The United States confronts a crisis. Digital giants invade our private lives, spy on our families, and gather our most intimate facts, on a mass scale, for profit. The FTC has failed to protect consumers. The system is broken. A Data Protection Agency is needed now.
The United States is one of the few democracies in the world that does not have a federal data protection agency, even though the original proposal for such an institution emerged from the U.S. in the 1970s. The United States was once a global leader on privacy. The Fair Credit Reporting Act, passed in 1970, was viewed at the time as the first modern privacy law—a response to the growing automation of personal data in the United States.
But today, Europe has surpassed the United States in protecting consumer data. The General Data Protection Regulation, which took effect last year, strengthens the fundamental rights of individuals and puts consumers back in control of their personal data. It gives European data subjects rights to breach notification (within 72 hours of breach), right to access (whether or not personal data concerning them is being processed, where and for what purpose), right to be forgotten (to have the data controller erase his/her personal data, and data portability (the right for a data subject to receive the personal data concerning them and to transmit that data to another controller). American data subjects have none of these rights. American companies will be required to provide these protections to Europeans but not to Americans, creating a digital lower class. U.S. companies are leaders in technology, and the U.S. government should be a leader in technology policy.
There is an urgent need for leadership from the United States on data protection. Virtually every other advanced economy has recognized the need for an independent agency to address the challenges of the digital age. Current law and regulatory oversight in the United States is woefully inadequate to meet the challenges. The Federal Trade Commission is fundamentally not a data security agency. The FTC only has authority to bring enforcement actions against unfair and deceptive practices in the marketplace, and it lacks the ability to create prospective rules for data security. The Consumer Financial Protection Bureau similarly lacks data protection authority and only has jurisdiction over financial institutions. Neither of these agencies possess the resources needed to address data security.
As the data breach epidemic reaches unprecedented levels, the need for an effective, independent data protection agency has never been greater. An independent agency can more effectively utilize its resources to police the current widespread exploitation of consumers’ personal information. An independent agency would also be staffed with personnel who possess the requisite expertise to regulate the field of data security.
Our current privacy laws are woefully out of date and fail to provide the necessary protections for our modern age. We also now face threats from foreign adversaries that target the personal data stored in U.S. companies and U.S. government agencies. The U.S. urgently needs a Data Protection Agency. Because data can't protect itself.
Why does the U.S. Need a Data Protection Agency?
- The U.S. is the only OECD country without a Data Protection Agency.
- The FTC has failed to enforce its own orders.
- The FTC failed to enforce the consent order against Google even after the FTC chair warned that Google’s consolidation of Internet services would be bad for consumers
- The FTC failed to enforce the consent order against Facebook even after repeated violations, including the transfer of user data to Cambridge Analytica, were widely known
- The transfer of 87 million user records to Cambridge Analytica could have been avoided if the FTC had enforced its Consent Order with Facebook.
- The FTC has failed to block mergers that stifled competition and innovation.
- The FTC approved Google’s acquisition of DoubleClick
- The FTC approved Google’s acquisition of Nest
- The FTC approved Facebook’s acquisition of WhatsApp and Instagram
- The FTC has failed to impose fines even when it could. For example, Uber was found twice in violation of a consent order and the FTC imposed no fines.
- In contrast, EU antitrust authorities fined Facebook $122 million for making false representations, and German competition authorities recently cited privacy concerns to block Facebook’s integration of WhatsApp and Instagram user data.
- The Federal Communications Commission (FCC) has also used its fining authority to impose substantial fines on telecommunications companies that violate user privacy. In 2015, the FCC fined AT&T $25m for a data breach. In 2014, the FCC fined Verizon $7.4m to settle a privacy case.
- The FTC has failed to act on dozens of detailed consumer privacy complaints alleging unfair practices concerning data collection, marketing to children, cross-device tracking, consumer profiling, user tracking, discriminatory business practices, and data disclosure to third-parties.
- Over the last decade, because of the FTC’s failure to act, the problem has grown dramatically from cookie tracking to ubiquitous, cross-device mass surveillance of individuals and communities.
The United States needs a new approach. While the FTC helps to safeguard consumers and promote competition, it is not a data protection agency.
The US needs a federal data protection agency focused on privacy protection, compliance with data protection obligations, and emerging privacy challenges.
Federal law must establish a data protection agency with resources, rulemaking authority and effective enforcement powers.
What Would a Data Protection Agency Do?
- Assess current threats to data protection in the U.S.
- Promulgate rules to protect the privacy and security of individuals’ personal information
- Ensure that privacy practices and processing are fair, non-discriminatory, and comply with Fair Information Practices.
- Oversee the use of algorithms to ensure fairness, accountability, and transparency.
- Ensure fair contract terms in the market, including the prohibition of “pay-for-privacy provisions” and “take-it-or leave it” terms of service.
- Promote privacy innovation, such as Privacy Enhancing Techniques (PETs) that minimize or eliminate the collection of personal data.
- Take complaints and provide information to the public on data protection matters.
- Make annual reports to the public and Congress on the state of privacy in the United States and issue other reports as appropriate.
- Convene public workshops and conferences, conduct polls and research, meet with stakeholders, and pursue other activities to obtain public input on data protection issues.
- Enforce privacy statutes and rules as authorized by Congress, with a broad range of tools including civil penalties, injunctive relief, and equitable remedies.
- EPIC: Facebook 2011 FTC Consent Order
- EPIC: Enforce the Order
- Privacy and Digital Rights for All: A Framework for Comprehensive Privacy Protection and Digital Rights in the United States
- CNIL (France), Data Protection Around the World (interactive map showing which countries have DPAs)
- International Conference of Data Protection & Privacy Commissioners
- International Conference of Data Protection & Privacy Commissioners: Links to DPA Annual Reports
- EPIC Statement, Hearing on "Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security," House Committee on Energy and Commerce (May 6, 2019)
- Letter from Chairman Joseph Simons to Chairman Frank Pallone, House Committee on Energy and Commerce (Apr. 1, 2019)
- Marc Rotenberg, After Latest Facebook Fiasco, Focus Falls on Federal Commission, Techonomy (December 21, 2018)
- EU Observer, Are EU data watchdogs staffed for GDPR? (May 22, 2018)
- EPIC Statement, Hearing on "Facebook: Transparency and Use of Consumer Data," House Committee on Energy and Commerce (Apr. 10, 2018)
- Marc Rotenberg, The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11, SSRN (Sept. 2006).
- Marc Rotenberg, In support of a data protection board in the United States, Gov’t Information Quarterly (1991).