With the number of privacy and data-breach bills on Capitol Hill increasing almost daily, the Federal Trade Commission is making a play to become the lead federal enforcement agency for any new law that goes on the books.
Right now, the FTC has some authority to enforce privacy regulations, but it all flows from one section of the Federal Trade Commission Act. That section applies to unfair and deceptive trade practices and the FTC has used it many times over the years to bring cases against companies that violated regulations on health care, financial, and other types of privacy. But in July, FTC Chairman Joseph Simons told the House Energy and Commerce Committee that the commission needed more resources and authority to take action against companies that run afoul of privacy regulations.
“Privacy and data security will continue to be an enforcement priority at the Commission, and it will use every tool at its disposal to redress consumer harm. Many of the FTC’s investigations and cases involve complex facts and well-financed defendants, often requiring outside experts, which can be costly. It is critical that the FTC have sufficient resources to support its investigative and litigation needs, including expert work, particularly as demands for enforcement in this area continue to grow,” Simons said.
Section 5 has broad language, but it has some exceptions, as well. For example, it doesn’t give the FTC the power to impose civil penalties. There are other limitations, as well, and on Wednesday Simons and several other members of the commission testified in front of the same House committee and encouraged Congress to pass federal privacy legislation and give the FTC the power to enforce it.
“[Section 5] also excludes non-profits and common carriers from the Commission’s authority, even when the acts or practices of these market participants have serious implications for consumer privacy and data security. To better equip the Commission to meet its statutory mission to protect consumers, we urge Congress to enact privacy and data security legislation, enforceable by the FTC, which grants the agency civil penalty authority, targeted APA rulemaking authority, and jurisdiction over non-profits and common carriers,” the FTC’s prepared testimony says.
The FTC’s advocacy for federal privacy and security legislation is not new nor is it unique. Privacy focused organizations and security experts have been urging Congress to pass broad federal legislation in this area for many years but things haven’t moved in that direction. There is some support for the idea on Capitol Hill, and in fact Frank Pallone (D-NJ), chairman of the Energy and Commerce Committee, said in his opening statement Wednesday that the committee plans to move on it soon and that the FTC should have the authority to not only enforce existing regulations, but to help stop violations ahead of time.
“The FTC also needs more authority to prevent privacy abuses from happening in the first place and to ensure that companies properly secure the personal data entrusted to them,” Pallone said.
“Congress must pass strong, comprehensive privacy legislation, and this Committee will take action. The legislation should give consumers control over their personal data, including giving consumers the ability to access, correct, and delete their personal information. And it should shift the burden to companies to ensure they only use the information consistent with reasonable consumer expectations.”
The FTC’s push for more authority is at odds with the sentiment from many in the privacy community, who believe there should be a separate agency with authority over privacy. Last week, leaders from the Electronic Privacy Information Center sent a letter to the Senate Committee on Commerce, Science and Transportation urging the creation of an independent agency.
“Given the enormity of the challenge, the United States would be best served to do what other countries have done and create a dedicated data protection agency. An independent agency could more effectively utilize its resources to police the current widespread exploitation of consumers’ personal information and would be staffed with personnel who possess the requisite expertise to regulate the field of data security,” the letter from EPIC President Marc Rotenberg and Policy Director Caitriona Fitzgerald says.
Another key consideration is how any new privacy legislation would apply to federal agencies themselves and the data they collect and store on citizens. Most of the myriad draft bills circulating in Washington right now focus on penalties for private companies that violate regulations and make no mention of federal agencies.