Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D
It is difficult to predict how the FTC will approach privacy. The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the FTC’s legacy as the leading privacy regulator in the United States. There are some, such as Berin Szóka, who argue that the FTC’s power needs to be reined in. In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.
The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year. Effectively, for many companies, the regulators they are paying attention to are across the pond.
The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference. Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers. This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.
In a very important decision, FTC v. AT&T Mobility (9th Cir. 2018 en banc), the U.S. Court of Appeals for the 9th Circuit en banc reversed an earlier panel decision that severely limited the FTC’s jurisdiction to protect privacy and data security. I strongly criticized the panel decision in a previous blog post.
The FTC has taken the lead role in protecting privacy and data security through the FTC Act Section 5, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts” affecting commerce. Section 5(a)(2) contains a list of industries that are carved out from FTC jurisdiction. This list includes banks, airlines, and common carriers. A “common carrier” is defined in the Communications Act of 1934, 47 U.S.C. § 153: “The term ‘common carrier’ or ‘carrier’ means any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy.” Common carriers are regulated by the Federal Communications Commission (FCC).
In FTC v. AT&T Mobility, the FTC brought a Section 5 enforcement action against AT&T for a part of AT&T’s business that was not regulated by the FCC. However, the 9th Circuit panel concluded that the common carrier exception to FTC jurisdiction was status-based — it applied to common carriers no matter what activities they were engaged in. This means that if a company engages in a non-minor amount of common carrier activities, then everything that it does, including many activities beyond its functions as a common carrier, falls outside the FTC’s power to regulate under Section 5. Because these are non-common-carrier activities, the FCC often can’t regulate them either. This opens up an odd no man’s land where a company can engage in certain activities and escape regulatory enforcement while other companies engaging in the same activities cannot.
Here’s what I wrote about why the earlier 9th Circuit panel decision was problematic:
The FTC released the above chart showing the history of Commissioners, Chairwomen and Chairmen of the FTC from 1915 through the present day. According to the chart, the Federal Trade Commission is composed of five Commissioners, and their terms extend for seven years. The Commissioners are appointed by the President with the advice and consent of the Senate. At any given time, not more than three Commissioners may be members of the same political party. The President designates one Commissioner as Chairman, and the Chairman is given the responsibility for the administration of the Commission.
Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs). The rules applied the Communications Act, 47 U.S.C. § 222, to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules required reasonable data security protections as well as data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies. But nature abhors a vacuum. Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law. Thus, the de facto rule is the law of the state with the most strict protections.
The Federal Trade Commission is the most important federal agency regulating privacy and security. Its actions and guidance play a significant role in setting the privacy agenda for the entire country. With the Trump Administration about to take control, and three of the five Commissioner seats open, including the Chairperson, a lot could change at the FTC. But dramatic change is not common at the agency. What will likely happen with the FTC’s privacy and security enforcement over the next four years?