FTC Members Want Data Security Law; Simons Would Start Breach Proceeding—If He Could

Pallone questioned whether FTC authority is sufficient. Simons said the agency couldn’t show a violation of a pre-existing consent decree because there was none. Chopra said the lack of penalties, particularly on the first offense, means the agency doesn’t have adequate tools to deter bad behavior. All five commissioners said they favor some form of data breach legislation, which Chopra said would let the agency move forward with relevant rulemakings. Civil penalties are easily enforced when there's an existing rule or a clear violation of a consent decree, he said.

The FTC needs Administrative Procedure Act rulemaking authority, which is less burdensome and time-consuming than the agency’s current Magnuson-Moss Warranty Act rulemaking authority, said ranking member Jan Schakowsky, D-Ill. If given APA authority, Simons told Schakowsky, he would begin a data security and data breach notification rulemaking process. “We’ve had these high-profile hearings from Equifax, [Facebook CEO Mark] Zuckerberg was sitting in that chair, and yet we really haven’t moved forward on doing something about these data breaches,” said Schakowsky. Magnuson-Moss authorizes the FTC to develop regulations for written warranties.

Simons warned against competitive trade-offs possible with privacy legislation. “We’re a little nervous that if you do privacy the wrong way, have it go too far in one direction, that you might end up reducing competition, might create a situation where you entrench the large tech platforms,” he said, making it harder for new entrants and smaller firms to get the attention of the consumers. This impact is being seen in Europe with the general data protection regulation, he said. Committee Chairman Greg Walden, R-Ore., agreed with Simons that “you don’t want to do something that increases [large platforms’] dominance.”

Internet Association CEO Michael Beckerman said after the hearing his group is committed to having “a discussion with Congress and the FTC about the current regulatory framework.” Lawmakers and regulators should keep in mind “the important economic and national security benefits of having internet companies founded and based here in the U.S. as they export their products and services,” he said.

Though the FTC doesn’t comment on open investigations, Simons cited ongoing probes of Facebook and Equifax. He also discussed cases against Uber and PayPal (see 1805240049). The chairman said the agency’s Section 5 authority ultimately doesn’t allow the FTC to address all data and privacy issues, citing the lack of authority to enforce civil penalties and lack of jurisdiction over nonprofits and common carriers. The commission’s “remedial authority with respect to privacy and data security will be a key topic” during the agency's upcoming public hearings on competition and consumer protection, he said.

“Is the information being used in a way the consumer expects when they get the service, or is it being shared in some way that they don’t anticipate?” Commissioner Maureen Ohlhausen asked. “That’s where enforcement and guidance and policy concerns need to focus.”

Walden said he will evaluate the FTC’s tools closely as the investigation into Facebook’s 2011 consent decree progresses. He again invited Silicon Valley executives to testify (see 1806070017). Though others suggested the FTC lacks proper resources, subcommittee Chairman Bob Latta, R-Ohio, said the agency has “vigorously defended its jurisdiction and consumers, and we have no reason to believe that will stop any time soon.” Pallone noted the Consumer Protection Bureau has only 45 full-time employees, 35 of whom are attorneys able to bring enforcement actions. If the FTC could have fined Facebook in 2011, the U.S. might have avoided the Facebook-Cambridge Analytica privacy breach, Pallone said.