In her first keynote speech since leaving the FTC, former commissioner Julie Brill, speaking at the inaugural meeting of the IAPP Privacy Law Bar Section, hinted at where she sees the agency going in its future as a privacy regulator.
“As practitioners in this area, it’s going to be our job to look around the corner to anticipate upcoming challenges” and to be “vigilant leaders in what will be a constantly changing field,” she said.
Noting that states have passed their own legislation on privacy and that EU and member state DPAs have exerted consistent influence, Brill said the FTC’s broad authority under Section 5 will be an “increasingly important force.” That’s in part because an increasing amount of technology escapes the purview of existing law. Take health information, for example. While HIPAA is a crucial source of privacy protection, increasingly popular wearable devices – Fitbits, the Apple Watch, and others – are not covered by the law. They just didn’t exist when the law was made. And in a case like that, with information that’s “just as sensitive as what our physicians collect,” the FTC’s authority can step in and provide “an important source of protection for data flows outside of the HIPAA context.”
“I expect the FTC to rely upon its unique authority and broad jurisdiction to find ways to take action when consumers’ sensitive data is lost or misused,” Brill said, adding that the speed with which the agency has exerted its authority so far sends a pretty clear message to companies, both brick-and-mortar and online tech, that no one gets a free pass from the FTC.
That doesn’t mean every company is going to face an enforcement action from the FTC at its first misstep. But that’s what warning letters are for, Brill said, noting the agency sent 12 letters to app makers using technologies that allegedly may allow third parties to monitor consumers’ TV viewing habits.
The FTC recently stated it will be taking a closer look at smart TVs in the coming year.
Brill also said something that may have made ears perk up for anyone complying with PCI DSS, though a quick email check may have meant you missed it. As reported by The Privacy Advisor earlier this year on the Wyndham case, there’s been some issue with the requirement that PCI DSS audits be done by an “independent” auditor. It’s often true, some say, that there’s strategy behind deciding which kind of auditor to pick, and there are even some dotted-line connections that aren’t always obvious to the naked eye but which may in some way influence an auditor to greenlight the company it’s assessing.
Brill said the “PCI-plus” agreement the FTC came to with Wyndham is indicative of what can be expected of future cases in the next couple of years, in that the FTC has authority under Section 6(b) of the FTC Act to conduct “wide-ranging economic studies that do not have a specific law enforcement purpose.” Under that authority, Brill said, it’s possible the FTC will focus on “a firm’s independence examining procedures and interactions with clients. Given the role PCI DSS assessments play in Wyndham and in other security orders ... This focus makes sense,” she said.
Finally, asked what kind of cases the FTC might bring to show there’s been a harm and whether it might pursue cases in which the definition of harm is expanded to include things like emotional harm, Brill said the agency is really already starting to do that and she expects that will continue.
She mentioned the Aaron’s case, which the FTC settled in the end and which was based on the idea that consumers suffered because Aaron’s placement of webcams in rent-to-own computers and the photos captured as a result were a violation of their expectation of privacy in their own homes.
Brill delivered the speech at the offices of event-host Hogan Lovells, where she’s just spent her first week on the job in private practice.