U.S. senators designing a possible federal data privacy law heard input from Ireland's data protection commissioner and U.S. consumer advocacy groups at a hearing Wednesday.

It's the latest in a series of congressional committee hearings in Washington, D.C., meant to shape policy ideas for the proposed law, which has gained bipartisan traction this year in the wake of numerous data breaches, the European Union's General Data Protection Regulation and the California Consumer Privacy Act.

Members of the Committee on Commerce, Science and Transportation raised their concerns about data privacy regulation at the federal level with witness Helen Dixon, the Irish data protection commissioner, whose agency oversees GDPR compliance for Facebook, Twitter, Uber and other U.S. tech companies incorporated in Ireland.

Sen. Ted Cruz, R-Texas, asked about the GDPR's impact on small- and medium-sized businesses in Europe and whether the law's implementation last May reduced employment opportunities. Irish officials are “not aware of evidence that the GDPR is affecting jobs adversely,” Dixon said.

That's in part because certain GDPR articles don't apply to smaller companies, Dixon said earlier in the hearing. The law dictates businesses implement new processes “appropriate to the risks and scale of personal data processing they're undertaking,” not a one-size-fits-all approach, she added.

Neema Singh Guliani, a hearing witness and senior legislative counsel for the American Civil Liberties Union, suggested a federal data privacy law's penalties should vary based on the size of the business.

Senators also questioned Dixon on the value of pre-emption in a U.S. federal data privacy law. Sen. Marsha Blackburn, R-Tennessee, said GDPR is an “EU-wide regime” versus a law specific to Ireland. Dixon noted GDPR is a “hybrid” state and EU-level law, with “member state flavors in terms of choices” on certain aspects of the regulation, such as the country's digital age of consent.

Guliani and James Steyer, the chief executive officer and founder of Common Sense Media, both said they would have “serious concerns” with a federal data privacy law that pre-empted state law, particularly the CCPA. Both witnesses said CCPA should be a “floor” for federal privacy regulation, not a ceiling, and would not back a nationwide law with looser consumer protections that undermined California's law.

Google, Twitter and other tech companies have pushed for a federal law that would pre-empt CCPA, which goes into effect on Jan. 1, 2020. In a September 2018 Senate Committee on Commerce, Science and Transportation hearing, Google chief privacy officer Keith Enright and Amazon.com Inc. associate general counsel Andrew DeVore said CCPA's definition of impacted personal information was unclear and backed the idea of a regulation with pre-emption.

At Wednesday's hearing, Sen. Roy Blunt, R-Missouri, also questioned Dixon on Ireland's enforcement of GDPR violations against EU versus U.S. companies. Dixon said Ireland's Data Protection Commission hasn't issued any GDPR-related fines yet, but the agency is currently investigating 51 companies, 12 of which are U.S. tech companies, for violations.

Her agency plans to wrap the first wave of GDPR investigations up this summer, she said. That could include an investigation launched against Facebook in October after the Menlo Park, California-based company revealed a data breach impacting millions of users. The highest fine a company can face under the GDPR is 4% of its annual turnover, more than $1.5 billion for Facebook.