By David A. Hoffman – Associate General Counsel and Global Privacy Officer
It’s been one year since the General Data Protection Regulation (GDPR), the European Union’s regulation that attempts to direct how companies handle people’s personal data, went into effect. To mark this anniversary, Intel has published the third draft of our recommendation for a comprehensive U.S. federal privacy law. This draft has been fully vetted by all constituencies and is now ready to have Congress introduce it and enact it into law.
The one-year anniversary of GDPR provides clear guidance for what the United States should and should not do to address the public’s concerns about data privacy. Intel’s proposal is not a copy of GDPR, but it does share GDPR’s goal of strong enforcement. The Intel draft is a law tailored for the U.S.’s unique history and ethos of entrepreneurship and innovation, but it does learn from some of the main lessons from GDPR. We hope in turn that European regulators will learn from the Intel draft, as they look to further implement and hone GDPR.
One of the goals of GDPR was to create robust, harmonized and predictable enforcement in the EU. Given the amount of time necessary for privacy investigations, we are just now beginning to see GDPR enforcement actions from the member state regulatory authorities. However, early indications point towards more cooperation between EU member states to investigate alleged abuses and a ramping up of enforcement resources. This evolution in the EU raises the question of whether the U.S. will also prioritize privacy enforcement.
In the U.S., the Federal Trade Commission (FTC) has jurisdiction over privacy and consumer protection for many, but not all, industry sectors. The FTC’s resources have always been stretched thin given the huge job it has of protecting consumers, and now the growth of the data economy has pushed the FTC to do even more with the same or fewer resources. As almost every company in virtually all sectors of the economy collects, stores, shares or uses personal data, without substantial changes and additional resources, the FTC won’t be able to implement the robust privacy enforcement powers necessary to protect personal data. The U.S. needs comprehensive federal privacy legislation to empower the FTC and state attorneys general to act.
Despite these resource pressures, the FTC has admirably addressed consumer privacy concerns within its current authority and limited resources. In fact, in 2012, the FTC released a report predicting many of the privacy challenges that lay ahead. The Commission sent out a request for industry to make privacy the “default setting” and to provide individuals with control over their personal data “through simplified choices and increased transparency.” Unfortunately, the record of the past decade shows that significant portions of industry, most notably data brokers that buy and sell individuals’ personal data without consent, are unwilling to put in place effective self-regulation.
Today, the FTC lacks sufficient authority to regulate those who would like to profit by putting people’s privacy at risk. The scope of the FTC’s authority does not reach many of today’s data-driven business practices. Its enforcement program doesn’t have the teeth necessary to incentivize ethical data practices or deter bad actors from exploiting the opaque ways personal data is processed today. This must be remedied, as the FTC should have the capability to engage in narrowly tailored rulemaking, and it should have jurisdiction to investigate and regulate the different industry sectors that increasingly compete with each other on the use of personal data. Additionally, Congress should grant the FTC authority to seek civil penalties for violations of provisions included in a federal privacy law.
In order to support these additional responsibilities, the Commission will require more resources. The FTC’s research capacity, knowledge of technology and number of staff are inadequate, making it impossible for the agency to fully protect individuals. As technology has evolved, so has the complexity of the FTC’s investigations and cases, while its resources have not kept pace. The demands for privacy enforcement continue to grow, yet the Division of Privacy and Identity Protection (DPIP) within the FTC’s Bureau of Consumer Protection has fewer than 50 staff. That number should be increased by at least 500 people in order to adequately protect Americans from predatory data practices. A federal privacy law should also give concurrent jurisdiction to state attorneys general, so that they can enforce the law when the FTC cannot or will not.
The United States is experiencing a privacy crisis, and the current environment is allowing bad actors to erode the trust individuals should have in technology. State legislators have made well-intentioned efforts to solve this crisis, but the enactment of a patchwork of differing state laws threatens to impede the development of emerging technology and U.S. innovation.
The U.S. needs comprehensive federal privacy legislation to address these challenges, and Congress should introduce and pass Intel’s proposal immediately. We need a strong privacy law and a strong privacy regulator. It is past time for both.