Ohlhausen Urges 'Consistent' FCC, FTC Approaches to Handling Cases on Privacy, Data Security
The FCC Enforcement Bureau’s recent data breach case against Cox Communications (see 1511050064) shows the FCC and FTC need to use “compatible” approaches on privacy and data security cases, FTC Commissioner Maureen Ohlhausen said during a Practising Law Institute event Friday. The FCC is still grappling with its final standards on ISP privacy rules, with Chairman Tom Wheeler indicating he plans to begin a rulemaking in early 2016 (see 1511170060). Ohlhausen has argued the FTC is better equipped to protect privacy (see 1509020040), while FTC Commissioner Julie Brill pushed the FCC to create strong privacy rules for ISPs (see 1509280062). Industry executives agreed with Ohlhausen during a separate PLI session Friday that joint FCC-FTC privacy jurisdiction creates uncertainty, while officials from both agencies noted similar joint jurisdiction situations have worked well in the past.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The FCC’s approach to the Cox case appeared to indicate a preference for a “strict liability” data security standard that “will actually harm consumers,” Ohlhausen said Friday. Cox agreed in November to pay $595,000 and committed to take compliance measures to end the FCC investigation, the commission’s first privacy and data security action involving a cable operator. The August 2014 breach exposed information for about 61 Cox subscribers, though there has been no evidence any of the information resulted in identity theft or other consumer harms. Ohlhausen said she's “not convinced” the ISPs the FCC regulates should be subject to the strict liability standard since it “differs significantly from the FTC’s ‘reasonable security approach,’” which applies to others in the Internet ecosystem. “There is little evidence that consumers will be better off if one portion of the Internet ecosystem operates under a different set of rules from the rest,” she said.
“If there are two cops on the beat, their rule books -- both as written and as enforced -- should be consistent,” Ohlhausen said. She said the FTC’s “case-by-case” enforcement of privacy and data security cases is the preferable “rule book” because it allows a focus on addressing actual consumer harm over “future hypothetical harms.” FCC rules that follow the case-by-case approach and emphasize “limiting action to addressing real consumer harm, would do a lot to align the rule books of the cops on the beat,” Ohlhausen said. “Focusing on consumer harm not only ensures that enforcement actually makes consumers better off -- it also creates more business certainty.”
The memorandum of understanding the FCC and FTC released in November defining their respective roles in privacy and data security regulation (see 1511160067) “does not solve the two-rule-book problem” since it “does not provide any of the principle- or process-based constraints” needed to address the agencies’ coordination on privacy and data security regulation, Ohlhausen said. The FCC’s rulemaking may provide those constraints, as could the U.S. Court of Appeals for the D.C. Circuit via its ruling on the appeal of the FCC’s net neutrality order, Ohlhausen said. The D.C. Circuit heard oral argument Friday on the net neutrality appeal (see 1512040058).
The FCC-FTC MOU merely formalizes the agencies’ existing cooperation on privacy and data security issues, FTC Associate Director-Privacy and Identity Protection Division Maneesha Mithal said. “All of this is business as usual to us,” particularly since the FTC often shares jurisdiction over regulatory issues with other federal agencies, she said. The FCC itself has its own “longstanding rules governing privacy and data security for voice services,” but decided to forbear from applying them to ISPs in the commission’s Title II reclassification, Associate Wireline Bureau Chief Lisa Hone said.
AT&T Vice President-Global Public Policy Jeff Brueggeman said he believes there eventually needs to be a single federal agency regulating privacy and data security for the communications sector. It’s problematic to have two regulatory agencies dealing with privacy issues in the communications sector since it “heightens the potential for inconsistency and uncertainty,” he said. It’s “more challenging to have a holistic end-to-end view of privacy” because of the multiple sources of data transmission to smartphones and other mobile devices raise questions about whether the FCC or FTC has privacy jurisdiction in a particular case, Brueggeman said. The FCC and FTC have mostly been “pretty consistent” in their statements about their joint privacy and data security regulatory authority, but minor differences in their approaches “will have a domino effect later on,” CTA Director-Regulatory Affairs Alex Reynolds said.