In an unprecedented transition, the FTC just got a full slate of 5 new commissioners, three Republicans and two Democrats:
Joe Simons (Chairman) – R
Noah Phillips – R
Christine Wilson – R
Rohit Chopra – D
Rebecca Slaughter – D
It is difficult to predict how the FTC will approach privacy. The new commissioners will be inheriting some high-profile investigations (Equifax and Facebook), and they will also be inheriting the legacy of the FTC as serving as the leading privacy regulator in the United States. There are some, such as Berin Szóka, who argue that the FTC’s power needs to be reigned in. In contrast, I posit that just the opposite is in order: the FTC must pursue a bold enforcement agenda.
The reason is that we don’t live in an isolated world. The European Union (EU) has seized the scepter of leading regulator of multinational companies. Nearly every chief privacy officer at a large multinational company tells me that their focus is 90% or more on the General Data Protection Regulation (GDPR) — the massive and rigorous privacy regulation in the EU that will start being enforced on May 25 of this year. Effectively, for many companies, the regulators they are paying attention to are across the pond.
The US shouldn’t let itself fade into irrelevance. For years, the FTC has been working to convince the EU that there really is meaningful privacy regulation in the US — and I believe that this effort made a difference. Perhaps it didn’t convince all EU policymakers, but it definitely had an effect on some policymakers. This was how the US was able to establish the Privacy Shield Framework, built in the smoldering ashes of the Safe Harbor Arrangement that the European Court of Justice demolished in one swift stroke.
Regulatory laxity rarely does companies any favors. There seems to be an almost reflexive anti-regulation view in industry — that regulation stifles innovation, and all efforts must be taken to weaken, stifle, or kill any efforts to regulate.
But such a view is shortsighted. A more anemic FTC will just embolden other regulators who will fill the void. States (such as California and others) will step up to regulate more. California has a ballot initiative this year that will provide strong transparency requirements and sharing restrictions on personal data. If FTC enforcement weakens, then EU regulators might increase their enforcement activity. Weakening the FTC in this ecosystem will not remove all regulatory “predators” but will just shift the balance to others.
Moreover, strong privacy protection and enforcement might be a friend, not an enemy. The activities of the bad apples often hurt the reputation of many companies in an industry, including those who are doing the right thing. These days, the tech sector is facing growing public concern and distrust. Weaker enforcement just fans the flames.
Now is the time for the FTC to be bold and powerful in its enforcement of privacy and security. More than ever, with so much attention on the Cambridge Analytica incident and with major data breaches growing in number and severity each year, this is the time for consumers to feel assured that someone is watching their back. It shouldn’t just be the Europeans who are protecting consumer privacy. It would thus be wise for the FTC to remain active in privacy and security enforcement — and, in the long run, good for business too.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event designed for seasoned professionals. This February, Professors Solove and Schwartz are launching a new event, the International Privacy+Security Forum (Feb. 26-27, 2018 In Washington, DC).