to ensure that apps available through them were 
GDPR-compliant. They also stress that this is a short-run 
observation, which could correct over time.
    Somewhat related, I have been told by representatives of 
major financial firms involved in mergers and acquisitions that 
the need for ``due diligence'' related to GDPR compliance has 
become a significant factor in slowing some deals.
    Another consequence, probably unintended in its magnitude and 
direction, appears to have fallen on hospitals that have 
increasingly moved toward digitalization of their 
healthcare-related services, as these have had to invest 
considerably more in compliance than less technologically 
advanced hospitals, including with respect to staff 
training.\2\
---------------------------------------------------------------------------
    \2\ Yuan Bocong and Li Jiannan, The Policy Effect of the General 
Data Protection Regulation (GDPR) on the Digital Public Health Sector 
in the European Union: An Empirical Investigation, International 
Journal of Environmental Research and Public Health, March 25, 2019. 
(https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6466053/)
---------------------------------------------------------------------------
    Unintended negative consequences such as these must be 
expected with any large and detailed law, and especially one 
that affects the practices of virtually all businesses, as all 
firms--not just the IT sector--have become digital. As noted in 
my written statement, certainly an expected consequence was the 
cost of compliance, although European authorities may have 
under-estimated those costs. One possible reason for this is 
that, even in its own publications, the European Union, like many 
others, has stressed the somewhat absolutist aspect of the 
``fundamental right'' to data protection, although in fact GDPR 
does take more of a risk-based approach. This has been 
beneficial for the many large and small firms that have leapt 
into the GDPR compliance business.
    But these unintended costs are also offset by some 
unexpected benefits, such as those that appear to have come 
from extended ``data hygiene'' processes many firms have 
undergone, including with respect to their cyber-security 
practices.\3\
---------------------------------------------------------------------------
    \3\ Tim Woods, GDPR's Impact on Incident Response, Security Today, 
April 24, 2019. https://securitytoday.com/Articles/2019/04/24/GDPRs-
Impact-on-Incident-Response.aspx?Page=1.

Q.2. A central element of GDPR is that companies must clearly 
explain how data is collected and used. Already we've seen 
companies such as Google face heavy fines for failing to comply 
with GDPR's consent requirements. How would you grade the EU's 
enforcement of GDPR standards writ large, but also specifically 
the data collection and use standards?

A.2. GDPR has notably raised awareness of the importance of 
data protection in the European Union, among citizens as well 
as firms that hold consumer data. This is important, as the 
first step in GDPR enforcement comes from citizens exercising 
their rights to more information about what data is being 
collected about them and how it is being used. GDPR gives them 
a right to lodge complaints with a data protection authority, 
and to seek effective judicial remedies both against that 
authority (e.g., for not acting on a complaint) and a data 
controller or processor. GDPR also allows not-for-profit civil 
society organizations versed in data protection issues to lodge 
such complaints, as Privacy International recently did against 
a number of data brokers and credit rating agencies.
    Actual enforcement rests in the first instance on the Data 
Protection Supervisory Authorities in each of the EU member 
states, which may take differing approaches to this task. Some 
are more focused on helping firms--especially smaller ones--
comply with their obligations under GDPR; others may be more 
disciplinary. That being said, the European Data Protection 
Board (EDPB) provides guidance and rulings to ensure the member 
state DPSAs interpret the GDPR in a consistent manner.
    On May 22, 2019, the EDPB published a blog ``taking stock'' 
of the GDPR, noting that member state supervisory authorities 
received 144,376 queries and complaints in 2018, as well as 
89,271 data breach notifications, both up significantly over 
2017. (Note, however, that GDPR was only in force as of May 25, 
2018, so the numbers are not strictly comparable.) While 63 
percent of these cases had been closed, some 37 percent were 
still being processed as of May 2019, while 0.1 percent were 
being appealed--including those (such as the Google case noted 
in the question) that had led to the supervisory authorities 
levying some $60 million in fines in the 7 months following 
GDPR's entry into force.
    I have not yet seen an analysis of precisely how many of 
these queries and complaints specifically related to data 
collection and use standards, although I suspect these issues 
were raised in most of them.
    In general, however, I would ``grade'' the European Union's 
enforcement efforts fairly favorably. All EU member states had 
data protection laws and data protection authorities under the 
previous 1995 Data Protection Directive, so GDPR was not 
completely new. That said, the political attention surrounding, 
and the emphasis on, data protection have increased immensely 
during the past few years, not least because of the 2013 
Snowden revelations and the Cambridge Analytica stories.
    This, plus the more detailed and stringent GDPR 
requirements, places significant demands on the Supervisory 
Authorities, many of which had to be legally reconstituted to 
meet GDPR requirements for independence and enforcement 
powers. GDPR requires member state governments to provide 
the requisite resources to the Supervisory Authorities, but 
this takes time, as does finding sufficient qualified staff (in 
competition with the private sector compliance business). Even 
with the 2 years between enactment in April 2016 and entry into 
force in May 2018, many supervisory authorities, especially in 
smaller member states, are still struggling to staff up.
    They are not helped by the fact that the EDPB is still 
developing detailed guidance on some of the trickiest parts of 
GDPR (e.g., on big data analytics, beyond profiling and 
automated decisionmaking), and that very little has yet been 
subjected to detailed judicial review.
    These ``growing pains'' should have been expected, and as 
noted the majority of Supervisory Authorities are managing them 
in part by focusing on helping the firms they supervise comply 
with the GDPR. This necessarily means emphasizing some of the 
risk and harm-based approaches that are reflected in the GDPR, 
as implicit in the Data Protection Impact Assessments. Applying 
such ``prosecutorial discretion'' makes sense at this point in 
the GDPR's life, although those who emphasize the ``fundamental 
right'' of data protection may be somewhat disappointed.
                                ------                                


  RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM 
                         PETER H. CHASE

Data Minimization vs. Big Data
Q.1. Data minimization seeks for businesses to collect, 
process, and store the minimum amount of data that is necessary 
to carry out the purposes for which it was collected. There are 
obvious advantages to this as it minimizes the risk of data 
breaches and other privacy harms. At the same time, big data 
analytics are going to be crucial for the future and play an 
important role in smart cities, artificial intelligence, and 
other important technologies that fuel economic growth.
    Can you describe how you view a balance between 
minimization and big data? Please describe how this balance 
applies specifically to the financial sector?

A.1. Data minimization and big data analytics are two different 
concepts.
    The European Union's General Data Protection Regulation 
(GDPR) requires a data controller (including financial firms) 
to collect and process personal data in accordance with a 
number of principles, including the data minimization 
principle. This requirement in Article 5(1)(c) does not in 
itself restrict the amount of personal data a controller may 
collect; it merely stipulates that the data must be ``adequate, 
relevant and necessary in relation to the purposes for which 
they (the personal data) are processed.''
    ``Big data analytics''--that is, the application of 
powerful computing capabilities to large amounts of data to try 
to determine and learn from certain correlations--could be one 
of the purposes for which a data controller (including a 
financial firm) collects/processes personal data; that is, GDPR 
and the data minimization principle do not preclude big data 
analytics.
    That said, under GDPR a controller must also ensure that 
any processing of personal data complies with other key 
principles and requirements, including importantly the 
``lawfulness, fairness and transparency'' principle in Article 
5(1)(a) and the ``purpose limitation'' principle in Article 
5(1)(b). The first of these requires inter alia that any 
processing of personal data must be done in accordance with one 
of the six lawful purposes spelled out in Article 6, while the 
second mandates that data must be ``collected for specified, 
explicit and legitimate purposes and not further processed in a 
manner that is incompatible with those purposes.''
    Many see this ``purpose limitation'' principle as 
potentially more problematic for big data analytics than the 
``data minimization'' principle, as a data controller 
(including a financial firm) might wish to apply such analytics 
to personal data in a way that was not clearly and specifically 
envisioned and spelled out to a data subject when the data was 
collected. Interestingly, neither the European Data Protection 
Board (EDPB) nor its predecessor, the ``Working Party 29'' (WP-
29), has provided clear guidance on this issue.
    They have, however, provided detailed guidance (https://
ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053) 
on two of the main purposes for which big data analytics might 
be applied to personal data, automated decisionmaking and 
profiling, both of which are specifically addressed as well in 
Article 22 of GDPR (https://gdpr-info.eu/art-22-gdpr/). The 
EDPB Guidance notes that both analytical tools may have useful 
applications, including in financial service industries, and 
indeed cites financial service applications in a number of the 
examples. Profiling is defined as:

        a procedure which may involve a series of statistical 
        deductions . . . used to make predictions (or 
        evaluations) about people, using data from various 
        sources to infer something about an individual, based 
        on the qualities of others who appear statistically 
        similar.

Automated decisionmaking can be based on data provided directly 
by a consumer, observed about that person, or derived or 
inferred about them; it may or may not involve profiling.
    Both of these ``big data'' procedures are allowable under 
GDPR, but they must comply with the relevant provisions thereof. 
This may be difficult. Consent may not apply unless the 
individual was specifically alerted to the additional 
processing to which his or her data might be subjected, and 
even then the controller needs to meet the requirement that the 
``consent'' also meet the ``fairness'' principle (including the 
individual's reasonable expectations about the use of his/her 
data). European officials also point to the possibility of 
using the ``legitimate interests'' of the controller as a basis 
for big data analytics, although a controller doing so would 
need to demonstrate--probably through a Data Protection Impact 
Assessment--that the rights of the individuals whose data is 
being processed do not override those interests. The Guidance 
suggests this will be increasingly difficult to demonstrate the 
more detailed, comprehensive and impactful the profiling might 
be for an individual.
    Note that under GDPR, an individual has an absolute right 
to object to the use of profiling for direct marketing 
purposes.
Security Standards
Q.2. Are the existing data security standards under GLBA 
sufficient for protecting consumers' information? If not, what 
do you recommend to make the standards adequate?

A.2. I do not know enough about the security standards under 
GLBA to assess whether or not they are sufficient for 
protecting consumers' information. The GDPR also has provisions 
in Articles 32-34 about data security and breach notification, 
but I am not in a position to compare those with GLBA. Data 
breaches of course continue to happen in the European Union; 
the European Union is trying to address these more through the 
upgrading of its cyber-security law and regulation than through 
GDPR.
Discrimination in AI
Q.3. Machine Learning and Artificial Intelligence can often 
lead to discriminatory and biased outcomes. It is important 
that Congress address and prevent discrimination in any future 
privacy legislation.

Q.3.a. Can impact assessments in the financial sector be 
useful?

A.3.a. Machine Learning and Artificial Intelligence are types 
of big data analytics, so many of the comments made in response 
to the first question are also applicable here.
    As a general matter, the GDPR's lawfulness and fairness 
principle would preclude decisionmaking based on personal 
information that either was not in compliance with existing 
laws against such discrimination or otherwise unfairly 
discriminated against an individual.
    Data Protection Impact Assessments, as described in detail 
in GDPR Article 35 (https://gdpr-info.eu/art-35-gdpr/) as well 
as relevant EDPB Guidance (https://ec.europa.eu/newsroom/
article29/item-detail.cfm?item_id=611236), would of course be a 
useful tool financial service firms could use to determine 
whether their use of big data analytics, including machine 
learning and artificial intelligence, is consistent with data 
protection laws and requirements.

Q.3.b. How do we balance the need for transparency in automated 
decisionmaking with proprietary business information?

A.3.b. The principle of transparency in automated 
decisionmaking need not conflict with protecting proprietary 
business information, an issue discussed in GDPR Recital 63. 
The EDPB has issued detailed guidance (https://ec.europa.eu/
newsroom/article29/item-detail.cfm?item_id=622227) on this 
issue, which essentially says that (a) data subjects have a 
right to access (and rectify) the personal data about them used 
in automated decisionmaking, and that (b) data controllers need 
to be able to explain in some detail about how their automated 
decisionmaking processes work, but do not need to reveal 
proprietary business data as part of that.\1\
---------------------------------------------------------------------------
    \1\ See especially the Guidance on Automated Decision Making, page 
25 (https://ec.europa.eu/newsroom/article29/item-
detail.cfm?item_id=612053).
---------------------------------------------------------------------------
    Note that the EDPB argues that GDPR prohibits solely 
automated decisionmaking that has a legal or ``similarly 
significant'' effect on an individual, unless in the 
performance of a contract (where the use of the procedure is 
clearly spelled out), pursuant to law or with the explicit 
consent of the individual. Every individual at the least has a 
right to human intervention in the decisionmaking and an 
explanation of the grounds for the decision.

Q.3.c. Where do you think we must be careful to avoid 
discrimination based on machine learning, AI and other 
algorithms?

A.3.c. The United States has laws against discrimination, 
including specific types of discrimination that might be 
practiced by financial firms, whether or not that 
discrimination is a result of the use of machine-learning, AI 
or other algorithms. The existence or not of a general data 
protection law in the United States along the lines of GDPR 
does not in any way excuse these firms from their need to obey 
these laws. The many levels of Government responsible for the 
enforcement of these laws, however, need to have the 
appropriate capacity, technical competence and resources to be 
able to do so in the context of the use of computer-based 
decisionmaking mechanisms.

Q.3.d. Are you aware of pricing differences for consumer 
financial products such as loans or credit cards based on 
algorithms?

A.3.d. Personally, no, but differential pricing is both common 
and permissible in many industries, and specifically financial 
industries. The use of computer-based analysis/modeling 
(algorithms) in making these pricing determinations is not 
novel, and, as noted above, is subject to existing laws.

Q.3.e. Are there firms that you think are utilizing algorithms 
to expand access for affordable credit or useful financial 
products that we can learn from?

A.3.e. I am not personally aware of any such firms in the 
United States or Europe, although I have read about ways in which 
``fintech'' is arguably expanding the pool of individuals able 
to access financial resources.
Harms
Q.4. It is well documented that some businesses have collected 
and used personal information to engage in digital redlining 
against marginalized communities in areas from credit to 
housing to
employment and education. Others have sold customer location 
data intended to help 911 services save lives to bounty 
hunters, threatening the physical safety of citizens and 
discrediting the use of emergency mechanisms. Data harms, in sum, 
can be varied and very real, going well beyond narrow financial 
harms that many would only like to focus on.
    What do you believe are the harms Congress should address 
in privacy legislation aimed at the Nation's financial sector?

A.4. I am not qualified to respond to the question, 
specifically with respect to the financial sector, but would 
note again that all existing laws apply.
    I would add that Privacy International has filed complaints 
under GDPR to the UK's Information Commissioner's Office about 
a number of specific data practices used by data brokers and 
credit rating agencies that might go to some novel personal 
data protection issues not now covered by U.S. law.
Impact of GLBA
Q.5. Recent polling found that 94 percent of Californians think 
that companies should get their permission before sharing their 
data with third parties. This polling is likely reflective of 
consumer sentiment across the Nation.

Q.5.a. How many consumers typically take advantage of their 
right to opt-out of the sale of their data to third parties?

A.5.a. I have not yet seen any data about the number of 
Europeans who have opted-out of (objected to) the sale of their 
data to third parties since the GDPR went into force in May 
2018. The GDPR (which is more of an ``opt-in'' approach) does 
however require that consumers be told in advance how their 
data will be collected and the specific purposes for which it 
will be used, and that they have the right to object to the 
sharing of their data with third parties. This is true not only 
when the data is provided directly by them (as addressed in 
Article 13, https://gdpr-info.eu/art-13-gdpr/), but also when 
it has been collected indirectly (Article 14, https://gdpr-
info.eu/art-14-gdpr/).

Q.5.b. Do you see differences in opt-out options based on firm 
size? Are consumers more likely to accept tracking from large 
monopolies like Google, Amazon or Facebook and deny it from 
smaller sites like local newspapers?

A.5.b. I am not aware of any specific research on this subject, 
whether related to the United States or in Europe.
National Rules and Standards
Q.6. A lot of data processing is done by third-party processing 
companies which exist simply to process the data on behalf of 
any business. They don't necessarily have a say in how the data 
is used; they simply perform the processing functions for 
someone else. This is important for a couple of reasons. First, it 
presents a challenge in trying to craft rules because these 
entities have no consumer facing side. But it also raises the 
question of how these entities should manage compliance with 
different data privacy and security laws as they process for 
businesses that work in different sectors.
    What should Congress keep in mind as a few committees of 
jurisdiction are looking at the data privacy issues with 
regard to 
ensuring processors are able to comply with the strong 
standards we need to set?

A.6. The GDPR, which provides generally applicable rules with 
respect to the protection of personal data (that is, regardless 
of sector), distinguishes between data ``controllers'' and data 
``processors'' for the reason described in the question. The 
roles and responsibilities of the two are discussed in GDPR 
Chapter 4, and specifically Articles 24 (Responsibility of the 
Controller), 26 (Joint Controllers), 28 (Processors) and 29 
(Processing under the Authority of the Controller or 
Processor). In principle, the controllers have the primary 
responsibility for ensuring that the companies they engage as 
processors also comply fully with the terms of GDPR. Precisely 
because the relationship between the controller and the 
processor can be complex, the EDPB and its predecessor, the WP-
29, have provided a number of guidance documents on this, 
including with respect to the contractual rules that should 
govern the relationship between them as well as for identifying 
the ``lead supervisory authority'' that oversees the 
relationship.
                                ------                                


  RESPONSES TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM JAY 
                             CLINE

Q.1. As companies change the way they do business to comply 
with GDPR in Europe, here in the United States those same 
companies are voluntarily rolling out the same protections. For 
example, in April 2018, Facebook announced that it would 
provide GDPR privacy controls to all its users. My concern is 
that smaller companies and startups will not be able to 
voluntarily offer GDPR protections to Americans. What can be 
done to assist those companies that would like to comply but 
lack the resources?

A.1. My experience is primarily with large corporations, and I 
do not have an informed perspective about smaller companies.

Q.2. Is it realistic for the United States to ``free-ride'' on 
GDPR? Can we expect companies to voluntarily adopt all or part 
of GDPR? How can we avoid a balkanized world of privacy 
regulations?

A.2. I have published an analysis of the world's privacy 
regulations, highlighting the areas where there is common 
agreement and the areas where there is divergence. I advise 
companies to build global privacy capabilities in areas where 
there is common agreement--such as employee training and 
incident response--and local capabilities where there is 
divergence, such as on individual rights.

Q.3. As consumers begin to demand additional privacy 
protections, we will undoubtedly hear pushback from U.S. firms 
that too much regulation will undermine our competitive edge. 
According to analyses by Goldman Sachs, Facebook's revenue 
could ``potentially see a negative impact of up to 7 percent 
from GDPR.'' In your experience, are these concerns founded? 
And how can we strike a balance that protects consumers while 
allowing firms to grow?

A.3. There are indeed administrative requirements of GDPR which 
impose commercial burdens without providing obvious, concrete 
improvements in consumer privacy from an American perspective. 
For example, requirements to document cross border data-
transfer agreements and document the legal basis of data 
processing are vestiges of Europe's unique approach to data 
privacy. The widespread adoption by websites of cookie pop-up 
boxes in GDPR's wake is another example of administrative 
steps that do not practically improve consumer privacy.
    Some of the major requirements of the GDPR, however, have 
North American origins, such as the data-breach notification 
rules that emanate from the United States, and Privacy by 
Design, which originated in Canada. Other parts of the GDPR-- 
such as data inventorying and risk assessments--reflect a code 
of good business practice that I have long advised clients to 
undertake in order to achieve their business objectives and 
protect their brands.
    The American-led rise of social media and mobile phones has 
both given the United States a global economic competitive 
advantage and shown that American consumers are willing to trust 
these technologies while also demanding higher privacy 
protections. The sharp rise this year in venture-capital-
funded, innovative U.S. privacy technologies that sell their 
products to large enterprises reflects a market expectation 
that American consumers will continue to demand an increasing 
level of privacy protection in the years ahead.
    I advise clients to strike this balance between protection 
and innovation by designing a data architecture that puts 
consumers in control of their personal data, protecting that 
data throughout its lifecycle, and performing privacy and 
ethical impact assessments for all new business and technology 
changes. I have found that companies that take this approach 
achieve a more complete view of their data for innovation 
purposes, and also earn more trust of their stakeholders.

Q.4. We are approaching the 1-year anniversary of the GDPR. 
What are some of the negative unintended consequences that the 
United States can learn from as Congress explores its own 
privacy legislation?

A.4. One study\1\ of new deals activity in the European Union 
showed a decrease after GDPR's go-live date of May 2018. This 
study matched anecdotal evidence that investors perceived 
higher risk and uncertainties in the European Union, 
particularly with regard to the potential of a corporation to 
be fined 4 percent of its annual revenues for egregious 
violations of the GDPR. The July 2019 GDPR enforcement actions 
by the U.K. Information Commissioner that established record 
privacy fines in the European Union reinforced the perception 
that this fining capacity represents material risk for 
investors in the EU market.
---------------------------------------------------------------------------
    \1\ https://www.datainnovation.org/2019/06/what-the-evidence-shows-
about-the-impact-of-the-gdpr-after-one-year/.

Q.5. A central element of GDPR is that companies must clearly 
explain how data is collected and used. Already we've seen 
companies such as Google face heavy fines for failing to comply 
with GDPR's consent requirements. How would you grade the 
European Union's enforcement of GDPR standards writ large, but 
also specifically the data collection and use standards?

A.5. Many industry observers expected EU member states' first 
wave of privacy investigations to conclude sooner than they 
have. Since the hearing in May 2019, the United Kingdom has 
indicated its intention to impose the two largest privacy fines 
in EU history. It remains to be seen what the European Union's 
steady state of GDPR enforcement will be.
                                ------                                


RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM JAY 
                             CLINE

Data Minimization vs. Big Data
Q.1. Data minimization seeks for businesses to collect, 
process, and store the minimum amount of data that is necessary 
to carry out the purposes for which it was collected. There are 
obvious advantages to this as it minimizes the risk of data 
breaches and other privacy harms. At the same time, big data 
analytics are going to be crucial for the future and play an 
important role in smart cities, artificial intelligence, and 
other important technologies that fuel economic growth.
    Can you describe how you view a balance between 
minimization and big data? Please describe how this balance 
applies specifically to the financial sector?

A.1. The tremendous potential of big data can be achieved only 
with the ongoing trust of the people whose data are used for 
these purposes. Two components of gaining that trust ordinarily 
are transparency and individual control. People generally want 
to know how their data will be used in large-scale data sets, 
and they want the ability to not participate if they disagree 
with the uses. In order to deliver these two components of 
transparency and individual control, organizations would need 
to implement a new ``data architecture.'' Today, most companies 
organize their technology around a ``systems architecture'' 
that connects servers to each other in a network. To enable a 
single individual to remove their data from the entire network 
without causing individual applications and databases to stop 
working, however, and to make sure data was minimized to the 
agreed-upon purposes, companies would need to engineer their 
systems at a more granular, data-element level. Achieving a 
balance between data minimization and big data can be done, but 
it requires a re-thinking about how information technology is 
organized.
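    What follows is a minimal sketch of that idea. The registry, store 
names, and keys are hypothetical; the point is only that per-person 
erasure becomes a single indexed operation once every record is 
tracked by data subject:

    from collections import defaultdict

    class DataRegistry:
        """Index every record a company holds, keyed by data subject."""
        def __init__(self):
            self.index = defaultdict(list)  # subject -> [(store, key)]

        def record(self, subject, store, key):
            self.index[subject].append((store, key))

        def erase(self, subject, stores):
            """Remove every registered record for one person."""
            for store_name, key in self.index.pop(subject, []):
                stores[store_name].pop(key, None)

    # Usage: two in-memory dictionaries standing in for real systems.
    stores = {"crm": {}, "analytics": {}}
    registry = DataRegistry()
    stores["crm"]["u1"] = {"name": "Jane"}
    registry.record("jane", "crm", "u1")
    registry.erase("jane", stores)
    print(stores)   # {'crm': {}, 'analytics': {}}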
Security Standards
Q.2. Are the existing data security standards under GLBA 
sufficient for protecting consumers' information? If not, what 
do you recommend to make the standards adequate?

A.2. The most important and effective standard of the GLBA 
Safeguards Rule and how it has been enforced by the Federal 
Trade Commission is the requirement to regularly assess 
vulnerabilities and to remediate material vulnerabilities with 
commercially reasonable and available means. This all-
encompassing approach--if implemented consistently and 
comprehensively across an organization--should result in 
substantial and ongoing protection of consumer information from 
unauthorized access or disclosure. NIST has similarly developed 
useful and effective information security standards that when 
implemented have elevated the protection of consumer 
information.
Discrimination in AI
Q.3. Machine Learning and Artificial Intelligence can often 
lead to discriminatory and biased outcomes. It is important 
that Congress address and prevent discrimination in any future 
privacy legislation.

Q.3.a. Can impact assessments in the financial sector be 
useful?

A.3.a. Privacy impact assessments with supplemental data-ethics 
criteria can be useful and practically essential in meeting the 
objective of eliminating bias in machine learning and 
artificial intelligence. In the same way that software 
applications are tested
before they are put into production, algorithms that an impact 
assessment determines could cause substantially negative and 
disparate outcomes on vulnerable populations can be evaluated 
and improved before deployment.

Q.3.b. How do we balance the need for transparency in automated 
decisionmaking with proprietary business information?

A.3.b. Most automated decisionmaking programs are designed 
around three components: data input, data processing, and data 
output. The data input and data output components are the most 
important to make transparent to the people whose data are 
being processed, so that they can make informed decisions about 
whether they want their data included. Protecting the 
confidentiality of the middle, data-processing stage is the 
most important for preserving proprietary secrets. For example, 
telling a user that a product is recommended because customers 
who bought the same past product also purchased it demonstrates 
the relationship between the input and the output without 
revealing the business secret of why that one product 
recommendation topped all of the other options. From a 
regulatory standpoint, GDPR Article 15 contains a right of 
access to ``meaningful information about the logic involved'' 
in automated decisionmaking. This threshold falls short of 
requiring companies to provide their confidential source code 
as part of an access request.
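    A minimal sketch can make the three-component split 
concrete. Everything below, from the class name to the catalog 
of co-purchases, is a hypothetical illustration: the service 
discloses the data input it relied on and the data output it 
produced, while the scoring logic in the middle stays 
confidential.

class RecommendationService:
    """Transparent about inputs and outputs; the processing
    stage remains proprietary."""

    def __init__(self, catalog):
        # catalog: item -> set of items often bought before it
        self.catalog = catalog

    def _score(self, history, item):
        # Confidential processing stage: the weights and logic
        # here are the business secret.
        return sum(1 for p in history
                   if p in self.catalog.get(item, set()))

    def recommend(self, history):
        best = max(self.catalog,
                   key=lambda item: self._score(history, item))
        # Disclosure covers input and output, not the ranking.
        return {"inputs_used": list(history),      # data input
                "recommendation": best,            # data output
                "reason": "customers with similar purchases "
                          "also bought this"}

service = RecommendationService(
    {"tent": {"sleeping bag"}, "skis": {"boots"}})
print(service.recommend(["sleeping bag"]))  # recommends "tent"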

Q.3.c. Where do you think we must be careful to avoid 
discrimination based on machine learning, AI and other 
algorithms?

A.3.c. I am recommending that my clients prioritize, for 
privacy and ethical impact assessments, any data-analytics 
processes that could reduce access to the basic necessities of 
life--food, clothing, housing, credit, insurance, and 
employment.

Q.3.d. Are you aware of pricing differences for consumer 
financial products such as loans or credit cards based on 
algorithms?

A.3.d. I am not aware of these specific scenarios.

Q.3.e. Are there firms that you think are utilizing algorithms 
to expand access for affordable credit or useful financial 
products that we can learn from?

A.3.e. I see positive steps taking place in the area of risk 
scoring within some parts of the financial services sector, 
whereby advanced data analytics reduce uncertainty and allow 
rates and premiums to be reduced, creating more access to 
credit and insurance.
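    As a stylized illustration of how reduced uncertainty can 
translate into lower rates (the loading formula and figures are 
assumptions, not industry practice), a premium can be modeled 
as an expected loss plus a margin that shrinks as more 
observations narrow the risk estimate:

import math

def premium(expected_loss, loss_std_dev, n_observations, k=1.0):
    """Expected loss plus an uncertainty loading; richer data
    (larger n_observations) shrinks the standard error and,
    with it, the premium."""
    standard_error = loss_std_dev / math.sqrt(n_observations)
    return expected_loss + k * standard_error

print(premium(500.0, 300.0, n_observations=25))    # 560.0
print(premium(500.0, 300.0, n_observations=2500))  # 506.0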
Harms
Q.4. It is well documented that some businesses have collected 
and used personal information to engage in digital redlining 
against marginalized communities in areas from credit to 
housing to employment and education. Others have sold customer 
location data intended to help 911 services save lives to 
bounty hunters, threatening the physical safety of citizens and 
discrediting the use of emergency mechanisms. Data harms, in 
sum, can be varied and very real, going well beyond the narrow 
financial harms that many would prefer to focus on exclusively.
    What do you believe are the harms Congress should address 
in privacy legislation aimed at the Nation's financial sector?

A.4. The GDPR includes a principle to use personal data only 
for the purpose for which they were originally collected, which 
has become a generally accepted industry standard in the 
privacy profession. Companies following this principle will 
generally avoid causing the aforementioned harms.
Impact of GLBA
Q.5. Recent polling found that 94 percent of Californians think 
that companies should get their permission before sharing their 
data with third parties. This polling is likely reflective of 
consumer sentiment across the Nation.

Q.5.a. How many consumers typically take advantage of their 
right to opt-out of the sale of their data to third parties?

A.5.a. Consumers' exercise of any type of opt-out right is 
highly dependent upon the context. Low, single-digit rates are 
normally observed if a consumer must log in to a preference 
center or click a link in an email footer to express a choice. 
Higher rates are seen when the opt-out choices are presented 
prominently during an account sign-up, registration, or 
reservation. The highest rates are seen when consumers must 
express one choice or another in order to successfully download 
a mobile app.

Q.5.b. Do you see differences in opt-out options based on firm 
size? Are consumers more likely to accept tracking from large 
monopolies like Google, Amazon or Facebook and deny it from 
smaller sites like local newspapers?

A.5.b. My experience is primarily with large corporations, and 
I don't have an informed perspective on this question.
National Rules and Standards
Q.6. A lot of data processing is done by third-party processing 
companies, which exist simply to process data on behalf of any 
business. They don't necessarily have a say in how the data is 
used; they simply perform the processing functions for someone 
else. This is important for a couple of reasons. First, it 
presents a challenge in trying to craft rules because these 
entities have no consumer-facing side. But it also raises the 
question of how these entities should manage compliance with 
different data privacy and security laws as they process for 
businesses that work in different sectors.
    What should Congress keep in mind, as a few committees of 
jurisdiction are looking at data privacy issues, with regard to 
ensuring processors are able to comply with the strong 
standards we need to set?

A.6. Data processors face a fundamental challenge in that they 
often do not have direct relationships with the people whose 
data they process. They act as agents of their clients, on whom 
they depend to manage privacy-rights processes with consumers. 
Their clients, in turn, are challenged to deploy sufficient 
monitoring mechanisms to ensure their data processors are using 
personal data only to fulfill their contractual terms. GDPR 
addresses this situation by requiring data controllers to hold 
their data processors accountable to relevant GDPR 
requirements, while HIPAA holds business associates directly 
accountable to the relevant provisions of the law. Neither 
creates specific rules for data processors. Together, these two 
approaches form the bookends of the current privacy regulatory 
spectrum regarding data processors.
                                ------                                


RESPONSES TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM MACIEJ 
                           CEGLOWSKI

Q.1. What happens to a consumer's data after a consumer 
terminates their relationship with an institution collecting 
their data? Does the company delete the consumer's data? Does 
it encrypt the data?

A.1. Response not received in time for publication.

Q.2. Is there any uniform requirement or industry practice that 
dictates how institutions treat consumer data once a consumer 
decides to no longer conduct business with an institution?

A.2. Response not received in time for publication.

Q.3. If a company is breached after a consumer has terminated 
their relationship, is the consumer's data still vulnerable?

A.3. Response not received in time for publication.

Q.4. To ensure consumer data is protected, should consumers be 
allowed to request that their personally identifiable 
information be made non-personally identifiable after the 
consumer ends their business relationship?

A.4. Response not received in time for publication.

Q.5. Using the Equifax data breach as an example, how much harm 
can bad actors, free from consumer scrutiny and armed with 
sensitive information, cause in 6 weeks?

A.5. Response not received in time for publication.

Q.6. Would consumers be better protected if companies were 
required to notify them of data breaches in a timely manner?

A.6. Response not received in time for publication.

Q.7. As companies change the way they do business to comply 
with General Data Protection Regulation (GDPR) in Europe, here 
in the United States those same companies are voluntarily 
rolling out the same protections. For example, in April 2018, 
Facebook announced that it would provide GDPR privacy controls 
to all its users. My concern is that smaller companies and 
startups will not be able to voluntarily offer GDPR protections 
to Americans. What are the implications for smaller businesses 
that want to comply but don't have the resources to do so?

A.7. Response not received in time for publication.

Q.8. As consumers begin to demand additional privacy 
protections, we will undoubtedly hear pushback from U.S. firms 
that too much regulation will undermine our competitive edge. 
According to analyses by Goldman Sachs, Facebook's revenue 
could ``potentially see a negative impact of up to 7 percent 
from GDPR.'' In your experience, are these concerns founded? 
And how can we strike a balance that protects consumers while 
allowing firms to grow?

A.8. Response not received in time for publication.
                                ------                                


  RESPONSES TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM 
                        MACIEJ CEGLOWSKI

Data Minimization vs. Big Data
Q.1. Data minimization calls for businesses to collect, 
process, and store the minimum amount of data necessary to 
carry out the purposes for which it was collected. There are 
obvious advantages to this, as it minimizes the risk of data 
breaches and other privacy harms. At the same time, big data 
analytics are going to be crucial for the future and play an 
important role in smart cities, artificial intelligence, and 
other important technologies that fuel economic growth.
    Can you describe how you view a balance between 
minimization and big data? Please describe how this balance 
applies specifically to the financial sector.

A.1. Response not received in time for publication.
Security Standards
Q.2. Are the existing data security standards under GLBA 
sufficient for protecting consumers' information? If not, what 
do you recommend to make the standards adequate?

A.2. Response not received in time for publication.
Discrimination in AI
Q.3. Machine Learning and Artificial Intelligence can often 
lead to discriminatory and biased outcomes. It is important 
that Congress address and prevent discrimination in any future 
privacy legislation.

Q.3.a. Can impact assessments in the financial sector be 
useful?

A.3.a. Response not received in time for publication.

Q.3.b. How do we balance the need for transparency in automated 
decisionmaking with proprietary business information?

A.3.b. Response not received in time for publication.

Q.3.c. Where do you think we must be careful to avoid 
discrimination based on machine learning, AI and other 
algorithms?

A.3.c. Response not received in time for publication.

Q.3.d. Are you aware of pricing differences for consumer 
financial products such as loans or credit cards based on 
algorithms?

A.3.d. Response not received in time for publication.

Q.3.e. Are there firms that you think are utilizing algorithms 
to expand access for affordable credit or useful financial 
products that we can learn from?

A.3.e. Response not received in time for publication.
Harms
Q.4. It is well documented that some businesses have collected 
and used personal information to engage in digital redlining 
against marginalized communities in areas from credit to 
housing to employment and education. Others have sold customer 
location data intended to help 911 services save lives to 
bounty hunters, threatening the physical safety of citizens and 
discrediting the use of emergency mechanisms. Data harms, in 
sum, can be varied and very real, going well beyond the narrow 
financial harms that many would prefer to focus on exclusively.
    What do you believe are the harms Congress should address 
in privacy legislation aimed at the Nation's financial sector?

A.4. Response not received in time for publication.
Impact of GLBA
Q.5. Recent polling found that 94 percent of Californians think 
that companies should get their permission before sharing their 
data with third parties. This polling is likely reflective of 
consumer sentiment across the Nation.

Q.5.a. How many consumers typically take advantage of their 
right to opt-out of the sale of their data to third parties?

A.5.a. Response not received in time for publication.

Q.5.b. Do you see differences in opt-out options based on firm 
size? Are consumers more likely to accept tracking from large 
monopolies like Google, Amazon or Facebook and deny it from 
smaller sites like local newspapers?

A.5.b. Response not received in time for publication.
National Rules and Standards
Q.6. A lot of data processing is done by third-party processing 
companies, which exist simply to process data on behalf of any 
business. They don't necessarily have a say in how the data is 
used; they simply perform the processing functions for someone 
else. This is important for a couple of reasons. First, it 
presents a challenge in trying to craft rules because these 
entities have no consumer-facing side. But it also raises the 
question of how these entities should manage compliance with 
different data privacy and security laws as they process for 
businesses that work in different sectors.
    What should Congress keep in mind, as a few committees of 
jurisdiction are looking at data privacy issues, with regard to 
ensuring processors are able to comply with the strong 
standards we need to set?

A.6. Response not received in time for publication.
Data Protection Officers
Q.7. In your testimony, you note the lack of qualified data 
protection officers.

    • What are the qualifications for a data protection 
        officer (DPO)?

    • What are the costs for a firm to hire and train a 
        DPO?

    • What training exists for DPOs? How are they 
        certified? What is the cost for a DPO to attain 
        certification? Do the salaries paid to DPOs allow them 
        to repay their student loans and also support 
        themselves and their families?

A.7. Response not received in time for publication.

              Additional Material Supplied for the Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                         [all]