OCR of the Document

View the Document >>

Memorandum Of Chairman Frank Pallone To The Subcommittee On Consumer Protection And Commece, U.S. House Of Representatives Committee On Energy And Commerce, Regarding Hearing On “Oversight Of The Federal Trade Commission: Strengthening Protections For Americans’ Privacy And Data Security.” May 3, 2019. Unclassified.

MEMORANDUM May 3 2019 To Subcommittee on Consumer Protection and Commerce Members and Staff Fr Committee on Energy and Commerce Staff Re Hearing on “Oversight of the Federal Trade Commission Strengthening Protections for Americans’ Privacy and Data Security” On Wednesday May 8 2019 at 10 30 a m in the John D Dingell Room 2123 of the Rayburn House Office Building the Subcommittee on Consumer Protection and Commerce will hold a hearing entitled “Oversight of the Federal Trade Commission Strengthening Protections for Americans’ Privacy and Data Security ” I BACKGROUND The Federal Trade Commission FTC is an independent civil law enforcement agency with the dual mission of “ p rotecting consumers and competition by preventing anticompetitive deceptive and unfair business practices through law enforcement advocacy and education without unduly burdening legitimate business activity ” 1 The FTC carries out this mission through law enforcement advocacy data collection education and rulemaking 2 The FTC enforces a variety of antitrust and consumer protection laws affecting broad sectors of the economy 3 Its primary consumer protection mandate stems from Section 5 of the FTC Act which states that “unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful ” 4 The FTC has used the FTC Act to address concerns relating to privacy and data security deceptive claims in advertising and marketing protecting consumers in the financial marketplace robocall scams internet fraud and fraudulent schemes against veterans seniors and small businesses among other things 5 In addition to its general “unfair or deceptive acts or practices” authority under Section 5 of the FTC Act the FTC enforces a variety of more specific laws related to its consumer protection 1 Federal Trade Commission About the FTC www ftc gov about-ftc accessed Apr 22 2019 2 Federal Trade Commission A Brief Overview of the Federal Trade Commission’s Investigative and Law Enforcement Authority July 2008 www ftc gov about-ftc what-we-do enforcementauthority 3 Federal Trade Commission What the FTC Does www ftc gov news-events mediaresources what-ftc-does accessed Apr 22 2019 4 5 15 U S C § 45 See Federal Trade Commission Fiscal Year 2020 Congressional Budget Justification Mar 11 2019 mission including the Children’s Online Privacy Protection Act of 1998 COPPA 6 the Fair Credit Reporting Act FCRA 7 and the Gramm-Leach-Bliley Act GLB 8 In total its enforcement and administrative responsibilities derive from more than 70 laws 9 II LIMITATIONS ON FTC’S AUTHORITIES Unlike most other agencies the FTC’s general rulemaking authority is limited by the Magnuson-Moss Warranty-Federal Trade Commission Improvement Act which added steps to FTC’s rulemaking procedures including requirements that the FTC show “substantial evidence in the rulemaking record” that a practice is “prevalent” or “widespread” before it can be declared an unfair and deceptive act or practice 10 Since passage of that Act in 1975 the FTC has rarely issued regulations under its general rulemaking authority Instead the FTC has issued regulations when Congress has granted rulemaking authority under the Administrative Procedure Act for specific issues such as under COPPA or FCRA 11 The FTC also does not have authority to obtain civil penalties for initial violations for most unfair or deceptive acts or practices 12 For a first violation the FTC may generally only obtain injunctive relief and an order prohibiting the challenged conduct 13 Only after the FTC has obtained a final order can it pursue civil penalties for violations of the order 14 Congress limited the FTC’s jurisdiction to exclude certain types of companies including common carriers banks and air carriers 15 Also the FTC Act only applies to a corporation “organized to carry on business for its own profit or that of its members ” 16 This limitation has made it more difficult for the FTC to pursue non-profit organizations engaged in unfair or deceptive practices Recently Chairman Simons expressed his support for privacy and data security legislation that would provide the FTC with APA rulemaking authority civil penalty authority and jurisdiction over common carriers and non-profits 17 6 15 U S C § 6501 et seq 7 15 U S C § 1681 et seq 8 Public Law 106-10 1999 codified as amended in scattered sections of 12 and 15 U S C 9 Federal Trade Commission Statutes Enforced or Administered by the Commission www ftc gov enforcement statutes accessed Apr 22 2019 10 15 U S C § 57a b - c e 11 See e g Children’s Online Privacy Protection Rule 16 C F R Part 312 12 See Government Accountability Office Internet Privacy Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility Jan 2019 GAO-19-52 at 10 13 Id 14 15 U S C § 45 m 1 B 15 15 U S C § 45 a 2 16 15 U S C § 44 17 Letter from Hon Joseph J Simons Chairman Federal Trade Commission to Rep Frank Pallone Jr Chairman House Committee on Energy and Commerce Apr 1 2019 2 III FISCAL YEAR 2020 BUDGET REQUEST The FTC has requested $312 million for Fiscal Year 2020 which would be a $6 million increase from the $306 million enacted for FY 2019 18 The consumer protection and competition allocations in FY 2020 are $172 million and $140 million respectively The budget request assumes offsetting collections from Hart-Scott-Rodino Act pre-merger notification filing fees in the amount of $136 million and Do-Not-Call fees in the amount of $15 million The $6 million increase would be for agency critical investments in IT infrastructure increased costs related to the Consumer Sentinel Network an online database of consumer complaints available to law enforcement and expert witnesses required for complex litigation in the Bureau of Competition IV NOTABLE TOPICS SUBJECT TO OVERSIGHT A Facebook Cambridge Analytica In March 2018 the FTC announced an investigation into Facebook’s privacy practices 19 after Facebook disclosed that Cambridge Analytica a political consulting firm had improperly obtained access to the personal information of more than 87 million Facebook users 20 Facebook is already subject to a 2011 consent decree settling charges that Facebook had deceived consumers by failing to disclose when information its users designated as private was made public and by failing to inform users of how their personal information could be used by third-party applications 21 As a result Facebook could face significant civil penalties if the FTC determines that Facebook’s conduct violated the 2011 order News reports have described a series of other privacy and security failures at Facebook including a security breach in which attackers stole personal information of more than 50 million Facebook users 22 a security vulnerability that allowed third-party applications to view the private 18 See note 5 19 Federal Trade Commission Statement by the Acting Director of FTC’s Bureau of Consumer Protection Regarding Reported Concerns About Facebook’s Privacy Practices Mar 26 2018 press release 20 See Facebook Suspending Cambridge Analytica and SCL Group from Facebook Mar 16 2018 press release See also Memorandum from Democratic Staff to Democratic Members of the House Committee on Energy and Commerce Hearing on “Facebook Transparency and Use of Consumer Data” Apr 9 2018 21 Federal Trade Commission Facebook Settles FTC Charges That It Deceived Consumers by Failing to Keep Privacy Promises Nov 29 2011 press release 22 Facebook Security Breach Exposes Accounts of 50 Million Users New York Times Sept 28 2018 3 photos of up to 6 8 million Facebook users 23 and a secret sharing agreement with large tech companies like Netflix and Spotify that granted access to Facebook users’ private messages 24 B Data Security In April 2019 the FTC settled two data security matters with commercial website operators that failed to provide reasonably security over sensitive personal information 25 In both cases the FTC ordered the companies to establish a data security program and obtain biennial third-party assessments The orders included new provisions that added required elements of a data security program and required annual certifications of compliance from a corporate officer in charge of security 26 The FTC’s investigation of the Equifax data breach which the agency publicly disclosed in September 2017 remains ongoing 27 Although the details of that investigation remain nonpublic Equifax’s recent filings with the Securities and Exchange Commission indicate that the company expects the FTC to seek damages arising from the company’s security failures 28 C FTC’s Limited Resources and Lack of Technological Expertise The FTC recently reported that it has only 40 full-time staff devoted to privacy and data security far fewer than many foreign data protection authorities despite the larger population of the United States 29 For example the U K Information Commissioners’ Office has about 500 employees and the Irish Data Protection Commissioner has about 110 employees 30 The FTC has said it could hire 160 new full time employees with $50 million of additional funding which would allow the agency to substantially increase its monitoring and enforcement activities 31 Although privacy and security investigations often require significant technical expertise the agency only has five full-time employees classified as technologists 32 Chairman Simons unlike other recent administrations has not appointed a Chief Technologist Critics have raised concerns about the agency’s lack of 23 Facebook Exposed 6 8 Million Users’ Photos to Cap Off a Terrible 2018 Wired Dec 14 2018 www wired com story facebook-photo-api-bug-millions-users-exposed 24 As Facebook Raised a Privacy Wall It Carved an Opening for Tech Giants New York Times Dec 18 2018 25 Id 26 Id 27 The FTC Is Investigating the Equifax Breach Here’s Why That’s a Big Deal Washington Post Sept 14 2017 28 Equifax Says US Regulators Seek Damages Related to 2017 Breach Reuters Feb 22 2019 29 See note 17 30 Id 31 Id 32 Id 4 technology expertise particularly in light of the significant privacy and security matters currently before the Commission 33 D FTC’s Hearings on Competition and Consumer Protection in the 21st Century At the last oversight hearing during the 115th Congress Chairman Simons stated that the FTC intended to evaluate its practices in both competition and consumer protection through a series of hearings in 2018 and 2019 34 Since then the FTC has held more than 13 hearings on topics including privacy and data security artificial intelligence and big data but has not yet issued any statement about how these hearings will affect the agency’s actions going forward 35 V WITNESSES The following witnesses have been invited to testify Hon Joseph J Simons Chairman Federal Trade Commission Hon Noah Joshua Phillips Commissioner Federal Trade Commission Hon Rohit Chopra Commissioner Federal Trade Commission Hon Rebecca Kelly Slaughter Commissioner Federal Trade Commission Hon Christine S Wilson Commissioner Federal Trade Commission 33 Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites New York Times Dec 30 2018 34 House Committee on Energy and Commerce Hearing on Oversight of the Federal Trade Commission 115th Cong July 18 2018 35 Federal Trade Commission Hearings on Competition and Consumer Protection in the 21st Century www ftc gov policy hearings-competition-consumer-protection accessed Apr 25 2019 5