During a House Energy and Commerce Committee consumer protection and commerce subcommittee oversight hearing on the Federal Trade Commission today, lawmakers and FTC commissioners focused on elements they believe should be included in comprehensive federal privacy legislation, such as some degree of rulemaking authority for the agency, increased authority for it to impose civil fines, and jurisdiction over nonprofit entities and common carriers.
The extent of rulemaking authority and the potential preemption of state privacy laws were among the issues on which disagreement was most evident.
In her opening statement, subcommittee Chair Jan Schakowsky (D., Ill.) said that the ongoing privacy concerns about Facebook, Inc., against which the FTC is believed to be preparing a "record-breaking" fine over violations of a 2011 consent decree (TR Daily, April 24), "underscores the need for comprehensive privacy legislation."
Rep. Schakowsky said that in order to defend consumers’ privacy, the FTC needs more tools, increased funding, and Administrative Procedure Act rulemaking authority "at a minimum." She noted the lack of FTC authority to impose civil fines for violations of section 5 of the FTC Act, which is the authority it generally uses for privacy enforcement, and she compared the FTC’s full-time staff of 40 employees devoted to privacy and data security issues, compared to 500 government officials policing those issues in the United Kingdom, with a much smaller population than the U.S. She also noted that current FTC Chairman Joseph Simons has not appointed a chief technologist, as his recent predecessors had.
In her opening statement, subcommittee ranking minority member Cathy McMorris Rodgers (R., Wash.) called for preemption of state privacy laws, saying, "Protections shouldn’t change depending on which state you’re in."
She also suggested limiting any additional grant of rulemaking authority to the FTC, saying, "I remain skeptical of Congress delegating broad authority to FTC or any agency. However, we must be mindful of the complexities" involved in privacy issues. The FTC "must not be transformed from a law enforcement agency into a vast rulemaking agency," she said. She added that "oversight must be part of the conversation so Congress does its job to hold the FTC accountable."
Rep. Rodgers also emphasized during her questioning of the panel that "any federal privacy bill should focus on protecting consumers from concrete harms."
Full committee Chairman Frank Pallone Jr. (D., N.J.) said, "Companies shouldn’t be collecting information they don’t need and shouldn’t be using it for purposes consumers wouldn’t expect without consent." Privacy legislation should grant consumers the rights to access, correct, and delete their information, he added.
Full committee ranking minority member Greg Walden (R., Ore.) emphasized the benefits to be gained from using data collected from consumers, including innovation and growth that relies on "the free flow of information."
"I believe it’s important that we work toward a bipartisan, national privacy bill," Rep. Walden said. He warned that if the legislation is not "crafted" correctly, it will just protect "entrenched" large companies that can easily bear the compliance costs.
In his prepared testimony, FTC Chairman Simons noted that section 5 of the FTC Act "does not allow us to reach nonprofits and common carriers." He said that the agency recently exercised its authority under section 6(b) of the Act to direct Google Fiber, Inc., and six major wireline and wireless Internet service providers (ISPs) to supply information on their collection, retention, use, and disclosure of information about consumers and their devices (TR Daily, March 26). He said that the agency will use the responses to inform its work on privacy issues.
Republican FTC Commissioner Christine Wilson said that Congress can help address privacy issues by enacting privacy legislation to be enforced by the FTC. "The prospect of myriad conflicting [state] bills has created confusion in the business community," she said, adding, "Even more important, consumers need clarity about how their information is collected [and used]."
Commissioner Wilson said that legislation should include FTC authority to impose civil monetary penalties, agency jurisdiction over nonprofits and common carriers, and "targeted, narrow" APA rulemaking authority.
She also suggested that Congress could address the issue of when the FCC can seek injunctive relief in the courts. "Earlier this year the Third Circuit held that the FTC can’t seek injunctive relief if conduct isn’t on-going or imminent," but parties often cease their harmful activity when they learn of the FTC’s investigation, she said.
Democratic FTC Commissioner Rebecca Kelly Slaughter asked lawmakers to pass privacy legislation that includes civil penalty authority, targeted APA rulemaking authority, and authority over nonprofits and common carriers. She noted that consent to data collection and use is often obtained using "lengthy click-through forms" in an environment in which consumers have no negotiating power and no option of seeking services from a competing more privacy-sensitive company. "When it comes to our digital lives, neither notice nor consent feel particularly meaningful today," she said.
Democratic Commissioner Rohit Chopra cited "estimates" that it would take Americans 250 hours a year to read all the terms of service they have to sign to obtain access to apps and online services and websites. Hidden in those seldom-read forms are terms such as the right claimed by a photo-sharing platform to use consumers’ names and photos for any purpose.
During the question-and-answer portion of the hearing, Rep. Robin Kelly (D., Ill.) asked if it would be helpful if companies were required to disclose their privacy practice.
Chairman Simons said yes, because the FTC’s "privacy program depends in large part on [the FTC’s] deceptive acts provision," which generally cannot be invoked if a company does not make any representations about its privacy practices.
Rep. Walden asked about any concerns that would be raised by congressional delegation of broad rulemaking authority to the FTC.
Chairman Simons responded, "Please do not do it. … Give us targeted rulemaking authority." He added, "We want Congress to come up with federal privacy legislation, [and] have it fairly well-defined … and give us targeted rulemaking authority [to deal with] developments in technology or business methods."
Rep. Walden asked the commissioners for their views on preemption of state privacy legislation.
Commissioner Slaughter said that it would depend on whether national protections meet or exceed state protections and whether preemption leaves the states the power to "fill any gaps."
Republican FTC Commissioner Noah Joshua Phillips said Congress should preempt state privacy laws, and also that it should consider international interoperability of privacy policies.
Rep. Larry Bucshon (R., Ind.) asked what kind of privacy protections should apply to health data collected by connected devices such as fitness trackers.
Chairman Simons said that if the collected data is the same kind of data that is covered by the Health Insurance Portability and Accountability Act (HIPAA), "you have to think about covering it."
Commissioner Chopra said that "Something that makes this even harder is that with artificial intelligence and big data, even if we don’t hand over our data," companies may be able to infer health conditions and other sensitive information from Internet searches and online behavior.
Commissioner Phillips said that HIPAA "isn’t working because doctors can’t talk to each other" and patients have to repeat their information to each new medical professional they consult.
Rep. Ben Ray Luján (D., N.M.) asked Chairman Simons why he hasn’t appointed a chief technologist.
Chairman Simons said, "That was one of the first things I looked at [after becoming chairman]." The chief technologist is "appended" to the chairman’s office and has "no direct reports," he noted. The Bureau of Consumer Protection already had a technology group, so he created a technology task force within the Bureau of Competition and "transferred the chief technologist FTE to the Bureau of Competition," he said.
Rep. Greg Gianforte (R., Mont.) asked whether having section 5 authority over common carriers would enable the FTC to go after "neighbor spoofing" robocallers that disguise their phone to appear to be a local call.
Chairman Simons said that it would in the sense that the FTC could then pursue the carriers that carry the traffic.
Rep. Gianforte asked "why it’s so important to focus on the privacy harms to consumers."
Chairman Simons said, "In the privacy sector, harm is very tricky, and also in data security." He added, "Harm [regarding privacy] is hard to measure in any specific way."
Rep. Earl (Buddy) Carter (R., Ga.) said, "It’s very important [to recognize] that the private right of action proposed in the California law would be on top of what FTC would do. We don’t need plaintiffs’ attorneys involved in this." —Lynn Stanton, [email protected]
MainStory: FederalNews Congress FTC Privacy
Interested in submitting an article?
Submit your information to us today!Learn More