May 07, 2019

Crapo Statement at Data Privacy Hearing

WASHINGTON – U.S. Senator Mike Crapo (R-Idaho), Chairman of the U.S. Senate Committee on Banking, Housing and Urban Affairs, delivered the following remarks at a hearing entitled: “Privacy Rights and Data Collection in a Digital Economy Hearing.” 


The text of Chairman Crapo’s remarks, as prepared, is below.  


“On February 13, Senator Brown and I invited feedback from the public on the collection, use and protection of sensitive information by financial regulators and private companies in light of the immense growth and use of data for a multitude of purposes across the economy. 


“The Committee appreciates the insights and recommendations of respondents, who expressed a range of views on the topic of data collection, use and sharing and how individuals can be given more control over their data.  


“Building on that effort, today the Committee will take a closer look at the European Union’s General Data Protection Regulation, or GDPR, and other approaches to data privacy, including the impact on the financial services industry and how companies collect and use information in marketing and decision-making related to credit, insurance or employment. 


“Providing testimony to the Committee today are three data privacy experts, including Peter Chase, Senior Fellow, The German Marshall Fund of the United States; Jay Cline, Privacy and Consumer Protection Leader, Principal, PwC US; and Maciej Ceglowski, Founder, Pinboard. 


“Each witness brings a unique perspective on the practical implications of implementing and complying with new data privacy laws; what has worked and what has not worked to give individuals more control over their data; and considerations for the Committee as it explores updates to federal data privacy laws within the Banking Committee’s jurisdiction. 


“My concerns about big data collection go back as far as the creation of the CFPB, which was collecting massive amounts of personal financial information without an individual’s knowledge or consent.  


“In 2014, the GAO reported that the Bureau alone was collecting information on upwards of 25 to 75 million credit card accounts monthly, 11 million credit reports, 700,000 auto sales, 10.7 million consumers, co-signers and borrowers, 29 million active mortgages and 5.5 million private student loans.  


“Consumers deserve to know what type of information is being collected about them, what that information is being used for and how it is being shared.   


“Financial regulators are not the only ones engaged in big data collection; private companies are also collecting, processing, analyzing and sharing considerable data on individuals. 


“The data ecosystem is far more expansive, granular and informative than ever before.   


“As the U.S. economy becomes increasingly digital, people are using the Internet, including search engines and social media, mobile applications and new technologies to manage and carry out more parts of their everyday lives. 


“The digitization of the economy allows for seamless access to both more generalized and granular pieces of data on individuals and groups of individuals, including data collected, with or without consent, directly from individuals, tangentially to individuals’ activities, or gathered or purchased from unrelated third parties. 


“In particular, data brokers play a central role in gathering vast amounts of personal information—many times without ever interacting with individuals—from a wide range of public and private sources, which is then sold or shared with others. 


“In 2014, the Federal Trade Commission issued a report entitled, ‘Data Brokers: A Call for Transparency and Accountability,’ in which it highlighted data brokers’ big role in the economy and concerns around their transparency and accountability. “In many cases, an individual’s data or groups of individuals’ data is used in ways that provide value, such as risk mitigation, fraud prevention, and identity verification, or to meet the requirements of laws or regulations. 


“However, in many other cases, that data can be used in ways that have big implications for their financial lives, including to market or make decisions on financial products or services that impact a consumer’s access to or cost of credit and insurance products, or in ways that impact their employment prospects. 


“In any case, the way that an individual’s or groups of individuals’ data is used matters immensely.  


“As its rightful owner, an individual should have real control over his or her data. 


“A complete view of what data is collected, the sources of that data, how it is processed and for what purposes, and who it is being shared with is vital to individuals exercising their rights.  


“People should also be assured that their data will be reflected accurately, and have the opportunity to opt out of it being shared or sold for marketing and other purposes. 


“In 2016, the European Union took steps aimed at giving individuals more control when it replaced a 1995 Data Protection Directive with the General Data Protection Regulation.  


“The EU’s principals-based GDPR is broader in scope, applying to a more expansive set of companies, including some based in the United States, and more types of personal information than its previous Directive. 


“The GDPR also imposes specific responsibilities on both data controllers and data processors, and enumerates rights for individuals with respect to their personal information. “In contrast to the European Union, the US has adopted federal laws focused on data privacy within particular sectors. 


“Two such federal laws in the Banking Committee’s jurisdiction are the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. 


“Today, I look forward to hearing more about the principles, obligations and rights underlying GDPR and how those differ from the previous 1995 Data Protection Directive; how GDPR addresses data brokers and other companies that collect and disseminate personal information, often without an individual’s knowledge, and ways the Fair Credit Reporting Act may be adjusted to account for activities by such entities; challenges US financial institutions have faced in implementing and complying with GDPR; how financial institutions’ privacy practices have evolved since its enactment; and how individuals have responded to this additional information and rights with respect to their data; whether individuals actually have more control over their data as a result of GDPR, and what the EU did right and wrong in GDPR; and considerations for the Banking Committee as it looks to update and make improvements to federal laws within its jurisdiction.  


“Thanks to each of you for joining the Committee today to discuss GDPR, data privacy and individual rights.” 


###