The agency that protects your privacy is in for big changes
As of Wednesday, the Federal Trade Commission once again has five commissioners, ending a year of neglect that reduced the government agency most directly involved with protecting our privacy is down to just two commissioners and, since Friday, only one.
Those four incoming leaders — confirmed in a unanimous Senate vote last week, led by new chairman Joseph Simons — will have an opportunity and a mandate to improve how the FTC holds companies accountable when their customers’ data goes missing, gets leaked online or is otherwise misused.
Room at the top
The personnel shortage at the FTC starts at the top, where the departures of Obama-administration nominees went almost a year without being offset by nominations of new commissioners by the Trump administration.
By last February, the FTC was down to only two commissioners: acting chair Maureen K. Ohlhausen, a Republican nominee, and Terrell McSweeny, a Democratic nominee. And last month, McSweeny announced her own resignation, leaving just Ohlhausen–whom President Trump nominated in January to serve as a federal judge.
(The Senate confirmed five FTC nominees last week, leaving one to be sworn in to take Ohlhausen’s spot once she is confirmed.)
That is … not exactly the level of attention you might expect for America’s foremost and oldest privacy cop. The FTC was created in 1914 by Congress to protect customers by halting “unfair, deceptive or fraudulent” conduct by companies — from robocalls to data breaches — and to promote competition by enforcing antitrust laws.
It’s downright strange, given all the collective angst over privacy issues we’ve had throughout the last few years. And it’s even stranger in light of the Federal Communications Commission decision to scrap its net-neutrality rules and let the FTC take action if internet providers abuse their control over broadband connections.
More money, more people
The FTC has also been hurting for resources at lower levels.
“We’ve been level-funded for the last several years, which is essentially a cut,” McSweeny said in an interview Thursday in an office strewn with moving boxes.
For fiscal year 2018, the FTC is budgeted for $306 million, down from $313 million last year.
Saying “we do have fewer people working on enforcement generally,” McSweeny suggested that having more experts on staff might speed up FTC enforcement actions that can take years to complete.
For instance, the commission’s settlement with Lenovo for abusing customers’ privacy by preloading “Superfish” ad-displaying software on its laptops came a good three and a half years after that conduct began.
“It needs more resources and staff to be able to move quickly,” said Michelle De Mooy, director of the privacy and data project at the Center for Democracy & Technology.
“It’s fair to ask what kind of resources the commission has today,” said Berin Szóka, president of the libertarian policy group TechFreedom. He also suggested that the FTC focus its budget on bringing fewer but bigger cases.
Better accountability
The FTC’s frequent remedy when it finds that a company has engaged in “unfair or deceptive acts or practices” has been to negotiate a settlement in which the company commits to meet a higher standard of privacy protection, as verified by frequent audits by third parties hired by the offending firms.
Facebook finalized such a settlement in 2012 in which it pledged not to share user data beyond existing privacy settings without express permission and undergo regular third-party audits of its privacy protections.
But that deal did not stop the heist in 2015 of tens of millions of Facebook users’ data through a personality-quiz app posted to the social network by a researcher who later sold that data to the marketing firm Cambridge Analytica. And Facebook’s auditor PriceWaterhouseCoopers didn’t flag that abuse afterwards.
A recent white paper by Stanford Law School fellow and FTC lawyer Megan Gray suggested a variety of ways the FTC could better supervise these settlements. For instance, it could require that these assessments involve actually testing the privacy features involved — and the commission could oversee these assessments itself.
“Consent decrees should be transparent, should be more responsive to actual business practices, and should be rigorously enforced by the FTC,” said CDT’s De Mooy.
Congress has work too
The preceding steps all have one advantage in that they don’t require Congress — which has been loath to take action on a variety of privacy issues.
The easy and obvious first step for Congress would be to pass a law setting standards for disclosing data breaches.
McSweeny and De Mooy both want to make it easier for the FTC to fine offenders — right now, a company has to enter a settlement and then violate that before it risks owing money to the Feds. They’d also like to see Congress grant the FTC rulemaking authority, so it can set some standards instead of waiting for an abuse to occur.
The Facebook debacle has renewed debate in Washington about the desirability of passing all-around privacy law — during Facebook founder Mark Zuckerberg’s testimony last month, even some Republican members asked if the U.S. should have something like the European Union’s sweeping General Data Protection Regulation.
“There should be comprehensive data security and privacy legislation,” McSweeny said.
But will the same Congress that rushed to cancel pending FCC broadband-privacy rules last year do any such thing now? That’s a lot to imagine — even more so than the idea that the White House would leave the government’s chief privacy regulator essentially adrift for a year.
More from Rob:
Email Rob at [email protected]; follow him on Twitter at @robpegoraro.