All posts in FTC

Speaking at the FTC Hearing on Data Security on December 12

Daniel Solove
Founder of TeachPrivacy

12/13/18 Update: Here is the video from the session described below.

On Wednesday, December 12, 2018, I’ll be speaking at the Data Security hearing, part of the FTC Hearings on Competition and Consumer Protection in the 21st Century.  My panel begins at 1:00 PM:

The U.S. Approach to Consumer Data Security

Wednesday, December 12, 2018 from 1:00 PM to 2:30 PM

Participants:

Chris Calabrese
Center for Democracy & Technology

Daniel J. Solove
George Washington University Law School

David Thaw
University of Pittsburgh

Janis Kestenbaum
Perkins Coie LLP

Lisa J. Sotto
Hunton Andrews Kurth LLP

Moderator: James Cooper
Federal Trade Commission, Bureau of Consumer Protection

I previously spoke at an earlier hearing in this series back in September on a panel about consumer privacy protection (video / transcript).  The upcoming hearing focuses on data security.


FTC Hearings on Competition and Consumer Protection in the 21st Century

Daniel Solove
Founder of TeachPrivacy

I’ll be speaking at the FTC Hearings on Competition and Consumer Protection in the 21st Century on a panel about consumer data on Thursday, September 13, 2018 at 3:15 PM.

UPDATE: You can see video of my panel at that hearing here.  Here’s a transcript.

My panel information is here:

The Regulation of Consumer Data
Participants:

Maureen K. Ohlhausen
Federal Trade Commission

Howard Beales
George Washington University School of Business

Daniel Solove
George Washington University Law School

David Vladeck
Georgetown University Law Center

Moderator: James Cooper
Federal Trade Commission, Bureau of Consumer Protection

More information about the day’s schedule is here.


Did the LabMD Case Weaken the FTC’s Approach to Data Security?

Daniel Solove
Founder of TeachPrivacy


Co-Authored by Prof. Woodrow Hartzog

On Wednesday, the U.S. Court of Appeals for the 11th Circuit issued its long-awaited decision in LabMD’s challenge to an FTC enforcement action: LabMD, Inc. v. Federal Trade Commission (11th Cir. June 6, 2018). While there is some concern that the opinion will undermine the FTC’s power to enforce Section 5 for privacy and security issues, the opinion actually is quite narrow and is far from crippling.

While the LabMD opinion likely does have important implications for how the FTC will go about enforcing reasonable data security requirements, we think the opinion still allows the FTC to continue to build upon a coherent body of privacy and security complaints in an incremental way similar to how the common law develops. See Solove and Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014).


Why I Love the GDPR: 10 Reasons

Daniel Solove
Founder of TeachPrivacy


I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.

There, I said it. . .

In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.

But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law.  Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.

The GDPR is the most profound privacy law of our generation.  Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition.  Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.

Here are 10 reasons why I love the GDPR:

(1) Omnibus and Comprehensive

Unlike the law in the US, which is sectoral (each law focuses on specific economic sectors), the GDPR is omnibus – it sets a baseline of privacy protections for all personal data.

This baseline is important.  In the US, protection depends upon not just the type of data but the entities that hold it.  For example, HIPAA doesn’t protect all health data, only health data created or maintained by specific types of entities.  Health data people share with a health app, for example, might not be protected at all by HIPAA.  This is quite confusing to individuals.  In the EU, the baseline protections ensure that nothing falls through the cracks.


Will the FTC Remain a Leader on Privacy and Security?

Daniel Solove
Founder of TeachPrivacy


In an unprecedented transition, the FTC just got a full slate of 5 new commissioners, three Republicans and two Democrats:

Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D

It is difficult to predict how the FTC will approach privacy. The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the legacy of the FTC as the leading privacy regulator in the United States. There are some, such as Berin Szóka, who argue that the FTC’s power needs to be reined in. In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.

The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year.  Effectively, for many companies, the regulators they are paying attention to are across the pond.

The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference.  Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers.  This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.
