Shortly after receiving the IAPP’s 2014 Leadership Award at this year’s Global Privacy Summit, Federal Trade Commissioner Julie Brill sat down with DLA Piper Partner Jim Halpert for an intimate discussion about the agency’s priorities moving forward. Among the most pressing challenges for Brill and the agency are the effects emerging technology is having on the Fair Information Practice Principles paradigm, ensuring that organizations apply robust data security measures and assuaging international concerns about the data collection practices of U.S. government and business.
Speaking in front of a packed room of privacy professionals, Brill applauded their efforts. “You are all on the front lines,” she said, “and we’re in the same endeavor.”
Her candid, one-hour discussion provides a window into the efforts and concerns of the FTC.
Data Brokers and Transparency
All through her Reclaim Your Name project, Brill has been candid about her concerns with the data broker industry and its lack of transparency for consumers. During her Global Privacy Summit conversation, she explained some of her reasoning. Data brokers, she said, often share deeply sensitive data and are often not consumer-facing, which challenges the concepts of notice and choice. Consumers have no idea their data is being collected and shared among a complex network of businesses. “I think long notices are still important,” said Brill, “as with other things, but with data brokers, there’s no opportunity for that. The Internet of Things (IoT) has similar issues. Many devices will not have a consumer interface,” she said.
Sen. Jay Rockefeller’s (D-WV) staff report, the Government Accountability Office’s study and the work of a slew of investigative reporters all point to a network of data flows with consumer information that is often highly sensitive, she noted. Data brokers often know if a person is suffering from diseases like cancer or obesity or diabetes. Similarly, data brokers, in some cases, have been known to categorize consumers into “second city urban strugglers” or recent widows.
“Whatever these titles are,” she warned, “these are euphemisms for race and economic status, and that is deeply concerning.”
In addition to being tracked and categorized, consumers, for the most part, do not have a means to access and correct the data collected about them. For Brill, that’s where transparency should play a role. Consumers should have a right to interact with these organizations, particularly if decisions about eligibility are being made based on the data.
Industry has noted that consumer access to data broker profiles raises a host of security and authentication risks. Brill cited the work of Acxiom in providing consumers with a web portal, saying it was a “good first step,” but more should be done. And with security, Brill said she’s heartened to hear industry is concerned about security but noted the credit reporting industry has figured out how to provide consumers with access to highly sensitive credit reports.
“I don’t think it’s rocket science,” she said. “It’s a big issue, and it must be dealt with.”
De-identification and the Ethics of Privacy
Yet transparency, for Brill, is only part of a larger tapestry of solutions. The oft-cited, male, “silver-bullet” solution is not a realistic path to take, she said. Rather, “We need a Jungian female solution” that addresses challenges using multiple tools.
“We need to focus more on de-identification with respect to Big Data,” she said, and think about the best practices of de-identification. People like newly appointed FTC Technologist Latanya Sweeney have an important role to play here, and Brill said she looks forward to working with Sweeney more thoroughly. “We don’t have her for long,” she said, “but we’ll milk it.”
Along with de-identification best practices, companies should think about the ethics of what they’re doing. Brill said she’s also a supporter of algorithmists—professionals who embed ethical standards within algorithms—and Prof. Ryan Calo’s proposed consumer subject review boards.
“We also need legislation,” she said, “Some baseline to level the playing field.” The Health Insurance Portability and Accountability Act, for example, does not cover all health data, only covered entities. What about data generated from mobile health apps or other wearable devices?
“We need to move away from silos because of the way information is now flowing,” she said.
And the business community is starting to change its tune. Microsoft’s Brad Smith, for example, has recently opined on the importance of privacy, while a McKinsey & Company blog post recently said privacy is the third rail and if the business community doesn’t get this right, it won’t move forward.
The Risk-Based Approach and Regulating Use
With a movement in the European Union toward a risk-based approach, there was a lot of talk at the Summit as to whether that will be enough.
“It’s very important,” said Brill, and “necessary but not sufficient. It can’t replace some of the other things we need to do to protect privacy. The bottom line is that a focus on privacy as risk is good; I want businesses to be thinking about that.” The more that’s done, she said, the more the issue will migrate to the C-suite.
Though Brill said she supports a risk-based framework, it cannot replace notice and choice. “We need to get advertisers and lawyers into the space,” she said. “The lawyers can’t be the only ones making decisions on how to communicate with consumers.”
Who decides what harm is? For Brill, it should be everyone—from the algorithmist and consumer data review board member to the CEO and privacy pro. “Congress, the public, we all need to be in the what-is-harm discussion. I want us all to have a role in thinking about what is harmful to the uses we’re seeing.”
This is all “part of the tapestry we need to be reweaving in this country,” Brill said.
Data Security and Breach Notification
The recent Wyndham case has raised questions about the role the FTC should play in regulating business data security practices. Additionally, all but four U.S. states have a data breach notification law on the books, creating what some call a patchwork quilt and a corresponding encumbrance on businesses.
Brill said the FTC will “keep chugging away” at data security issues.
“I want to make this clear: We don’t play the gotcha game. We don’t look for perfect security,” she said. “Stuff happens, and we recognize there’s a nuclear arms race” in the cybersecurity world. She noted that, often, businesses with which the agency does have contact have good security. “And that’s what we’re looking for,” she said.
As more businesses move toward mobile and the IoT, security becomes an even greater challenge, meaning a greater challenge for privacy professionals as well.
Brill also said the agency has been unanimous in supporting breach notification legislation but warned that if the federal government were to preempt state laws and draft federal legislation, it must be robust enough to truly protect consumers. A good law, she said, hinges on the trigger point for notification. Additionally, if federal legislation is enacted, it should give enforcement powers to state attorneys general.
FTC Authority and Global Interoperability
Some have argued that the FTC should be granted greater enforcement authority to keep up with Big Data and IoT issues. Brill, however, said she thought Section 5 of the FTC Act has given the agency sufficient authority. Section 5, she said, was meant to be flexible as markets and technologies changed.
Criticisms in Europe about the Safe Harbor reached almost a fever pitch in 2013 after the Snowden revelations, but earlier this year, the FTC brought cases against 12 companies for violating the agreement. Brill said she’s a strong believer in Safe Harbor.
“I don’t want to take away a tool that I have to enforce and protect citizens,” she said.
Part of the problem, she said, is that the agency, in the past, has not received many complaints against companies violating the Safe Harbor. She also said she’s asked European data protection authorities to tell the FTC when they find violations. She also noted that European DPAs should clearly link to the Safe Harbor page on their websites and help educate EU citizens on it so they know where to go if they have a concern or problem with a company.
Brill said she backs improvements to the Safe Harbor but not a full renegotiation. She hinted that there are some “low-hanging fruit” to help ease European concerns. One solution Brill had for Safe Harbor? Get rid of alternative dispute resolution fees.
On the world stage, the FTC is proactively working with fellow privacy regulators around the world.
“We are working to try to have a better mutual understanding of what enforcement is,” she said. “Part of that dialogue is showing how much we do at the FTC.”
She noted that she is currently on the Executive Committee representing the International Conference of Data Protection and Privacy Commissioners. She also speaks with her European counterparts regularly.
“We do enforcement work really well,” she said, adding, “It may not be the same system as in the EU, but we do a good job as well.”