May 15, 2019                                                                                      

The Honorable Janice D. Schakowsky, Chairwoman

Subcommittee on Consumer Protection and Commerce

Energy and Commerce Committee

U.S. House of Representatives

2125 Rayburn House Office Building
Washington, D.C. 20515

The Honorable Cathy McMorris Rodgers, Ranking Member

Subcommittee on Consumer Protection and Commerce

Energy and Commerce Committee

U.S. House of Representatives

2322A Rayburn House Office Building
Washington, D.C. 20515

RE: Hearing on “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security”

Dear Chairwoman Schakowsky & Ranking Member McMorris Rodgers:

We at the R Street Institute (“R Street”) commend you and the Subcommittee for holding this hearing on “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”[1] Given the ongoing debates over privacy, data security and competition policy, as well as the critical role of the Federal Trade Commission (“FTC” or “Commission”) in overseeing these areas, this hearing was both appropriate and timely.

R Street’s mission is to engage in policy research and outreach to promote free markets and limited, effective government. As part of that mission, R Street has researched and commented upon multiple policy issues related to Americans’ privacy and data security protections, and how the FTC goes about developing and enforcing those protections. This work includes comments filed last summer addressing general developments at the FTC[2] and specific issues relating to broadband,[3] remedies,[4] intellectual property[5] and artificial intelligence.[6] Recent comments provided to the National Telecommunications and Information Administration aptly summarized this work as it relates to consumer privacy and data security.[7] However, for the Subcommittee’s convenience, we would like to highlight the following points for specific consideration:

Three targeted reforms that could significantly improve the FTC’s work.

In evaluating the FTC’s approach to consumer privacy and data security, Congress should recognize the strengths and weaknesses of the current approach and try to identify opportunities for targeted reforms that could significantly improve the FTC’s work. Here are three suggestions for potential areas to reform:

  • Supplement the FTC’s work with additional resources.

The simplest and quickest way to improve the FTC’s work would be to provide it with additional resources during the appropriations process. The FTC currently has just 1,102 full-time employees, which is merely 63 percent of the staff it had in the late 1970s.[8] While Congress was rightfully concerned about administrative overreach by the FTC in the 1980s,[9] the fact remains that it currently has only 40 employees overseeing consumer privacy and data security.[10] Congress should recognize the increasing scope, complexity and importance of privacy and data security issues in the modern economy by allocating additional resources to enable the FTC to better oversee these areas.

  • Broaden the scope of the FTC’s work with expanded jurisdiction.

Another simple way to improve the FTC’s work on privacy and data security issues would be to expand its jurisdiction. Currently, the FTC has jurisdiction over every industry, company and person in the United States, except for those specifically excluded by Congress in Section 5(a)(2).[11] While some of those exclusions appropriately delineate responsibilities between agencies, others are outdated or even counterproductive. Notably, common carriers and certain non-profits are exempt from FTC jurisdiction despite collecting and processing personal data that may raise significant privacy and security concerns, often without adequate oversight from any regulatory agency. Repealing these exclusions would ensure that the FTC can oversee all areas where privacy and data security concerns may arise, thereby closing a legislative loophole and providing greater protections to all consumers. Chairman Simons himself recently endorsed this proposal,[12] and Congress should incorporate this suggestion into any potential FTC reform bill.

  • Strengthen the FTC’s work with clear but limited rulemaking authority.

Multiple commenters have criticized the FTC’s work on privacy and data security for relying too heavily on consent decrees, thereby failing to provide adequate guidance for industry or adequate redress for affected consumers.[13] While many of these criticisms could be addressed through internal process reforms,[14] Congress could and should take an active role here. Specifically, the FTC’s abuse of consent decrees and general inability to assess fines on violators arguably stem from the same root cause: The FTC has only limited rulemaking authority.[15] Of course, the FTC’s rulemaking authority was constrained for good reason, [16] and Congress should not seek to remake the FTC into the “national nanny” of the 1970s. However, a clear grant of rulemaking authority limited to privacy and data security issues would be prudent for at least three reasons. First, because the FTC can assess civil penalties for all “knowing violations of rules,”[17] having privacy and data security rules on the books would obviate the need for the FTC to have direct civil-penalty authority under Section 5. Second, with the ability to write rules, the FTC could provide better guidance for industry and rely less on consent decrees. And third, with an expanded grant of rulemaking authority, the FTC could pre-empt the inconsistent patchwork of state laws to provide a uniform framework for privacy and data security that not only affords equal protections to all consumers regardless of where they live, but also substantially reduces compliance costs for industry. Carefully calibrated, such a grant of rulemaking authority could dramatically improve the FTC’s work on privacy and data security matters.

Recognize that privacy, data security and competition issues are intertwined.

In addition to those three suggestions, we also offer one note of caution. When properly balanced, the relationship between privacy, data security and competition is symbiotic—strong consumer protections promote fair competition, which in turn promotes innovation and consumer welfare. But pushing too far in one direction may generate harms that far outweigh any benefits. For example, laws like the General Data Protection Regulation in Europe may offer stronger privacy and data security protections for consumers, but they may also impose costs on industry that ultimately drive up prices, reduce investment and slow innovation.[18] Similarly, prohibiting certain data-driven business models or practices may result in higher prices and fewer choices for consumers. Thus, when considering any potential changes to the current legal framework, Congress should recognize that privacy, data security and competition issues are intertwined. Protecting consumers in the era of big data will require a careful balance between them.

* * *

We again commend you for your efforts to protect consumer privacy and data security through proper oversight of the FTC. We look forward to working with you and the rest of the Subcommittee as you consider potential legislation in this area.

Sincerely,

Tom Struble, Technology and Innovation Policy Manager

R Street Institute

Jeff Westling, Technology and Innovation Policy Associate
R Street Institute

Charles Duan, Technology and Innovation Policy Director

R Street Institute

CC:

The Honorable Frank Pallone, Chairman
The Honorable Greg Walden, Ranking Member


[1] Hearing on ‘Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security’ Before the House Committee on Energy & Commerce, 116th Cong. (May 8, 2019), http://bit.ly/2JiSlv3.

[2] Tom Struble, “Comments of R Street Institute,” In re The State of Antitrust and Consumer Protection Law and Enforcement, and Their Development, Since the Pitofsky Hearings, No. FTC-2018-0048 (Aug. 14, 2018), http://bit.ly/2J33Fft.

[3] Tom Struble et al., “Comments of R Street Institute,” In re Competition and Consumer Protection Issues in Communication, Information, and Media Technology Networks, No. FTC-2018-0049 (Aug. 14, 2018), http://bit.ly/2J40HXX.

[4] Tom Struble, “Comments of R Street Institute,” In re The Commission’s Remedial Authority to Deter Unfair and Deceptive Conduct in Privacy and Data Security Matters, No. FTC-2018-0052 (Aug. 14, 2018), http://bit.ly/2J2uDDT.

[5] Charles Duan, “Comments of R Street Institute,” In re The Role of Intellectual Property and Competition Policy in Promoting Innovation, No. FTC-2018-0055 (Aug. 13, 2018), http://bit.ly/2J1Stj9.

[6] Caleb Watney, “Comments of R Street Institute,” In re The Consumer Welfare Implications Associated with the Use of Algorithmic Decision Tools, Artificial Intelligence, and Predictive Analytics, No. FTC-2018-0056 (Aug. 13, 2018),  http://bit.ly/2J3tiwN.

[7] Charles Duan et al., “Comments of R Street Institute,” In re Developing the Administration’s Approach to Consumer Privacy, No. 180821780-8780-01 (Nov. 9, 2018), http://bit.ly/2J4Mvy5.

[8] See Federal Trade Commission, “FTC Appropriation and Full-Time Equivalent (FTE) History” (last visited May 7, 2019), http://bit.ly/2JtqbgK.

[9] See, e.g., J. Howard Beales, Fed. Trade Comm’n, The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection (May 30, 2003), http://bit.ly/2JmYlCV (detailing how abuse of the FTC’s unfairness authority in the 1970s led to subsequent rebuke and censure from Congress).

[10] See, e.g., Harper Neidig, “FTC Says it Only has 40 Employees Overseeing Privacy and Data Security,” The Hill (Apr. 3, 2019), http://bit.ly/2Jo0qyu.

[11] 15 U.S.C. § 45(a)(2).

[12] See Joseph J. Simons, “Prepared Remarks of Chairman Joseph J. Simons,” Free State Foundation Speech at Eleventh Annual Telecom Policy Conference (Mar. 26, 2019), http://bit.ly/2J57il1.

[13] See, e.g., Justin (Gus) Hurwitz, “Data Security and the FTC’s UnCommon Law, 101 Iowa L. Rev. 955 (2016), http://bit.ly/2JbplX1; Joseph Jerome, “Can FTC Consent Orders Effectively Police Privacy?” Int’l Ass’n of Privacy Profs. (Nov. 27, 2018), http://bit.ly/2J8r3s2.

[14] See, e.g., Tom Struble, “Reforming the Federal Trade Commission Through Better Process,” R Street Policy Study No. 122 (Dec. 2017), http://bit.ly/2J6AyrO.

[15] See 15 U.S.C. § 57a.

[16] See, e.g., Beales, supra note 9.

[17] 15 U.S.C. § 45(m).

[18] See, e.g., Jian Jia et al., “The Short-Run Effects of GDPR on Technology Venture Investment,” NBER Working Paper Series (Nov. 2018), http://bit.ly/2J6LbLc; Natasha Lomas, “GDPR has Cut Ad Trackers in Europe but Helped Google, Study Suggests,” TechCrunch (Oct. 9, 2018), https://tcrn.ch/2JuBIg9.