A bill that would allow consumers to sue Internet companies that mishandle their personal information moved a step closer to passage today, despite staunch opposition from Republicans and
business groups.
The Senate Commerce Committee voted 15-8 to approve legislation offered by committee Chairman Ernest "Fritz" Hollings (D-S.C.) that
would give consumers more control over how their personal information is used by Internet companies.
The bill would require companies to ask consumers' permission before collecting or sharing sensitive information such as medical records, financial data or religious affiliation.
The legislation also would preempt state privacy laws and allow consumers to sue companies that mishandle their personal data.
With the help of Republican Sens. Conrad Burns of Montana and Ted Stevens of Alaska, the panel managed to fend off attempts from
ranking Republican John McCain of Arizona and Sen. George Allen (R-Va.) to dilute the bill.
Concerned that the measure unfairly singles out online companies
with restrictive privacy regulations, McCain offered an amendment
that would have applied the same rules to bricks-and-mortar
companies.
While McCain's effort was defeated, new language in the bill
requires the Federal Trade Commission to devise a plan to apply the
same rules to offline companies. If the FTC fails to act within one
year of the bill's enactment, the online rules would apply to
bricks-and-mortar businesses.
The panel also killed several Allen amendments, including one that
would have barred consumers from suing companies that violate their
privacy policies. Echoing a criticism offered by many technology and
business groups, Allen said the litigation right would "open a
floodgate of class action lawsuits."
Hollings and other Democrats on the panel said legal liability
protections were needed to prevent another Eli Lilly fiasco.
Last year, the pharmaceutical giant accidentally disclosed e-mail
addresses of almost 700 Prozac users. Privacy groups had
pressed the FTC to impose fines on the company, but the commission
said it lacked the authority to exact such measures.
"All Eli Lilly got was a slap on the wrist," Hollings said. "Let's
have some real enforcement."
Under language included in the original version of Hollings' bill,
Eli Lilly would have been required to pay millions of dollars in
damages.
Yet, the draft of the bill approved today does contain some
important enforcement compromises. The revised bill lowers the
damages victims could seek from $5,000 per violation to $500 per
incident, and allows that level of damages only in cases where
companies fraudulently misrepresent their data collection and use
practices.
The measure also would exempt companies from civil lawsuits for
privacy violations, provided they are in compliance with an
FTC-approved self-regulatory agency - such as Truste or
BBBOnline - that meets the bill's baseline privacy principles.
Even with the last-minute changes, Hollings acknowledged that "a good
segment" of industry opposes his bill. Yet, he also shamed American
companies for their reluctance to offer their domestic customers the
same privacy protections they afford to European consumers via the U.S.-EU "safe harbor" agreement.
The Safe Harbor accord was drafted to help U.S. e-commerce and other
corporations comply with an EU policy that prohibits data transfers to companies that do not adhere to EU-style privacy policies.
"This sort of nonplusses me because 180 American businesses have signed up to provide Europeans virtually identical privacy
protections via Safe Harbor, yet they oppose this legislation ... which simply codifies industry's best practices on
the Internet," Hollings said.
The committee approved three largely non-controversial amendments,
including a measure that would exempt small Internet businesses from
the regulations.
But Senate lawmakers were prevented from considering other amendments before voting on the bill, after Senate Minority Leader Trent Lott (R-Miss.) invoked a procedural move to halt committee action.
Senate staffers privately concede that the Senate will take its time before scheduling a vote on the bill, now that committees
will begin spending more time on appropriations measures in the coming weeks.
Senate Republicans also are apt to employ other parliamentary tactics to stall the bill, though the Commerce Committee plans to try again on Friday to report the proposal to the Senate floor.
"I suspect that the implications of this bill may well lead to holds placed on it once it is reported," McCain said.
In the House of Representatives, Rep. Cliff Stearns (R-Fla.) has proposed a more industry-friendly privacy bill that would permit
businesses to trade consumer information unless consumers say otherwise.
