From Inside Cybersecurity:

The R Street Institute says the Federal Trade Commission can take steps to protect consumer data but that a sweeping regulatory proposal exceeds the FTC’s authority and should be pulled back to await congressional action on data privacy and security.

“At the outset, we appreciate the FTC’s interest in this area. However, we believe the [FTC’s advance notice of proposed rulemaking] is premature and too expansive in scope. This is especially true since Congress is actively considering a comprehensive federal data privacy and security bill that would cover many of the same areas,” R Street said in comments submitted in October.

R Street pointed to the House Energy and Commerce-passed American Data Protection and Privacy Act and said, “We believe it is premature for the FTC to act without clear direction from Congress, especially while this legislation is pending a floor vote.”

The ADPPA cleared the Energy and Commerce Committee on a strong bipartisan vote but has not been scheduled for a House floor vote amid concerns from House Speaker Nancy Pelosi (D-CA) and members of the California delegation. Senate Commerce Chairwoman Maria Cantwell (D-WA) also opposes the bill and has not moved similar legislation through her committee.

R Street, a self-described “free market solutions” think tank, said, “There are also consequential policy questions that need to be decided, and the FTC’s authority to reach into multiple of the areas outlined should be clarified. There are nonetheless actions the FTC can take now in anticipation of this bill and under existing authority.”

Such steps could include “outlining a standard of reasonableness for data security, which also benefits consumers and national security. However, any action on data security should be constrained and not used as an attempt to get broader measures through,” according to R Street.

“Data security is one area where the FTC could provide greater clarity, as explained below. In addition, the FTC should be preparing for possible federal legislation and supporting Congress with technical advice during the drafting and debating stages,” R Street said. “While the exact details of that are not known, it is almost certain that the FTC will take on a greater enforcement role.”

“A helpful addition,” R Street said, “would be for the FTC to streamline its data security rules, rather than use a case-by-case approach that can lead to uncertainty on what is needed to comply. This would serve as a way to put the public and industry on notice for what acts are needed and are reasonable, which could result in broader security compliance, more efficient enforcement for violations and enhanced data protection overall.”

But R Street took aim at the scope and substance of the FTC proposal, saying, “We recognize that the ANPR is not yet a proposal of final rules, but its breadth belies claims that the purpose is inquisitive in nature. If the ANPR focused on a narrower set of questions, like those highlighted by Commissioner Alvaro Bedoya, it would be easier to see the exercise as developing a useful record of information and collective understanding that could inform either future FTC proceedings or Congress’s continued legislative plans.”

“Instead,” according to the group, “the ANPR’s relitigation of long-discussed data protection matters with normative merits that have been discussed in congressional proceedings (and many, many other places) for several years makes this appear not as an inquiry, but rather the FTC’s first procedural step to shape the future themselves, directly, without waiting on or deferring to Congress.”

It said, “Congress has deliberately included areas for FTC rulemaking and action in the ADPPA, but the ANPR goes beyond them and does so prematurely without a federal law. … In contrast to acting under Congress’s narrower view for the FTC, the ANPR sets forth 95 questions” on a wide variety of issues.

“The rules’ themes can even extend beyond this, since the ANPR states that it does not identify the full scope of potential approaches the FTC might undertake by a rule. If passed, final rules would impact many industries and multiple technologies—all without further congressional action. … [W]e believe this scope goes far beyond what Congress has authorized and is significantly beyond clarifying existing authorities,” R Street said.

It specifically quoted Supreme Court Justice Neil Gorsuch in the June West Virginia v. Environmental Protection Agency ruling as saying agencies are using “regulations as substitutes for laws.” Congressional Republicans have been citing that ruling in letters to agencies including the FTC and Securities and Exchange Commission demanding to know the statutory authority for rulemakings on issues including cyber.

The comments were written by resident senior fellow for cyber and emerging threats Brandon Pugh and resident senior fellow for internet governance Chris Riley.

The FTC recently extended the comment deadline on the ANPR until Nov. 21. The advance notice was approved in August and seeks “public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.”