FTC to Focus on Data Throttling Offenses, New Consumer Protection Chief Says
Data throttling will be a top enforcement priority when FTC jurisdiction over broadband providers is restored June 11, said Consumer Protection Bureau Director Andrew Smith Friday. When the FCC net neutrality order takes effect, the FTC will look to publicly expose “issues with respect to fast-tracking of certain traffic and slowing down to less speed with respect to other traffic,” Smith said at a George Mason University event, citing recent throttling allegations against AT&T.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
AT&T said it won't continue challenging FTC broadband authority (see 1805310071). An FTC lawsuit in the Northern District of California (No. 14-cv-04785-EMC) alleged AT&T Mobility promised millions of wireless customers unlimited data, then throttled their speeds.
“We’re planning to examine current practices in the industry,” Smith said. “We’re looking for areas in which ISPs may be engaged in unfair or deceptive practices, and we will bring enforcement action as appropriate.” A particular focus will be transparency of ISP disclosures of terms of service, performance characteristics, network management practices and privacy protections for consumers, he added.
Smith argued U.S. privacy law better protects consumers than the EU’s recently adopted general data protection regulation. He called GDPR requirements “unrealistic,” claiming only large companies like Google and Facebook will face enforcement action. “I feel as though we actually protect consumers’ privacy, and in Europe, there’s a whole lot of noncompliance and very little enforcement,” he said. Under the GDPR, companies operating in the EU are prohibited from shipping data out of the EU to jurisdictions with “inadequate” data protection laws, which includes the U.S. Smith cited the U.S.-EU Privacy Shield, which is up for renegotiation annually, as a proper U.S. enforcement tool. The key will be to convince Europe that the mechanism makes U.S. privacy protections adequate, he said: “Whatever we have to do to do that, I suspect that we will.” The U.S. needs to “forcefully, proudly and confidently” convince Europe that the American risk-based approach to privacy is sufficient.
On consumer protection, Smith said to expect continuity from previous FTC enforcement regimes. The agency has brought more than 60 data security cases, he said. It recently settled with Lenovo on allegations that to deliver ads to consumers the company preloaded software onto its laptops that compromised security protections. “I think these are the kinds of cases you’re going to continue to see coming out of the FTC,” Smith said. He's expected to recuse himself from some of the agency's most high-profile investigations because of his prior work with Equifax and Facebook (see 1805170066).
Charles Koch Institute senior research fellow Neil Chilson, who recently stepped down as FTC acting chief technologist, spoke earlier Friday on a panel on antitrust issues. He said it’s clear consumers care about privacy, but they spend a lot of time on platforms that collect mass amounts of data. Significant privacy challenges remain, he said, but heavy-handed antitrust tools aren't the right answer. Sidley Austin lawyer Jonathan Nuechterlein said privacy is primarily a regulatory issue. University of Nebraska assistant law professor Justin Hurwitz said Facebook should be regulated, but it’s not wise to do so through the FTC’s consumer welfare standard. Mozilla Foundation Tech Policy Fellow Caroline Holland said it’s possible increased competition could improve privacy standards, but it won’t solve all issues.
A panel discussed GDPR implications in the U.S. Reed Smith's Gerard Stegmaier, who focuses on IP, tech and data issues, called the GDPR a “mattress tag” that's going to damage U.S. innovation. “We won’t see the companies that won’t be created because of red tape,” he said, adding the GDPR isn't the answer to privacy issues. Center for Democracy & Technology Policy Counsel-Privacy and Data Joseph Jerome countered that the GDPR is a modest update to existing European law. The law is about being more transparent and accountable with data practices, which companies should have been focused on before, he said.
Both sides of the net neutrality debate meantime saw something to like with AT&T dropping its challenge to FTC broadband authority. "Vindication of @FTC oversight of ISPs good news for consumers!" tweeted FTC Commissioner Maureen Ohlhausen Thursday.
Andrew Schwartzman, senior counselor at Georgetown Law's Institute for Public Representation, said it's a "relief" AT&T didn't follow through "on its previously announced intention" to seek Supreme Court review of a 9th U.S. Circuit Court of Appeals en banc ruling that the FTC has authority over the non-common-carrier activities of common carriers, such as telco broadband (see 1805070060). FTC jurisdiction "is not a substitute for restoring the [FCC's] power to regulate internet providers’ privacy and other abuses, [but] it is nonetheless a critical component of the nation’s consumer protection powers,” he emailed. Citing FTC enforcement authority, the FCC maintained transparency rule requirements that telco and cable ISPs disclose network management practices despite its reversal of net neutrality regulation of common carriers.