On the keynote stage at the IAPP Global Privacy Summit 2022, U.S. Federal Trade Commission Chair Lina Khan highlighted an “interdisciplinary approach” to data privacy and security taken “through both a consumer protection and competition lens.”
“Given the intersecting ways in which the wide scale data collection and commercial surveillance practices can facilitate violations of both consumer protection and antitrust laws, we are keen to marshal our expertise in both areas to ensure we are grasping the full implications of particular business conduct and strategies," she said.
Meanwhile, speaking during a separate GPS session moderated by Future of Privacy Forum CEO Jules Polonetsky, CIPP/US, FTC Commissioner Noah Phillips disagreed, saying addressing privacy through competition is “wrong, wrong, wrong.”
“The theory is that privacy harms, privacy violations are a symptom of monopoly, that it is the big guys and market power that enables the bad things we see on privacy,” Phillips said. “It’s not that competition will never yield privacy, surely it sometimes does. But on average, over time we see big guys creating privacy problems, but we also see little guys. To take our focus off the little guys would be putting a lot of privacy harms aside.”
The shifting data privacy, security landscape
Khan, who was appointed FTC chair last June, used her first public address on privacy to discuss how the state of data privacy and security today has shifted "significantly," leading the FTC to consider "how we might need to update our approach further again." Khan pointed to the commission’s consideration of a rulemaking process to address commercial surveillance and data security practices, saying, “market-wide rules could help provide clear notice and render enforcement more impactful and efficient.”
She added a reassessment of current frameworks may be necessary, pointing to the current notice and consent paradigm which she said may be “outdated and insufficient” given “present market realities.”
“Going forward I believe we should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place,” she said. “The central role digital tools will only continue to play invites us to consider whether we want to live in a society where firms can condition access to critical technologies and opportunities on users having to surrender to commercial surveillance. Privacy legislation from Congress could also help usher in this type of new paradigm.”
With a proliferation of state laws “making it harder for businesses” and consumers, the amount of “complexity to privacy policy and privacy practice,” and increased consumer awareness, Phillips said the time has come for a national privacy law. He expressed concerns with an FTC rulemaking process around privacy, saying changes are better suited to be made by Congress.
“Rules do have consequences, there are unintended consequences as well, and the attitude that the more rules we make, the better society will be, I don’t think is right,” he said. “One of the big reasons is competition. One of the rules we may adopt may be bad for competition. Sometimes it’s worth it to offset competition to avoid some kind of harm.”
‘Effective remedies’
Khan said the FTC is focused on “designing effective remedies that are directly informed by the business incentives that various markets favor and reward. This includes pursuing remedies that fully cure the underlying harm, and where necessary, deprive lawbreakers of the fruits of their misconduct.”
The FTC is also seeking to evolve remedies “to reflect the latest best practices in security and privacy,” she said, citing a recent enforcement action against customized merchandise website CafePress.com that included a data minimization requirement, mandate to use multifactor authentication, direct notice to consumers with an admission of wrongdoing, and monetary relief. Khan said the action reflects “the latest thinking in secure credentialing.”
Recent enforcement actions, including action against WW International, are guided by what she called a focus “on adapting the commission’s authority to address and rectify unlawful data practices,” and an “interdisciplinary approach” that assesses data practices through a consumer protection and competition lens.
“We’re seeking to harness our scarce resources to maximize impact, particularly by focusing on firms whose business practices cause widespread harm. This means tackling conduct by dominant firms as well as intermediaries that may facilitate unlawful conduct on a massive scale,” she said. “We intend to hold accountable dominant middlemen for consumer harms that they facilitate through unlawful data practices.”
In the enforcement action against WW International, stemming from Children’s Online Privacy Protection Act violations, the FTC issued a $1.5 million fine and ordered the fitness and diet service provider to destroy algorithms or artificial intelligence models built using collected data.
The FTC's Phillips cautioned that further technological advances could pose an issue for such enforcement actions.
“As the world becomes more complex, as we use more data, train more AI and so forth, what constitutes the algorithm, what constitutes the ill-gotten gain can be hard to spot,” he said.
Building its enforcement team
Khan and Phillips agreed on the need for more staffing at the FTC. While Phillips said the agency could “do more with more,” Khan said it is working to grow its reliance on technologists, as well as lawyers, economists and investigators to lead enforcement work.
“We have already increased a number of technologists on our staff, drawing from a diverse set of skill sets including data scientists and engineers, user design experts and AI researchers with a plan to continue building up this team,” Khan said.
The FTC has been operating under a 2-2 party deadlock, while Founding Director of the Center on Privacy and Technology at Georgetown Law and privacy advocate Alvaro Bedoya is anticipated to be appointed soon. Phillips said Bedoya “will be a real asset to the FTC” and that he anticipates the commission’s ability to explore and discuss issues with an eye toward reaching consensus “will remain true.”
“I think what you will see is we are going to continue to be aggressive on data security practices and continue to push in a bipartisan way for data protection legislation,” he said.
