May 15, 2019

The Honorable Janice D. Schakowsky, Chairwoman
Subcommittee on Consumer Protection and Commerce
Energy and Commerce Committee
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, D.C. 20515

The Honorable Cathy McMorris Rodgers, Ranking Member
Subcommittee on Consumer Protection and Commerce
Energy and Commerce Committee
U.S. House of Representatives
2322A Rayburn House Office Building
Washington, D.C. 20515

RE: Hearing on “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security”

Dear Chairwoman Schakowsky & Ranking Member McMorris Rodgers:

We at the R Street Institute (“R Street”) commend you and the Subcommittee for holding this hearing on “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”[1] Given the ongoing debates over privacy, data security and competition policy, as well as the critical role of the Federal Trade Commission (“FTC” or “Commission”) in overseeing these areas, this hearing was both appropriate and timely.

R Street’s mission is to engage in policy research and outreach to promote free markets and limited, effective government. As part of that mission, R Street has researched and commented upon multiple policy issues related to Americans’ privacy and data security protections, and how the FTC goes about developing and enforcing those protections. This work includes comments filed last summer addressing general developments at the FTC[2] and specific issues relating to broadband,[3] remedies,[4] intellectual property[5] and artificial intelligence.[6] Recent comments provided to the National Telecommunications and Information Administration aptly summarized this work as it relates to consumer privacy and data security.[7] However, for the Subcommittee’s convenience, we would like to highlight the following points for specific consideration:

Three targeted reforms that could significantly improve the FTC’s work.

In evaluating the FTC’s approach to consumer privacy and data security, Congress should recognize the strengths and weaknesses of the current approach and try to identify opportunities for targeted reforms that could significantly improve the FTC’s work. Here are three suggestions for potential areas to reform:

The simplest and quickest way to improve the FTC’s work would be to provide it with additional resources during the appropriations process. The FTC currently has just 1,102 full-time employees, which is merely 63 percent of the staff it had in the late 1970s.[8] While Congress was rightfully concerned about administrative overreach by the FTC in the 1980s,[9] the fact remains that it currently has only 40 employees overseeing consumer privacy and data security.[10] Congress should recognize the increasing scope, complexity and importance of privacy and data security issues in the modern economy by allocating additional resources to enable the FTC to better oversee these areas.

Another simple way to improve the FTC’s work on privacy and data security issues would be to expand its jurisdiction. Currently, the FTC has jurisdiction over every industry, company and person in the United States, except for those specifically excluded by Congress in Section 5(a)(2).[11] While some of those exclusions appropriately delineate responsibilities between agencies, others are outdated or even counterproductive. Notably, common carriers and certain non-profits are exempt from FTC jurisdiction despite collecting and processing personal data that may raise significant privacy and security concerns, often without adequate oversight from any regulatory agency. Repealing these exclusions would ensure that the FTC can oversee all areas where privacy and data security concerns may arise, thereby closing a legislative loophole and providing greater protections to all consumers. Chairman Simons himself recently endorsed this proposal,[12] and Congress should incorporate this suggestion into any potential FTC reform bill.

Multiple commenters have criticized the FTC’s work on privacy and data security for relying too heavily on consent decrees, thereby failing to provide adequate guidance for industry or adequate redress for affected consumers.[13] While many of these criticisms could be addressed through internal process reforms,[14] Congress could and should take an active role here. Specifically, the FTC’s abuse of consent decrees and general inability to assess fines on violators arguably stem from the same root cause: The FTC has only limited rulemaking authority.[15] Of course, the FTC’s rulemaking authority was constrained for good reason,[16] and Congress should not seek to remake the FTC into the “national nanny” of the 1970s. However, a clear grant of rulemaking authority limited to privacy and data security issues would be prudent for at least three reasons. First, because the FTC can assess civil penalties for all “knowing violations of rules,”[17] having privacy and data security rules on the books would obviate the need for the FTC to have direct civil-penalty authority under Section 5. Second, with the ability to write rules, the FTC could provide better guidance for industry and rely less on consent decrees. And third, with an expanded grant of rulemaking authority, the FTC could pre-empt the inconsistent patchwork of state laws to provide a uniform framework for privacy and data security that not only affords equal protections to all consumers regardless of where they live, but also substantially reduces compliance costs for industry. Carefully calibrated, such a grant of rulemaking authority could dramatically improve the FTC’s work on privacy and data security matters.

Recognize that privacy, data security and competition issues are intertwined.

In addition to those three suggestions, we also offer one note of caution. When properly balanced, the relationship between privacy, data security and competition is symbiotic—strong consumer protections promote fair competition, which in turn promotes innovation and consumer welfare. But pushing too far in one direction may generate harms that far outweigh any benefits. For example, laws like the General Data Protection Regulation in Europe may offer stronger privacy and data security protections for consumers, but they may also impose costs on industry that ultimately drive up prices, reduce investment and slow innovation.[18] Similarly, prohibiting certain data-driven business models or practices may result in higher prices and fewer choices for consumers. Thus, when considering any potential changes to the current legal framework, Congress should recognize that privacy, data security and competition issues are intertwined. Protecting consumers in the era of big data will require a careful balance between them.

* * *

We again commend you for your efforts to protect consumer privacy and data security through proper oversight of the FTC. We look forward to working with you and the rest of the Subcommittee as you consider potential legislation in this area.

Sincerely,

Tom Struble, Technology and Innovation Policy Manager
R Street Institute

Jeff Westling, Technology and Innovation Policy Associate
R Street Institute

Charles Duan, Technology and Innovation Policy Director
R Street Institute

CC:

The Honorable Frank Pallone, Chairman
The Honorable Greg Walden, Ranking Member


[1] Hearing on ‘Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security’ Before the House Committee on Energy & Commerce, 116th Cong. (May 8, 2019), http://bit.ly/2JiSlv3.

[2] Tom Struble, “Comments of R Street Institute,” In re The State of Antitrust and Consumer Protection Law and Enforcement, and Their Development, Since the Pitofsky Hearings, No. FTC-2018-0048 (Aug. 14, 2018), http://bit.ly/2J33Fft.

[3] Tom Struble et al., “Comments of R Street Institute,” In re Competition and Consumer Protection Issues in Communication, Information, and Media Technology Networks, No. FTC-2018-0049 (Aug. 14, 2018), http://bit.ly/2J40HXX.

[4] Tom Struble, “Comments of R Street Institute,” In re The Commission’s Remedial Authority to Deter Unfair and Deceptive Conduct in Privacy and Data Security Matters, No. FTC-2018-0052 (Aug. 14, 2018), http://bit.ly/2J2uDDT.

[5] Charles Duan, “Comments of R Street Institute,” In re The Role of Intellectual Property and Competition Policy in Promoting Innovation, No. FTC-2018-0055 (Aug. 13, 2018), http://bit.ly/2J1Stj9.

[6] Caleb Watney, “Comments of R Street Institute,” In re The Consumer Welfare Implications Associated with the Use of Algorithmic Decision Tools, Artificial Intelligence, and Predictive Analytics, No. FTC-2018-0056 (Aug. 13, 2018), http://bit.ly/2J3tiwN.

[7] Charles Duan et al., “Comments of R Street Institute,” In re Developing the Administration’s Approach to Consumer Privacy, No. 180821780-8780-01 (Nov. 9, 2018), http://bit.ly/2J4Mvy5.

[8] See Federal Trade Commission, “FTC Appropriation and Full-Time Equivalent (FTE) History” (last visited May 7, 2019), http://bit.ly/2JtqbgK.

[9] See, e.g., J. Howard Beales, Fed. Trade Comm’n, The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection (May 30, 2003), http://bit.ly/2JmYlCV (detailing how abuse of the FTC’s unfairness authority in the 1970s led to subsequent rebuke and censure from Congress).

[10] See, e.g., Harper Neidig, “FTC Says it Only has 40 Employees Overseeing Privacy and Data Security,” The Hill (Apr. 3, 2019), http://bit.ly/2Jo0qyu.

[11] 15 U.S.C. § 45(a)(2).

[12] See Joseph J. Simons, “Prepared Remarks of Chairman Joseph J. Simons,” Free State Foundation Speech at Eleventh Annual Telecom Policy Conference (Mar. 26, 2019), http://bit.ly/2J57il1.

[13] See, e.g., Justin (Gus) Hurwitz, “Data Security and the FTC’s UnCommon Law,” 101 Iowa L. Rev. 955 (2016), http://bit.ly/2JbplX1; Joseph Jerome, “Can FTC Consent Orders Effectively Police Privacy?” Int’l Ass’n of Privacy Profs. (Nov. 27, 2018), http://bit.ly/2J8r3s2.

[14] See, e.g., Tom Struble, “Reforming the Federal Trade Commission Through Better Process,” R Street Policy Study No. 122 (Dec. 2017), http://bit.ly/2J6AyrO.

[15] See 15 U.S.C. § 57a.

[16] See, e.g., Beales, supra note 9.

[17] 15 U.S.C. § 45(m).

[18] See, e.g., Jian Jia et al., “The Short-Run Effects of GDPR on Technology Venture Investment,” NBER Working Paper Series (Nov. 2018), http://bit.ly/2J6LbLc; Natasha Lomas, “GDPR has Cut Ad Trackers in Europe but Helped Google, Study Suggests,” TechCrunch (Oct. 9, 2018), https://tcrn.ch/2JuBIg9.
