The FTC’s Role in Privacy

By: Nicole Kardell

Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C.  Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk:

• Even if out of ISP oversight, the FTC is actively engaged in data privacy enforcement through its consumer protection role.

Ohlhausen expressed disappointment that FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement of ISPs).[1]  But she said that the FTC is still active through holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.”  She noted that FTC enforcement actions derive not only from consumer complaints, but that the FTC is getting cases from computer researchers and marketplace competitors.

• FTC to present positive findings from its enforcement actions.

Ohlhausen and her staff are considering changing up what they present publicly on their investigation findings.  Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from what the FTC has found companies doing right.  The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.

• How FCC and FTC oversight of ISPs differs.

Ohlhausen noted that the FCC has ended up with a different approach to data security oversight.  For instances, they have taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible.  She expressed concern that, with the Open Internet Order, which revoked FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: The FCC could rescind its reclassification or Congress could rescind the FCC’s common carrier authority of broadband services.

• The Privacy Shield and the FTC’s role in working with Europe.

Ohlhausen noted that the current Administration seems committed to the Privacy Shield.  She believes that the Privacy Shield meets Europe’s needs and further that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement.  For instance, the FTC can provide guidance on how to inform EU consumers on the parameters of the Privacy Shield.  Moreover, the FTC will enforce Privacy Shield violations—based on deception for failure to comply. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.

• Chinese forays into privacy.

Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: where a communist country’s government controls so much, there still can be a real interest in privacy for the consumer.  She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.

• Privacy and overlap with other areas of law

When asked whether privacy laws, such as anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and Civil Rights Act.  She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen.  But we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace, and want to encourage innovation.

[1] A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was expressing hope that the FTC would get authority back over ISPs.