In 2019, more than 1,400 reported data breaches exposed more than 160 million records in the U.S., Federal Trade Commissioner Noah Phillips told the U.S. Senate Wednesday, and nearly every week, Americans learn of a major cyberattack, breach or data vulnerability.
“The loss, corruption and ransoming of (this) data can pose serious harm to people and businesses, including identity and intellectual property theft, exposure of sensitive data, years of expensive litigation, and so on. And of course, inadequate data security is a profound national security issue,” Phillips said in his testimony at a Committee on Commerce, Science and Transportation hearing. “Considering the harms Americans have in mind when they think about privacy, data security legislation is one of the best things we can do for privacy.”
In their testimonies, FTC commissioners described federal privacy and data protection legislation as a top priority and urged lawmakers to continue work to make it happen.
Commissioner Christine Wilson said the COVID-19 pandemic — which has driven data usage via contact tracing and health monitoring and moved entertainment, education and social interactions online for millions of Americans — illustrates that the need for a federal law is more urgent now than ever before.
“These initiatives have raised new and complex issues regarding consumer privacy and have laid bare both the lack of clear guidance for businesses and the absence of comprehensive privacy protections for consumers,” she said.
Wilson said federal privacy legislation will give businesses certainty around the collection, use and dissemination of data, as well as much-needed predictability “in the face of a growing patchwork of state and international privacy regimes.” For consumers, a federal law will bring clarity around how their data is collected, used and shared. It would also address what she called “growing gaps in the sectoral coverage of our existing privacy laws.”
“For example, the Health Insurance Portability and Accountability Act covers the privacy of sensitive health data collected by a doctor or pharmacists, but not by apps or wearables,” she said.
Commissioner Rebecca Kelly Slaughter said the pandemic presents potential consequences for children, and she hopes that serves as a final push toward a federal privacy law.
“The need for comprehensive data privacy legislation with meaningful limitations on the collection and use of data and prohibitions on discriminatory practices, dark patterns and data abuses has never been greater,” she said.
Today’s educational environment during COVID-19 involves shared devices, emerging technologies being used by children with very little vetting and oversight by adults, and an unprecedented collection of personal data for contact tracing and more, Slaughter continued. And so the FTC must work aggressively to use the Children’s Online Privacy Protection Act and Section 5 of the FTC Act that prohibits “unfair methods of competition” to hold companies accountable. But, she added, current law “provides very little protection in these circumstances, particularly for applications targeting teenagers or general audiences.”
Commissioners also testified on efforts to protect consumers against issues like fraud during the COVID-19 pandemic, as well as antitrust enforcement and the recent ruling by the Court of Justice of the European Union invalidating the EU-U.S. Privacy Shield agreement and upholding standard contractual clauses.
Sen. Marsha Blackburn, R-Tenn., asked commissioners if they have talked with colleagues in Europe “about the importance to both economies of allowing data flows to continue and if you have a sense of whether or when there might be a final or collective decision on allowing data transfers to continue while a successor framework is initiated?”
Simons said the FTC is working with “the Commerce Department and other parts of the administration” to understand and implement the ruling, as well as consider future decisions. Meanwhile, he said the FTC intends to uphold companies “to the promises they made under Privacy Shield.”
“I share the disappointment in this decision,” Phillips said on the dismantling of Privacy Shield. “I do not think it is fair to hold the U.S. to a standard that other countries cannot meet. We are going to do whatever we can to support the Commerce Department in its effort and to hold companies accountable to the promises that they make.”
Photo by Sarah MacClellan on Unsplash