Mass. Legislators 'Dig In' on Data Privacy
It’s time for Massachusetts to pass a data privacy bill, agreed multiple legislators at a Joint Advanced Information Technology Committee hearing Thursday. But state lawmakers must decide between two proposals -- one (H-83/S-25) based on Congress’ American Data Privacy and Protection Act (ADPPA) and another (H-60) that’s more like laws in states including Connecticut and Virginia.
“Interoperability is key,” so TechNet favors H-60 -- especially if it's amended to be even more like other state laws, said Executive Director-Northeast Chris Gilrein. H-83 is the stronger, more enforceable bill, countered witnesses from American Civil Liberties Union (ACLU), Center for Democracy and Technology (CDT), Consumer Reports and the Electronic Privacy Information Center (EPIC). Passing the ADPPA-like bill in Massachusetts “would be a watershed moment for privacy,” said CDT Privacy & Data Project co-Director Eric Null.
“It is clear that Congress will not act anytime soon to implement reasonable data privacy protections, leaving it to the states to act,” said committee Senate Chair Michael Moore (D). Individuals now have little control of how data is maintained, used, shared or sold, and data breaches have become too common, he said. Noting 13 states have comprehensive data privacy measures, House Chair Tricia Farley-Bouvier (D) said lawmakers aim to “dig in to finalize” legislation in the weeks ahead: “Without passage of a data privacy law, we are putting our residents in quite a bit of danger.”
H-60 sponsor Daniel Carey (D) had hoped Massachusetts would “be one of the first five states” with a privacy law. “Now hopefully we can get into the top 15.” Carey didn’t want to copy Connecticut or the ADPPA, he said. “We should make the best law in the country.” Massachusetts can’t "wait around for the federal government to do this,” said Sen. Barry Finegold (D). H-60 and his companion bill S-227 takes the best ideas from other states but has more teeth than some of them, he said.
Don’t wait for Congress to act, agreed H-83 sponsor Rep. Andres Vargas (D). Basing a state bill on the bipartisan ADPPA will give companies a “head start” to comply with rules that the federal government might pass, he said. Co-sponsor David Rogers (D) warned, “You don’t search Google. Google searches you.” Bills can change through the legislative process, he said, but Massachusetts “really ought to do something.” Vargas and Rogers said their bill has a clearer data minimization mandate, plus more teeth due to its broader private right of action (PRA).
Moore and Farley-Bouvier asked witnesses about the broader PRA proposed in H-83. Both Massachusetts bills include state attorney general enforcement, but whereas H-83 allows private lawsuits on any violation of the proposed law, H-60 would allow them only when individuals’ personal data is breached because of a controller's failure to use reasonable cybersecurity controls.
A broad PRA "scares them more into compliance,” said EPIC Deputy Director Caitriona Fitzgerald. “If you're complying with the law, it shouldn't be an issue." She warned that Amazon and other big tech companies played a big role writing many other state laws. The PRA should cover every possible violation, agreed Emiliano Falcon-Morano, ACLU Massachusetts Technology for Liberty Program policy counsel. And H-83 is better than the other bill on data minimization and protecting sensitive information, he said. "Less data collected and processed means less that can be misused or abused."
TechNet supports enforcement solely by the state AG, said Gilrein. Attaching a PRA to an issue as complex as privacy could lead to big legal consequences for companies that mean to comply, which is what happened with the Illinois Biometric Information Privacy Act, he said. Even a limited PRA like in H-60 could lead to “test cases” that try to expand the right to sue through the courts, as seen in California, said the lobbyist.
Passing a bill akin to other New England states like Connecticut is better for companies in the region, said Alex Spyropoulos, Computer and Communications Industry Association northeast regional policy manager. Don’t call Connecticut’s law an “industry bill,” said Andrew Kingman, State Privacy and Security Coalition general counsel. It was negotiated for two years by stakeholders including many who testified Thursday on both sides of the aisle, he said.