Lawmakers push to rein in tech firms after Google+ report
Exposure of user data on social-media service prompts calls from both parties for action
WASHINGTON—Top lawmakers of both parties argued Wednesday that Congress needs to take action to rein in big tech companies, citing revelations about Google+ as the latest example of questionable practices involving consumers’ private information.
The Wall Street Journal reported earlier this week that Google exposed the private data of hundreds of thousands of users of its Google+ social network. The company, a unit of Alphabet Inc., chose not disclose the issue earlier this year, in part because of worries that news of the incident would bring on regulatory scrutiny and reputational damage, according to interviews and documents.
At a Senate hearing Wednesday, Commerce Committee Chairman John Thune (R., S.D.) said it is increasingly clear from Google+ as well as Facebook Inc.’s earlier Cambridge Analytica scandal that industry selfregulation is no longer sufficient to protect users’ privacy.
“A national standard for privacy rules of the road is needed to protect consumers,” Mr. Thune said. He warned that given previous congressional struggles with the issue, all sides must keep “open minds” about the contours of a bipartisan bill.
The Federal Trade Commission is probing an incident in which data of up to 50 million Facebook users was transferred to Cambridge Analytica, a data firm that worked for President Trump during the 2016 campaign.
Google didn’t immediately respond to a request for comment on Wednesday’s hearing. As part of its response to the incident, Google on Monday announced a broad set of data-privacy measures that include permanently shutting down all consumer functionality of Google+. The company also said it is curtailing the access it gives outside developers to user data from smartphones
that run on its Android operating system and its Gmail service.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said at the time.
At the hearing, Democrats joined Republicans in their criticism of Google, including the news that it had effectively sought to keep its problems quiet to avoid the same scrutiny Facebook received.
Sen. Richard Blumenthal (D., Conn.) said he would send a letter to the Federal Trade Commission urging an investigation of the Google+ incident. “I think this kind of deliberate concealment is absolutely intolerable,” he said.
Ahead of the hearing, other lawmakers expressed concern.
“It would be great if Google was as concerned about protecting people’s privacy as it is about being lumped in with Facebook’s Cambridge Analytica scandal,” said Rep. Frank Pallone Jr. of New Jersey, the top Democrat on the House Commerce Committee.
Sen. Mark Warner (D., Va.) said the latest controversy raises serious doubt about whether the FTC—now tasked with policing privacy on the internet—is up to the job given its current regulatory powers.
“It’s clear that Congress needs to step in,” said Mr. Warner.
Congressional legislation could beef up data-privacy protections for consumers, while handing much of the work of writing detailed rules to a strengthened FTC. The FTC currently lacks much rule-making authority when it comes to
online data privacy, and also has limited ability to impose fines for violations. Congress also could push companies to do more to prevent data breaches.
For its part, the FTC said it takes data privacy seriously, while it stopped short of saying it is investigating the Google+ incident.
FTC Chairman Joe Simons said in a statement: “The FTC does not comment on specific incidents or companies. When we see a significant breach that puts consumers’ private data at risk, you can be assured that we will be looking into it.”
Meanwhile, German authorities said they had started an investigation regarding the Google+ matter, sending questions to Google’s headquarters in Hamburg. The regional data-protection authority in Hamburg has asked a number of questions
about the incident, including whether German users had been affected, what types of data were involved and when Google finally closed the security vulnerability.
The potential leak of information about Google+ users likely doesn’t fall under the European Union’s strict new General Data Protection Regulation privacy law, because it was discovered before the law went into effect. Its liability also could be limited because under older EU privacy laws, breach notifications weren’t obligatory in many EU countries.
But Google still could face a headache in Europe.
Under the EU’s older privacy rules, dating to the late 1990s, any one of the bloc’s 28 national privacy regulators would be empowered to investigate what happened—potentially leading to a patchwork of overlapping probes.