Last week, the House Committee on Energy and Commerce held a Committee Hearing on the Oversight of the Federal Trade Commission. All five Commissioners attended and their message was largely the same: the FTC needs additional rulemaking and civil penalty authority to better protect consumers, especially as it applies to privacy and data security enforcement.
Privacy and data security were a focus of the Chairman’s opening statements, during which he noted that both were a top priority for the agency. Chairman Simons also discussed the need for the FTC to have jurisdiction over nonprofits and common carriers, imploring Congress to pass legislation giving the agency such authority, along with comprehensive data security legislation. Simons noted that the FTC was watching and assessing the EU’s implementation of its comprehensive privacy law, the General Data Protection Regulation (GDPR), to see how it may apply to the U.S., and he reaffirmed enforcement of the EU-U.S. Privacy Shield, which the FTC has enforced in the past.
Chairman Simons also referenced the hearings that the Commission will be holding in the fall, emphasizing that he anticipated the agency would benefit from participant input on a number of topics—from merger guidelines to privacy and data security. Simons, a former student of Chairman Pitofsky, noted that the agency held similar hearings during the Pitofsky era that resulted in agency action, such as amendments to the merger guidelines. The Chairman noted that he wanted this year’s hearings to be similarly effective in setting the agency’s future agenda.
The Commission’s lack of civil penalty authority was a common theme throughout the hearing, especially with members of Congress questioning the number of large-scale data breaches that have occurred in the past few years. Although the Commissioners did not speak on the current Facebook or Equifax cases, Chairman Simons articulated his view that civil penalty authority would be an effective deterrent to ensure that companies take data privacy and security seriously. As it stands, the FTC can only impose financial penalties on defendants or respondents who violate a specific rule, or an existing order (absent violation of a rule that includes civil penalty authority, such as the Children’s Online Privacy Protection Act (COPPA) or the Fair Credit Reporting Act (FCRA)). The FTC can impose equitable monetary awards based on measurable financial harm, such as consumer harm or ill-gotten profits, but measuring the financial impact of incidents such as data breaches is difficult. The other Commissioners echoed Chairman Simons regarding the FTC’s need for specific civil penalty authority.
Four of the five Commissioners also advocated for general rulemaking authority under the Administrative Procedure Act (APA), with Commissioner Phillips noting that he had yet to make a decision about the issue. Although the agency can promulgate rules under the Magnuson-Moss Act, it is a much more burdensome and difficult process than under the APA, which most other agencies can employ. Commissioner Chopra emphasized that specific rules would aid in the Commission’s enforcement goals. He also noted his support for the passage of specific data privacy legislation, explaining that although the EU and California have taken steps to develop their own privacy laws, the U.S. should be leading the way. In this same vein, Representative Janice Schakowsky of Illinois noted that she has introduced the Secure and Protect Americans’ Data Act, which would give the FTC both rulemaking and civil penalty authority regarding data breach notification. All of the Commissioners, except Commissioner Phillips regarding rulemaking, voiced approval for such authority.
Although privacy and data security were popular topics for the day, the Commissioners did speak on other topics, such as the lack of competition in the pharmaceutical market, robocalls, general antitrust matters, and the U.S. Safe Web Act (which Commissioner Phillips noted has a sunset provision for 2020). Still, it was clear that both Congress and the Commission have privacy and data security at the forefront of their agendas, which may mean that we will see more action on both the legislative and regulatory fronts in the near future.