On October 26, 2018, the Federal Trade Commission (FTC) announced that it will hold four days of hearings between December of 2018 and February of 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.[1] The two days of December hearings will focus on data security, while the two days of February hearings will focus on consumer privacy. This announcement comes as part of the agencies Hearings on Competition and Consumer Protection in the 21st Century, an initiative that has already scheduled hearings on closely related topics such as Big Data, Privacy, and Competition, and Algorithms, Artificial Intelligence (AI), and Predictive Analytics. The FTC will seek comments on the privacy and data security hearings through March 13, 2019.
These hearings serve as a signpost of a long-standing movement within the FTC to establish itself as the governing body over consumer data privacy and data security in the United States.[2] [3] This move however runs counter to the power that Congress has afforded it throughout the years. In particular, some of the most powerful enforcement tools for data breaches, such as the Computer Fraud and Abuse Act (CFAA) have been created outside of the FTC’s toolbox of enforcement. There are many reasons for this, including that acts like the CFAA include both criminal provisions and private causes of action, but it also speaks to a wider question of industry specific agency enforcement of data protection and privacy. As every industry and sector of American life becomes more digitally data-centric, the question of which government agency or agencies are best suited to ensure that sector-specific data is private and secure becomes more pressing.
As Congress considers following the European Union in increasing data privacy and security laws, it will have essential decisions to make regarding which agency is in charge of citizen data. Should this data be regulated by sector? Or should this data be regulated by a central agency? From the actions of the FTC, it is clear that the agency sees itself as a large part of the solution.
[1]https://www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-consumer-privacy-data-security-part-its?mkt_tok=eyJpIjoiTlRWalpqZzFOV0ptWVRobCIsInQiOiJFSTc1UkdqZ0YyUWpKZG1WK3Z3K0RjbHNhd3ZQXC9SemtGelkzeVp6bGZyaXpwSGVaUUEzUU96bUtIRlpWdThuWmhsbGdhNmszb1U0TDhaelVCRExuXC9ieDd6Zk9VUTdvT3lKemJYZzJwdnBmTnozSUNHd3F0OGxTQzJJY1VaaTU3In0%3D
[2] 83 FR 38307
[3] https://www.law360.com/articles/495364/ftc-head-wants-more-power-to-penalize-for-data-breaches