b"<html>\n<title>DATA OWNERSHIP: EXPLORING IMPLICATIONS FOR DATA PRIVACY RIGHTS AND DATA VALUATION</title>\n<body><pre>[Senate Hearing 116-182]\n[From the U.S. Government Publishing Office]\n\n\n                                         S. Hrg. 116-182\n\n\n                   DATA OWNERSHIP: EXPLORING IMPLICATIONS \n                     FOR DATA PRIVACY RIGHTS AND DATA VALUATION\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                              COMMITTEE ON\n                   BANKING, HOUSING, AND URBAN AFFAIRS\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                                   ON\n\n    EXAMINING THE CONCEPT OF PERSONAL DATA OWNERSHIP, INCLUDING ITS \n   EFFICACY ON ENHANCING INDIVIDUALS' PRIVACY AND CONTROL OVER THEIR \n                          PERSONAL INFORMATION\n\n                               __________\n\n                            OCTOBER 24, 2019\n\n                               __________\n\n  Printed for the use of the Committee on Banking, Housing, and Urban \n                                Affairs\n\n\n                Available at: https://www.govinfo.gov/\n\n                                __________\n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n40-382 PDF                 WASHINGTON : 2021                     \n          \n-----------------------------------------------------------------------------------   \n\n\n            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS\n\n                      MIKE CRAPO, Idaho, Chairman\n\nRICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio\nPATRICK J. 
TOOMEY, Pennsylvania      JACK REED, Rhode Island\nTIM SCOTT, South Carolina            ROBERT MENENDEZ, New Jersey\nBEN SASSE, Nebraska                  JON TESTER, Montana\nTOM COTTON, Arkansas                 MARK R. WARNER, Virginia\nMIKE ROUNDS, South Dakota            ELIZABETH WARREN, Massachusetts\nDAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii\nTHOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland\nJOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada\nMARTHA McSALLY, Arizona              DOUG JONES, Alabama\nJERRY MORAN, Kansas                  TINA SMITH, Minnesota\nKEVIN CRAMER, North Dakota           KYRSTEN SINEMA, Arizona\n\n                     Gregg Richard, Staff Director\n\n                Laura Swanson, Democratic Staff Director\n\n                Brandon Beall, Professional Staff Member\n\n               Alexandra Hall, Professional Staff Member\n\n                   Jan Singelmann, Democratic Counsel\n\n           Corey Frayer, Democratic Professional Staff Member\n\n                      Cameron Ricker, Chief Clerk\n\n                      Shelvin Simmons, IT Director\n\n                    Charles J. Moffat, Hearing Clerk\n\n                          Jim Crowell, Editor\n\n                                  (ii)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                       THURSDAY, OCTOBER 24, 2019\n\n                                                                   Page\n\nOpening statement of Chairman Crapo..............................     1\n    Prepared statement...........................................    31\n\nOpening statements, comments, or prepared statements of:\n    Senator Brown................................................     2\n        Prepared statement.......................................    
31\n\n                               WITNESSES\n\nJeffrey Ritter, Founding Chair, American Bar Association \n  Committee on Cyberspace Law, and External Lecturer, University \n  of Oxford, Department of Computer Science (on research \n  sabbatical)....................................................     4\n    Prepared statement...........................................    33\n    Responses to written questions of:\n        Senator Jones............................................   141\nChad A. Marlow, Senior Advocacy and Policy Counsel, American \n  Civil Liberties Union..........................................     5\n    Prepared statement...........................................   104\n    Responses to written questions of:\n        Senator Menendez.........................................   143\n        Senator Warren...........................................   146\n        Senator Sinema...........................................   150\n        Senator Jones............................................   150\nWill Rinehart, Director of Technology and Innovation Policy, \n  American Action Forum..........................................     7\n    Prepared statement...........................................   107\n    Responses to written questions of:\n        Senator Warren...........................................   153\n        Senator Jones............................................   154\nMichelle Dennedy, Chief Executive Officer, Drumwave, Inc.........     8\n    Prepared statement...........................................   114\n    Responses to written questions of:\n        Senator Menendez.........................................   154\n        Senator Jones............................................   155\n\n              Additional Material Supplied for the Record\n\nLetter submitted by the Electronic Privacy Information Center \n  (EPIC).........................................................   
156\nLetter submitted by The Association of Credit and Collection \n  Professionals..................................................   162\nLetter submitted by Consumer Reports<SUP>TM</SUP>................   164\nLetter submitted by the National Association of Federally-Insured \n  Credit Unions..................................................   168\n\n                                 (iii)\n\n \nDATA OWNERSHIP: EXPLORING IMPLICATIONS FOR DATA PRIVACY RIGHTS AND DATA \n                               VALUATION\n\n                              ----------                              \n\n\n                       THURSDAY, OCTOBER 24, 2019\n\n                                       U.S. Senate,\n          Committee on Banking, Housing, and Urban Affairs,\n                                                    Washington, DC.\n    The Committee met at 10 a.m. in room SD-538, Dirksen Senate \nOffice Building, Hon. Mike Crapo, Chairman of the Committee, \npresiding.\n\n            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO\n\n    Chairman Crapo. This Committee will come to order.\n    We would like to welcome today to the Committee four \nwitnesses with extensive experience and a range of perspectives \non issues related to data ownership, valuation, and privacy, \nincluding Mr. Jeffrey Ritter, Founding Chair of the American \nBar Association Committee on Cyberspace Law and an external \nlecturer at the University of Oxford--and I guess you are on \nresearch sabbatical--Mr. Chad Marlow, Senior Advocacy and \nPolicy Counsel at the American Civil Liberties Union; Mr. Will \nRinehart, Director of Technology and Innovation Policy at the \nAmerican Action Forum; and Ms. Michelle Dennedy, Chief \nExecutive Officer of DrumWave.\n    As a result of an increasingly digital economy, more \npersonal information is available to companies than ever \nbefore. 
Private companies are collecting, processing, \nanalyzing, and sharing considerable data on individuals for all \nkinds of purposes.\n    There have been many questions about what personal data is \nbeing collected, how it is being collected, with whom it is \nbeing shared, and how it is being used, including in ways that \naffect individuals' financial lives. Given the vast amount of \npersonal information flowing through the economy, individuals \nneed real control over it.\n    This Committee has held a series of data privacy hearings \nexploring possible frameworks for facilitating privacy rights \nto consumers. Nearly all have included references to data as a \nnew currency or commodity.\n    The next question, then, is, who owns it? There has been \nmuch debate about the concept of data ownership, the monetary \nvalue of personal information, and its potential role in data \nprivacy. Some have argued that privacy and control over \ninformation could benefit from applying an explicit property \nright to personal data, similar to owning a home or protecting \nintellectual property. Others\ncontend that the very nature of data is different from that of \nother tangible assets or goods.\n    Still, it is difficult to ignore the concept of data \nownership that appears in existing data privacy frameworks. 
For \nexample, the European Union's General Data Protection \nRegulation, or GDPR, grants an individual the right to request \nand access personally identifiable information that has been \ncollected about them.\n    There is an inherent element of ownership in each of these \nrights, and it is necessary to address some of the difficulties \nof ownership when certain rights are exercised, such as whether \ninformation could pertain to more than one individual or if \nindividual ownership applies in the concept of derived data.\n    Associated with concepts about data ownership or control is \nthe value of personal data being used in the marketplace and \nthe opportunities for individuals to benefit from its use.\n    Senators Kennedy and Warner have both led on these issues, \nwith Senator Kennedy introducing legislation that would grant \nan explicit property right over personal data and Senator \nWarner introducing legislation that would give consumers more \ninformation about the value of their personal data and how it \nis being used in the economy.\n    As the Banking Committee continues exploring ways to give \nindividuals real control over their data, it is important to \nlearn more about what relationship exists between the true data \nownership and individual's degree of control over their \npersonal information; how a property right would work for \ndifferent types of personal information; how data ownership \ninteracts with existing privacy laws, including the Gramm-\nLeach-Bliley Act, the Fair Credit Reporting Act, and the GDPR; \nand different ways that companies use personal data, how \npersonal data could be reliably valued and what that means for \nprivacy.\n    I appreciate our witnesses today for offering their \nexpertise and sharing their unique range of perspectives on \nthese issues.\n    Senator Brown.\n\n           OPENING STATEMENT OF SENATOR SHERROD BROWN\n\n    Senator Brown. Thank you, Mr. 
Chairman, for calling this \nhearing.\n    Welcome to all four witnesses. A special welcome to Jeffrey \nRitter, whom, shall we say, we knew each other 40 years ago. I \nwill leave it at that. At the Statehouse in Columbus.\n    This Committee has spent some time over the last several \nmonths discussing Facebook's poorly--no other adverb to \ndescribe it--poorly thought-out plan to create a global \ncurrency. The bottom line is we know that Facebook simply \ncannot be trusted with Americans' personal information. It is \nterrible at protecting its users' privacy. It was pretty clear \nthe last thing we should do is trust them with America's \ncurrency.\n    It is not just Facebook. Every time corporations in Silicon \nValley come up with a new business model, the result is the \nsame. They get more access to our personal data, spending \nhabits, location, the websites we visit, and it means more \nmoney in their pockets. Everyone else gets hurt.\n    So I want to begin this hearing with a simple question. Who \nhas the right to control your personal, private information? \nYou or Silicon Valley CEOs like Mark Zuckerberg?\n    I think we all agree that Americans should have more \ncontrol over their private information, but should we treat \nthat private information just like property? Today's witnesses \nwill discuss that idea.\n    At first glance, it might seem like a simple way to tackle \nthe common problems, the complex problems created by data \ncollection and machine learning. The promise is that if we just \ntreat personal data like property, markets will do the hard \nwork of protecting our privacy for us. 
We all know that is not \nhow it will work.\n    Instead of making companies responsible for protecting \ntheir customers' privacy, this idea puts the burden on all of \nus individually and collectively.\n    Now imagine if every time you wanted to use Facebook or pay \nfor something with an app or log in to a Wi-Fi network, you had \nto read even more legal fine print and then check a box saying, \n``OK, I waive my personal right to my data to use this \nservice,'' or you had to join some kind of data collective to \nsell your data.\n    Working people in this Country have enough to worry about: \ntrying to get the kids out the door in the morning, get to work \non time, make rent, save for college, pay the bills. The idea \nthat people should also have to manage their data like a \nlandlord manages its tenants is just ludicrous.\n    It should be pretty simple. Corporations should not be \nallowed to invade our privacy. We know that today they are.\n    But think about all the personal data that is already \nfloating around out there. Equifax exposed the personal \ninformation of more than 150 million Americans: Social Security \nnumbers, birthdays, addresses. Capital One exposed the personal \ninformation of more than 100 million Americans. How can you own \nyour data when it is already littered all over the internet?\n    Big tech companies do not want to protect your personal \ninformation. They want to profit off it. Protecting your \nprivacy does not make them any money. It costs them money. So \nthey are simply not going to do it.\n    They want your data. They want to get it for free. 
They \nwant to pay as little as possible if they cannot get it for \nfree.\n    So it should be no surprise that I am skeptical--I think \nmost of us up here are quite skeptical--when I hear of plans \nfor America's data to be treated, again, like property.\n    If Americans want more control over their private \ninformation, we have to find a way to prevent corporations from \nmining our data and selling it to each other. Creating a \nsupermarket for selling away our privacy does the opposite. \nTreating data as something that can be owned and bought and \nsold does not solve any of these problems, especially when \nundermining our privacy is the business model.\n    Mark Zuckerberg and his Silicon Valley buddies want us to \nskip over the part when we have control over our own privacy, \nand they want to jump to the part where giant tech companies \nget to use their market power to squeeze our privacy out of us, \nand it would all be legal. That is not acceptable.\n    I appreciate that Chairman Crapo has been working with me \nin a bipartisan way. There is a lot of interest in this \nCommittee in doing it right to create real privacy protections. \nPrivacy is not partisan. It is a basic right.\n    I look forward to continuing our work together, Mike.\n    Chairman Crapo. Thank you.\n    We will now proceed to the testimony. I have already \nintroduced each of our witnesses, and we will proceed in the \norder that I introduced you. I ask you to please pay attention \nto the 5-minute rule, and I ask the same thing of our \ncolleagues here.\n    Mr. Ritter, please proceed.\n\n   STATEMENT OF JEFFREY RITTER, FOUNDING CHAIR, AMERICAN BAR \nASSOCIATION COMMITTEE ON CYBERSPACE LAW, AND EXTERNAL LECTURER, \n   UNIVERSITY OF OXFORD, DEPARTMENT OF COMPUTER SCIENCE (ON \n                      RESEARCH SABBATICAL)\n\n    Mr. Ritter. Thank you. 
Good morning, Chairman Crapo, \nRanking Member Brown, and Members of the Committee.\n    I join you today to speak in the role as an active \ncontributor for over 30 years to law reforms enabling the \nUnited States and global electronic commerce, privacy, and \ninformation security.\n    Speaking bluntly, the time is long overdue for this hearing \nand the work of this Senate Committee and the Senate and the \nCongress to develop comprehensive privacy reform. Right now, we \nhave basically been relegated to playing catch-up with the \nEuropeans and other nations that are embracing the rules they \nhave written. We are trying to weave together what we have into \nsome type of whole cloth that is new.\n    But privacy law reform will surely fail if we do not \naddress the issues that have been focused on by the Chair and \nby Senator Brown in their opening remarks. There is a \nfundamental question. It does need to be answered. Who owns \ndigital information? It is not any question that it is an asset \nof human society in the 21st century, but is it something that \ncan be owned?\n    In the totality of all digital information, we have, in \nSenator Brown's words, skipped over it. For billions and \ntrillions of dollars of development over the last 30 years, no \none has given an answer.\n    For personal information, this question is even more \nimportant. Yes, it is identifiable, but who truly owns it? Who \ncan control it?\n    From a perspective of decades working in the international \nscene, trying to advance these rules, I would observe that the \nUnited States once led the world writing the rules for \nelectronic contracting, electronic signatures, and electronic \ncommerce to work, but at this point, we are falling behind.\n    So I would suggest that we need to do something new. We \nneed to reestablish this Nation's leadership by confronting \nthis very hard question and incorporating it into our privacy \nreforms. 
Clear, explicit rules are needed.\n    I may disagree with Senator Brown's opening remarks about \nfiguring out that it should be owned or not owned as property \nby whom, but we needed to clarify these rules so that we can, \nin fact, control the uses and misuses of this information.\n    It is only by crafting those rules that we can then enhance \nand enable acquiring, using, transferring, selling, sharing, \ncontrolling data. We have got to know whose it is so we can \nmake someone accountable.\n    Every commercial system built on the rule of law for real \nestate, banking, consumer products, industrial products begins \nwith a commitment to define and protect the owner of the \nproperty. Yet across the digital world we now live in, \nparticularly for privacy and individual data, while the data \nsubject has controls, the fundamental question has not been \nanswered. Who owns it?\n    This is not a question that is being addressed in isolation \nhere in the United States. As summarized in an article that I \nincluded in our written testimony, Germany, Japan, and the OECD \nare all calling for formal legal rules on ownership, including \nChancellor Merkel herself. Japan has already published model \nguidelines for structuring data sharing and licensing \nagreements based on ownership principles, not yet translated in \nEnglish, allowing Japanese companies to build commercial \nmomentum in being able to engage in these kind of transactions.\n    So I submit, humbly, that failing to address data ownership \nin our privacy reforms will further isolate the United States \nand allow the rules for data and data as property to be written \nby others.\n    Now, the solutions for crafting this legal concept are \nalready part of Federal law. They were incorporated into the \nlaws governing electronic transferable records and in U.N. \nmodel laws that have recently been approved with substantial \nU.S. 
input and influence.\n    There, the rights of ownership are exercised by \nestablishing and maintaining control of the file. Now, under \nthis principle, realistically, the first owner of the \ninformation will be the business entity with whom the data \nsubject is engaging--the bank, the hospital, the university. \nAfter all, they are the ones that have the systems that \nestablish the control over the information.\n    But I do believe that recognizing ownership should not do \nanything to diminish or remove a data subject's controls. We \ncannot keep the world's systems from engaging with our \ninformation, but we can regulate it and recognizing the \nproperty rights are more clear. It is going to help the \nprocess.\n    So, in closing, just let me begin by emphasizing the \nopportunity, not the obstacle. Clarifying these rules, \nreconciling controls with ownership, will not only improve a \ndata subject's--individual's control of their information but \nwill, in fact, foster greater accountability for the misuse of \nthat information against the individual's interest.\n    Thank you, Mr. Chairman.\n    Chairman Crapo. Thank you very much.\n    Mr. Marlow.\n\n    STATEMENT OF CHAD A. MARLOW, SENIOR ADVOCACY AND POLICY \n            COUNSEL, AMERICAN CIVIL LIBERTIES UNION\n\n    Mr. Marlow. Chairman Crapo, Ranking Member Brown, and \nMembers of the Committee, thank you for the privilege of \ntestifying before you today.\n    I serve as a Senior Advocacy and Policy Counsel at the \nACLU, where my principal focus is on issues involving privacy \nand\ntechnology. 
In that role, I spend a great deal of time with the \nACLU's 53 affiliates throughout the Nation learning about and \ntaking positions on State-level privacy legislation.\n    Over the past year, I have encountered numerous State \nefforts to enact data-as-property laws, and today I would like \nto share what I have learned.\n    In the 2019 State legislative sessions, data-as-property \nlaws were pursued or introduced in 11 States. To illustrate \nthose States' experiences, I am going to focus on the effort in \nthe State of Oregon.\n    In Oregon, where the bill specifically sought to treat \npersonal health information as property, the leading talking \npoint of the bill was that it was pro-privacy. Such a law, the \nargument went, would give people the right to authorize the \nsale of their data and to receive a portion of the proceeds in \nreturn. It is notable that what that amount might be was never \nactually discussed.\n    The pro-privacy part of the pitch was that persons could \nalso elect to not have their data sold. The presentation proved \npersuasive. Forty lawmakers out of 100 in the entire \nlegislature signed on to sponsor the bill at the time it was \nintroduced.\n    But then something happened. Legislators started to learn \nmore about what the data-as-property model looks like when it is \nput into practice, and they became concerned that the model was \nnot pro-privacy after all.\n    The basis for these concerns was threefold. First, in order \nto effectuate the data-as-property model, at the same time a \npatient's personal information was collected and they were \nnotified of their privacy rights, the power of the Government \nwould be applied to essentially advertise the option to forego \nthose rights by selling away one's personal information. 
\nLawmakers grew uncomfortable with the sense they were \nfacilitating this anti-privacy choice.\n    Second, lawmakers became concerned about adopting a model \nwhere persons with less wealth were likely to end up with less \nprivacy. They recognized that Americans who were economically \nsecure would find it easy to reject offers to sell their \nprivate information, but they also knew that might not be the \ncase for an elderly person who has a hard time affording their \nprescriptions and rent or that it might be too tempting a sales \npitch for a family that is struggling to put food on their \ntable.\n    Lawmakers also started to appreciate how a Government-\nendorsed data-as-property law might serve to further expand the \nexisting digital divide, where persons enduring socioeconomic \nand regional economic disadvantages, including \ndisproportionately persons of color, already have less privacy \nbecause they are forced to rely on more affordable but less \nprivacy protective technology products and services.\n    Third, lawmakers were concerned that enacting a data-as-\nproperty model would require the application of a unique \ntracking identifier to all personal information, which they \nwere especially wary of, given the model's ability to expand \nbeyond the healthcare context. Privacy and the ability to \nremain anonymous might both be casualties of the effort to turn \ndata into property.\n    In the end, Oregon State legislature, despite 40 percent of \nits members having originally sponsored the bill, wisely \nabandoned the data-as-property model, and the bill died. 
\nUltimately, lawmakers in all 11 States in which the data-as-\nproperty bill was pursued came to the same conclusion, and not \na single bill passed.\n    In the laboratories of democracy, the data-as-property \nexperiment is failing to gain traction, but let me end my \ntestimony on a positive note from our State legislatures.\n    In 2019, two State laws were adopted that made important \nadvances in protecting privacy without treating data as \nproperty. The California Consumer Privacy Act, which among its \nmany achievements allows consumers to opt out of their personal \ninformation being sold, and Maine's Act to protect the privacy \nof online customer information, which takes the superior \napproach of not allowing a person's information to be sold \nwithout first securing their opt-in permission, these efforts \nshould be studied, replicated, perhaps improved upon, and most \nof all respected by Congress by not preempting the privacy \nprotections that they have achieved.\n    The high value Americans place on their privacy is \nuniversal, nonpartisan, and wisely enshrined in our Bill of \nRights. The proper response to the pervasive loss of individual \nprivacy is to pass stronger privacy laws, not just to throw up \nour hands and conclude the only issue left to tackle is who \ngets the money.\n    Congress has the ability to adopt strong privacy laws \nwithout relying on models that undermine privacy in the \nprocess, and I have every confidence that you will.\n    Thank you again for the opportunity to testify today.\n    Chairman Crapo. Thank you.\n    Mr. Rinehart.\n\n    STATEMENT OF WILL RINEHART, DIRECTOR OF TECHNOLOGY AND \n            INNOVATION POLICY, AMERICAN ACTION FORUM\n\n    Mr. Rinehart. 
Chairman Crapo, Ranking Member Brown, and \nMembers of the Committee, thank you again for the opportunity \nto testify before you today on the issue of data property \nrights.\n    Like others in privacy, I am skeptical that a data property \nright is actually the best policy mechanism for ensuring \nprivacy. My written testimony today actually goes into far more \ndetail, but I want to highlight three important points that I \nfeel are necessary to point out.\n    First of all, a privacy--a property right to personal data is \nnot necessary to, in fact, secure privacy, and in fact, it \ncould be an efficient one economically.\n    Second, valuing data is often difficult because raw or \npersonal data is not what is in demand but, in fact, the \ninsights that are built on top of it.\n    And, third, regardless of the privacy regime that is \nadopted, privacy laws will create an unavoidable cost from \ncompliance, which will reverberate throughout the economy.\n    Data ownership seems to fit naturally with our common \nexperience in relationship with technology, but I think there \nare fundamental reasons to be skeptical. Since my fellow \npanelists focused on some of the legal side of things, I want \nto highlight one area that concerns me.\n    It is really unclear if the assignment of data property \nrights will actually align all of the incentives between users \nand firms. In particular, if a broad right to data is \nestablished, users would be forced to search for innovative \nopportunities. While some see this as a plus, I think, in \nreality, it would actually be a burden. Assigning property \nrights in data will dramatically change who can say no to any \npotential innovation. 
Users would be forced to become their own \ndata entrepreneurs.\n    In this world, users would become--rather, users would \nlearn what companies already know, which brings me to my second \npoint.\n    Valuing personal data is often very difficult because what \nis in demand are actually the insights that are built on top of \nthat data. In my written testimony, I go into far more detail \nand, in fact, lay out the four basic methods to price data, but \nthe takeaway, I think, is pretty abundantly clear. There is no \nperfect way to value data, and it is highly context-dependent.\n    I think one story really highlights this tension. So when \nCaesars Entertainment went bankrupt a couple years back, the \nTotal Rewards customer program got valued at nearly $1 billion, \nwhich made it the most valuable asset in the proceeding. Even \nthough it was not sold off, the ombudsman privacy report \nunderstood that it would actually be a very tough sell because \nof the difficulties incorporating it into another customer \nloyalty program.\n    The Total Rewards example, I think, underscores a pretty, \nparticularly important characteristic of data. 
It is often \nvalued within a relationship or a firm relationship, but it is \noften difficult to value outside of that firm relationship.\n    For my third and final point, I really want to highlight \nwhat I think is probably the most important thing to note here, \nthat regardless of the particular policy mechanism that is \nchosen for privacy, these laws will create unavoidable costs \nfrom compliance, which will impact investment opportunities in \ncountless industries.\n    We have already seen this in Europe where investment from \nventure capital had gone down at least in the short term by \nsome 39 percent.\n    In the United States, California's CCPA was estimated by \nits own State agencies to cost nearly 1.8 percent of gross \nState product, which is quite massive.\n    And the ITIF, a think tank here in the DC area, estimated \nthat a Federal privacy law could cost as much as $122 billion \nper year. All this reminds me of one of my favorite authors, \nSeth Godin, who once remarked, ``The art of good decisionmaking \nis looking forward to and celebrating the tradeoffs, not \npretending that they do not exist.''\n    I thank you for your time, and I look forward to questions.\n    Chairman Crapo. Thank you.\n    Ms. Dennedy.\n\n    STATEMENT OF MICHELLE DENNEDY, CHIEF EXECUTIVE OFFICER, \n                         DRUMWAVE, INC.\n\n    Ms. Dennedy. Chairman Crapo, Ranking Member Brown, and \nMembers of the Committee, thank you for having me here today.\n    I am in the clean-up position. So I will not go deeply into \nthe various analyses in my written testimony. 
I submitted to \nyou, Chapter 13 of the Privacy Engineer's Manifesto, a book \nthat was actually published before GDPR was actually put into \nlaw but in the thick of the negotiations, and many of these \nissues were pertinent then as I believe they are now.\n    As everyone you have heard reflected here is, I think the \nsummation answer is this is hard, and we are not afraid of hard \nthings, although Ranking Member Brown might have some cynicism \naround--I think it was you or Silicon Valley CEOs. I happen to \nbe one. I am not like Mark in many different ways, but I assure \nyou there is a lot of work that has been going on over the \nyears.\n    I have spent most of my career first as a patent litigator \nand then as a chief privacy officer, as one of the first five \nin the world, where we decided and sat down in a small room \ntogether that there must be something better. There must be \nsomething bigger. There must be a way to functionalize what was \nthen the only real framework was the OECD Principles for Fair \nInformation Management and the '95 Act coming out of Europe. So \nwe have very much been led in high tech in the belly of the \nbeast by the Europeans for decades.\n    So what we did is really look at what is the functional \ntool. So just as Julia Apgar told us once upon a time, when \nthere was a huge infant mortality, stop looking at just the \nmother and sometimes look at the baby. The procedural change of \nturning a nurse's head and looking at a child to see if it was \nbreathing or not changed the child and the parent mortality \nrates.\n    We believe at DrumWave if you look at the data, we will \nhave a similar moment.\n    If we indeed say value our data--``I proclaim that you must \nvalue the data. You must give an accounting, dear tech firms, \ndear hospitals, dear Senator bodies, of every single piece of \ninformation that is observed''--I will submit that you cannot \ntoday because the systems are designed to create more systems. 
\nThe systems that we are sitting on top of and running our \neconomies on and our cultures and our families and our \neducational institutions are based on software and hardware \nrather than data.\n    So the shift is how do we account for and look at data, and \nI go into some length in my written submission about picking a \nmodel. Whether it is a tangible property right, we have aspects \nof tangible property that are working, but some are not.\n    So, for example, let us look at a privacy right that is not \nnecessarily a data privacy right. When I go into a public \nbathroom stall, for a brief moment, that stall is mine. I do \nnot own that real estate. I do not even buy a ticket. I just go \ninto the stall, and the expectation is that I close the stall, \nand it is mine for a moment. The moment I left, it is no longer \nmine.\n    So think about data moving in and out of cells, in \ndatabases, left and right. We may think that we want to \nunderstand every single transaction. What you actually want to \ndo is find the errant transaction. So we are actually working \non developing something that we are calling a ``dynamic \ninformation meaning score,'' which is a combination of looking \nat the machine learning on databases and data systems as they \ndo flow today.\n    So engineers, such as my father, with whom I wrote this \nbook, understand back from the days of Univac and the earliest \ndays, when you model data, when a real engineer models data, \nthey think constantly about all users, the auditors, the \nlawyers, the\nregulator, and the user. We have forgotten the user in this \ncurrent economy. To look at the user, you must look at the \ndata. To look at how you build systems, you have to think about \nwho these users are. There are aspects of data if we ask the \nsystems. 
We will find the answers, but I believe the model \nlooks a little bit more like the constructs around intellectual \nproperty, where you may have a shared right.\n    In fact, the economic value for companies in a social \nnetworking concept is the grand value. So, ironically, if you \nwanted to get a payback of what your data was worth, it is \nactually worth less as an individual person the greater the \ndataset. The greater the dataset, the more the social network \ngets from the analytics off the top of it. So if we do a pure \nformula of how much each of us is worth, we will find a \ndiminishing result.\n    If instead, we look to things like copyright and trademark \nand goodwill and brand, then we might find a blooming type of \nright. So the more I participate online as an individual, I \nactually am increasing the value of that transaction.\n    I will leave the rest of my remarks for question and \nanswer, and thank you very much for your time and covering this \nimportant topic.\n    Chairman Crapo. Thank you very much.\n    Each of you raise very interesting aspects of this issue.\n    I would like to start out with you, Mr. Ritter, and focus \nfor just a minute on GDPR. The European Union's new privacy \ndirective provides individuals with greater control over their \ndata, including the right to access, erase, and restrict the \nprocessing of it. How does the European Union approach--how \ndoes the concept of data ownership show up in the GDPR?\n    Mr. Ritter. Well, thank you, Senator.\n    Many of the rights that you are describing are the things \nthat we might associate as attributes of ownership to our \ncomputers, our cars, other things of physical goods that we own \nas consumers, who can use it, who can share it, who can \npossibly sell it on our behalf.\n    But the reality is that ownership as a legal concept has \nnot been addressed in the GDPR. 
So we have this awkward \nsituation in privacy law where these rights are being assigned \nto or being confirmed by legislation to exist for the \nindividuals, but they have no mechanism of attaching those \nrights to the information.\n    In all other modern systems that we have in commerce, there \nis a concept of ownership, and I think that has been, as \nSenator Brown said, something that was skipped over, both in \nEurope and here in the United States.\n    By establishing ownership as a concept, nothing should \ndegrade or reduce the rights of an individual, a data subject \nto be able to have awareness of what their information is \ndoing. But what I think the Europeans did in GDPR revisions has \nbeen to create transparency, create awareness, create \naccessibility, all of which are consistent with the kinds of \nthings that are being proposed in legislation such as the DATA \nAct by Senator Cortez Masto, and certainly the Own Your Own \nData Act by Senator Kennedy.\n    So the Europeans skipped it as well, and I think that \nactually has created an opportunity for the commercial sector \nto exploit that data without giving the individuals effective \nenforcement. And I think that is what is missing from GDPR. If \nwe know who owns it and, therefore, who breaks the rules of \ntheir custody of that data for the individual, then we have \nstronger enforcement of those.\n    Chairman Crapo. All right. Thank you very much.\n    Mr. Marlow and Mr. Rinehart, I think each of you, if I \nrecall correctly, talked about the cost of privacy or, I guess, \nthe cost of ownership if we create a system like that. Could \nyou each just briefly expand on that a little bit?\n    Mr. Marlow. Thank you, Mr. Chairman.\n    Let me say, initially, that I think that the concepts of \ncost and the concepts of ownership come in because of the \nfamiliarity of that model to Americans, right? I own my car. I \nown my television. I own my house. 
So the idea that because I \nhave control over my car, if I own my data, that would give me \nsimilar levels of control, and so we think about cost as being \npart of that conversation.\n    But what I would remind the Committee is we have rights to \nfree speech, even though we do not own our speech. We have \nrights to vote, even though we do not own our vote, and we have \nrights to privacy, even though we do not own our privacy and \nour data. So I would encourage people, although it is tempting \nto kind of come back to what is the value, the idea that \nbecause we see control elements in the marketplace and in \nprivate property, that if GDPR is trying to copy that level of \ncontrol, it must also copy the marketplace model, including \nassigning costs, I think gets us on the wrong track.\n    Chairman Crapo. Thank you.\n    Mr. Rinehart?\n    Mr. Rinehart. Yes. Thank you for the question.\n    This, I think, really fundamentally goes at kind of the \nheart of what consumers want. I mean, I know there are a lot of \nconcerns, obviously, with what is happening in Silicon Valley \nand concerns about privacy, but we do know that consumers do \nbenefit pretty massively from a lot of these services. And \nthere is a lot of reports and surveys and information to that \nextent.\n    What I would highlight is that if you really do establish \nthe property right and data where you are effectively requiring \nevery single person to say yes to some sort of innovative \nservice, the kind of new innovative services that you would \nwant to compete with a Facebook or a Google might not actually \nbe able to be created.\n    I know this is not exactly the--sometimes it is not exactly \nconvincing to individuals that these sorts of things could \nhappen, but we have seen these in the past. 
Especially with, \nfor example, the telecommunication companies, they had a very \nsimilar sort of, kind of opt-in requirement whenever they were \ndoing--in the 1990s when they were trying to reach consumers, \nand we do know that that did have an effect on some of the \ntelecommunications companies, including U.S. West.\n    I would just highlight the fact that when you do require \nindividuals to say yes to innovation, it just makes that sort \nof innovative service and products all that more difficult.\n    Chairman Crapo. Well, thank you.\n    And, Ms. Dennedy, I am out of my 5 minutes, but I am \nprobably going to ask you in writing to respond. You had some \nvery intriguing issues that you raised, and I want to pursue \nthose with you.\n    Ms. Dennedy. Absolutely.\n    Chairman Crapo. Senator Warner.\n    Senator Warner. Thank you, Mr. Chairman. Thank you for \nholding this hearing. This is an issue that I am very \ninterested in and engaged in. I agree and disagree with a \nnumber of the comments that have been made.\n    Mr. Ritter, I do think this America's failure to leadership \nin this area is going to come back and harm us. I think it is a \npattern where we are seeing America start to retreat.\n    Mr. Marlow, I think you accurately point out some of the \ntensions of a traditional ownership model. It gave me a lot to \nthink about.\n    Mr. Rinehart, I think you are a defender of the status quo, \nand frankly, I find your arguments very lacking because I \nactually think the status quo is not going to be continued. I \nfind this notion of ``Gosh, it is hard to figure out some of \nthese ideas'' is patently absurd.\n    I made some money in the telecom business. I remember, \ninitially, it was really hard to figure out beyond user base \nwhat these companies would be worth. Well, the market drove a \nmethodology around value, around spectrum, not imperfect. We \ncame to that. 
Marc Benioff, when he lost out on the acquisition \nof LinkedIn, basically said, ``Companies are buying these based \non the value of the data that is being collected.''\n    Ms. Dennedy, I agree there is a complexity to this. It is \nnot single data points. It is that combination, but to make an \nargument that you cannot figure this out or it is hard to \nfigure it out, it is going to be an unwarranted cost, that is \njust totally spurious. Companies are making acquisitions all \nthe time in this space based upon valuations.\n    That is why I think one of the areas I would like to start \nwith that I think there could be some broad bipartisan \nagreement--I got bipartisan legislation on this called the \nDASHBOARD Act that would say we ought to at least know what \ninformation is being collected on us in a more granular way. We \nought to be able to know who that is being offered to on a \nthird-party basis, and yes, even, Mr. Rinehart, if it is a \nlittle bit hard and we will not be a perfect model, but we \nought to know what it is worth because the premise of these \ncompanies that have said, ``We are offering you a proposition \nthat this is all free,'' there is nothing free about what \nFacebook or Google offer. It is not morally wrong, but they are \ngiant sucking sounds of personal data being collected about us, \nbeing monetized in a model that, based on advertising, there is \nnothing wrong. But there is so much opaqueness.\n    And, clearly, the establishment and established companies \ndo not want more transparency because we might have--grapple \nwith the questions that Mr. Ritter and Mr. 
Marlow put out so \nstrongly, and we might actually--if we had more valuation \nquestions, we might say there might be companies that would \nsay, ``Well, maybe there is a way to disintermediate between \nthe platform and the user,'' because if we know Kennedy's data \nis worth $10 and Tester's is worth $20 and mine is worth $5, \nmaybe you might be willing to give some portion of that, maybe \nnot even having to get to the ownership question, so that \nsomebody could provide a level of service in between to help \nprotect you.\n    So it is a hard, hard issue, but to say there is not any \nprevious models, I think, is wrong. I think the notion that we \ncannot sort this out, I would urge--and I know Senator Kennedy \nhas got some legislation in this area as well. I think it is \nreally, really important that we do the hard work of trying to \nsort this out, particularly whether we are thinking about \nconsumer protection, whether we are thinking about the idea of \ntrue transparency, whether we are thinking about the idea of \npro-competition.\n    Unlike some of my colleagues who want to go straight to \nbreak-up, I would rather see if we can introduce more \ncompetition into this model, and we are not going to have more \ncompetition if we have the level of opaqueness in where the \nlarge platform companies control all the data at this point and \nare not anxious to share, are not anxious to have more \ntransparency continue that way.\n    So I would like to start--I guess I am a little more \nspeechifying than questioning here, but, Mr. Ritter and Ms. \nDennedy, talk about the idea around digital markets, about the \nnotion--without getting to ownership, but just the notion of \nmore transparency, value add, value less. Either one of you \nwant to go first?\n    Ms. Dennedy. Jeffrey knows that I am obsessed with this \narea.\n    There is a great deal to be gleaned, earned, and profited \nby through transparency. I am a huge, huge fanatic and fan. 
In \none of my prior companies, I did--with the consent of the \nFederal Trade Commission, I did a graphic novel for our privacy \npolicy for Intel because I believed the subject matter was too \ncomplex to read through 16 pages of legalese.\n    So we did a cartoon to train our customers. At Cisco, we \ndid what I called the ``Lord Ashfields.'' We did subway maps \nthat look a lot like the underground in London to map out where \nthe data is, where was mine, where was yours, where was third \nparties. Was it perfect? No. Those maps are proliferating.\n    Actually, ironically enough just this week, I heard from \nsome of the privacy engineers at Facebook that they are \nadopting them. I do not know if that is going to bubble up to \nthe top, but I am pleased to hear that the beginnings of that \ninnovation are occurring.\n    I think transparency allows you to understand where asset--\nI go back to the old-fashioned accounting rules and say, ``What \nis an asset?'' It is something based on an activity that can \npotentially provide benefit in the future, and if it stops \nproviding future benefit for the consumer or the user, it \nstarts to become a liability. That sounds a lot like a market.\n    So the more transparent, I believe, that we can be and \ncreate the systems to look at the metadata that we have \nalready, we can start to create those markets.\n    Now, I am a believer in this, but I am also early in the \nmarket. Is this something comprehensively that if you said \ntomorrow, we want abject transparency, it would take some time \nto catch up? I think we can get there.\n    Chairman Crapo. We will probably have to have your remarks, \nyour answers, Mr. Ritter, in writing or following.\n    Sorry, Senator Warner. We have got to move on.\n    Senator Kennedy.\n    Senator Kennedy. First, I want to thank all of you for \ncoming today. I know you are all busy, and I do not want you to \nconstrue what I am about to say as a comment on your \npersonhood. 
It is more a comment on the testimony.\n    I am not fluent in BS, and I have not the slightest idea \nwhat you are talking about, except that we have got a problem.\n    One of the issues before us is whether data is property or \nnot. I did not hear you answer that. If it is not property, it \nis something, and a lot of people are making money off of it.\n    Mr. Rinehart, you said it is hard to value this something. \nWell, let me tell you one way to value it. Last year, \nFacebook's revenue was $56 billion. That is nine zeroes. 98.5 \npercent of it was revenue from ads that were specifically \ntargeted to people based on data.\n    Mr. Rinehart. Yes.\n    Senator Kennedy. So whether it is property, a property \nright, or a cabbage, it is being monetized, and it is people's \npersonal information. Can we agree on that?\n    Mr. Rinehart. I would want to add a little bit of \ncomplexity to that, that----\n    Senator Kennedy. Of course, you would.\n    Mr. Rinehart. So, I mean, what they are selling is the--\neffectively, the attention of individuals, and that to me adds \nsome complexity to this question about the value of data as \ncompared to, say, the value of attention.\n    Senator Kennedy. Mr. Rinehart, I do not mean to be rude, \nbut we are Senators, OK? Whatever--this is what I sense, and I \nhave nothing against social media. These are wonderful American \ncompanies, but we are dealing with problems that nobody \nanticipated, at least I did not, and my constituents did not.\n    Forget about whether it is a property or not. It is \nsomething, and it is mine, or at least it originates with me. 
\nWhen I go on Facebook and share information, whatever you want \nto call it, it started with me, and now it is on Facebook and \nwhoever Facebook chooses to give it to.\n    Why can't we have a rule that says, whatever you want to \ncall it, my rights follow it and I can license it, share it \nwith you and Facebook--I hate to pick on Facebook, but that \nsharing has to be knowing, and it has to be willful. And I have \nto be able to change my mind, and I have to be able to call \nFacebook or click on an icon and say, ``By the way, I want to \nsee what you have got on me.'' And consistent with Senator \nWarner's point, I would kind of like to know what it is worth. \nWhy cannot we do that?\n    Now, I am going to tell you what part of we cannot--reason \nwe cannot do that. Part of that is our fault. We have been \nholding hearings on this subject--I do not know--2, 3 years. We \nwill probably be doing it again. This is not a reflection on \nthis Committee. This is on the Senate. All we do is issue press \nreleases, hold hearings, and strut.\n    This to me is not complicated. Why cannot we just agree on \nthose rules? What is wrong with that?\n    Mr. Rinehart. I would not necessarily say that those rules \nare wrong by any means. I mean, CCPA, California's Privacy Act, \ndoes, in fact, establish a lot of those sorts of rights without \nhaving to establish a property right. So that to me--I mean, we \ncan--and I have been supportive of privacy laws in the past, \nand I think that that is something that is very much needed for \nthis country.\n    Senator Kennedy. Yeah. But you all keep saying that, and \nthen you never propose anything.\n    Look, I am about to run out of time here. Let me tell you \nwhat is going to happen. We have got a problem. I do not think \nanybody anticipated it. If they did, they did not do anything \nabout it. At some point, the American people are going to get \nfed up, and then we are going to have to do something. 
\nOtherwise, we will not get reelected, which is what motivates \npeople around here.\n    Mr. Marlow. Senator, can I just suggest one thing?\n    Senator Kennedy. And you may not like what we do.\n    Mr. Marlow. Fair enough, sir, but if I could just suggest \none thing. If the Senate were to pass very strict privacy laws \nthat did not necessarily adopt a data property model, people \nwith the right to say you can and cannot use my data would \nstill be able to sell their permission. They could still say, \n``For $10, I will give you a yes instead of a no.'' So it is \npossible to have people sell their data without adopting the \ndata's property model that carries with it a lot of downsides \nthat strong privacy protections that do not necessarily impinge \nthe right to sell data would not bring with them.\n    Senator Kennedy. I am way over. I am sorry, Mr. Chairman.\n    Chairman Crapo. Thank you.\n    Senator Menendez.\n    Senator Menendez. Thank you, Mr. Chairman.\n    Mr. Marlow, companies such as LexisNexis Risk Solutions \ncollect hundreds of nonmedical personal attributes in order to \nhelp to predict a person's medical costs. The company claims \nthat providers can use this data to improve patient health care \nand health outcomes, but I have concerns that this same data \ncan be used to discriminate against patients, including \nvulnerable populations such as low-income individuals and the \nelderly.\n    What, if any, protections exist for consumers to prevent \ninsurance companies from using this data to discriminate \nagainst customers?\n    Mr. Marlow. Thank you, Senator.\n    First of all, I want to recognize that you point out a very \nparticular challenge. 
The healthcare data area is something \nthat will have to be explored and drilled down to \nindependently, regardless of where the Senate comes out on this \nissue, because certainly I think concepts of having people be \nable to study populations and develop healthcare solutions and \ncures to diseases is something that is very, very important.\n    I think the challenge is that when data flows into a \nmarketplace, flows into the insurance companies, it is very \ndifficult to be able to parse the algorithms, to understand to \nwhat extent they are----\n    Senator Menendez. So, in essence, you are telling me that \nthere is no patient protection at this point?\n    Mr. Marlow. Well, I think that there are certain laws that \nwould kind of writ large propose kind of blatant \ndiscrimination, but it is the finer discrimination that is hard \nto identify, that is hard to get at.\n    And so the question of--without, unfortunately, probably \nthe answer you want--algorithmic transparency is a very \nchallenging one, but it is within that question that an answer \nmay or may not be revealed.\n    Senator Menendez. Ms. Dennedy, after data companies analyze \nthis data and generate a health risk score for a client such as \na health insurance companies, do consumers have any right to \nsee that analysis or score?\n    Ms. Dennedy. I think that they should, if they do not \nalready. I think this is, part and parcel, of what we call \n``privacy engineering'' and the new field of ethics engineering \nthat is emerging, and this is exactly addressing these complex \nissues that you are talking about. When you are actually doing \nsystem design, the question must be asked. How do you \ninterrogate how decisions were made?\n    In the same light, when we are talking about ethics \nengineering for machine learning and machine algorithms as \neveryone is kind of calling, colloquially, ``AI'' these days, \nmost of it is machine learning. 
Understanding for patients \nwhere the algorithm has been applied may be nonsense to that \npatient. However, to the ethics boards of hospitals today to \nthe FDA that approves drugs and gadgets that are part of our \nhealthcare system, I believe there are structures in place if \nwe provide the transparency behind how these scores are \ncalculated.\n    Senator Menendez. What happens if some of the data is \nwrong?\n    Ms. Dennedy. Well, that is exactly the problem.\n    Senator Menendez. What recourse do consumers actually have \nto correct inaccurate data that is going to affect their health \nprofile and their risk that ultimately is going to affect their \ninsurance coverage and other things?\n    Ms. Dennedy. So this is part of the beauty of what is \nincluded in the GDPR that we would love to see in a Federal \nbill, which is the privacy disclosures, the privacy impact \nassessments that must be done before a system is put into place \nto process information or when that system is changed by third \nparties, that information would be in those disclosures of \nthose privacy impact assessments that are required under the \nlaw in Europe and not here.\n    Senator Menendez. I see Mr. Ritter is anxious to give a \ncomment.\n    Before he does, let me throw out what probably will be next \nto my final question. Given the sensitive nature of health \ndata, does that data deserve heightened protection and/or \nregulation?\n    Do you want to start off, Mr. Ritter?\n    Mr. Ritter. Thank you.\n    First, I would take exception to the notion that health \ndata can be treated apart from the broader questions, both the \npersonal information and all information that we gather. 
We \nneed solutions here, and with regard to how we enforce these \nrules, as a Government, we must demand transparency.\n    I watched with interest, the hearings of this Committee \nearlier this week on the audit process and looking at brokers \nand the SEC rules, and that kind of transparency of automated \nawareness, automated surveillance of compliance is going to be \nwhat we as a\nNation must anticipate. We can no longer just write generic \nrules that tell companies what they should and should not do.\n    The consumer benefits from that level of interaction in \nenforcing rules by being able to see that from an automated \nperspective.\n    One of the earlier references was to the provision of \nOregon law about having a unique tracer on a record. That is \nexactly how it is done today, and I actually think that is \nwhere we are moving in the future.\n    We have license plates on automobiles. We have serial \nnumbers. We have RFID devices. I put one inside the box of my \nbicycle when it ships across the ocean, so I know exactly where \nmy box is, no matter what the airline says. That kind of \ntraceability is getting smaller and smaller, and I think that \nis going to be part of how we can enforce the rules is asking \nthe machines to execute the compliance with those capabilities.\n    Senator Menendez. Mr. Chairman, this is a big topic, but I \nthink, particularly, we are being naive if we simply assume \nthat the collection analysis health data will be used only to \nlower costs and improve health outcomes. We have to take \nseriously the threat that this data could be abused and \nultimately lead to consumers being taken advantage of, and I \nlook forward to working with the Chairman.\n    Chairman Crapo. Good point.\n    Senator McSally.\n    Senator McSally. Thank you, Mr. Chairman, for having this \nhearing. Thanks, everybody, for their testimonies.\n    I first need to confess, like I am a privacy zealot. 
\nPersonally, I lead a very boring life, but just on principle, I \nam the kind of person who fills out those forms when you get \nthem in the mail about opting out from your credit card \ncompany. And I do not put location services on my phone. I do \nall sorts of other weird things that I want to let everybody \nknow about it.\n    And I always have these conversations, extremely \nfrustrating to me that we are in this situation that we are in. \nI have arguments with one of my staff members who like loves \ntailored ads and does not mind giving up all his privacy in \norder to have tailored ads, and I am like, ``I will pick what I \nwant to buy. I do not need you gathering my stuff and sending \nme ads.'' It is just like it is such a personal frustrating thing \nfor me and for my constituents that I represent.\n    And I appreciate it is a complex issue, and what I am \nhearing from you all today, maybe data as a private property \nmaybe is not the way to do it. OK, fine. But I guess what I am \nstruggling with is part of what has happened, I think, \nculturally, is we have got all these new tools that are out \nthere that people are able to use for free, and their revenue \nmodel is to collect your data and sell it. I mean, we all know \nthat, and maybe, unwillingly, people did it initially. But now \nthat is kind of our expectation that we can do a free internet \nsearch. We can do free social media contacts and communication. \nIt is not free because it is taking your information and \nprofiting off of that.\n    But if there is another model of like, OK, is the market \nnot demanding this, I guess, where we have a social media \nplatform where you can pay a certain amount and say, ``I want \nto be able to engage, but I want to keep all my stuff private, \nso you cannot sell it,'' what is the value of that, and is \nthere even a market for that?\n    Mr. 
Rinehart, on page 7 of your testimony, you said during \na study, most subjects happily accepted to sell their personal \ninformation for just 25 cents. Part of this is kind of cultural \non what our expectations are.\n    I would also be concerned about the socioeconomic divide. \nSo if some of us are willing to pay in order to protect our \nprivacy but others cannot, then we have a division going on \nthere of just those of the lower income having their data being \ntaken and sold, and that is a problem too.\n    So if the solution is not data as private property, what is \nit, and does it start with transparency? That is where I am \nsort of landing. Does it start with let us shine a flashlight \non what is actually going on, let people see and be mortified \nby what information they have that is being collected and \nanalyzed, and then maybe that will help drive a different \nmarket solution or even different companies?\n    I mean, I am not one that wants a Government solution that \nis going to stop innovation. We want less regulations and more \ninnovation, but in this case, how do we deal with that \nconflict, and what is the best place to start? Is it \ntransparency?\n    You guys are all saying it is not data as private property. \nThen what is it?\n    Mr. Ritter. Yes. Transparency is critical.\n    What we are seeing in the way we manage data as property is \nincreased detail, increased capability of managing detail, and \nthat also enables us to have more rapid response both in \ncorporate systems, in government systems, in information \nsecurity, allows us to see what is happening.\n    Transparency is good, and the division between you and your \nstaffer with regard to the acceptance of all this is something \nwe are just going to live through as they----\n    Senator McSally. But then we get to choose. It is all about \nfreedom, right?\n    Mr. Ritter. It is humankind.\n    Senator McSally. Yeah.\n    Mr. Ritter. Right? 
But for the systems to survive and for \nthe digital age to not bring us down but actually to be a \nbackbone for humankind to move forward, we have to demand that \ntransparency in Government requirements, such as the ones that \nare being proposed in Senator Kennedy's legislation and some of \nthe other pieces that have been drafted by Members of this \nCommittee are outstanding first steps in that direction.\n    Mr. Marlow. Senator, if I may--and I really appreciate \nbeing able to discuss with a privacy zealot like myself.\n    Senator McSally. Yes.\n    Mr. Marlow. But a couple of things. So, one, privacy is not \nabout secrecy. It is about choice, right? And so it is \ncertainly acceptable within a privacy regime for you and your \nstaffer to come out in different places.\n    Senator McSally. Exactly.\n    Mr. Marlow. But what we want to make sure----\n    Senator McSally. But right now, there is no choice for \npeople like me.\n    Mr. Marlow. Precisely. And we want to make sure not only \nthat you have a choice----\n    Senator McSally. Yeah.\n    Mr. Marlow.----right? But that the choice is well educated, \ninformed, transparent, meaningful, and precise. All those \nthings, I think, have to enter the equation.\n    Another aspect that you brought up that is important to \nprivacy is that we want to make sure that consumers like \nyourself and myself cannot be punished by companies----\n    Senator McSally. Right.\n    Mr. 
Marlow.----for exercising our privacy situations, or \nconversely, that those who give up their privacy are rewarded \nin ways that we are not.\n    But I think that the idea of bringing money into that \nequation goes to your final point, which is we do not want to \nestablish a system like data-as-property where Government is \nused to put additional weight on the anti-privacy side by \nsaying, ``And we are going to make sure you know there is \nmoney, although we may not tell you how much, but there is \nmoney at the other side of the equation.''\n    So I thank you very much for your observations. There is \nabsolutely a path to get there.\n    Senator McSally. Well, I know I am out of time, but \neventually, money is a part of it, whether it is monetizing \nyour data or not. There is no such model for Facebook to exist \nif we are all opting out, right? Because they do not--they \ncannot--that is not their business model.\n    So somehow--I mean, I know we got to go, but somehow we \nhave got to have this conversation about how some of these \ntools can be accessible for people that really can be impacting \ntheir lives. Forget about the social media aspect, but even in \nmedical advances, but also having people know what is going on \nwith their information and why it is being used.\n    Mr. Marlow. Right. But like your staffer, Senator, not \neveryone is going to opt out. That is kind of a dooms-day \nscenario, but that is not going to happen because some people \ndo like targeted ads and like to be directed online.\n    Senator McSally. All right. Thank you, Mr. Chairman. I \nappreciate it.\n    Ms. Dennedy. Can I just have one more quick----\n    Chairman Crapo. Real quick.\n    Ms. Dennedy. Thank you. Very quickly.\n    I think we are focused on transparency at the bottom \nlayer. Let us not forget the top. The war that is going on for \nevery CPO right now, the war for attention in the budgets, I do \nnot see any CPOs sitting on public boards. 
I do not see the \nChairman's letter to their shareholders talking about what \ntheir data scores are. Until we score our data and it comes \nfrom the top down, it is entirely a battle of one, and it \ndepends on who your privacy officer is and how big her hairnet is. \nI do not know what the appropriate senatorial thing is to say \nthere.\n    Chairman Crapo. Understood.\n    Senator McSally. Thank you.\n    Chairman Crapo. Senator Tester.\n    Senator Tester. I want to thank you, Mr. Chairman. I want \nto thank Ranking Member Brown for having this hearing. The more \nthat is talked, the more confused I become.\n    OK. I mean, I deal with property the same way most people \ndeal with property. It is something you own. It is something \nyou sell. A bushel of wheat, for example, I am a farmer. I sell \nit. It goes to General Mills. General Mills might sell it to \nsomebody else. They might make flour out of it, but I do not \ncare. I got my money, and I do not give a damn.\n    The problem here with this and why it is such a critically \nimportant issue and why this hearing is so important is because \nthe solution is so complex because everybody has got a \ndifferent perspective.\n    Senator McSally said it. She loves her privacy, and not \nsecrecy, but privacy.\n    So we have got a situation where we have got health \ninformation that if it gets in the wrong hands, it can have \nincredibly--or even in the right hands, I might add, that can \nhave incredibly negative impacts on my health insurance \npremiums; bank information that could cost me to buy a house a \nlot more or a lot less, or health premiums, same thing on the \nhealth premiums.\n    And then we have got a situation where I buy a transmission \nfor my combine, and who really gives a damn? Really, I mean, \nwhat are they going to do? I bought it. It is done. All that \ninformation can transfer. 
I am not going to buy another \ntransmission because I do not need it.\n    So it is really hard to figure out where we are in this and \nwhat works, but let me ask you this. And I have a great respect \nfor everybody that is on this panel, and I mean that. I \nappreciate all of your perspectives because I think they are \nvery interesting. But we had a hard time with REAL ID in \nMontana. If we put tracers on information, Mr. Ritter, should \nmy constituents be concerned about me voting for a bill that \nhas that in it?\n    Mr. Ritter. Yes, but not because of the tracers, but \nbecause the inadequacy of the bill to not deal with the \nconsequences of the records those tracers produce. That is \nwhere the difference can be made.\n    Mr. Tester, my original clients 40 years ago were farmers.\n    Senator Tester. Yes.\n    Mr. Ritter. And so in response to your point, actually when \nyou bought the new transmission, that fact is very interesting \nto the company from which you purchased the oil because it \nwanted to know the useful life of the transmission. The \ntransmission company wants to know, one, you purchased it based \non the number of hours of usage.\n    Senator Tester. A really good point.\n    Mr. Ritter. Number of hours of usage that created off of \nthe tractor.\n    Senator Tester. And so the issue becomes should we pass a \nbill that says, basically, you cannot----\n    Excuse me. If this is my wife----\n    Mr. Ritter. We all understand.\n    Senator Tester. It is not.\n    You know what? You know what this is? It is a targeted ad.\n    Mr. Ritter. It is a scam likely.\n    [Laughter.]\n    Senator Tester. So you want to talk about cost and money--\ndo you want to talk about cost and money? 
I mean, if there is \none thing that makes my head explode, it is the fact that I got \npeople out there who I do not want to do business with that are \ntrying to market crap to me that I do not want, and whether it \nis through this telephone or whether it is through the computer \nwhen I am sitting there trying to read an article and all these \ndamn screens keep popping up--and I am not a tech genius to get \nall this stuff off, it is baloney. And that is the real problem \nfor me. It may be a different problem for somebody that is in a \ndifferent economic stature, but the problem for me is I am \ngetting all this information I do not want. So how do we fix \nit? is the question. How do we really fix it and protect my \ncivil liberties for privacy, not stop business? But I would \ntell you that several of you talked about cost. There is a lot \nof cost with doing nothing here too. So we need to do \nsomething.\n    So how do we fix it? Because I got the impression from you, \nMr. Ritter, that the European Union is doing--and other people, \nby the way. I do not want to pick on you. You are a good guy. \nThe European Union is doing some stuff, and Japan is doing some \nstuff, but it is really not complete, or is it?\n    Mr. Ritter. One of the things that distinguishes both \nEuropean policy development and Japan is extensive research and \nconsensus development before they introduce definitive rules. \nThat is something we struggle with here in the United States to \nstay in the----\n    Senator Tester. So what did you just say?\n    Mr. Ritter. They think about it, and they write their rules \nwith design.\n    Senator Tester. OK.\n    Mr. Ritter. All right? You would not buy a combined----\n    Senator Tester. That is exactly what we do here in the U.S. \nSenate.\n    [Laughter.]\n    Mr. Ritter. 
A survey came out just about 8 weeks ago on the \nimpact of GDPR on the European citizen, and it indicates that \nthey have had over 145,000 complaints just in the first year. \nBut--and I will take a look at my notes here--45 percent of the \npeople that were surveyed in Europe liked the reduction in \nnonresponsive marketing. They were getting better tailoring, \nand they liked that.\n    Senator Tester. And how did--excuse me. I am going to make \nit very, very short. How did they stop that reduction? How did \nthey make that reduction in marketing happen?\n    Mr. Ritter. Many of the rules that the GDPR embraced, which \nalso, I think, Senator Cortez Masto's bill embraces, just put \nan accountability on companies for having to disclose the use \nof----\n    Senator Tester. And what happens if they do not follow the \nrules? Are there penalties?\n    Mr. Ritter. The problem of enforcement is one we also have \nto address.\n    Senator Tester. I get back to my original point. If this \nwas easy, it would already be done.\n    Thank you, Mr. Chairman. Thank you, Ranking Member Brown, \nfor your courtesy.\n    Chairman Crapo. Thank you.\n    By the way, we have a Do Not Call List bill that we are \nworking on.\n    Senator Tester. Yeah. Well, we passed it, did not we?\n    Chairman Crapo. Well, we have a better, more enhanced one.\n    [Laughter.]\n    Chairman Crapo. Go ahead, Senator Toomey.\n    Senator Toomey. Thanks, Mr. Chairman. I think this has been \na great hearing and a great discussion. I appreciate you doing \nit, and I want to really thank all of our witnesses for \ncontributing to thoughtful ideas to a very challenging and \ninteresting conversation.\n    Some of the points, I think, that are extremely important, \nI think Senator Tester was touching on the fact that probably \nmost people have different views about different datasets about \nthemselves. 
I mean, I want much more privacy about my \nhealthcare records, for instance, than I do about whether I \njust bought a tractor.\n    I am sympathetic to the argument that transparency is \ngenerally, probably a good thing, and I am sympathetic to the \nidea of consumers having greater ability to exercise some \nchoices about what data is released and what is not.\n    But one of the things we have not talked a whole lot about \nthis morning is the fact that in the model that has organically \nevolved, consumers get compensated. There is actually a lot of \ncompensation. We talk about how much revenue Facebook took in. \nIt is a staggering number.\n    It is hard for me to quantify, but I can tell you I \nperceive significant value every single day when I go and turn \non Pandora. I can get to listen to any music I want for free as \nlong as I want, and very regularly, I will go to any number of \ncompeting map software and get fantastic direction to any \ndestination I want to go to anywhere. And I pay nothing for it.\n    I can read newspapers and magazines. The list is endless, \nright, of all of the things, and in fact, in many of these \nspaces--not all--many of them, there is real competition. To \nthe extent that there is real competition, you have to assume \nthat the data that is being--that is the revenue stream for \nthese companies that have these apps, they are competing for \nthat. And so they are presumably competing to offer me ever \nmore in return for me providing them my data, to the point \nwhere it should converge on something approximating the value \nof it.\n    So I like that value. I love the innovation. I have no idea \nwhat new things are going to be available next year, but I bet \nthere is a bunch of others that I am going to enjoy using.\n    So I wonder if anybody--let me start with Mr. 
Rinehart--\nwould want to comment on the fact that without property rights, \nwhich I have not thought enough about to have an opinion on--\nconsumers are already being compensated every single day for \nthe data that they share. What are your thoughts on the level \nof compensation?\n    Mr. Rinehart. Yes. I mean, this is something I tried to \nhighlight in my testimony is the conflict between the data that \nsupports the services and how consumers then value the services \nbecause those are slightly different things.\n    We do know that consumers do value these services pretty \nextensively. I did some quick calculations before the hearings, \nand social media, by most accounts, probably benefits people to \nabout $13,000 per year. They use it pretty extensively. I can \nfollow up later. But we also know from a whole bunch of other \nsurveys that if you were to try to give up, for example, Google \nsearch, it would cost people something like $18,000 per year to \nbe willing to pay to get--or to be compensated to not use \nGoogle, similarly like $8,000 or around $8,000 for maps, as you \nhad mentioned, or mapping services.\n    So, yes, consumers do benefit in kind of these implicit \nvalues or in an implicit way, which does not show up in a lot \nof data, and that is also what makes the valuation of data \nitself. And as I mentioned throughout my testimony, it just \nmakes it a little bit more difficult.\n    Ms. Dennedy. Can I add one thing? My ears are hurting that \nwe are saying it cannot be a property right. I think that data \nis probably some sort of an intellectual property right. It may \nnot be a tangible right, but I think exactly as you are talking \nabout, data to me is currency.\n    So if you think about a penny, a U.S. penny, that alone is \nnot very much, and I can tell you I have got a penny and you \nhave got a penny. The story that that penny tells when you put \nit together with the rest of my data story--where am I spending \nit? 
How am I spending? Who am I? If I hand him a dollar, it \nmeans less than if I have a dollar based on our past history.\n    So when we are talking about valuing datasets, let us be \ncareful to understand that what you are really talking about is \nthe lifetime. Sometimes there is a one-time transaction with \ndata, and it looks and feels like a property right or a \nbailment. And other times, it really is ``What is that \nrelationship worth?'' And the banking community, in particular, \nunderstands that better than anyone.\n    Mr. Rinehart. Can I just add one small comment? I mean, I \nwould mention at least within intellectual property, the \ntraditional reason why you establish property rights for \nintellectual property is because there is an underproduction of \nthose sorts of services, and what we are talking about here, \nespecially with privacy, is very much the opposite of that. \nWhat we are trying to establish or at least what we are trying \nto talk about is the limitations of disclosure.\n    I just find the intellectual property, the typical way of \ntalking about it and the typical way of thinking about it \nthrough property rights as a way to incentivize creation is, in \nfact, the opposite of what we are talking about with privacy, \nwhich is incentivizing some sort of disclosure, which is just, \nI think, a complicated--it is a more subtle way to think about \nthe difference between the two.\n    Senator Toomey. Thank you very much.\n    Chairman Crapo. Thank you.\n    Senator Brown.\n    Senator Brown. Thank you, Mr. Chairman. Thanks for your \nflexibility. The Finance Committee was doing a really important \nhearing on opioids, and as Mr. Ritter knows and some of you \nknow, it is a terrible problem in Ohio. 
It is one of the worst \nproblems in the country.\n    We know the system we have right now does not protect \nAmericans' privacy--phones, laptops, TVs, credit cards--turned \ninto tools to harvest personal information for a few or maybe \nmore than a few to profit.\n    Mr. Ritter or Mr. Marlow, when we are talking about a \nproperty rights model for data, is not that just a way to \nlegitimize and expand on the way Facebook and other big tech \ncompanies spy on every aspect of our lives?\n    Mr. Ritter. In the 21st century, Senator, surveillance will \nbe part of our life. This is something that we as a society \nmust decide how to regulate.\n    I do not think that they are spying on our lives in a way \nthat is, at first instance, inapposite to our purpose in \ninteracting with them. I walk into a bank to open a bank \naccount so that I can save my money and pay my bills. I roll \nonto a gurney into a hospital ER for them to save my life, and \nthat involves collecting a whole bunch of data and X-rays and \nMRIs and vital information. This is part of how we provide \nservices in the 21st century.\n    Each of us, to use your metaphor, is a data generator, even \nour devices, and I think that what we have to recognize is that \nwe cannot stop the surveillance that the digital age demands \nfor operational efficiency. But we can impose appropriate rules \nagainst the misuse of that information beyond the original \npurpose for which it is collected, and we can better enforce \nthose by making clear who stands responsible.\n    Senator Brown. Thank you.\n    Mr. Marlow, answer that, if you would, in however direction \nyou want to take, but include in it explaining how a property \nrights model would or could or should provide meaningful \nprivacy protections.\n    Mr. Marlow. So I would say this. 
The property rights model \nwould provide privacy protections, and the fact that any model \nthat says you own this data, you have the right to sell it, the \ncorollary would be ``And you have the right not to sell it.''\n    The problem with the data property model is you can \naccomplish all those things with privacy legislation, like \nCalifornia has, like Maine has, without having to create a data \nproperty model that will further incentivize people to give up \ntheir property.\n    And I would say, just to put a fine point on something, \nsurveillance is not necessarily going to be a part of our lives \ngoing forward. Attempts to surveil us will be. The extent to \nwhich surveillance succeeds or fails, the extent to which we \nhave privacy or not is in your hands.\n    I would be more than happy to come back another time for \nthis Committee to talk about the way that our laboratories of \ndemocracy, our State legislatures are approaching this issue \nand making significant progress.\n    So I would not be defeatist here. The only way that privacy \ndisappears and surveillance wins the day is if we take an \nattitude that it is inevitable.\n    Senator Brown. Let me pursue that again with both of you, \nMr. Ritter and Mr. Marlow.\n    We have been discussing whether or not we should create \nproperty rights in data. I know that you both are skeptical \nthat it is even possible.\n    Senator Kennedy compared data to a cabbage. If I sell you a \ncabbage or house or a car or any other property, I have to hand \nit over to the property owner. I sell you data. I still can \nkeep a copy of it. How does the difference between data and \nSenator Kennedy's cabbage make it hard to exercise privacy \nrights, the same way you could exercise property rights?\n    Start with Mr. Ritter.\n    Mr. Ritter. Actually, I think cabbage and my medical record \nare very similar, Senator.\n    As detailed in my written testimony, the scientific \nconsensus surprises us. 
In contrast to what Ms. Dennedy said, I \ndo not believe information is intangible. It is a tangible \nobject. It is just small. And as our technology evolves, we \ncan, in fact, manage the rules and the use and the economic \nimplications of that use through technical means and through \nrules being applied. We just have to design the rules \ncorrectly.\n    So I actually do think there is a great potential here to \nimprove the protection of the individual from misuse and \nincrease the enforceability of violations of those rules by \nmaking more clear, if you will, who is on first and has the \nownership responsibility to make sure the consumers' interests \nare protected.\n    Senator Brown. Mr. Marlow, comments?\n    Thank you, Mr. Ritter.\n    Mr. Marlow. Data makes terrible coleslaw, unlike cabbage, \nso I would start there.\n    [Laughter.]\n    Mr. Marlow. But I would say, again, the problem is that it \nfeels like we are trying to put a square peg into a round hole. \nThe data-as-property model, although it has some facets that \npromote property, also undermines property, like the need to--\nif you had data or a cabbage, that could be replicated \nindefinitely and passed around, the need to track it everywhere \nit went, so people could be paid every time they consumed a new \ncabbage or piece of data. And that would require the tracking \nof any information.\n    I could post something online that gets linked to my \ncomputer. Therefore, it provides personal information, and now \nmy speech is being tracked all over the internet.\n    So, again, I think that if you want to focus on privacy, \nyou should focus on privacy protections that do not have such \nobvious downsides that come along with them, and that is the \ndata property model.\n    Senator Brown. Thank you, Mr. Chairman, for allowing me one \nmore question.\n    Again, this is for Mr. Ritter. 
I know you well enough, many \nyears ago, to know you care about the wealth gap in this \nCountry, and it is getting worse. We cannot continue to have an \neconomy, although the Senate does nothing to fix this, that \ndivides Americans into the haves and have-nots.\n    With that in mind, would a system of data ownership create \na world in which the rich could afford to keep their data \nprivate, but those who--Senator Crapo and I have talked about \nthe challenge for low-income people and the temptation to sell \nall of those things. Would this mean the rich could afford to \nkeep their data private, but too expensive or difficult for \neveryone else?\n    Mr. Ritter. People that are underprivileged or financially \ndisadvantaged sell their blood to be able to put food on the \ntable for their children, and I do not think we can escape the \nlikelihood that they would also sell their data if there was an \neconomic return that would be useful.\n    The bigger problem, of course, is to reduce the inequality, \nand we do that by being more visible of how that money is being \nmade.\n    For all the comments that have been made about the cost of \ncompliance, there are very few advocates that assert the \nobjection to the cost that do not knowingly talk about the \nrevenue, and when we realize how much money is being made by \nthese corporations from the personal information without \nreturning that back as part of the ongoing transactional \nrelationship with the individual, we are making a mistake and \nimproving the inequality.\n    Senator Brown. Could Mr. Marlow answer that too? And then I \nyield.\n    Mr. Marlow. I would just quickly say that blood is a \nreplenishable resource. When you sell your privacy, it is gone, and I \nthink that if I were to say to any Member of this Committee, \nfor $50, would you sell me your most intimate, private, \npersonal information, you would say no. 
But if you could not \nput food on your kids' table, if they were getting bread and \nwater for the third night in a row and I said, ``I will give \nyou $50 for your most personal information,'' I would venture a \nguess that you would all say yes. I am not certain that that is \nwhat we want privacy to look like in this country.\n    Chairman Crapo. Thank you.\n    Senator Tillis.\n    Senator Tillis. Thank you, Mr. Chairman.\n    Thank you all. I think you have given us all a lot of good \ninformation to work on.\n    You know, I am somewhere between Senator McSally and being \na privacy zealot and Senator Toomey who has rightfully pointed \nout all the benefits of using this data responsibly.\n    I think that Congress--and I am curious, and I have got a \ncouple of questions for you that may go down the line. But, \none, Mr. Marlow, I hear you talk about the laboratories of \ndemocracy. I believe in it. I was the Speaker of the House. I \nloved the kind of stuff that I was doing in North Carolina.\n    But I am concerned if we do not come up with a Federal \nsolution to this problem that deals with data breach, data \nprivacy, and data ownerships, then we are creating a patchwork \nof lies that is going to make it more difficult for American-\nbased innovators to really produce the next generation of \nvalue-added. Is there anyone here who thinks it is a bad idea \nfor us to pursue Federal preemption and take on those three \nbuckets?\n    Mr. Marlow. I do, and the reason I----\n    Senator Tillis. That is why I asked you first.\n    Mr. Marlow. Thank you, sir.\n    [Laughter.]\n    Mr. Marlow. So the reason I say that, to be simply \npractical, is this. The idea that the U.S. 
Congress would pass \nstrong privacy laws that would set a reliable privacy floor for \nthe entire country is exceptionally appealing.\n    The idea that Congress would come in where some States have \npassed even higher privacy protections for their citizens, like \nNorth Carolina might, and then say we are going to bring that \nprivacy ceiling down to the Federal level, I find less \nappealing because I, like you, Senator, believe in our Federal \nmodel, believe that the States have the ability to--you know, \nyou may have North Carolina passing a privacy protection that \nturns out, as we let it exist in the world for 10 years, serves \nto be a guiding light for Congress. But if we squelch it \nthrough preemption from the very beginning, we will never learn \nthe lesson from your State, and so that is why I am very \nhesitant to have Congress creating a ceiling on privacy rather \nthan a floor.\n    Chairman Crapo. Others down the line?\n    Mr. Ritter. Thank you.\n    For nearly 30 years, I interacted on behalf of this country \nat the United Nations to write the rules that have enabled \nglobal electronic commerce to now thrive. There is one \nessential truth of global communication systems--uniformity \nrules.\n    Whoever writes the rules first usually wins that game, and \nour failure to be more proactive in addressing the valuation of \npersonal information and all data has handicapped our \ncompetitiveness.\n    Having 50 different States is going to be adverse to our \ninterests and, in fact, does not allow us to thrive.\n    Senator Tillis. I want to move on to some others. I have to \nsay that, in full disclosure, at Pricewaterhouse, I was a \npartner in global sourcing, strategic sourcing, and data \nanalytics and data privacy and worked on it quite a bit. 
I \nactually think, first, we have to get Congress better educated \non the issue so that we really know what we are talking about.\n    But I tend to believe we could be the jurisdiction that \nsets an international standard, that we may miss a few nuggets \nin some of the States that are doing good things, but at the \nend of the day, if we do not get this right, then the States \nthat are laggards are going to expose their constituents and \nour innovation opportunity may be lost for the United States.\n    We have to understand that they are going to be aggregating \ndata across the globe, and if we set a standard, we may be \nbetter off as a result of doing it.\n    Look, because I have been in technology all my life and I \nam still trying to teach all these young folks that work for me \nhow to use it, when I want to be private, I go into incognito \nmode. When I do not want somebody to know where I am, I turn \noff location services, or I use VPN. When I see a platform that \nI do not want to share my data, I do not. When I see a platform \nthat if I do share my data, I may be able to drive down the \nprice point of something I am purchasing by 50 percent.\n    There is a website out there now where I can go put \nsomething that I want to buy. It aggregates all of the online \nretailers, and over a period of time, I say when you see a \nprice point at this point, let me know and I will buy it.\n    When you talk about narrowing the wealth gap, I think there \nis a great opportunity for the people who have the least amount \nof money to benefit from these tools, if we get them right, to \ndrive down the cost and drive down the cost to the consumer.\n    We now have someone that may be growing up in the trailer \npark that I grew up in, in Tennessee, that can get on a phone \nand drive a price point down. 
That used to be only available to \nlarge corporations that did strategic sourcing and had access \nto the tools, but we have really got to educate people on the \nvarious layers of data that we are talking about here.\n    Tom Tillis and all of my personal information, I believe, \nis mine. I may allow someone to take it and use it. I want \nthere to be a very clear authorization there, and I want to \nknow whoever has it will then ultimately have a responsibility \nfor any kind of data breach or misuse of that information. \nThose rules of the road need to be defined.\n    But then we have to talk about the abstractions of data, \nwhere my identity is less important than my demographic, and \nthen the aggregation of data that you actually use to gain \ninsights and then target. I mean, all of that, all those layers \nof information have different implications in terms of whether \nor not I own it or whether or not my behaviors are just making \nit easier to find people like me that say, ``Hey, you may be \nable to get what you are looking for, for half the case, based \non your behaviors.''\n    We have got to better educate Congress on what layer we \nhave to protect and what consequences there are for platforms \nwho fail to be good stewards of the data, but then recognize \nthat these data models are also what are driving innovation \nthat ultimately benefit consumers and I think will ultimately \nbenefit patients in health care. That is the sort of stuff we \nhave to work on.\n    And in Congress, Mr. Chairman, I know right now we have got \nat least three committees that think that they have ball \ncontrol over this issue. One of the things that we have to do \nfairly quickly is figure out how we come together--and this has \nto be very task focused--and have each of these committees come \ntogether and figure out how to approach this on a more holistic \nbasis, or otherwise we are going to keep talking about it and \nnot act on it.\n    Ms. 
Dennedy, I think it is remarkable that you wrote a book \nwith your dad on data privacy manifesto. I am going to get one. \nI am going to get a copy of that book, but what I would also \nlike to get is the graphic novel that you were talking about, \nsome of the other things, if they are publicly available.\n    Ms. Dennedy. I think Intel has taken it down, but I will \nget you a copy, Senator.\n    Senator Tillis. I think that that would be very helpful \nbecause that is the sort of stuff that we need to get out to \nthe individuals so that they understand. You use the one as the \nunderground, the map to show, so that you can very quickly say \nthat when I opt in or if I opt out, an informed choice in that.\n    Ms. Dennedy. Those are public. You can find them on \ntrust.cisco.com.\n    Senator Tillis. I will go through that, but I think all of \nyou made very valid points. What we have got to do is \nsynthesize\nit and, I think, come up with a data breach, data privacy, data\nownership policy that could potentially set a standard. We can \nbe instructed by GDPR. We can be instructed by California. We \ncan be instructed by a dozen or so other States that are \nconsidering it. But I think at the end of the day, this is \nsomething that Congress is going to have to take on.\n    Thank you all.\n    Mr. Marlow. Senator, if I could just say one point. You \nactually, I think, perhaps inadvertently made a very strong \ncase additionally why we need privacy laws. You mentioned that \none of the ways that you protect your privacy is by using \nincognito mode. Incognito mode, despite its name, is not \nprivate. It basically means it is private for your computer and \nother people in your household.\n    Senator Tillis. Right.\n    Mr. Marlow. But if you search on Google, Google can still \nsee where you are going.\n    Senator Tillis. Right.\n    Mr. Marlow. So that is part of the point. 
We need to make \nsure that not only that the Congress is educated but consumers \nare educated and actually have meaningful rights in the area.\n    Senator Tillis. Absolutely. And there is a lot of other--\nthere needs to be a suite of tools available to the consumer \nthat can basically counter everything else that is going on \nafter you hit enter. I get that. I think that is a part of the \ndiscussion that we have to have.\n    I just, for one, think that I have been in Congress now for \n4 \\1/2\\ years. We have been talking about this 4 \\1/2\\ years. \nWe actually need to take action, and we need to do it on a \nmultijurisdictional basis. And we will continue to value your \ninput.\n    Mr. Chair, the only reason I went over is I was the last \nperson, so you are the only one I inconvenienced. And I am \nsorry about that.\n    [Laughter.]\n    Chairman Crapo. That is the only reason I let you keep \ngoing too.\n    Thank you very much. That concludes the questioning.\n    Every Senator who left told me this has been a really great \nhearing. The members of the panel are deeply appreciated. We \ndid not even get to get as deep as any of us wanted to on a lot \nof what you wanted to say and what we wanted to discuss with \nyou, but that will come, and we do have consensus that we need \nto move and move broadly and quickly, but effectively.\n    And your testimony today and what you will continue to give \nus in terms of counsel and advice and response to questions \nwill help us get that done.\n    So, again, thank you all very much. You will probably get \nsome more questions from Senators, and to those Senators who \nwish to submit questions for the record, those are due to the \nCommittee by Thursday, October 31st. And then we ask that you \nrespond to them as quickly as you can when you do receive them.\n    With that, again, thank you very much for being here, and \nthis Committee is adjourned.\n    Mr. Ritter. Thank you, Mr. Chairman.\n    Mr. Marlow. 
Thank you, Chairman.\n    [Whereupon, at 11:29 a.m., the hearing was adjourned.]\n    [Prepared statements, responses to written questions, and \nadditional material supplied for the record follows:]\n               PREPARED STATEMENT OF CHAIRMAN MIKE CRAPO\n    We welcome to the Committee four witnesses with extensive \nexperience and a range of perspectives on issues related to data \nownership, valuation and privacy, including: Mr. Jeffrey Ritter, \nFounding Chair of the American Bar Association Committee on Cyberspace \nLaw, and an external lecturer at the University of Oxford; Mr. Chad \nMarlow, Senior Advocacy and Policy Counsel at the American Civil \nLiberties Union; Mr. Will Rinehart, Director of Technology and \nInnovation Policy at the American Action Forum; and Ms. Michelle \nDennedy, Chief Executive Officer of DrumWave.\n    As a result of an increasingly digital economy, more personal \ninformation is available to companies than ever before.\n    Private companies are collecting, processing, analyzing and sharing \nconsiderable data on individuals for all kinds of purposes.\n    There have been many questions about what personal data is being \ncollected, how it is being collected, with whom it is being shared and \nhow it is being used, including in ways that affect individuals' \nfinancial lives.\n    Given the vast amount of personal information flowing through the \neconomy, individuals need real control over their personal data.\n    This Committee has held a series of data privacy hearings exploring \npossible frameworks for facilitating privacy rights to consumers.\n    Nearly all have included references to data as a new currency or \ncommodity.\n    The next question, then, is who owns it? 
There has been much debate \nabout the concept of data ownership, the monetary value of personal \ninformation and its potential role in data privacy.\n    Some have argued that privacy and control over information could \nbenefit from applying an explicit property right to personal data, \nsimilar to owning a home or protecting intellectual property.\n    Others contend the very nature of data is different from that of \nother tangible assets or goods.\n    Still, it is difficult to ignore the concept of data ownership that \nappears in existing data privacy frameworks.\n    For example, the European Union's General Data Protection \nRegulation, or GDPR, grants an individual the right to request and \naccess personally identifiable information that has been collected \nabout them.\n    There is an inherent element of ownership in each of these rights, \nand it is necessary to address some of the difficulties of ownership \nwhen certain rights are exercised, such as whether information could \npertain to more than one individual, or if individual ownership applies \nin the concept of derived data.\n    Associated with concepts about data ownership or control is the \nvalue of personal data being used in the marketplace, and the \nopportunities for individuals to benefit from its use.\n    Senators Kennedy and Warner have both led on these issues, with \nSenator Kennedy introducing legislation that would grant an explicit \nproperty right over personal data, and Senator Warner introducing \nlegislation that would give consumers more information about the value \nof their personal data and how it is being used in the economy.\n    As the Banking Committee continues exploring ways to give \nindividuals real control over their data, it is important to learn more \nabout what relationship exists\nbetween true data ownership and individuals' degree of control over \ntheir personal information; how a property right would work for \ndifferent types of personal information; 
how data ownership interacts \nwith existing privacy laws, including the Gramm-Leach-Bliley Act, the \nFair Credit Reporting Act and GDPR; and different ways that companies \nuse personal data, how personal data could be reliably valued and what \nthat means for privacy.\n    I appreciate today's witnesses for offering their expertise and \nsharing a range of unique perspectives.\n                                 ______\n                                 \n              PREPARED STATEMENT OF SENATOR SHERROD BROWN\n    Thank you to the Chairman for calling this hearing.\n    This Committee has spent some time over the last several months \ndiscussing Facebook's poorly thought out plan to create a global \ncurrency. And the bottom line is that we know that Facebook can't be \ntrusted with Americans' personal information and it is terrible at \nprotecting its users' privacy. It was pretty clear the last thing we \nshould do is trust them with Americans' hard-earned dollars.\n    But it isn't just Facebook. Every time corporations in Silicon \nValley come up with a new business model, the result is the same--they \nget more access to our personal data, spending habits, location, the \nwebsites we visit, and it means more money in their pockets. And \neveryone else gets hurt.\n    So I want to begin this hearing with a simple question--who has the \nright to control your personal, private information: you or Silicon \nValley CEOs like Mark Zuckerberg?\n    I think we all agree that Americans should have more control over \ntheir private information.\n    But should we treat that private information like property? 
Today's \nwitnesses will discuss that idea.\n    At first glance this might seem like a simple way to tackle the \ncomplex problems created by data collection and machine learning.\n    The promise is that if we just treat personal data like property, \nmarkets will do the hard work of protecting our privacy for us.\n    But that's not how it will work.\n    Instead of making companies responsible for protecting their \ncustomers' privacy, this idea puts the burden on all of us.\n    Now imagine that if every time you wanted to use Facebook, or pay \nfor something with an app, or login to a Wi-Fi network, you had to read \neven more legal fine print, and check a box saying, ``OK, I waive my \npersonal right to my data to use this service.'' Or you had to join \nsome kind of so-called ``data collective'' to sell your data.\n    Working people in this country have enough to worry about--they're \ntrying to get the kids out the door and get to work on time; to make \nrent and save for college and pay the bills.\n    The idea that people should also have to manage their data like a \nlandlord manages its tenants is ludicrous.\n    This should be pretty simple--corporations should not be allowed to \ninvade our privacy.\n    We know that today, they are.\n    Just think about all the personal data that's already floating \naround out there. Equifax exposed the personal information of more than \n150 million Americans--Social Security numbers, birthdays, addresses. \nCapital One exposed the personal information of more than 100 million \nAmericans.\n    How can you own your data, when it's already littered all over the \ninternet?\n    Big tech companies don't want to protect your personal \ninformation--they want to profit off it. 
Protecting your privacy \ndoesn't make them any money--it costs them money--so they aren't going \nto do it.\n    They want your data, and they want to get it for free, or pay as \nlittle as possible for it.\n    So it should be no surprise that I am skeptical when I hear of \nplans for Americans' data to be treated like property.\n    If Americans want more control over their private information, we \nhave to find a way to prevent corporations from mining our data and \nselling it to each other. Creating a supermarket for selling away our \nprivacy does the opposite.\n    Treating data as something that can be owned, bought, and sold \ndoesn't solve any of these problems--especially when undermining our \nprivacy is the business model.\n    Mark Zuckerberg and his Silicon Valley buddies want us to skip over \nthe part where we have control over our privacy, and jump to the part \nwhere giant tech companies get to use their market power to squeeze our \nprivacy out of us--and it would all be legal.\n    That's unacceptable.\n    I appreciate that Chairman Crapo has been working with me in a \nbipartisan way to create real privacy protections. Privacy isn't \npartisan, it's a basic right.\n    I look forward to continuing our work together, and to the \nwitnesses' testimony.\n    Thank you.\n    \n                  PREPARED STATEMENT OF CHAD A. 
MARLOW\n                   Senior Advocacy and Policy Counsel\n                     American Civil Liberties Union\n                            October 24, 2019\n    Chairman Crapo, Ranking Member Brown, and Members of the Committee \non Banking, Housing, and Urban Affairs, on behalf of the American Civil \nLiberties Union (ACLU),\\1\\ I want to thank you for the privilege of \ntestifying before your Committee today.\n---------------------------------------------------------------------------\n    \\1\\ For nearly 100 years, the ACLU has been our Nation's guardian \nof liberty, working in courts, legislatures, and communities to defend \nand preserve the individual rights and liberties that the Constitution \nand laws of the United States guarantee everyone in this country. With \nmore than eight million members, activists, and supporters, the ACLU is \na nationwide organization that fights tirelessly in all 50 States, \nPuerto Rico and Washington, DC, to preserve American democracy and an \nopen Government.\n---------------------------------------------------------------------------\n    The ACLU is strongly concerned about the data-as-property model and \nhow it is being presented to the American public and its lawmakers. \nWhile the data-as-property model may have merit as a tool for \nredistributing the money that is currently being made off the sale of \npersonal information, any claim that it advances privacy is false. To \nthe extent Congress is seeking to provide greater private protections \nfor Americans' personal information, what we need is an affirmative \nconsent-based model that provides all individuals the ability to opt-in \n(or not) to the sharing of their personal data. Whether consenting to \nsuch use results in monetary gain is a separate matter, and does not in \nand of itself advance privacy. 
We should not countenance misleading \nassertions that the data-as-property model is itself pro-privacy.\\2\\\n---------------------------------------------------------------------------\n    \\2\\ Chad Marlow, Beware the Tech Industry's Latest Privacy Trojan \nHorse, ACLU (Mar. 18, 2019), https://www.aclu.org/blog/privacy-\ntechnology/medical-and-genetic-privacy/beware-tech-industrys-latest-\nprivacy-trojan.\n---------------------------------------------------------------------------\n    A central tenet of the data-as-property model is that the \nGovernment should establish--through regulating and policing a \nuniversal marketplace of personal data--that individuals are ``owners'' \nof their personal information and, consequently, have a property-based \nright to sell or refuse the sale of their data to third parties. \nHowever, if the objective is privacy protection, policymakers have \nidentified other approaches that more directly facilitate advancements \nin the cause of personal information privacy and do not carry the \nadverse privacy risks associated with the data-as-property approach. \nFor example, two State laws passed last year\\3\\--the ``California \nConsumer Privacy Act,''\\4\\ which allows consumers to opt-out of their \npersonal information being sold, and Maine's ``Act To Protect the \nPrivacy of Online Customer Information,''\\5\\ which takes the superior \napproach of not allowing a person's information to be sold without \nfirst securing their ``opt in'' permission--made important advances in \nprotecting individual privacy, without treating data as property or \nfocusing on its monetary value. Rather, they advanced privacy by \nempowering individuals to exercise control over their personal \ninformation. 
Indeed, at a time when our existing laws at the Federal \nlevel and in most States are wholly insufficient to ensure that \nindividuals have control over protecting their personal information, \nthe data-as-property model simply distracts us from pursuing meaningful \nprivacy legislation.\n---------------------------------------------------------------------------\n    \\3\\ Francoise Gilbert, Maine Follows California Lead: Prohibits ISP \nUse, Sale, Disclosure of Online Consumer Information Without Prior \nAffirmative Consent, The National Law Review (June 10, 2019), https://\nwww.natlawreview.com/article/maine-follows-california-lead-prohibits-\nisp-use-sale-disclosure-online-consumer.\n    \\4\\ SB-1121, 2017-2018 Leg., (Cal. 2018) also available at https://\nleginfo.legislature.ca.gov/faces/\nbillTextClient.xhtml?bill_id=201720180SB1121.\n    \\5\\ S.P. 275, 2019 Leg., 129th Sess. (Me. 2019) also available at \nhttp://www.mainelegis-\nlature.org/legis/bills/getPDF.asp?paper=SP0275&item=1&snum=129.\n---------------------------------------------------------------------------\n    Four aspects of the data-as-property model--which essentially \nmandates the creation of a Government-regulated and policed marketplace \nfor personal information--would be especially harmful to privacy and \nfree speech:\nCreating Conflict at the Time Individuals Might Otherwise Choose To \n        Protect Their Personal Information\n    To understand why the data-as-property model is concerning, one \nshould start by looking to how it would be effectuated. Namely, at the \ntime a person's information is collected--which is when pro-privacy \nlaws typically mandate the disclosure of one's data privacy rights--a \nGovernment mandate would require the simultaneous advertising of the \nindividual's ability to surrender their privacy by selling their \npersonal information. 
To make the decision to sell one's data seamless, \nwhere this model has been pushed by data sales facilitators on the \nState level, the bills further require data sales authorization forms \nbe concurrently provided.\n    Imagine, as was the focus of a data-as-property bill in Oregon \nearlier this year, how uncomfortable that exchange might be where, in \nthe course of ongoing medical treatment, a doctor requests a patient \nprovide consent so they can sell the patient's personal information. \nNow further imagine what pressure might be applied where the doctor has \nbeen incentivized to secure consent by being offered a cut of the sale \nrevenue for the data.\n    Instead of giving consumers meaningful control over their personal \ninformation, many of the private sector entrepreneurs who are \nadvocating for the data-as-property model want to use the power of the \nGovernment to mandate that the marketplace for selling data--one they \nwill very profitably help to facilitate--is advertised to all persons \nat the time their information is collected. We have seen this as a \ncentral feature of the data-as-property bills being introduced in \nStates, like the previously referenced bill in Oregon,\\6\\ where as soon \nas the bill was understood to be a privacy Trojan Horse, it was soundly \nrejected. In fact, no data-as-property bill has been adopted in any of \nthe States in which they have been pursued or introduced, which \nincludes Oregon, Maryland, Hawaii, California, Washington, Montana, \nArizona, Georgia, New Jersey, Massachusetts, and Pennsylvania.\n---------------------------------------------------------------------------\n    \\6\\ S.B. 703, 2019 Leg., 80th Sess. (Or. 
2019) https://\nolis.leg.state.or.us/liz/2019R1/Downloads/MeasureDocument/SB703/\nIntroduced.\n---------------------------------------------------------------------------\n    If anything, when it comes to privacy, what the data-as-property \nmodel actually does is create a hedge against the growing likelihood \nthat Congress and the States will pass tougher privacy laws. \nSpecifically, it would ensure that, should stronger privacy protections \nbe implemented, the data sales marketplace--which relies upon \nconvincing people to relinquish their privacy--will be advertised right \nalongside any required notifications about individuals' new privacy \nrights. As Congress explores how to better protect Americans' privacy, \nit should strongly resist supporting the data-as-property model, which \nwould undermine those efforts to directly protect privacy.\nWidening of Digital Divide and Disproportionate Harm to the Most \n        Vulnerable Individuals\n    The high value Americans place on their privacy is universal \\7\\ \nand nonpartisan.\\8\\ It is wisely enshrined in our Bill of Rights.\\9\\ As \na result, adopting a model where persons with less wealth are likely to \nend up with less privacy should give lawmakers pause.\n---------------------------------------------------------------------------\n    \\7\\ National Science Board, Americans' Attitudes Toward Information \nPrivacy in the World of Big Data at 1, also available at https://\nnsf.gov/statistics/2018/nsb20181/assets/404/americans-attitudes-toward-\ninformation-privacy-in-the-world-of-big-data.pdf.\n    \\8\\ Carl M. Cannon, Digital Privacy, a Non-Partisan Issue, Real \nClear Politics (July 23, 2013) https://www.realclearpolitics.com/\narticles/2013/07/23/digital_privacy_a_non-partisan_\nissue_119332.html.\n    \\9\\ U.S. Const. amend. 
IV.\n---------------------------------------------------------------------------\n    Americans who are economically secure will find it easy to reject \noffers to surrender their private information in order to make a few \nextra dollars. But that might not be the case for an elderly person who \nhas a hard time affording their prescriptions and rent. It may be too \ntempting a sales pitch for a family that is struggling to put food on \ntheir table. For persons who live in rural areas, where the cost of \nonline access may already be steep, a chance to offset those costs \nwhile online may feel impossible to turn down. And so they will agree, \nwhen pressed, to sell their private information for an unquantified \namount of money.\n    As a consequence, a Government-endorsed data-as-property model \nwould only serve to further expand this country's existing digital \ndivide,\\10\\ where persons already enduring socioeconomic or regional \neconomic disadvantages--including disproportionately, persons of \ncolor--frequently have little or no choice but to rely on cheaper, non-\nencrypted cell phones, free email, and other more affordable but less \nsecure tech products. The digital divide is a privacy divide, and the \ndata-as-property model would only serve to worsen it.\n---------------------------------------------------------------------------\n    \\10\\ Gry Hasselbach and Pernille Tranberg, Privacy is creating a \nnew digital divide between the rich and poor, The Daily Dot (Oct. 23, \n2016), https://www.dailydot.com/layer8/online-privacy-data-ethics/.\n---------------------------------------------------------------------------\nRequirement of a Universal Unique Tracking Identifier for All Persons\n    One of the most pernicious practical requirements of any data-as-\nproperty model would be the need to create some form of universal \nunique tracking identifier for all personal information. 
To track who \nowns personal data, who has sold it, who must pay, and who gets paid, \neach piece of data must be tagged with some form of a universal \nidentifier.\n    There likely would be no opt-out from a universal unique tracking \nidentifier for anyone, even for those who consistently refuse to sell \ntheir personal information. Why? Because legal compliance is likely to \nnot only require companies to identify what data they are permitted to \nsell and resell, but also to identify unlawfully distributed data as to \nwhich sales permission has been denied.\n    The need for a universal unique tracking identifier gets \nparticularly apparent, as well as difficult to implement, as the lines \nblur on who owns what data. What happens when data is sold that has \ninformation about multiple parties, like DNA or a group photo? Does \neveryone have to agree and get paid? What happens when some parties \nwhose personal information is contained in data elect to sell it and \nothers refuse? Who prevails?\n    In the end, whether people choose to sell their personal \ninformation or not, the effectuation of the data-as-property model, \nincluding the universal unique tracking identifier it may require be \nattached to all personal data, raises significant privacy concerns.\nHarm to Free Speech on the Internet\n    The need to track all communicated personal information, in order \nto effectuate and enforce the data-as-property model, will have an \nadverse impact on free speech. For example, every time a person shares \ncontent on the internet, sends an email or text message over a public \nnetwork or using a free application, or posts a picture of themselves \nor their family or friends on social media, personal information about \nthem will be transmitted, either within the communication itself or in \nits accompanying metadata. 
As a result, under the data-as-property \nmodel, it will need to be tracked and associated with the person who \ncommunicated it using a universal unique tracking identifier. Once the \npublic becomes aware of this fact--and if the ACLU doesn't warn them, \none of dozens of other privacy organizations certainly will--the public \nwill know it has lost the ability to communicate anonymously.\n    This would have an adverse effect on the free exchange of ideas, \nincluding on the ability to communicate private thoughts, or messages \nintended for a limited audience, or ideas that are either unpopular or \nrepresent opinions one is exploring but does not necessarily endorse. \nPrivacy and free speech frequently go hand in hand, and that is \ncertainly the case with the harms presented to them by the data-as-\nproperty model.\n                                 ______\n                                 \nA Better Way: Adopt Meaningful Privacy Legislation\n    If Congress wants to pass a law that creates meaningful privacy \nprotections for Americans--if Congress wants to pass a law so that \nevery time Americans use the internet, or social media, or complete a \ncommercial transaction, they do not have their personal information \ngathered and offered up for sale to third parties--it does not need to \ntreat data as property to do so. In fact, passing legislation that \ntreats data as property carries specific harms that would undermine \nthat goal.\n    The Government should not be promoting privacy as a resource to be \nbought and sold. 
A growing number of State constitutions\\11\\ now \nrecognize that privacy is a fundamental right, including the \nconstitutions of the home States of this Committee's Members from \nArizona, Hawaii, Louisiana, Montana, and South Carolina, along with \nmany others.\n---------------------------------------------------------------------------\n    \\11\\ Privacy Protections in State Constitutions, National \nConference of State Legislatures (Nov. 7, 2018) http://www.ncsl.org/\nresearch/telecommunications-and-information-technology/privacy-\nprotections-in-state-constitutions.aspx.\n---------------------------------------------------------------------------\n    The proper response to the pervasive loss of individual privacy is \nto pass stronger privacy laws,\\12\\ not just to throw up our hands and \nconclude the only issue left to tackle is who gets the money when \npeople's data is sold. Yes, privacy protections for personal \ninformation are weak in this country, but Congress and the States have \nthe ability to strengthen them. And they should. Limiting data \ncollection, retention, and further transfers without a person's clear, \ndistinct, and informed permission is a strong place to start.\n---------------------------------------------------------------------------\n    \\12\\ Consumer Perspectives: Policy Principles for a Federal Data \nPrivacy Framework Before the S. Comm. On Commerce, Science, and \nTransportation, 116th Cong. 3 (2019) (statement of Neema Singh Guliani, \nSenior Legislative Counsel, ACLU) also available at https://\nwww.commerce.senate.gov/services/files/79ABFD7A-8BEB-45B5-806A-\n60A3467255DD.\n---------------------------------------------------------------------------\n    Additionally, companies should be prohibited from denying a good or \nservice to someone who chooses to exercise their privacy rights, and \nconsumers should have a private right of action to seek compensation \nwhen their privacy rights are\nviolated. 
Most relevant to today's discussion, we should not be looking \nto a data-as-property model, which monetarily incentivizes people to \ngive up their privacy, to enhance privacy protections.\n    Again, if those who support the data-as-property model want to talk \nabout it as a potential way to create a more robust and equitable \nmarketplace for the sale of personal data, by all means they should \nmake that argument, but they need to stop advancing the false narrative \nthat the data-as-property model is pro-privacy.\n    Congress has the ability to adopt laws that truly empower Americans \nto better protect their personal information without undermining \nprivacy in the process, and I have confidence that you will.\n    Thank you again for the opportunity to testify today. I look \nforward to answering your questions.\n                                 ______\n                                 \n                  PREPARED STATEMENT OF WILL RINEHART\n              Director of Technology and Innovation Policy\n                        American Action Forum *\n---------------------------------------------------------------------------\n    * The views expressed here are my own and do not represent the \nposition of the American Action Forum.\n---------------------------------------------------------------------------\n                            October 24, 2019\n    Chairman Crapo, Ranking Member Brown, and Members of the Committee, \nthank you for the opportunity to testify today regarding data property \nrights. Like many privacy experts, I'm skeptical that data property \nrights are the best policy mechanism for ensuring privacy is secured in \nthe digital age. 
I hope to make three main points today:\n\n  -  A property right to personal data isn't needed to establish \n        consumer privacy rights, nor would it be economically efficient \n        to establish this kind of property right;\n\n  -  Valuing personal data is difficult because raw or personal \n        data per se is not what is in demand, but rather the insights \n        that can be gleaned from that data--insights that often depend \n        on the data's environment; and\n\n  -  Regardless of the particular policy mechanism, privacy laws \n        will create unavoidable costs from compliance, which will \n        impact investment opportunities in countless industries.\nThe Purposes and Limitations of Propertization\n    With Congress again considering Federal privacy legislation, the \nidea of personal data property rights is being explored as one policy \nmechanism for securing privacy.\\1\\ The very phrase ``personal data'' \nconjures up the notion that individuals own that data and firms are \nmerely taking it. Data propertization, which is the creation of \nproperty rights in law, has been seen as an attractive alternative \nsince the 1970s, for two reasons.\\2\\ First, it would grant individuals \nthe ability to sell their personal data, thus allowing them to \nrecapture some of its value. 
Second, propertization would force \ncompanies to internalize the costs of disclosure, thereby aligning firm \nand user expectations about data collection and use since users would \nbe able to bargain over the terms of the deal.\\3\\\n---------------------------------------------------------------------------\n    \\1\\ Michael Gorthaus, ``Andrew Yang proposes that your digital data \nbe considered personal property,'' available at: https://\nwww.fastcompany.com/90411540/andrew-yang-proposes-that-your-digital-\ndata-be-considered-personal-property.\n    \\2\\ Alan Westin, Information Technology in a Democracy.\n    \\3\\ Pamela Samuelson, ``Privacy As Intellectual Property,'' \navailable at: https://people.i\nschool.berkeley.edu/pam/papers/privasip_draft.pdf.\n---------------------------------------------------------------------------\n    There are reasons to be skeptical that assigning property rights in \ndata will have unalloyed benefits. For one, assigning property rights \nto data is a contortion of the normal reasoning that underpins \nintellectual property (IP) rights such as copyright and patents. \nInformation, which is embodied in copyrights and patents as well as \nuser data, can be easily reproduced (i.e., is nonrivalrous), and it is \ndifficult to prevent nonpaying consumers from accessing it (non-\nexcludable). Property rights incentivize information creation, since \nthose rights give the holder the ability legally to exclude others, \nthus making the information rivalrous. Yet, the problem faced in \nprivacy is of the opposite kind--the purpose is to limit information \ndisclosure.\n    Second, it is unclear if the assignment of data property rights \nwill align incentives between users and firms. 
While it is the case \nthat information disclosure can either be beneficial or detrimental, \nusers cannot know beforehand if the use of their data will necessarily \nlead to better products.\\4\\ Data propertization would only exacerbate \nthis problem, forcing users to search for the best value for their \ndata. In other words, data property rights would make users data \nentrepreneurs. Searching for innovative opportunities is costly, and \nthus one could imagine that users will likely hire an intermediary to \ndo this task--which is the job of platforms and other data providers \npresently.\n---------------------------------------------------------------------------\n    \\4\\ Alessandro Acquisti, Curtis R. Taylor & Liad Wagman, ``The \nEconomics of Privacy,'' available at: https://papers.ssrn.com/sol3/\npapers.cfm?abstract_id=2580411.\n---------------------------------------------------------------------------\n    As is detailed in an appendix to this paper, the Hart-Grossman-\nMoore model of property helps to flesh out the idea. This model can \nhelp to determine where it is most efficient to allocate property \nrights. When one party's investment in the data does not boost the \ntotal value that much, then it is better for the other party to have \ncontrol of the assets. In the parlance of economics, the party with \nhigher marginal returns from investment should be given the rights of \ncontrol, which is why platforms, and not users, spend so much time and \neffort to understand what is happening on the platform. Assigning data \nproperty rights to users will likely be inefficient because it will \nchange the investment decision veto point.\n    Third, and most important for this Committee, real world \nimplementation will prove tricky because of the interconnected nature \nof information. The vast majority of data generated in the last decade \ncomes from user interactions with online platforms. If Google didn't \nexist, there would be no search data. 
If Facebook didn't exist, there \nwouldn't be social graph data. To understand the challenge of \nimplementing data property rights, it is helpful to recognize how three \nclasses of data interact in online platforms.\\5\\ Volunteered data is \ndata that is both innate to an individual's profile, such as age and \ngender, and information they share, such as pictures, videos, news \narticles, and commentary. Observed data comes as a result of user \ninteractions with the volunteered data; it is this class of data that \nplatforms tend to collect in data centers. Last, inferred data is the \ninformation that comes from analysis of the first two classes, which \nexplains how groups of individuals are interacting with different sets \nof digital objects. At the very least, then, data is a co-created \nasset, with the users providing volunteered data and the platform \nassembling observed data to create inferred data. Creating data \nproperty rights will likely necessitate that only one party has rights, \nwhich has been a sticking point for previous efforts.\n---------------------------------------------------------------------------\n    \\5\\ World Economic Forum, ``Personal Data: The Emergence of a New \nAsset Class,'' available at: http://www3.weforum.org/docs/\nWEF_ITTC_PersonalDataNewAsset_Report_2011.pdf.\n---------------------------------------------------------------------------\n    As the German government discovered when trying to implement data \nproperty for connected cars, determining the owner isn't simple. Does \nthe car company own the property right, or might it be the driver, or \neven the rider?\\6\\ Privacy scholar Robert Gellman demonstrated this \nproblem would also beleaguer health care. 
For example, information \nabout a child's health could simultaneously belong to the patient, the \npatient's family, the school, the pharmacy, the supermarket, the \npediatrician, the drug manufacturer, social media platforms, \nadvertising companies, or internet service providers.\\7\\ Questions of \nfuzzy ownership continually plague IP and would similarly afflict data \nproperty.\n---------------------------------------------------------------------------\n    \\6\\ Lothar Determann, ``No One Owns Data,'' available at: https://\npapers.ssrn.com/sol3/papers.cfm?abstract_id=3123957.\n    \\7\\ Robert Gellman, ``Health Information Privacy Beyond HIPAA: A \n2018 Environmental Scan of Major Trends and Challenges,'' available at: \nhttps://ncvhs.hhs.gov/wp-content/uploads/2018/05/NCVHS-Beyond-\nHIPAA_Report-Final-02-08-18.pdf.\n---------------------------------------------------------------------------\n    Further, and even more practically, a property right in data isn't \nneeded to establish consumer privacy rights. For evidence of this fact, \none needs only to consult the current laws in the United States. \nThe Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act \n(FCRA), the Children's Online Privacy Protection Act (COPPA), and the \nCalifornia Consumer Privacy Act (CCPA), just to name a few, all protect \nprivacy without creating property rights. As Stanford Law Professor \nLothar Determann has said quite bluntly, ``no one owns data'' because \ndata are already ``subject to a complex landscape of access rights and \nrestrictions.''\\8\\ Privacy regulation already defines certain kinds of \nentitlements to control and contract upon data. Adding a superordinate \nproperty right on top of these existing restrictions would make the \nentire enterprise all that more complicated and undermine current \nefforts to grant consumers control. 
If data property rights were \nimplemented, for example, would an individual be able to limit critical \ninformation from being shared with credit rating agencies?\n---------------------------------------------------------------------------\n    \\8\\ See footnote 6.\n---------------------------------------------------------------------------\n    Determann isn't the only scholar of privacy who opposes \npropertization efforts. Technologist Larry Downes has been critical of \nthe idea and instead prefers the current licensing model since it \n``recognizes that most information with economic value is the \ncollaborative creation of multiple sources, including individuals and \nservice providers.''\\9\\ Law Professor Julie Cohen has argued against \nprivacy as property as well since it doesn't uphold the values of \nautonomy and participation that are so central to privacy.\\10\\ European \nlaw professor Bart Schermer agreed with Cohen when the issue was raised \nin 2015 as an alternative to the European Union's (EU) General Data \nProtection Regulation (GDPR), saying that ``Reducing the discussion \nabout privacy and personal data to a discussion about ownership \noversimplifies the discussion about privacy in the information society \nand may lead to sub-optimal results when it comes to regulating the use \nof personal data.''\\11\\ But Dr. Mark MacCarthy of Georgetown University \nsaid it best, laying out the world of data property rights as ``a \nprivacy nightmare rather than a privacy paradise.''\\12\\ As much as \nthere is disagreement in privacy advocacy and scholarship, there is \nconsistent agreement that propertizing data has serious limits.\n---------------------------------------------------------------------------\n    \\9\\ Larry Downes, ``A Rational Response to the Privacy `Crisis,' '' \navailable at: https://papers.ssrn.com/sol3/\npapers.cfm?abstract_id=2200208.\n    \\10\\ Julie E. 
Cohen, ``Examined Lives: Informational Privacy and \nthe Subject as Object,'' available at: https://\nscholarship.law.georgetown.edu/cgi/\nviewcontent.cgi?article=1819&context=fac\npub.\n    \\11\\ Bart Schermer, ``Privacy and property: do you really own your \npersonal data?'' available at: https://leidenlawblog.nl/articles/\nprivacy-and-property-do-you-really own-your-personal-data.\n    \\12\\ Mark MacCarthy, ``Privacy Is Not A Property Right In Personal \nInformation,'' available at: https://www.forbes.com/sites/\nwashingtonbytes/2018/11/02/privacy-is-not-a-property-right-in-personal-\ninformation/.\n---------------------------------------------------------------------------\n    Finally, pricing data, which is one stated goal of data property \nrights, will have deleterious effects on privacy expectations. As Jason \nAaron Gabisch and George R. Milne reported in the Journal of Consumer \nMarketing, ``The findings show that receiving compensation, especially \nwhen it is a monetary reward, reduces consumer expectations for privacy \nprotection.''\\13\\\n---------------------------------------------------------------------------\n    \\13\\ Jason Aaron Gabisch & George R. Milne, ``The impact of \ncompensation on information ownership and privacy control,'' available \nat: https://www.emerald.com/insight/content/doi/10.1108/JCM-10-2013-\n0737/full/html.\n---------------------------------------------------------------------------\nValuing Data\n    Four methods can be employed to value intangibles such as data: \nincome-based methods, market rates, cost methods, and shadow prices.\n    Most popular data valuations are accomplished through income \nderivations, often by simply dividing the total market capitalization \nor revenue of a firm by the total number of users. For those in \nfinance, this method seems most logical since it is akin to an estimate \nof future cash-flows. 
In a Wired article, for example, Antonio Garcia \nMartinez placed an upper bound of $112 on the value of data for users \nin the United States, citing Facebook's 2018 annual report.\\14\\ \nSimilarly, when Microsoft bought LinkedIn, reports suggested that it \nwas buying monthly active users at a rate of $260 per user.\\15\\ \nStanford Law Professor A. Douglas Melamed argued before the Senate \nJudiciary that the upper-bound value on data should at least be \ncognizant of the acquisition cost for advertisements--putting the total \nvalue per user at around $16.\\16\\\n---------------------------------------------------------------------------\n    \\14\\ Antonio Garcia-Martinez, ``No, Data Is Not the New Oil,'' \navailable at: https://www.\nwired.com/story/no-data-is-not-the-new-oil/.\n    \\15\\ James E. Short & Steve Todd, ``What's Your Data Worth?'' \navailable at: https://sloan\nreview.mit.edu/article/whats-your-data-worth/.\n    \\16\\ A. Douglas Melamed, ``Prepared Statement,'' available at: \nhttps://www.judiciary.\nsenate.gov/download/melamed-testimony.\n---------------------------------------------------------------------------\n    Still, these income-based valuations aren't exact estimates because \nthey are not capturing a user's ability to marginally earn revenue, \nwhich is where the price would be set. As noted before, inferential \ndata is the key for platform operators, as it drives advertising \ndecisions and helps determine what content is presented to users. Thus, \nthe ultimate value of a user's data would combine the value of that \nuser's data to increase all their friends' demand for content and the \nvalue of that user's data to contribute to increases in advertising \ndemand. 
Calculating marginal income valuations in this manner is \ndifficult, but Shapley values have been shown as a viable method \ntheoretically.\\17\\, \\18\\ Still, it remains unclear if firms would be \nable to implement this method on their platform.\\19\\ Needless to say, \nincome-based valuations are difficult.\n---------------------------------------------------------------------------\n    \\17\\ Amirata Ghorbani & James Zou, ``Data Shapley: Equitable \nValuation of Data for Machine Learning,'' available at: https://\narxiv.org/abs/1904.02868.\n    \\18\\ Eric Bax, ``Computing a Data Dividend,'' available at: https:/\n/arxiv.org/pdf/1905.01805.pdf.\n    \\19\\ While Bax has shown that Shapley values can be implemented in \npolynomial time, it is unclear if Shapley values that exhibit demand \ninterdependencies could be implemented in polynomial time as well.\n---------------------------------------------------------------------------\n    Second, market prices are another method of valuing data, and they \ntend to place the lowest premium on data. 
For example:\n\n  <bullet>  Vice recently reported that Departments of Motor Vehicles \n        across the United States have been selling individual records \n        for as little as one cent each;\\20\\\n---------------------------------------------------------------------------\n    \\20\\ Joseph Cox, ``DMVs Are Selling Your Data to Private \nInvestigators,'' available at: https://www.vice.com/en_us/article/\n43kxzq/dmvs-selling-data-private-investigators-making-millions-of-\ndollars?utm_campaign=sharebutton.\n---------------------------------------------------------------------------\n  <bullet>  Wired editor Gregory Barber sold his location data, Apple \n        Health data, and Facebook data, and all he got was a paltry \n        $0.003 for everything together;\\21\\\n---------------------------------------------------------------------------\n    \\21\\ Gregory Barber, ``I Sold My Data For Crypto, Here's How Much I \nMade,'' available at: https://www.wired.com/story/i-sold-my-data-for-\ncrypto/.\n---------------------------------------------------------------------------\n  <bullet>  After a breach at Facebook, Facebook logins were selling on \n        the dark web for $2.60 per user;\\22\\\n---------------------------------------------------------------------------\n    \\22\\ Dan Hall, ``Hackers selling Facebook logins on the dark web \nfor $2,'' available at: https://nypost.com/2018/10/01/hackers-are-\nselling-facebook-logins-on-the-dark-web-for-2/.\n---------------------------------------------------------------------------\n  <bullet>  Advertisers typically pay $0.005 for complete profile for \n        an individual;\\23\\\n---------------------------------------------------------------------------\n    \\23\\ Frank Pasquale, ``The Dark Market for Personal Data,'' \navailable at: https://www.\nnytimes.com/2014/10/17/opinion/the-dark-market-for-personal-data.html.\n---------------------------------------------------------------------------\n  <bullet>  
General information about a person, such as their age, \n        gender, and location is worth a mere $0.0005 per person, or \n        $0.50 per 1,000 people;\\24\\\n---------------------------------------------------------------------------\n    \\24\\ Financial Times, ``Financial worth of data comes in at under a \npenny a piece,'' available at: https://www.ft.com/content/3cb056c6-\nd343-11e2-b3ff-00144feab7de.\n---------------------------------------------------------------------------\n  <bullet>  Auto buyers are worth about $0.0021 per person, or $2.11 \n        for every 1,000 people;\\25\\ and\n---------------------------------------------------------------------------\n    \\25\\ Ibid.\n---------------------------------------------------------------------------\n  <bullet>  For $0.26 per person, buyers can access lists of people \n        with specific health conditions or taking certain \n        prescriptions.\\26\\\n---------------------------------------------------------------------------\n    \\26\\ Ibid.\n\n    In reviewing these estimates, The Financial Times noted that ``the \nsum total for most individuals often is less than a dollar.'' It is \nworth noting that sub $1 payments have been unprofitable for firms to \nprocess due to the fixed technical costs for developing the backend \narchitecture and hardware, storage costs for transaction integrity and \nlegal purposes, computational costs for processing payments, \ncommunication costs for information transfer, and administrative \ncosts.\\27\\\n---------------------------------------------------------------------------\n    \\27\\ Ioannis Papaefstathiou, ``Evaluation of Micropayment \nTransaction Costs,'' available at: http://web.csulb.edu/journals/jecr/\nissues/20042/Paper3.pdf.\n---------------------------------------------------------------------------\n    As with any market, it is important to pay attention to the \ndifference between the clearing price and the asking price. 
The \nbankruptcy proceedings for Caesars Entertainment, a subsidiary of the \nlarger casino company, offer a unique example of this problem. As the \nassets were being priced in the selloff, the Total Rewards customer \nloyalty program got valued at nearly $1 billion, making it ``the most \nvaluable asset in the bitter bankruptcy feud at Caesars Entertainment \nCorp.''\\28\\ But the ombudsman's report understood that it would be a \ntough sell because of the difficulties in incorporating it into another \ncompany's loyalty program. Although it was Caesars' asset with the \nhighest valuation, its real value to an outside party was an open \nquestion.\n---------------------------------------------------------------------------\n    \\28\\ Kate O'Keeffe, ``Real Prize in Caesars Fight: Data on \nPlayers,'' available at: https://www.wsj.com/articles/in-caesars-fight-\ndata-on-players-is-real-prize-1426800166.\n---------------------------------------------------------------------------\n    The Total Rewards example underscores an important characteristic \nof data: It is often valued within a relationship but is difficult to \nvalue outside of it. Within economics, there is a term for this \nphenomenon, as economist Benjamin Klein explained: ``Specific assets \nare assets that have a significantly higher value within a particular \ntransacting relationship than outside the relationship.''\\29\\ Asset \nspecificity helps to explain why there isn't an auction market for \npersonal data. 
It isn't the raw data that is in demand, but the \ninsights that can be gleaned from that data.\n---------------------------------------------------------------------------\n    \\29\\ Benjamin Klein, ``Asset specificity and holdups,'' available \nat: http://masonlec.org/site/files/2012/05/WrightBaye_klein-b-asset-\nspecificity-and-holdups.pdf.\n---------------------------------------------------------------------------\n    Third, data might be valued using cost-based methods, but this \nmethod also has shortcomings. Proxying the value of data by summing the \nsalaries of data analysts and the costs of data centers will likely \nunderestimate the value of data. Data is an intermediate product for \nother business processes. In practice, cost-based methods would \nprobably look like Shapley values anyway.\n    Last, data can be valued through shadow prices.\\30\\ For those items \nthat are rarely exchanged in a market, prices are often difficult to \ncalculate, so other methods are used to appraise what is known as the \nshadow price. For example, a lake's value might be determined by the \ntotal amount of time in lost wages and money spent by recreational \nusers to get there. Similarly, the value of social media data might be \ncalculated by tallying all of the forgone wages in using the site. A \nconservative estimate from 2016 suggests that users spend about fifty \nminutes a day on Facebook properties.\\31\\ Since the current \naverage wage is about $28, this calculation indicates that people \nroughly value the site by about $8,516 over the entire year.\\32\\ A \nstudy using data from 2016 using similar methods found that American \nadults consumed 437 billion hours of content on ad-supported media, \nworth at least $7.1 trillion in terms of foregone wages.\\33\\\n---------------------------------------------------------------------------\n    \\30\\ Anthony E. Boardman, David H. Greenberg, Aidan R. Vining, & \nDavid L. 
Weimer, Cost Benefits Analysis Concepts and Practice.\n    \\31\\ James B. Stewart, ``Facebook Has 50 Minutes of Your Time Each \nDay. It Wants More.'' available at: https://www.nytimes.com/2016/05/06/\nbusiness/facebook-bends-the-rules-of-audience-engagement-to-its-\nadvantage.html.\n    \\32\\ Bureau of Labor Statistics, ``Average hourly and weekly \nearnings of all employees on private nonfarm payrolls by industry \nsector, seasonally adjusted,'' available at: https://www.bls.gov/\nnews.release/empsit.t19.htm.\n    \\33\\ David S. Evans, ``The Economics of Attention Markets,'' \navailable at: https://www.competitionpolicyinternational.com/the-\neconomics-of-attention-markets/.\n---------------------------------------------------------------------------\n    Shadow prices can also be calculated through surveys, which is \nwhere this method gets particularly controversial. Depending on how the \nquestion is worded, users' willingness to pay for privacy can be wildly \nvariable. Trade association NetChoice worked with Zogby Analytics to \nfind that only 16 percent of people are willing to pay any price for \nonline platform service.\\34\\ Strahilevitz and Kugler found that 65 \npercent of email users, even though they knew their email service scans \nemails to serve ads, wouldn't pay for an alternative.\\35\\ As one \nseminal study noted, ``most subjects happily accepted to sell their \npersonal information even for just 25 cents.''\\36\\ Using differentiated \nsmartphone apps, economists were able to estimate that consumers were \nwilling to pay a one-time fee of $2.28 to conceal their browser \nhistory, $4.05 to conceal their list of contacts, $1.19 to conceal \ntheir location, $1.75 to conceal their phone's identification number, \nand $3.58 to conceal the contents of their text messages. 
The average \nconsumer was also willing to pay $2.12 to eliminate advertising.\\37\\\n---------------------------------------------------------------------------\n    \\34\\ NetChoice, ``American Consumers Reject Backlash Against \nTech,'' available at: https://netchoice.org/american-consumers-reject-\nbacklash-against-tech/.\n    \\35\\ Lior Strahilevitz & Matthew B. Kugler, ``Is Privacy Policy \nLanguage Irrelevant to Consumers?'' available at: https://\npapers.ssrn.com/sol3/papers.cfm?abstract_id=2838449.\n    \\36\\ Jens Grossklags & Alessandro Acquisti, ``When 25 Cents is too \nmuch: An Experiment on Willingness-To-Sell and Willingness-To-Protect \nPersonal Information,'' available at: https://www.econinfosec.org/\narchive/weis2007/papers/66.pdf.\n    \\37\\ Scott J. Savage & Donald M. Waldman, ``The Value of Online \nPrivacy,'' available at: https://static1.squarespace.com/static/\n571681753c44d835a440c8b5/t/5735f456b654f9749a4af\nd62/1463153751356/The_value_of_online_privacy.pdf.\n---------------------------------------------------------------------------\n    In all, there is no one single way to estimate the value of data, \nand none of them is particularly easy to implement.\nThe Impact of New Privacy Laws\n    Regardless of the path that is taken, new privacy laws will have \nboth direct and indirect impacts on the economy, best seen in the wake \nof the GDPR and estimates from the CCPA. First, privacy regulation will \nforce firms to retool data processes, known as refactoring, to comply \nwith new demands. This refactoring is generally a one-time fixed cost \nthat raises the cost of all information-using entities. Second, the \nregime will add risk compliance costs, causing companies to staff up to \nensure compliance. 
Finally, privacy laws change the investment dynamics \nof the affected industries, as the market shifts to account for the \nnewly expected returns.\n    Currently, the retooling costs and risk compliance costs are going \nhand in hand, so it is difficult to determine the costs of each. Still, \nthey are substantial. A McDermott-Ponemon survey on GDPR preparedness \nfound that almost two-thirds of all companies say the regulation will \n``significantly change'' their informational workflows. According to \nthis survey, the average budget for getting to compliance tops $13 \nmillion. The International Association of Privacy Professionals \nestimated that GDPR will cost Fortune 500 companies around $7.8 \nbillion, and these won't be one-time costs since ``Global 500 companies \nwill be hiring on average five full-time privacy employees and filling \nfive other roles with staff members handling compliance rules.'' A PwC \nsurvey on the rule change in Europe found that 88 percent of companies \nsurveyed spent more than $1 million on GDPR preparations, and 40 \npercent more than $10 million.\n    Refactoring and compliance costs are adding up for CCPA as well. \nCalifornia's standardized regulatory impact assessment (SRIA) for CCPA \ncalculated the total costs at $55 billion, which is nearly 1.8 percent \nof the total gross State product.\\38\\ The range of affected firms is \nmassive. On the bottom end of the estimate, 15,643 businesses could \nfeel an impact. On the top end, 570,066 companies will have to come \ninto compliance with the law. 
Most alarming, the authors conclude that \n``economic impact of the regulations on these businesses located \noutside of California [that serve California consumers] is beyond the \nscope of the SRIA and therefore not estimated.'' If something akin to \nthe California law were applied to the United States, the Information \nTechnology and Innovation Foundation estimated the cost at $122 billion \nper year.\\39\\\n---------------------------------------------------------------------------\n    \\38\\ Berkeley Economic Advising and Research, ``Standardized \nRegulatory Impact Assessment: California Consumer Privacy Act of 2018 \nRegulations,'' available at: http://www.dof.ca.gov/Forecasting/\nEconomics/Major_Regulations/Major_Regulations_Table/documents/CCPA_\nRegulations-SRIA-DOF.pdf.\n    \\39\\ Alan McQuinn & Daniel Castro, ``The Costs of an Unnecessarily \nStringent Federal Data Privacy Law,'' available at: https://itif.org/\nsites/default/files/2019-cost-data-privacy-law.pdf.\n---------------------------------------------------------------------------\n    Finally, privacy laws will surely change the investment and market \ndynamics in countless industries. When the EU adopted the e-Privacy \nDirective in 2002, Goldfarb and Tucker found that advertising became \nfar less effective, which reverberated throughout the ecosystem as \nventure capital investment in online news, online advertising, and \ncloud computing dropped by between 58 to 75 percent. In Chile, for \nexample, credit bureaus were forced to stop reporting defaults in 2012, \nwhich was found to reduce the costs for most of the poorer defaulters, \nbut raised the costs for nondefaulters. Overall the law led to a 3.5 \npercent decrease in lending and reduced aggregate welfare. Early \nresearch on the GDPR has also found drops in investment. 
While much \nsmaller than the United States, EU venture funding decreased by \n39 percent while the total number of deals saw a 17 percent \ndrop.\\40\\\n---------------------------------------------------------------------------\n    \\40\\ Jian Jia, Ginger Jin & Liad Wagman, ``The short-run effects of \nGDPR on technology venture investment,'' available at: https://\nvoxeu.org/article/short-run-effects-gdpr-technology-venture-investment.\n---------------------------------------------------------------------------\nConclusion\n    The dilemma for this Committee and others within Congress is hardly \nenviable. America's privacy pandect is complex, making difficult the \ntask of creating new laws to enhance consumer privacy. While there is \nmuch disagreement in the privacy community, there is widespread \nagreement that data property rights are an unwieldy way of doing \nthings. There should be no delusions, however, about the impacts. There \nwill be serious costs involved with any new law. As Seth Godin once \nremarked, ``The art of good decisionmaking is looking forward to and \ncelebrating the tradeoffs, not pretending they don't exist.'' That is \nsage advice for any privacy legislation.\nTechnical Appendix\n    One way to understand this bargain is through the Grossman-Hart-\nMoore model, which considers a relationship between two risk-neutral \nparties, a buyer and a seller, or B and S. For this exercise, let's \nassume that the buyer of the data, B, is the platform, and the seller \nof the data, S, is the user, and again let's just work with the \nsingular transaction. As such, the platform buys data, which is an \nintermediate good, from the users to create a final output. The value \nof the final good is V(e), which is contingent on e, a variable for the \ninvestment into the process by the platform. 
Similarly, the cost of the \nintermediate good is C(i), which is contingent on the investment, i, in \nthe process conducted by the user.\n    There are two periods. In the first period, each party undertakes \nsome kind of investment and in the second period, they decide to trade \nat a specific price, p. If they don't end up trading, they can turn to \nothers and do so. A key assumption of this model is that the \ninvestments in the first time period are not contractible.\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Because the parties will have to bargain over how to split the \ntotal surplus, each will get half of the benefits from their \ninvestment. See Aghion and Holden (2011) for further details on the \nNash bargaining.\\41\\ Thus, each party will underinvest relative to the \nfirst best.\n---------------------------------------------------------------------------\n    \\41\\ Philippe Aghion & Richard Holden, ``Incomplete Contracts and \nthe Theory of the Firm: What Have We Learned over the Past 25 Years?'' \navailable at: https://www.aeaweb.org/articles?id=10.1257/jep.25.2.181.\n---------------------------------------------------------------------------\n    If the parties instead have vertically integrated, the result is \nslightly different. If, say, B controls the total gains from the \nproduction processes, then B will invest at their first best level \nwhile S will underinvest. Similarly, if S were to own total gains, then \nS will invest at their first best, while B will underinvest.\n    This model yields some interesting insights. It is important to \nnote that, like the rest of the literature in this space, the \ninvestment elasticities are key. Since S, or users, have extremely \ninelastic investment decisions, that is, they don't change that much \nwith the possibility of B appropriating them, it is the case that B \nshould own the total gains.\n    This makes sense in the case of platforms. 
The investment that \nmatters the most lies in the inference data of the platform. Users have \nindeed tried to sell their own ``investment,'' but these transactions \ndon't yield much. Moreover, the relative investments speak to why data \nownership efforts are likely to fail. Since the marginal returns for \nany user S are much higher when a platform B controls both, as compared \nto when users simply ``own their data,'' independent ownership is \nlikely to lead to inefficient gains for all sides.\n                PREPARED STATEMENT OF MICHELLE DENNEDY *\n---------------------------------------------------------------------------\n    * Statement is an excerpt from The Privacy Engineer's Manifesto. \nMichelle Dennedy, Jonathan Fox, & Thomas R. Finneran (2014). Apress.\n---------------------------------------------------------------------------\n                Chief Executive Officer, Drumwave, Inc.\n                            October 24, 2019\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n\n RESPONSES TO WRITTEN QUESTIONS OF SENATOR JONES FROM JEFFREY \n                             RITTER\n\nDiscrimination\nQ.1. In the Banking Committee, we often discuss discrimination \ninvolving loans and housing. As technology helps companies \nbecome more sophisticated it is easier to put in place \ndiscriminatory policies. Are there protections currently in \nplace that prevent data discrimination by race, gender, or \nreligion? If not, what methods should Congress consider to \ndecrease discrimination within data?\n\nA.1. Discrimination of any nature, whether by machine or by \nhuman conduct, is the result of two actions. First, an \nindividual or class is assigned a classification. It does not \nmatter if that assignment is accurate; what matters is that the \nclassification is paired or linked to the individual or class. 
\nSecond, rules are constructed, and applied, which differentiate \nbetween classes in the allocation or availability of benefits \nor the imposition of sanctions.\n    When business is conducted through machines, both of these \nactions require specific inputs. A classification scheme must \nbe composed, and the rules must be authored to expressly rely \nupon the classification scheme. Both the scheme and the rules \nmust be inputted into the machine in order for any application \nor process to execute consistently with the scheme and the \nrules.\n    To prevent discrimination, I suggest the key is to prohibit \nthe use of classification schemes and, in turn, prevent those \nschemes being used to associate a classification with an \nindividual or class. It is not sufficient to prohibit \ndiscrimination; Congress must enable regulators to be able to \ninspect the operating systems of those companies and financial \ninstitutions within their purview and affirmatively confirm the \nabsence of the classification schemes or their connections to \nindividuals or classes.\n    Of course, if any institution wishes to establish and \nadminister discriminatory policies, and not be caught doing so, \nthen either the scheme or the rules can be cleverly designed. \nAs just one example, rather than discriminate explicitly based \non race, ZIP Codes or housing locations were historically \nintroduced as a classification scheme that was not expressly \nracial, but still advanced the intended policies of those \nseeking to discriminate.\n    Therefore, diligence will be required from the regulators \nto also evaluate the relevant rules. Unfortunately, \ndiscriminatory rules will often be embedded into decision \nalgorithms that require competent analysis to both recognize \nand sanction inappropriate rules. 
Therefore, Congress must \nauthorize suitable funding to both recruit, train, and support \ncompetent professionals capable of conducting the required \nanalysis.\n    Whether we like it or not, effective nondiscrimination \nregulatory frameworks in the 21st century will require \nincreased transparency and real-time availability of the \noperating data of regulated entities to regulators. While much \nprogress has been made, particularly in SEC-regulated areas, \ntoward those outcomes, Congress must recognize that \nnondiscrimination regulatory frameworks will not be effective \nwithout increased transparency and real-time data availability.\n    Given the global nature of competition, the United States \nmust recognize that limiting governmental oversight of \nfinancial institutions will impair their trustworthiness in \nlarger markets, handicapping both their strength in entering \nnew non-U.S. markets, as well as attracting and retaining \ncustomers within the United States who increasingly find the \nstronger privacy-based oversights under which foreign \ninstitutions operate to be more appealing.\nData Privacy\nQ.2. So much of data privacy is having the choice to share \ninformation. For example, many people find targeted ads to be \ndisturbing and others find it serves as a helpful reminder. How \nshould policymakers consider different preferences as they \nwrite legislation on personal data privacy and how it is used?\n    Many services require information from one site to be \nshared to another in order for the consumer to have access to \nthe website's services. Sometimes this information sharing is \nhelpful and makes the website more user friendly, but sometimes \nthe data shared does not have any obvious benefits to the \nconsumer.\n\nA.2. In my oral statement and written testimony, I advocated \nfor the principle that we must answer the question: who owns \ndata information? 
During the hearing, we did not address the \nmany technology innovations which are advancing (and, most \nnotably, almost without exception, outside the United States) \nthat allow individuals greater exercise of control over their \ndata. ``Control'' is the digital equivalent of ``possession'' \n(as in ``possession is 9/10th of the law'') and, by enabling \nindividuals to gain control of their data, they are aligning \nthemselves with the essential basis for ownership to be \nasserted. And, in doing so, the individual can then better \nassert and exert their preferences on the use of their personal \ninformation.\n    To date, individuals have enabled the collection, use and \nsharing of their information without much protest. But the real \ndeficiency has been the absence of the technologies that allow \nthe individual to exercise their control.\n    While in many instances, such as a patient arriving at a \nhospital in an ambulance, data ownership is not relevant to \nsecuring the appropriate medical care. But in commercial \nengagements such as those involving data sharing between \ndifferent companies to gain access, having the technologies to \nexercise control will be vital and appropriate for use.\n    Rather than attempting to regulate specific preferences \nconsumers may or may not assert, I urge Congress to put in \nplace the regulatory foundation for enabling consumers to own \ntheir information and, in turn, exercise the appropriate \ncontrols on how that data can be used.\n\nQ.3. I am concerned that Congress will enact data privacy \nlegislation but then websites will deny access to consumers for \nsimply not approving sharing their data. Should consumers be \ndenied access for not approving data sharing?\n\nA.3. This is an entirely appropriate concern but one for which \nI strongly believe there is no basis.\n    In the 21st century, data is becoming a different type of \ncurrency. 
In virtually every transaction, whether commercial or \nconsumer-oriented, the ``buyer'' and ``seller'' are negotiating \nto establish equivalent value for what each is offering to the \nother. Since data is a new kind of property, it has become part \nof that valuation discussion. So, moving forward any \ntransaction involves calculating the values for goods, services \n(such as access to a website), money, and data.\n    If a business conditions access on a consent to data \nsharing, that is just one variable that the consumer can \nconsider. The great thing about the internet is its capacity to \nfoster competitive alternatives. While we view the big tech \ncompanies as big, we overlook how well competitive alternatives \n(such as Alibaba in China) developed. So, if consumers have \noptions on how to access web-based services, where a competitor \nmay offer different ``terms'' for data sharing, that is a \ntremendous, positive outcome.\n    Indeed, I would encourage companies that wish to condition \naccess on data sharing to do so, in order to foster the \nenvironment where competition can arise.\n    From the consumer side, as anticipated in the proposed \nCalifornia regulations, it is also possible to imagine that \nadditional incentives might be offered to secure the consent of \na consumer to share their data--such as discounts, coupons, or \nadded services. Wouldn't it be great if consumers had choices \nin which their ``price-shopping'' among competitors might also \ninclude comparing the relevant values being offered to enable \ndata sharing.\n    If the overall value of access is ``worth'' data sharing, \nthat is entirely acceptable in my opinion. But it's critical to \nmake the affirmative decision to share part of the \nnegotiation--unlike today's environment. 
Alternatively, though \nI do not support this option, legislation and regulation could \nrequire any website that conditions access on data sharing to \noffer a more limited alternative that does not require data \nsharing.\n                                ------                                \n\n\nRESPONSES TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM CHAD A. \n                             MARLOW\n\nQ.1. In 2018, pharmaceutical company GlaxoSmithKline announced \na partnership with genetic testing kit company 23andMe. The \ncompanies touted the move as a step toward future scientific \nbreakthroughs and cures. But critics cautioned that the \ncompanies will just use this data for marketing and may put \ncustomers' genetic data at risk.\n\nQ.1.a. Should consumers be concerned that pharmaceutical \ncompanies have access to their personal genetic data?\n\nA.1.a. Yes. Personal genetic data contains highly sensitive \ninformation about the person from whom it was gathered.\n\nQ.1.b. How can we ensure that pharmaceutical companies are \nusing this data for the benefit of society and population \nhealth, for example to discover new treatments?\n\nA.1.b. The sharing of genetic data with third parties, such as \na pharmaceutical company, should be limited to only that which \nis essential to complete the transaction or other purpose for \nwhich the data was originally provided. 
Further, where such \ndata is shared by necessity, it should be mandated that the \ndata cannot be used or shared by the third-party recipient for \nany purpose beyond the essential one for which it was provided, \nand that it should not be retained any longer than is needed to \ncomplete the task for which it was provided, regardless of \nwhether the party in possession of the data is the original \nrecipient of the genetic material/data or a third-party \nrecipient.\n    Most importantly, even where the use of the genetic data \nmay be for a societally beneficial purpose, a well-designed \nprivacy law must empower people who provide their genetic \nmaterial to decide what their personally identifiable genetic \nmaterial, and the data derived therefrom, may and may not be \nused for. They must also be empowered to demand their genetic \nmaterial be destroyed, and the data derived therefrom be \nerased.\n    Providing a meaningful privacy right with respect to \ngenetic material and the data derived therefrom goes beyond \njust seeking individual consent to share it. The consent \nmandated by law must be fully informed, discretely requested \nand provided, and narrowly tailored, so that the granting of \npermission to use private genetic material/data for one purpose \nis not broadly construed to allow many additional uses that \nhave not, in the mind of the person sharing the genetic \nmaterial, been agreed upon. To that end, for example, \nrequesting permission in the body of a multi-page customer \nagreement or dense package insert is not sufficient and should \nbe prohibited. Assuming permission has been granted because a \nconsumer did not object (``opt-out permission'') is also not \nadequately protective of privacy. Consumers should have to \naffirmatively and clearly give specific permission for their \ngenetic material/data to be used for a purpose beyond that for \nwhich it was provided (``opt-in permission'').\n    A final point bears making here. 
The recent disturbing \nrevelation that Google, in a partnership with Ascension, the \nNation's second largest health system, has been gathering and \nsharing the personal health information of tens of millions of \npatients\\1\\ highlights the problem here. In defense of the \nprogram--called ``Project Nightingale''--Tariq Shaukat, the \nPresident of Industry Products and Solutions for Google Cloud, \nstated that the goal of the program was to ``help healthcare \norganizations like Ascension improve the healthcare experience \nand outcomes.''\\2\\ Even if this stated goal is accurate, it \nraises two critical problems. First, whether pursuing a \npositive societal goal is worth surrendering deeply personal \nhealth information is a decision that should be made by \nindividual patients, not by the companies seeking to collect \nand use their private health information. Federal laws need to \nbe adopted and revised to ensure the right of individuals to \ndecide if and how their genetic and other health information is \ncollected and used is clear, unequivocal, and not placed at \nrisk by unintended loopholes. Second, even if the patients' \nhealth information is collected by Google for a benevolent \npublic health purpose, there is no certainty that data will not \nalso be used for other purposes that have little or no \nconnection to public health. Federal privacy laws need to be \nadopted that protect personal privacy through real, enforceable \nlimits on when and under what conditions personal data can be \ncollected, retained, and shared, and a private right of action \nmust be provided to help individuals enforce those rules.\n---------------------------------------------------------------------------\n    \\1\\ https://www.wired.com/story/google-is-slurping-up-health-\ndataand-it-looks-totally-legal/.\n    \\2\\ https://cloud.google.com/blog/topics/inside-google-cloud/our-\npartnership-with-ascension.\n\nQ.1.c. 
If Congress were to pass legislation allowing \nindividuals to sell their own data, how should we think about \nthe implications of allowing an individual to sell their \ngenetic data?\n\nA.1.c. Persons already have the right to sell their personal \ndata, including their genetic data, so Congress does not need \nto pass legislation to provide that right. Congress should not \npass any data-as-property laws that have the effect of \nencouraging or persuading people to forgo their privacy and \nsell their data, as doing so would undermine existing and \nfuture privacy laws, especially among poorer Americans for whom \nit is very difficult to say no to additional income, even if \nthe amount promised is uncertain and likely to be small.\n\nQ.1.d. What rights should one individual have to share private \nhealth information that describes not only themselves, but also \ntheir family members?\n\nA.1.d. While genetic information contains sensitive information \nabout the person providing it, as well as their family members, \nindividuals have the right to share their own personal genetic \ninformation.\n\nQ.2. Equifax has repeatedly shown that it is not a proper \ncaretaker for consumer information. In the most recent example, \nEquifax was found to use the word ``admin'' as both password \nand username for a portal that contained sensitive information.\n\nQ.2.a. Do consumers have any recourse against companies like \nEquifax, companies that repeatedly place sensitive consumer \nfinancial information at risk?\n\nA.2.a. While some State data breach and data security laws may \nprovide some consumer recourse rights in this area, there is no \nbroad Federal law that provides such recourse rights to all \nAmericans. In cases where the handling or protection of \npersonal data is negligent, common law tools may provide \nrecourse. 
This question highlights why a comprehensive Federal \nprivacy law should include a robust private right of action.\n\nQ.2.b. How would a property rights in data regime change this \nsituation?\n\nA.2.b. While a strong Federal privacy law could help here, a \nproperty rights in data law would, if anything, undermine \nindividual privacy. Passing an unnecessary Federal data-as-\nproperty law would have the effect of encouraging people to \nsell their data, rather than to protect it. That would feed \ninto, rather than reduce, the risk presented by Equifax-type \ncompanies, especially for poorer Americans who will find it \nmore difficult to say no to selling away their private \ninformation.\n\nQ.3.a. It is important to recognize that consumer data outlives \nthe relationship with the institution that collects the data.\n    What happens to a consumer's data after a consumer \nterminates their relationship with an institution collecting \ntheir data? Does the company delete the consumer's data? Does \nit encrypt the data?\n\nA.3.a. There are no Federal laws that create universally \napplicable rules governing consumer data collection, retention, \ndeletion, or security. Each of these constitutes a major gap in \nprivacy protections that urgently needs to be addressed in a \nFederal data privacy law. A strong Federal data privacy law \nshould include a ``right of erasure,'' which is the right of \nindividuals to demand the personal data they furnished to a \ncompany be deleted when they terminate their relationship with \nthe company or at any other time upon their request.\n\nQ.3.b. Is there any uniform requirement that mandates \ninstitutions treat consumer data a certain way once a consumer \ndecides to no longer conduct business with an institution?\n\nA.3.b. There are no Federal laws that create universally \napplicable rules governing consumer data retention, deletion, \nor security once a commercial relationship ends or is \nterminated. 
Each of these constitutes a major gap in privacy \nprotections that urgently needs to be addressed in a Federal \ndata privacy law.\n\nQ.3.c. If the data collecting company is breached after the \nconsumer has terminated their relationship, is the consumer's \ndata still vulnerable?\n\nA.3.c. Yes.\n\nQ.3.d. To ensure consumer's data is protected, should consumers \nbe allowed to request their personally identifiable information \nbe made nonpersonally identifiable, after the consumer ends \ntheir business relationship?\n\nA.3.d. Yes, but Federal law should also give them the option to \nrequest their data be deleted.\n                                ------                                \n\n\n RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARREN FROM CHAD A. \n                             MARLOW\n\nQ.1. In your written testimony, you expressed concerns \nregarding the data-as-property model. Specifically, you \nmentioned that data-as-property model creates a ``hedge'' \nagainst potential future privacy laws enacted at the State and \nFederal level. Can you explain further how a data-as-property \nmodel could interact with current and potential future privacy \nlaws?\n\nA.1. Presently, with the exception of Federal laws governing \nfinancial, health, and children's data, and a few strong State \nlaws, there are very few barriers to prevent private, personal \ndata from flowing from individuals to data collectors to \nenumerable third parties. This has allowed the marketplace for \npersonal data to flourish at the expense of Americans' personal \nprivacy.\n    A strong Federal data privacy law, and strong State data \nprivacy laws, would interrupt this flow. Such laws, where \nadopted, are likely to end the corporate practice of collecting \nand sharing individual's private, personal information without \ntheir knowledge and meaningful consent. 
To that end, such laws \nmay and should empower individuals to decide what personal data \nof theirs may be collected and what may be shared. They may and \nshould empower individuals to demand the use of their data be \nlimited to the purpose for which it was collected. They may and \nshould empower individuals to demand their data be deleted \nafter the purpose for which it was collected is completed, or \nupon a deletion request by the consumer. They may and should \nempower individuals to make pro-privacy choices without being \npunished or otherwise disadvantaged compared to those who do \nnot. And they may and should empower individuals to directly \nsue those who violate their data privacy rights. Not all \nindividuals will take advantage of these privacy protections, \nbut many will. The result will be, in the absence of some \ncountervailing force, that the availability of personal data in \nthe marketplace, and the profits that can be made therefrom, \nwill be reduced.\n    The data-as-property model is a hedge against stronger \nprivacy laws because it seeks to use the levers of Government \npower to place that countervailing force directly in front of \nconsumers at the time they would be contemplating exercising \ntheir newly bestowed data privacy rights. Specifically, \nconsumers will be reminded of their right to sell their data \nand, more importantly, of the availability of companies that \nwill facilitate that sale and their receipt of a ``royalty \npayment'' for doing so. 
While the amount individuals will \nreceive for selling their personal information will not be \nstated, as it will be unknown at the time sales permission is \nsought, for Americans who are struggling to pay their bills or \nput food on their tables, the opportunity to earn any extra \nmoney--no matter how little and uncertain it may be--may be \nimpossible to refuse.\n    And so, even if tougher Federal and State privacy laws are \npassed, the ability to offer people financial incentives to not \nexercise those new rights will serve as an important hedge \nagainst those laws and as an effective way to undermine them, \nespecially when it comes to the most financially needy \nAmericans. These harms are a significant reason why data-as-\nproperty bills were rejected by every one of the 11 State \nlegislatures that considered them in 2019.\n\nQ.2. How could a company's incentives change under a data-as-\nproperty model with respect to the services they offer \nconsumers?\n\n  * Would companies be likely to change their business \n        models in certain circumstances to target consumers of \n        different income levels?\n\n  * Would these potential responses conflict with \n        recent State and Federal efforts regarding privacy? If \n        so, how?\n\nA.2. It is difficult to imagine all the ways in which companies \nmight adjust their business models under a data-as-property \nregime. Could we see startup companies and existing tech giants \nracing to serve as the ``transaction agents'' for personal data \nsales so they can capture the substantial revenues to be made \ntherefrom? Perhaps. Could we see companies paying more money \nfor the\npersonal data of wealthy individuals compared to poorer \nindividuals because the former would be less likely to consent \nto selling their data for trivial sums of money? Perhaps. 
Could \nwe see companies investing huge sums of money in advertising \ncampaigns to encourage individuals to sell their personal \ninformation? Perhaps. Could we see a system emerge where \ncorporate data re-sellers and purchasers make huge profits off \nthe sale of personal data, but very little trickles down to the \nindividuals who actually sell their private, personal \ninformation? Perhaps.\n    In the end, the question to ask isn't about if the data-as-\nproperty model would conflict with recent Federal and State \nprivacy efforts, but rather if it would undermine them. To \nthat, for the reasons discussed in my answer to your first \nquestion, the answer is an unequivocal yes.\n\nQ.3.a. What are the potential tracking requirements that would \nneed to be put in place with a data-as-property model?\n\nA.3.a. The data-as-property model is based on the premise that \npeople should get paid when their data is sold and re-sold. To \ndo that, an elaborate tracking and monitoring system would need \nto be deployed. That system would have two major components. \nFirst, it would require some sort of unique, universal tracking \nnumber be attached to all personal data. This is needed to \ntrack data as it moves through the virtual world so sellers can \nascertain if permission to sell the data has been granted, if \nany limitations have been placed on its sale, and so the person \nwho originally sold the data can get paid. It is possible that \nall data will need to be tagged with a tracking number, so \npotential sellers can determine if sales permission has been \ngranted or denied, and so they know who to request permission \nfrom where it has not been granted. The use of these tracking \nnumbers as a unique identifier would have serious negative \nimpacts on data privacy and online anonymity. Second, it would \nrequire a comprehensive system of data monitoring to ensure \nthat payments that are due are actually made. 
Other than \nproceeding through a weak honor system--because it is easy to \ncopy data and elude tracking--it is hard to imagine how it \nwill be possible to ensure payments are made and how to avoid \nthe development of a black market for commission-free personal \ndata. Undoubtedly, companies that track data and facilitate \n``royalty'' payments will charge fees for their services that \nmay leave little compensation left for those who sell their \npersonal information.\n\nQ.3.b. How would such a model function in the absence of those \nrequirements?\n\nA.3.b. It could not.\n\nQ.4. You have advocated for Congress passing strong privacy \nlaws in lieu of a data-as-property model. What would you \nconsider to be the key elements of a strong privacy law?\n\nA.4. At a minimum, a strong Federal privacy law should:\n\n  1) Place limits on how personal information can be \n        collected, used, and retained. Legislation must include \n        real protections that consider the modern reality of \n        how people's personal information is collected, \n        retained, and used. The law should limit the purposes \n        for which consumer data can be used,\n        require purging of data after permissible uses have \n        completed, prevent coercive conditioning of services on \n        waiving privacy rights, and limit so called ``pay for \n        privacy'' schemes. A well-designed Federal privacy law \n        would empower people to choose what degree of privacy \n        they want for themselves. To make this right \n        meaningful, it must go beyond just seeking individual \n        consent. 
The consent mandated by law must be fully \n        informed, discretely requested and provided, and \n        narrowly tailored, so that the granting of permission \n        to transfer one's data to one third party for a \n        specific purpose is not broadly construed to allow many \n        additional transfers and uses that have not, in the \n        mind of the person sharing the data, been agreed upon. \n        To that end, for example, requesting permission in the \n        body of a multi-page user agreement is not sufficient \n        and should be prohibited. Assuming permission has been \n        granted because a consumer did not object (``opt-out \n        permission'') is also not adequately protective of \n        privacy. Consumers should have to affirmatively and \n        clearly give specific permission for their data to be \n        used for any purposes beyond that for which it was \n        provided (``opt-in permission'').\n\n  2) Not prevent States from putting in place stronger \n        consumer protections or taking enforcement action. Any \n        Federal privacy standards should be a floor--not a \n        ceiling--for consumer protections. The ACLU strongly \n        opposes legislation that would, as some industry groups \n        have urged, preempt stronger State laws. Such an \n        approach would put existing consumer protections, many \n        of which are State-led, on the chopping block and \n        prevent additional consumer privacy protections from \n        ever seeing the light of day. We also oppose efforts to \n        limit the ability of State Attorneys General or other \n        regulators from suing, fining, or taking other actions \n        against companies that violate their laws.\n\n  3) Contain strong enforcement mechanisms, including a \n        private right of action. Federal privacy legislation \n        will mean little without robust enforcement. 
Thus, any \n        legislation should grant greater resources and \n        enforcement capabilities to the FTC and permit State \n        and local authorities to fully enforce Federal law. To \n        fill the inevitable Government enforcement gaps, \n        however, the ACLU urges Congress to ensure that Federal \n        legislation also grants consumers the right to sue \n        companies for privacy violations.\n\n  4) Guard against discrimination in the digital ecosystem. \n        Existing Federal laws prohibit discrimination in the \n        credit, employment, and housing context. Any Federal \n        privacy legislation should ensure such prohibitions \n        apply fully in the digital\n        ecosystem and are robustly enforced. In addition, we \n        urge Congress to strengthen existing laws to guard \n        against unfair discrimination, including in cases where \n        it may stem from algorithmic bias.\n                                ------                                \n\n\n  RESPONSE TO WRITTEN QUESTION OF SENATOR SINEMA FROM CHAD A. \n                             MARLOW\n\nQ.1. Opponents of the data-as-property model argue the user is \nnot the sole creator of data and therefore does not deserve \nsole ownership. This argument is underpinned by the belief that \ndata is a joint-creation of the user and platform because the \nplatform creates an environment and technology to process the \ndata. Most Arizonans are not aware when data brokers collect \ntheir data and typically find out when they search their own \nnames and find information about themselves, accurate or \notherwise. How would data brokers' practices be treated under a \ndata-as-property model? Would this model provide recourse to \nArizonans who wish to address inaccuracies in the personal \ninformation data brokers choose to sell?\n\nA.1. 
To your first question, data-as-property laws would allow \nconsumers to choose to have their data sold to third parties, \nsuch as data brokers, or to not have it sold; however, strong \nFederal data privacy laws could establish this same right \nwithout advancing a profit-driven system that influences and \nencourages persons to sell their data--an approach that would \nhave a particularly deleterious effect on persons with greater \nfinancial needs.\n    A well-designed Federal privacy law would give people \ncontrol over their information and empower people to choose \nwhat degree of privacy they want for themselves. In the \nscenario presented here, that would mean empowering people to \nchoose whether or not their private information is sold or \nshared by the original collector with third parties such as \ndata brokers. To make this right meaningful, it must go beyond \nthe broken ``inform and consent'' model that currently \ndominates the technology sector. The consent mandated by law \nmust be fully informed, discretely requested and provided, and \nnarrowly tailored, so that the granting of permission to \ntransfer one's data to one third party for a specific purpose \nis not broadly construed to allow many additional transfers and \nuses that have not, in the mind of the person sharing the data, \nbeen agreed upon. To that end, for example, requesting \npermission in the body of a multi-page user agreement is not \nsufficient and should be prohibited. Assuming permission has \nbeen granted because a consumer did not object (``opt-out \npermission'') is also not adequately protective of privacy. 
\nConsumers should have to affirmatively and clearly give \nspecific permission for their data to be used for any purposes \nbeyond that for which it was provided (``opt-in permission'').\n    To your second question, the data-as-property model \ncontains no right for consumers to request the correction of \ninaccurate information about them, but such a right could be \nincluded in a comprehensive Federal privacy law.\n                                ------                                \n\n\n RESPONSES TO WRITTEN QUESTIONS OF SENATOR JONES FROM CHAD A. \n                             MARLOW\n\nDiscrimination\nQ.1. In the Banking Committee, we often discuss discrimination\ninvolving loans and housing. As technology helps companies \nbecome more sophisticated it is easier to put in place \ndiscriminatory\npolicies. Are there protections currently in place that \nprevent data discrimination by race, gender, or religion? If \nnot, what methods should Congress consider to decrease \ndiscrimination within data?\n\nA.1. Existing Federal laws prohibit discrimination in the \ncredit, employment, and housing context. However, our existing \ninfrastructure is insufficient to safeguard against \ndiscrimination in the digital world for several reasons.\n    First, many online providers have been slow to fully comply \nwith Federal antidiscrimination laws--and in many cases \nplaintiffs face challenges in getting the information necessary \nto raise discrimination claims. For example, Facebook recently \nsettled a lawsuit brought by ACLU and other civil rights \norganizations amid allegations that it discriminated on the \nbasis of gender and age in targeting ads for housing and \nemployment.\\1\\ The lawsuit followed\nrepeated failures by the company to fully respond to studies \ndemonstrating that the platform improperly permitted ad \ntargeting based on prohibited characteristics, like race, or \nproxies for such characteristics. 
The company is also now the \nsubject of charges brought by the Department of Housing and \nUrban Development (HUD), which includes similar allegations.\\2\\\n---------------------------------------------------------------------------\n    \\1\\ ACLU, Facebook Agrees to Sweeping Reforms to Curb \nDiscriminatory Ad Targeting Practices (Mar. 19, 2019), https://\nwww.aclu.org/news/facebook-agrees-sweeping-reforms-curb-discriminatory-\nad-targeting-practices.\n    \\2\\ Complaint of Discrimination Against Facebook, FHEO No. 01-18-\n032308, https://www.hud.gov/sites/dfiles/Main/documents/\nHUD_v_Facebook.pdf.\n---------------------------------------------------------------------------\n    Second, there have been efforts to weaken existing laws in \nways that would make it more difficult to address algorithmic \ndiscrimination. For example, HUD recently proposed amending the \nexisting Disparate Impact Rule, codified at 24 C.F.R. Sec. \n100.500, to make it more difficult for plaintiffs to raise \ndiscrimination claims based on disparate impact. Among other \nthings, the Proposed Rule would allow a defendant to avoid \nliability for using an algorithmic model that \ndisproportionately excludes members of protected classes if the \ndefendant can prove one of three defenses, any of which will \noperate as a complete defense, with no opportunity for a \nplaintiff to prove the existence of less discriminatory \nalternatives to achieve any legitimate business objectives.\n    Third, our existing laws need to be expanded to address \ndigital discrimination that occurs outside the housing, credit, \nand employment context. For example, commercial advertisers \nshould not be permitted to offer different prices, services, or \nopportunities to individuals, or to exclude them from receiving \nads offering certain commercial benefits, based on \ncharacteristics like their gender or race. 
And regulators and \nconsumers should be given information and tools to address \nalgorithms or machine learning models that disparately impact \nindividuals on the basis of protected characteristics.\n    Federal law must be strengthened to address these \nchallenges. First, Federal privacy law should make clear that \nexisting antidiscrimination laws apply fully in the online \necosystem, including in online marketing and advertising. \nFederal agencies that enforce these laws, like HUD, the EEOC, \nand the Consumer Financial Protection Bureau, should be fully \nresourced and given the technical capabilities to vigorously \nenforce the law in the context of these new forms of digital \ndiscrimination. In addition, companies should be required to \naudit their data processing practices for bias and privacy \nrisks, and such audits should be made available to regulators \nand disclosed publicly, with redactions if necessary to protect \nproprietary information. Finally, researchers should be \npermitted to independently audit platforms for bias, and \nCongress should not permit enforcement of terms of service that \ninterfere with such testing.\nData Privacy\nQ.2.a. So much of data privacy is having the choice to share \ninformation. For example, many people find targeted ads to be \ndisturbing and others find it serves as a helpful reminder. How \nshould policymakers consider different preferences as they \nwrite legislation on personal data privacy and how it is used?\n\nA.2.a. Privacy is not a condition to be imposed upon \nindividuals, but a right to be meaningfully provided. That \nmeans a well-designed privacy law would empower people to \nchoose what degree of privacy they want for themselves. 
In the \nscenario presented here, that would mean empowering people to \nchoose if they want to allow their personal data to be \ncollected and used to provide them with targeted ads or if they \ndo not.\n    But providing a meaningful right goes beyond just seeking \nindividual consent. The consent mandated by law must be fully \ninformed, discretely requested and provided, and narrowly \ntailored, so that the granting of permission to use private \ninformation for one purpose is not broadly construed to allow \nmany additional uses that have not, in the mind of the person \nsharing the data, been agreed upon. To that end, for example, \nrequesting permission in the body of a multi-page user \nagreement is not sufficient and should be prohibited. Assuming \npermission has been granted because a consumer did not object \n(``opt-out permission'') is also not adequately protective of \nprivacy. Consumers should have to affirmatively and clearly \ngive specific permission for their data to be used for any \npurposes beyond that for which it was provided (``opt-in \npermission'').\n    In addition, the law should be made unambiguously clear \nthat the data cannot be used to discriminate against users. At \na minimum, with respect to targeted advertising, discriminatory \npractices that are prohibited in the physical world should be \nequally prohibited on the internet.\n\nQ.2.b. Many services require information from one site to be \nshared to another in order for the consumer to have access to \nthe website's services. Sometimes this information sharing is \nhelpful and makes the website more user friendly but sometimes \nthe data shared does not have any obvious benefits to the \nconsumer.\n\nA.2.b. The vast majority of data sharing among web sites takes \nplace for the purpose of advertiser-driven consumer tracking--\nsomething polls find Americans remain deeply uncomfortable with \nbut feel helpless to stop. 
Where the sharing of data with third \nparties is genuinely necessary for providing a service \nconsumers find useful, such sharing should be limited only to \ndata that is essential to complete the transaction or other \npurpose for which it was\noriginally provided. Further, where such data is shared by \nnecessity with a third party, it should be mandated that the \ndata cannot be used or re-shared by the third-party recipient \nfor any purpose beyond the essential one for which it was \nprovided. Beyond that, should Federal law put strong opt-in \nprivacy protections in place, data should be sharable beyond \nthe purpose for which it was originally provided if--and only \nif--the user-provider has given clear, well-informed, and \ndiscrete opt-in consent.\n\nQ.3. I am concerned that Congress will enact data privacy \nlegislation but then websites will deny access to consumers for \nsimply not approving sharing their data. Should consumers be \ndenied access for not approving data sharing?\n\nA.3. This is an important concern. Privacy rights will be of \nlittle value if individuals who choose to exercise them can be \npunished or denied benefits for doing so. Federal law should \nprotect those who elect to exercise their privacy rights by \nprohibiting companies from denying service, providing worse \nservice, or charging higher prices to those who exercise their \nprivacy rights, as well as prohibiting them from providing \nbetter service, lower prices, or other benefits to those who do \nnot exercise their privacy rights.\n                                ------                                \n\n\n  RESPONSES TO WRITTEN QUESTIONS OF SENATOR WARREN FROM WILL \n                            RINEHART\n\nQ.1. In your written testimony, you mentioned that creating a \nproperty right for data could make it more difficult for \nconsumers to control their data. 
Can you provide further detail \nregarding how a data-as-property model could interact with \nprivacy protections in current laws, such as the Fair Credit \nReporting Act?\n\nA.1. Response not received in time for publication.\n\nQ.2. Your written testimony also discusses the different \nmethodologies to value data.\n\n  - How could information asymmetry between companies \n        and consumers impact the valuation of data under the \n        different methods you described?\n\n  - Under any of the models you mentioned, do you \n        believe that customers will have the ability to \n        determine the value of their data before a given \n        transaction?\n\nA.2. Response not received in time for publication.\n\nQ.3. How could a company's incentives change under a data-as-\nproperty model with respect to the services they offer \nconsumers?\n\n  - Would companies be likely to change their business \n        models in certain circumstances to target consumers of \n        different income levels?\n\n  - Would these potential responses conflict with \n        recent State and Federal efforts regarding privacy? If \n        so, how?\n\nA.3. Response not received in time for publication.\n                                ------                                \n\n\n   RESPONSES TO WRITTEN QUESTIONS OF SENATOR JONES FROM WILL \n                            RINEHART\n\nDiscrimination\nQ.1. In the Banking Committee, we often discuss discrimination \ninvolving loans and housing. As technology helps companies \nbecome more sophisticated it is easier to put in place \ndiscriminatory policies. Are there protections currently in \nplace that prevent data discrimination by race, gender, or \nreligion? If not, what methods should Congress consider to \ndecrease discrimination within data?\n\nA.1. Response not received in time for publication.\nData Privacy\nQ.2. So much of data privacy is having the choice to share \ninformation. 
For example, many people find targeted ads to be \ndisturbing and others find it serves as a helpful reminder. How \nshould policymakers consider different preferences as they \nwrite legislation on personal data privacy and how it is used?\n    Many services require information from one site to be \nshared to another in order for the consumer to have access to \nthe website's services. Sometimes this information sharing is \nhelpful and makes the website more user friendly but sometimes \nthe data shared does not have any obvious benefits to the \nconsumer.\n\nA.2. Response not received in time for publication.\n\nQ.3. I am concerned that Congress will enact data privacy \nlegislation but then websites will deny access to consumers for \nsimply not approving sharing their data. Should consumers be \ndenied access for not approving data sharing?\n\nA.3. Response not received in time for publication.\n                                ------                                \n\n\n    RESPONSES TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM \n                        MICHELLE DENNEDY\n\nQ.1. It is important to recognize that consumer data outlives \nthe relationship with the institution that collects the data.\n\nQ.1.a. What happens to a consumer's data after a consumer \nterminates their relationship with an institution collecting \ntheir data? Does the company delete the consumer's data? Does \nit encrypt the data?\n\nQ.1.b. Is there any uniform requirement that mandates \ninstitutions treat consumer data a certain way once a consumer \ndecides to no longer conduct business with an institution?\n\nQ.1.c. If the data collecting company is breached after the \nconsumer has terminated their relationship, is the consumer's \ndata still vulnerable?\n\nQ.1.d. 
To ensure consumer's data is protected, should consumers \nbe allowed to request their personally identifiable information \nbe made nonpersonally identifiable, after the consumer ends \ntheir business relationship?\n\nA.1.a.-d. Response not received in time for publication.\n                                ------                                \n\n\n RESPONSES TO WRITTEN QUESTIONS OF SENATOR JONES FROM MICHELLE \n                            DENNEDY\n\nDiscrimination\nQ.1. In the Banking Committee, we often discuss discrimination \ninvolving loans and housing. As technology helps companies \nbecome more sophisticated it is easier to put in place \ndiscriminatory policies. Are there protections currently in \nplace that prevent data discrimination by race, gender, or \nreligion? If not, what methods should Congress consider to \ndecrease discrimination within data?\n\nA.1. Response not received in time for publication.\nData Privacy\nQ.2. So much of data privacy is having the choice to share \ninformation. For example, many people find targeted ads to be \ndisturbing and others find it serves as a helpful reminder. How \nshould policy makers consider different preferences as they \nwrite legislation on personal data privacy and how it is used?\n    Many services require information from one site to be \nshared to another in order for the consumer to have access to \nthe website's services. Sometimes this information sharing is \nhelpful and makes the website more user friendly but sometimes \nthe data shared does not have any obvious benefits to the \nconsumer.\n\nA.2. Response not received in time for publication.\n\nQ.3. I am concerned that Congress will enact data privacy \nlegislation but then websites will deny access to consumers for \nsimply not approving sharing their data. Should consumers be \ndenied access for not approving data sharing?\n\nA.3. 
Response not received in time for publication.\n\n              Additional Material Supplied for the Record\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                            [all]\n\n</pre></body></html>\n"