Data Security, Privacy Dominate House FTC Oversight Hearing
Privacy and data security were key issues during a wide-ranging House Commerce, Manufacturing and Trade Subcommittee hearing Tuesday on the FTC’s changing jurisdiction. Though praising the FTC’s work, lawmakers questioned -- and at times sparred with -- the commission’s four members over the agency’s expanding role in ensuring privacy in new technologies: How the FTC’s Section 5 authority relates to data security; the commission’s role in regulating the Internet of Things; whether the FTC should have authority to enforce a potential federal data breach notification law; whether promoting net neutrality should fall to the FTC; what the FTC’s role should be in regulating commercial drone use; and how the FTC should deal with European Union concerns about trans-Atlantic data security.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
As did other lawmakers, Jan Schakowsky, D-Ill., praised the “strong agency” for its work, but lamented the commission’s limited resources. With a FY 2013 $296 million budget, the FTC is one of the smaller agencies, said Chairwoman Edith Ramirez. But it’s a great investment, she said. In the past three years, the FTC has saved consumers about $3 billion by stopping anticompetitive practices and mergers, returned $196 million to fraud victims, and passed $117 million in “ill-gotten gains” over to the Treasury Department, she said. But Rep. Bill Johnson, R-Ohio, said the commission’s budget had still doubled over the last decade due to its expanding jurisdiction. And Marsha Blackburn, R-Tenn., warned against the federal government’s “propensity to overreach.” In total, 22 members showed up to weigh in on the FTC’s changing role, according to Subcommittee Chairman Lee Terry, R-Neb. “We all have a stake in the FTC’s current mission,” Terry said, citing “the sheer breadth of the FTC’s jurisdiction."
"I'm a little bit befuddled about the FTC’s intended approach to the Internet of Things,” said Blackburn, who co-chairs a congressional privacy working group (http://1.usa.gov/18kkVzE). Blackburn criticized Commissioner Julie Brill for “trying to drive policy in The New York Times,” by publishing a short piece (http://nyti.ms/1hwn5EJ) two months before the commission’s Nov. 19 workshop on IoT (WID Nov 20 p4). “Do you think it was appropriate to write such a piece” ahead of an “exploratory workshop?” Blackburn asked, accusing the FTC of trying to “lay the groundwork for new regulations.” Brill disputed the claims. “A close and fair reading of my piece would show it was raising questions,” she said. “It’s raised questions for some of us,” Blackburn responded. Schakowsky, who’s also on the privacy working group, said she agreed with the “general conclusion” of the FTC’s workshop, that companies must “build in privacy from the outset” in the IoT.
Blackburn also expressed hesitation that the FTC might soon become the “de facto arbiter” for net neutrality if the U.S. Court of Appeals for the D.C. Circuit overturns parts of the FCC net neutrality order, which it’s widely expected to do (WID Nov 25 p1).
Terry urged the FTC to clarify how it uses Section 5 authority “to address the use and security of data.” Absent “a coherent statement of policy on how the commission plans to enforce Section 5, many businesses -- large and small -- are left to examine past decisions to see how they may fit into the specific facts of that case,” he said. Rep. John Dingell, D-Mich., asked Ramirez -- in a series of rapid fire “yes” or “no” questions -- whether the FTC has the authority under Section 18(a)(1)(B) to enforce a hypothetical federal data breach notification law. “Yes,” Ramirez said, also answering “yes” to Dingell’s question of whether having one agency enforce such a law would “provide a significantly greater protection for consumers than that which now exists.” The commission would not need to expand its budget to take on such a role, Ramirez said. Dingell closed his remarks by calling on his Congressional colleagues to establish this “common sense” federal data breach notification law. Ramirez also urged Congress “to enact baseline privacy legislation,” she said: “There are limits to what we can do."
Rep. Joe Barton, R-Texas, asked all four commissioners to weigh in on the recently reintroduced Do Not Track Kids Act (WID Dec 2 p1). They each supported the bill’s aims, but fell short of supporting the bill itself. Commissioner Maureen Ohlhausen said she “would like to get more deeply into the issue,” and see what privacy protections for teens the market might be able to provide. Ramirez said she supported “giving more control to teens and consumers over their information."
Barton also asked whether the FTC should “have a role to play in issuing privacy guidelines,” for the commercial use of drones, a topic that has received much attention since Amazon CEO Jeff Bezos announced Sunday his company had a prototype for a drone to deliver packages (WID Dec 3 p10). “I do believe we have a role to play,” Ramirez said, which could include enforcement actions if companies fail to respect their own privacy policies. But companies already have an “appropriate lens” through which to judge whether any new technology, such as a drone, meets the FTC’s privacy standards, she said, referring to the agency’s March 2012 privacy report (http://1.usa.gov/1avQg2d). The policy framework “outlined concepts which are applicable” in many areas, said Commissioner Brill. Ohlhausen cautioned that the FTC should first get an idea of “what new technologies are occurring what benefits and risks they may offer,” before “perhaps issuing some forms of guidance,” she said. “Who knows, maybe we'll have a workshop on drones in the future.”