Rachel Nemeth 

Alright, good afternoon everyone. My name is Rachel Nemeth, and I'm Director of Regulatory Affairs at the Consumer Technology Association, and today we're here to talk about innovation and privacy. Recently, concerns about privacy are growing and government is considering some new privacy laws. In this panel, we're going to discuss how data powers innovation and what we should do to protect consumers information. So right now I'm going to have the panelists will just go down the row and each introduce themselves. And tell us a little bit about who you are, where you where you work, and what your current role and how your current role relates to data and privacy.

 
Maureen Ohlhausen 

Great. Well, thank you, Rachel, for having me and to my co panelists. I think it's going to be a great discussion. I'm delighted to be at CES again. So I'm Maureen Ohlhausen. I am the co chair of the anti trust group at the law firm Baker Botts. And I also lead all their privacy work, and until recently, I was at the Federal Trade Commission. I was a commissioner, an acting chair and I spent a lot of time working privacy issues and innovation issues. And having the intersection of any trust and competition law with privacy and data, I think has just really been allowed me to focus on where these two, you know, things can either go together or collide, which is innovation and privacy protection.

 
Khaliah Barnes 

Right. Thank you. Certainly. So thank you so much, Rachel, to the consumer Technology Association for hosting this very timely panel. I'm Khaliah Barnes, a Privacy and Public Policy Manager at Facebook where I focus on us privacy, federal and state legislation. By way of background I've spent my career over the last almost decade dedicated to privacy. I started off at the Electronic Privacy Information Center epic where I focused on consumer rights. And then I joined the US Department of Justice Office of privacy and civil liberties where I advised God components on their legal obligations and policy considerations concerning privacy. So I bring that aspect to the NGO perspective and the federal government perspective to my work every day at Facebook as we work to influence public policy and legislation. And as we engage with governments and consumer groups and academics and regulators. The work that our team focuses on is to support the creation and development of strong, consistent global privacy regulations. Mark talked about this actually last year, and an op ed, and from our perspective, it's important to offer consistent privacy protections, no matter where you are, be at the US, eu, Brazil or wherever we offer our products and services.

 
Christi Barnhart 

Thank you very much. I am very excited to be here at CES and on This all female panel. I had the opportunity to take a tour before coming to this panel and from connected diapers to connected cars and AI and everything. I can't emphasize I think the importance of considering privacy and consumer privacy in our daily lives. My name is Christi Barnhart. I am the senior telecom and Technology Council for Senator Brian Schatz, who is on the Commerce Committee and the ranking member of the telecom subcommittee. In my position, I work on all tech and telecom issues that are that come through our office and as was just mentioned in the previous panel, which basically includes almost everything since everything has technology in it these days. And the senator has been very forward thinking on privacy introduced the data Care Act last year and then reintroduced it right before Christmas of this year with 16 co sponsors, and which it's, you know, provides some expectations on companies and how they use consumer data and happy to talk about that later in this panel. And we are also one of the original co sponsors on with senators Cantwell, and Marquis and closure on the consumer online Privacy Act, which provides new privacy rights for consumers. And so I think this is a very interesting and engaging time and again, thanks for inviting me to be here.

 
Evelyn Remaley 

Thank you, Rachel. So good to be here. Thank you for having NTIA join you today. Evelyn Remaley I'm with the National Telecommunications and Information Administration, which is a mouthful. So we are often known as just NTIA and Tia is the president advisor by statute on Information and Technology Policy issues. So we work on every digital policy issue that hits the federal government can all agree that what we see here at CES this week, lots of policy issues that we're grappling with their and keeping us busy. privacy, security. Those are my emphasis areas that I bring to the team. I've been working on these policy issues for over 20 years within Washington. And again, I like to say about NTIA that we like to have our cake and eat it too. And so I love the title of today's panel, wanting to have both innovation and privacy and not to sacrifice. And that's really what we do at NTIA, we try to work on those solutions that will help us to have a successful thriving market, but to address the public policy issues facing us, our society at the same time so looking forward to this very interactive discussion today. Thanks.

 
Rachel Nemeth 

Thank you. And I love having such a wide variety of voices represented again on our all women's panel. So my first question is I'll direct to Maureen, when you were the acting Chair of the Federal Trade Commission, you were in a leading role with the agency that has that that plays such a big part in US privacy policy. Now, a lot of attention is rather than being at the national level, it is at the state level, specifically in California. Would you like to give us some background about the history of the Federal approach to privacy and potentially how that relates to what's happening now with the state's

 
Maureen Ohlhausen 

Sure happy to talk about that. Everyone thinks kind of privacy got born somehow, you know, with the consumer internet, but it actually goes way back before that. And things like the Fair Credit Reporting Act. When that was passed, you look at the congressional debates going back then very similar kinds of issues or bring being brought forward. People were saying, there are big computers decisions are being made about me regarding my information. And I don't know, you know how to what's going on there. And so eventually came up with the Fair Credit Reporting Act. There's a bunch of other federal statutes as well. And then there's the very general FTC act which prevents unfair and deceptive acts or practices in reflecting commerce. So the FTC has long enforced a variety of privacy types of statutes. I mentioned the Fair Credit Reporting Act as well as one example. But under the FTC Act, the agency, particularly once the internet became a consumer oriented experience and channel really started to apply that those prohibitions on deception and unfairness To the online space, why was that the FTC when we brought our first online privacy case against geo cities, which was a deception case, and the FTC has brought hundreds of privacy related cases using this very general authority. So if your company makes a promise about how it uses, collects or shares data and breaks that promise, that's a deception. violation where if a company uses data in a way that harms consumers, causes a substantial harm that the consumer can't reasonably avoid. And that's not outweighed by benefits to competition or consumers. The FTC could bring an unfairness action and so that's generally you know, we're all familiar, I think, with HIPAA and some other you know, GLB, and some other specialized rules. So, those were the approaches that the US Federal privacy law had used for for a number of years. But as data's become ever more important as these issues about you know, What about data uses and privacy and sharing? And then we're seeing GDPR. We're seeing California. What's the state of play today? And I think we've come to a point where there is a general sense that we need a new federal privacy law. And the Federal Trade Commission has come out in support of a federal privacy law. And much of it, from what I've seen from what Congress has put forward is kind of modeled on some of this Fair Credit Reporting Act approach, which is about having, you know, the data can be used, it can be bent, you know, used to create new products and provide services to consumers. But consumers have some rights, consumers have rights to know what kind of data they have companies have about them, and to correct it and to say, Oh, you can't share it under certain circumstances. So I think kind of the state of play right now. From the federal standpoint is, you know, I always say the FTC did a pretty good job with the tools that it had. But it's time for some new tools. And Congress is really beginning to have some very serious discussions about what those tools look like.

 
Rachel Nemeth 

Thank you. Now, Khaliah. Maureen just mentioned the California consumer Privacy Act as well as Europe's general data protection regulation. I'm just wondering if if you'd like to share with us what do you see as the privacy and data security landscape now and going forward this year at the state level?

 
Khaliah Barnes 

Certainly. So at Facebook, we are really encouraged to see that privacy legislation is such a hot topic, and that there are meaningful proposals coming forward. It's something that we've been calling for for quite some time now. And also one of the reasons why we support comprehensive federal privacy legislation. Now if we are looking at the privacy Data Security landscape at the state level, we're seeing a lot of activity and expect to see even more activity going forward. And I would say that these bills would largely follow three key themes. The first is that some states will take a cue from the ccpa, like we saw with New York, or Nevada, or the GDPR, like we saw in Washington State last year and introduced similar bills. But importantly, these bills are not identical to the original. They vary in scope, applicability and implementation. Number two, we're going to see states taking a cue from the federal level, like the New York bill that would require companies to act as data fiduciaries to consumers, which Christy is familiar with as senator shots that she was saying has introduced similar legislation at the federal level. And third, it's likely that we will see Some states introduce issue specific legislation, like the smart device legislation in Illinois. Now, while it's favorable that you see a lot of legislation that is codifying robust rights, as marine was discussing, what this is creating is an overall fragmentation at the state level. And the end result of that is it makes it difficult for companies of all sizes, to understand their obligations and to implement effective controls and processes. Strong, comprehensive federal privacy legislation is the best way to ensure clear and consistent consumer privacy rights and clear company obligations. And we are so encouraged by the proposals that we're seeing at the federal levels and They have robust individual rights and company obligations and strong enforcement mechanisms, which is wonderful because this aligns with global standards like the GDPR.

 
Rachel Nemeth 

Thank you. And now, speaking of this cheerleading for a federal privacy legislation, Christie, would you like to talk a little bit more about the consumer online privacy rights act that you mentioned earlier?

 
Christi Barnhart 

Sure. So, as I mentioned a little bit ago and my previous comment a second. We we along with senators Cantwell and Marquis and Clovis Shar introduce the consumer online Privacy Act, which would provide strong protections for consumers and additional privacy rights. And included in that bill was the aspects of the fiduciary duty that we had just mentioned, that would provide Consumers with some rights about how their data is being used in alignment with the expectations that they provided it for. And you know marinas right. The majority of Americans want privacy regulation. 79% believe that it should be a priority of Congress to to create new privacy laws. And another staggering statistic was that six and 10 Americans feel like they're they can't get around their data being collected every day when they're due. They're when they do their day to day activities. So it's a real concern from Americans. And I think that the consumer online Privacy Act provides that strong protection that consumers are asking for. And I think that's the important part that it has to be. It has to provide it has to provide adequate protection for consumers. And so when we think about different stages providing different different protections in each state. We want to ensure that we are meeting the needs of consumers of where they are and what they feel their needs are and not creating a watered down privacy law, that although provides some ubiquity, it doesn't meet the needs consumers and their privacy concerns.

 
Rachel Nemeth 

Now switching gears a little bit from the legislation conversation, I'd like to ask Evelyn a little bit about the activities that NTIA has been working on the last year. So in the privacy realm.

 
Evelyn Remaley 

Sure, absolutely. And at NTIA, we've been working very closely within the administration and I crossed it on this issue. And let me just start by saying you know, again, being at CES this week and being out on the floor, I think we can all agree that the privacy issue is really on the tip of everyone's tongue. This is a now issue a today issue. Everyone is tuned into it. And I would say, at NTIA, we're, we're so encouraged by all of the activity that's occurring to within NTIA at the end of 2018. We did a request for comment out to all stakeholders on this very important issue. And we received back over 200 responses actually over 2000 pages, I think of content on this very important issue. So it's very clear that there is a lot of engagement, a lot of investment, a lot of interest and digging in and moving towards solutions on this problem. We have been since we collected that data. We have been analyzing it and sharing it within with our interagency colleagues and having those continued conversations although the administration has not come out publicly with a statement on this It's very focused on wanting to make sure that what comes out is something that's appropriate for today's economy. But again, we're here talking about innovation as well as privacy today, something that is going to stand the test of time, as we see all this great innovation at CES, to make sure that where we're going with rules and controls and best practices, is also going to be appropriate for the next economy that's emerging too. So there's a lot of emphasis about getting it right. Wanting to understand all of the the various sides of things. There was a lot of consensus in the comments that we received around issues such as preemption, you know, wanting, there's a lot of consensus that there should be some sort of federal action. And then, you know, there were lots of different ideas about how you get there. So I think again, The administration is continuing to look at this as well as all of the dialogue is continuing. So we think it's very healthy as as we're moving closer to movement on this. Right.

 
Christi Barnhart 

I just add one thing to, I mean, going on what what Evelyn said. I mean, I think it's obvious when you look at the floor at CES, and you just think about where we have come that technology is will always move faster than our legislature ever will. And I actually think that's a good thing. But I, the concern is, is though when we're thinking about a privacy regulation, we need to ensure that it is strong and enforceable, but it also has an element of future proof. And that it can that the FTC will have the opportunity to take a look at new innovations as they come down the pike and recognize whether or not they're the privacy is being used in a way that is compliant with what the consumer expectation is. So, you know, I think when we marry innovation and privacy, we need to continue to think about how do we ensure privacy of not just today, but also that the agency has the tools that it needs to ensure the privacy of consumers for tomorrow.

 
Rachel Nemeth 

Right. So that's actually a good segue into looking at some of the commonalities and differences in some of the emergency emerging privacy laws, both at the state level and looking at GDPR. And some of the Federal legislative proposals. What do you all see as the rights that a federal law should include when looking at privacy rights for the consumer, but also, what what do you think your love might not have to include in order to foster innovation?

 
Maureen Ohlhausen 

I think one of the important things is and Christy mentioned that is for data to be used in a way that's consistent with consumer expectations. And based on the sensitivity of the data that's being collected and used and shared. What we don't want is a system that causes a lot of burdens on consumers and burdens on businesses for no great benefit. I think, you know, every consumer expects that I'm giving you my address, you can ship me that sweater. Right, that, that I bought it and that, you know, a certain amount of information isn't particularly sensitive. If it's combined with other things that makes it sensitive, then, you know, consider that but not sort of overloading consumers with a lot of, you know, check the box consent kind of things. So I think I think that's really important that it that it be keyed in that regard. I also think focusing a lot on how you know, formation is conveyed to consumers. One One of the benefits, I think of having a uniform federal law could be then starting to create like a better sort of simpler privacy kind of notice or systems. That's more that's more uniform, because I think that could be beneficial for for consumers as well. One of the other things, we're talking about innovation, and I often look at it in terms of competition law, as well is also making sure that we're not creating a system that only entrenches the big players, because they're the only ones who can meet all the requirements and keep up with his new law. You know, state laws Come on, and that might be conflicting, and they might have all these different things. Look, it's great for law firms. I'll tell you that right. You know, I'm in private practice now. And you know, all this, you know, swirling things, it's

 
Maureen Ohlhausen 

like, oh, yeah, terrific. you need you need help with this and this and this and this because who knows what's gonna happen, but that's not so good for first month. Businesses that's not so good for startups. And that's one of the things that we saw with GDPR. And I think it was very predictable, which is GDPR is very regulatory. I think it's very bureaucratic. And one of the documented effects of GDPR is it has pushed some of the smaller players, particularly ad tech space out of the market, because they just simply couldn't comply. So So those are some of the kinds of issues that I would look at context, sensitivity of data and burdens on all businesses.

 
Khaliah Barnes 

And I'd like to say in addition to the issues that marine highlighted, I mean, at a baseline we look at privacy legislation having the three core tenants I mentioned earlier, strong individual rights, the right to access a men delete port, your data, also company obligations and robust enforcement, and we're seeing some of these themes in federal legislation. We think some of them are quite promising. So concepts like data security as a baseline data minimization, also the role of the FTC with the FTC approved codes of conduct for for a variety of companies. So these are some of the tenants that we are seeing, and we're looking forward to seeing more of those. And that was actually thinking about something else when we're talking about accountability. Because this is a big part of federal legislation that companies have to be accountable. And we're seeing lots of calls for privacy impact assessments, and auditing. And that's something that, you know, consumers may not immediately grasp the importance of but it really shifts the culture within a company.

 
Rachel Nemeth 

So speaking of the FTC, the agency recently undertook a comprehensive set of hearings on Competition and Consumer PR touchin for the first time in about 25 years. So I'm just wondering from this group, what you all think about the FTC his role in the technology marketplace and how it may have evolved since the last time the FTC held such comprehensive ear hearings? And what were some of the key themes you noticed during this recent effort?

 
Maureen Ohlhausen 

Well, I mean, the FTC, these were a comprehensive set of hearings. And the last time they did that, I think was in the 90s, under a chairman buttowski. And these were a global set of hearings. But of course, they've done lots of workshops and hearing some things about specific things, lots of reports and along the way, but I think looking at particularly in the privacy area, the the idea about the importance of data to competition, and to consumers, I think was really paramount. And this question of, does the agency have sufficient tools at this point, does it one of the challenges that with privacy is the ability to have the incentives in the right place for companies to take appropriate precautions. And, you know, the FTC if, up till now, if a company violated a rule, like the children's online Privacy Protection Act, or a pre existing order, then they could the agency could get money redress penalty, but otherwise, it was a couldn't unless the consumer was out of pocket for money. And so when I was the chairman, whatever case we brought the question, so as Where's the money? Where's the money? Well, you know, in privacy, it's like, well, it's very hard to put a, you know, a money value on that. So one of the challenges and I think this came out in the hearings, was disabled to put the incentives in the right place, the FTC should be given the ability to get civil penalties for first time violation and some of the things that I've seen The statute, the proposals that I think is really a great idea is also to create to use that money to create a redress fund for consumers. So, so those were I think some of the ideas that came out of these hearings. On the antitrust side, I think there's also the, you know, this sort of look at looking at what are the tools the agency has? How do we how should the agency take data and privacy into an anti trust analysis? That those remain to be addressed? But I think, certainly on the we've seen outcomes from the hearings on some of the privacy thinking at the agency already.

 
Rachel Nemeth 

Great. And what did Facebook and other industry players think of the hearings and what sorts of results were you happy to see?

 
Khaliah Barnes 

Certainly. So we found the hearings to be quite informative, and we thought it was great that the FTC convened a large swath of experts to explore these very important issues. One of the themes that arose From the panel on the FTC, his approach to consumer privacy was the role that the FTC can play in shaping comprehensive federal legislation. And, and that the FTC has a role in doing so. And we would agree. The order that we reached with FTC in July goes beyond current US law. And we hope that it becomes a model for the rest of industry concerning greater accountability mechanisms, especially at the most senior levels. So for us, we now have quarterly certifications that our privacy controls are working the way that we say that they're going to work and if we discover problems are working to fix those. The particularly interesting aspect of this accountability mechanism is that it stops at Marc's desk. He has to personally verify that we are doing what we said we're going to do. So this accountability mechanism, the order has been a catalyst for a shift. In our culture, the order isn't is not yet finalized. But we're not waiting for it to be finalized. We are turning a page, we are getting the work done now. And it has shifted in the culture. Everyone at Facebook knows that privacy is a priority. And we're all dedicated to getting it right. So we were happy to see a theme of the FTC rule and helping shape that and hope that it becomes a model for the rest of industry.

 
Rachel Nemeth 

And now turning to our government colleagues at the end of the day is how, how were each of your offices can consulted during the FTC hearing process or what were the results and how do you see a path forward in terms of working together?

 
Christi Barnhart 

Was marine mentioned, a lot of the discussions that were held, particularly during the FTC hearings are discussions that we're continuing to have now as we talk about privacy legislation, enforcement notice and choice. What whether accountability, who should who should be the one certified making the certification of your privacy policies, which are conversations we've had several times. And so I think all of the different activities at the FTC have been a part of the conversations as we've continued to think through and debate, you know, privacy policy, and I think the conversations at the FTC hearings also show that there is a not a silver bullet to any of these solutions. And that when you think about a private See regime overall, a tweak here on this issue has impacts over here on this regulation. And so when you think about privacy legislation and what you want your privacy policy to be or privacy legislation to be, you have to have a you have to be thinking at the granular level, but also, you know, at the 10,000 foot level to think about what the end goal is. And so it's it all of these have all of the all the FTC work has been a very helpful input on ours.

 
Evelyn Remaley 

And I'll just add that the processes are process and the FTC process were happening very close together in time. And so as you can imagine, we received many of the same comments in our process that also emerged in the FTC process, which you would expect and hope and was a very good thing, to have that reinforcement. You know, we heard the Such as, you know, lots of again, consensus around needing to go beyond noticing choice, that we need to move past that, obviously lots of consensus around the fact that the FTC is needed as that key enforcer. And so that that was a key aspect of what we heard that, you know, perhaps more authority, perhaps more resources in that area, but that they do play a key role. One thing I will say on the NTIA and Department of Commerce side that we're really looking at, and I think this builds on what Christy was saying. And what we talked about in the last response as well is that we're really also looking at risk based frameworks, right, because there isn't this silver bullet. And so our sister agency NIST has its draft risk based privacy framework that has emerged that's building on itself. Access on the Cybersecurity Framework. And why I think this is an important tool, as we're looking at what federal solutions might emerge as states are also acting and we're seeing on the international community act is that it helps to do that translation right between industry who, again, is creating all these new wonderful inventions. But we have a public policy issue of privacy that we want to address. Something like a risk based privacy by design framework, allows industry to incorporate those public policy, that thinking around how we need to protect privacy into how they think and a company writes about how we address risk within our company and think about the bottom line and how that translation can work. And so I think it's a really important tool, as we're continuing To have this to make a move towards solutions,

 
Maureen Ohlhausen 

I'd also like to put put in a plug for the NIST framework because they do such a good job of, you know, Christy, you mentioned this problem with future proofing things and the way rather than saying this is the, you know, end goal for all time, they have a process based approach that sort of said, you know, do you, you know, identify what data do you have, and how is it controlled? And how do you communicate that and where does it you know, it's just kind of breaks it down into a step by step approach that I think just makes it much more actionable for for company so I it's definitely something I refer to all the time in private practice.

 
Rachel Nemeth 

So a related question to looking at what NIST is doing and looking at this risk based approach. Let's talk a little bit about the relationship between privacy and security. I know specifically at the Department of Commerce, they they look at both privacy and security. So I don't know, Evelyn, if you'd like to talk a little bit

 
Evelyn Remaley 

more about Sure, absolutely. I mean, obviously, privacy security really both go hand in hand, we look at them holistically, each have their own aspects. But we look at this needing to work on them both at the same time and how they interrelate. And I will say one thing, you know, it's out Maureen has mentioned this several times, focus on the data, it's all about the data, right? data has become so important and so valuable to where our economy is going, where we're going as a society, for privacy, what we're doing with individual consumer data, but also just how we're using it for advancements and artificial intelligence and how we're looking to solve the future global problems that we have. So the data is so rich, and so we look at that holistically. Both how we need to secure it for Consumers for individuals, but then also for our larger national security goals. And so we really on the security side, we make sure that what we're doing there is focused on the ecosystem and it allows, again, flexibility, privacy controls and best practices to be layered in. One of the things that we've worked on with CTA actually, is how to combat botnets because botnets is something that affects consumer data, and it affects other data that's so essential to our economy as well. So we've worked with the private sector, CTA, our NIST again, the Department of Homeland Security, to build a roadmap for combating botnets, which has an ecosystem wide view. We've worked again with NIST and others, and CTA to come up with a baseline of best practices. For starting to build in security for IoT devices that are adding that additional layer of security risk to the ecosystem. So again, because we take that holistic ecosystem approach to how we do policy and how we're addressing both of these issues, it allows us to layer and, but also look at it holistically in terms of how we're addressing it from an economic as well as public policy perspective.

 
Rachel Nemeth 

Now, another issue that the FTC is reviewing has to do with the rules around children's privacy. And usually the agency reviews these rules about every 10 years, but they've just initiated a review a little bit ahead of that schedule to keep up with some technological changes in the marketplace. Do you all have any opinions about what issues are read for review or what the agency's goals should be during this process?

 
Maureen Ohlhausen 

One of the things that well couple of things that It that it's reviewing are there are new forms of what we would consider personal information. So we've got voice data, we've got, you know, facial recognition we've got, we have, we have things like that. And so that's one of the issues that they are looking at is how does the children's online Privacy Protection Act, which protects the data of children under the age of 13 basically says you have to get parental permission to collect personal information from children. So what's personal information and that was one of the things that when Congress passed the law kind of future proofing it. It set the line at the age, but gave the FTC the ability to update what was personal information. So that's one of the things that they're looking at. And the other thing in the children's online privacy protection act, it applies to companies that either you know that know that they're collecting information From children and, and typically it's well, either you have actual knowledge, or you have a site, or app or service that's particularly attractive to children. It's got cartoon characters and, and things and things like that. So. So the question, though, is, well, what about sites that our general audience sites at where they may know, like in the aggregate, well, if there's, you know, millions of people using this, some of they're going to be under the age of 13. So should there be a change in that that standard? So those are two to the issues that they're looking at. It's called the general audience provision. So those are two of the things that they're that they're looking at a had a workshop and they've had some interesting enforcement actions recently. So those those are some of the issues.

 
Christi Barnhart 

So, along with that, there's some potential legislation coming down from centers Holly and Marquis introduced a bill to to update copra and and and it follows a lot of the general views that I think that we are having as a as a community about that about children's engagement with online sources I think that children are watching more content online and are are participating in online more more than we been was expected and so the FTC is review is important. It's also important to take a look at those kids who are you know, 13 1415 years old. You know, I have three young children at home who they would be online all the time if their father and I let them thankfully we use it as a bribe, so they're not on me.

 
Christi Barnhart 

But the the the utilization that we see of the youngest members of our society is something that we need to be watching and in protecting them from as well as kids who are in those preteen years, who are often inundated with content that may not be appropriate for them. And that also need some guidance in this space. So Senator shots has been very supportive of these efforts. We think that we expect that there will be a companion children's update to children's privacy along with the existing privacy law that we have been working on. And so we look forward to working on that together.

 
Rachel Nemeth 

Right. So I have another question for our industry representative on the panel. How does Facebook use data to fuel innovation while also respecting users

 
Khaliah Barnes 

privacy? That's a really great question. So privacy is really at the heart of every Everything that we do. One recent example that we've used it recently relaunched our privacy checkup, so that people can see the information that they're sharing with us, and the information that they're sharing with others and for them to make various choices about that information, transparency and control underlying our strict commitment to privacy. So we encourage consumers to routinely look at the information that they're sharing and change it as they as they want to. And some of the themes that we're picking up on this panel that we want to be consistent with whenever there is privacy legislation that comes through and we hope that it will be soon that it will accommodate the evolving technology out there. We want legislation that can stand the test of time, and that can interoperate with innovative technology and whatever is coming out not the next year. years, three years, but 10 years down the line.

 
Rachel Nemeth 

Thank you. And now I've Maureen, I have another question for you. You alluded to this a little bit earlier. Now that you're back in private practice, what challenges are your clients seen when they seek to collect and use data?

 
Maureen Ohlhausen 

Well, I think a lot of it really comes from this uncertainty. So ccpa just went into effect couple days ago, right, January, January 1, there's still not entirely clear what some, you know, what the cell mean, what a you know, there's, there's a lot of different terms in there that still don't necessarily have a lot of clarity in them. So we've GDPR we've got ccpa what's next, right, what, what what's going to be happening? How do they compile their data? What can they do with it? What kind of consent do they need? What kind of notice? I mean, I think The uncertainty is one of the biggest challenges, particularly for big companies, you know, they they have the people, they have the resources, they can hire law firms, you know, to, to, to walk through this. But for some companies, you know, this is a very confusing time and they don't, you know, they don't kind of know where, you know where to look. So I think I think that's one of the biggest, the biggest challenges is, and that's, again, one of the reasons why I think, you know, a uniform federal privacy law, the time is really appropriate for that, because then, you know, the goal should be, I think, to give consumers, you know, a uniform set of protections. And, and the best way to get to that is to have, you know, a clear single uniform standard, because one of the big things that technology has done is its created one uniform one national market in the US and also something of a global market, but certain national market in the US, so to have a single standard for that, for all the companies that are engaging in that market and all the consumers that are engaging in that market, because consumers aren't necessarily sitting there saying, Well, I'm sitting in, you know, Las Vegas, but I'm contacting a site that's here, and they're going to ship from there. I mean, just kind of having uniformity and for all the different companies to because I think that we think about the big companies we think, you know, the Facebook's the Amazons, the Googles, you know, they Microsoft, saying they can figure this out, but for a lot of other companies, it's it's kind of very challenging time for them. And so I think that that's one of the big issues is like, you know, they just got over GDPR like what's next?

 
Rachel Nemeth 

So speaking of GDPR, and how the flow of data can go, literally anywhere. Evelyn, how does NTIA and the Department of Commerce look about? Look at international data flows.

 
Evelyn Remaley 

So this is something that NTIA works on quite extensively across with our Department of Commerce colleagues from ita NIST, obviously the Office of the Secretary, the entire organization is very focused. We, you know, work very closely. ita leads our Privacy Shield program. And we also have conversations in many other venues as well, to promote how we can have that type of recognition that not everyone is going to have the same laws that we do and just, you know, taking GDPR for an example. And again, I think this is another reason why we really need know that us what we heard from our stakeholders is that there is this desire for For us federal leadership, a federal solution because we are not the same as anyone else, right GDPR some aspects of that would actually potentially violate our First Amendment, for example. So these types of different problems. So one thing that we very much focus on at commerce is looking for those ways that we can have cooperation, recognize that others are going to have different nuances in their law, but ensure that we can keep those data flows going well, recognizing that others will be dealing with privacy in different ways. So that's a big emphasis. You.
 

Rachel Nemeth 

So, Christie, earlier you mentioned the privacy bill that your boss has been working with his colleagues on and I'm just wondering if privacy is an issue that you hear from the senators constituents about does it come up in town hall Do you get calls to your office about it from consumers?

 
Christi Barnhart 

Yes. I mean, to the extent that privacy is is a national issue, and that it's something that I think has gotten the notice of all members of Congress, including mine, the one that I work for senator shots. And I think, you know, when we think about privacy, the point that you just made was really, I think, a valuable one when we when we talk about what the GDPR is doing, versus what we're doing in the US. And I think the GDPR has been and also ccpa has been very helpful and that it's really focused the conversation on what federal privacy law works for us. And and before that, I think we talked about privacy at many times, in in kind of conceptual Now we're getting down to what does the actual legislation need to look at. And we look at templates that have been created. It's important to recognize as as Evelyn mentioned that that there is underlying law, right that these new privacy regulations sort of top on. Whereas we have the First Amendment, which is sacred in our country for and it's important that it is, but it also has impacts on privacy regulation and online content. Over in the EU, they have a right to privacy, which is something which is a concept that we don't have here. And so when we think about the international flows of information, it's it's helpful to think also to think about the contextual underpinnings and kind of the cultural norms there as well.

 
Christi Barnhart 

With regard to you know, as we look at the ccpa and how it influences federal legislation, I think that you know, we we Look at we have the my senator shots has looked at ccpa as well as the Commerce Committee. And I think the important part that we that we're taking from that is that we need to have some strong federal federal legislation on privacy, and that there are pieces of the ccpa that are work with that maybe should not be considered for me, maybe that should be considered the floor, not the ceiling, excuse me. And so as we think about where federal privacy legislation should go, I think that we are considering to think about what are those aspects of different of the state regulations and also international regulations that make sense for a federal law?

 
Rachel Nemeth 

So this is we are in the year 2020, which is an election year. And we all know that election years tend to be a little bit unpredictable. Is this potentially something related to data and privacy that could or that could be related to the conversation about data privacy and privacy regulations, or is there something else that could potentially happen that would really move the needle in this policy debate?

 
Maureen Ohlhausen 

Well, I mean, I would, I would say one of the things that so I testified at the hearing on the bill, and we had two discussion drafts out there, Republican and Democrat, and I was really encouraged by the great amount of common ground that there was there. So I think it's becoming, I don't think it's particularly a partisan issue. I mean, there might be about, you know, certain discrete parts of it. But I'm seeing really a lot more coming together and a lot more coming to the table than I've ever seen. In my many years of working in this field. We couldn't even get a data security bill that the FTC supported on a bipartisan basis passed a couple years ago and now data secure Just part of the bigger privacy, though. So So I think it's become something where consensus is is is building towards doing something that that both, you know, both Republicans and Democrats can can agree to. So sure at you know, anything could happen and make it an election year issue, but I see less partisanship in on this issue. Then we see see and many and certainly felt that at the hearing, it was a very engaged I thought all of the members were very engaged. They asked very substantive questions, real serious consideration, so many of them came and attended the hearing. So I thought all those were good signs about the continuing progress towards coming to you know, it's like if a bill is going to pass, you know, in this, you know, year it's going to have to be bipartisan because the Senate and the House or indifferent and are in different hands. But but I do think, as I said, it's an issue where we're getting a lot of like bipartisan agreement on, you know, not every detail, but on a lot of them.

 
Khaliah Barnes 

In addition to what marine shared, you know, everybody right now is focused on the ccpa. But there may be a ballot initiative that substantially changes the scope of the ccpa. And I think if that ballot initiative passes, that that will definitely move the policy needle. So I think that people's eyes will also be focused in that direction.

 
 

I think that will, I will thank you marine for thinking that were, you like the draft? So yeah, no, I think very encouraging.

 
Christi Barnhart 

Good, good. Um, I think that, you know, there will will continue to be interest in privacy legislation and a desire to get something done as evidenced. You know, as I said earlier, a large majority of Americans feel like privacy legislation should should be a priority of Congress. I think, though, as we see, additional states has privacy regulations that may have clauses that conflict with each other and will really create difficulties for companies to comply. Not that that is something that we want to have happen, but I think that will add some motivation to companies and to legislators to to for the for Congress to find a solution.

 
Evelyn Remaley 

And I'll just add to that, I was going to mention the fragmentation issue to again, I mean, I think they're very definitely observing very good motivation and progress and, but right I mean, that that's the fear Right to the fragmentation and the lack of clarity. And again, we're we're here to talk about how we have innovation and privacy. And we certainly don't want to lose the innovation piece. And that's kind of what the risk is. But it seems that there is awareness of what the stakes are. And so that there is some momentum to move closer to getting to that finish line. If I can pivot just a second to raise the security issue, as well, again, in the context of your question, I mean, I think, again, looking at overall digital policy, this is such an important piece at this particular time. You know, there's some husband some good progress on the security side, as we've seen with things such as the supply chain executive order that the administration put forth in all of these security movements as well also have that privacy aspect as well right at a more macro level, but being about winning To make sure that we're securing American Americans data, even if we're talking about at the ecosystem level. So you're seeing some good progress on the security side on some of these issues, areas that we've worked on for, you know, a decade plus. And I think the hope is that this is the privacy area is another one that that we can get close on at this time.

 
Rachel Nemeth 

A number of you mentioned the various state laws and the fragmentation that's already starting to happen. How many different states do you think will pass privacy bills this year? crystal ball.

 
Khaliah Barnes 

What I do know is that as I mentioned earlier, we will continue to see movement at the state level that legislative sessions already started and they're queuing back up. So to get to Christie's point, this may galvanize Congress to say how can we address this fragmentation to ensure consistent protections for consumers and consistent obligations for companies?

 
Maureen Ohlhausen 

At kinetic I mentioned one thing, which I find kind of rather ironic, which is one of the reasons behind GDPR was Europe is trying to create a single market. Right. And they had had the European data directive that each member state implemented in its own way. And they moved to GDPR to try to make a more uniform standard. And it would be very ironic if the effect of the GDPR would be in the US where we benefit. It's a huge benefit for us from generally having a national market and producing the online space for that to lead to fragmentation of markets. So it's kind of the Compare and contrast is kind of interesting there.

 
Rachel Nemeth 

So when are we doing To see the enactment of federal privacy legislation, again with the crystal ball,

 
Rachel Nemeth 

not to put the senate staff

 
Christi Barnhart 

so to Maureen's point, I think that there are a lot of areas where there is agreement. And I think that there are big you know, big areas, though, that we still need to come to some sort of compromise on and I think we know what they are right? private right of action preemption. My boss and I would include a duty of loyalty in that bucket as a central part. So federal privacy regulation. Both sides I think are committed to continuing to work these things out and I think that we are we have been working for together for year or more, and we will continue to keep working on that because of how important it is. And I want to I want to be clear that I don't think it's necessary that we have fragmented state regulation in order for Congress to move. I think, though, that the effect of that will make it more urgent and more pressing and may may make compromise easier by all parties. But, you know, at the staff level, we are continuing to work and meet and I'm going to say yes, we'll have private scene by 2020 in the 2020. year, so

 
Rachel Nemeth 

Well, on that positive note, I would like to thank our panelists. Thank you for joining us to talk about innovation and privacy.

CTATECH-PROD1