FTC to Face Questions Over How It Handled Years' Worth of Privacy Disasters

America’s top consumer watchdog will face questions from congressional lawmakers this week concerning a veritable laundry list of privacy-related incidents, including many that will be centered around Facebook’s own protracted series of failures.

The House Energy and Commerce Committee is holding its first oversight hearing for the Federal Trade Commission (FTC) in nine months, and the first since the Democrats won control of the House last fall. Privacy concerns, stemming from major security incidents over the past two years, including Facebook’s Cambridge Analytica incident and the commission’s ongoing investigation into the Equifax data breach, will largely dominate the conversation.

Additionally, Wednesday’s hearing will center around the long-voiced, bipartisan calls for comprehensive data security legislation; specifically, with an eye on expanding the FTC’s rulemaking authority when it comes to corporate negligence on privacy.

Agency officials will also face questions around their handling of the repeated privacy mishaps at Facebook. The FTC has been investigating the publicly embattled and yet ever-profitable social network for more than a year. The agency is reportedly poised to slap the company with a historic fine on the belief that it violated a settlement Facebook reached with the watchdog years ago.

In 2011, the commission ruled that Facebook had engaged in “unfair and deceptive” practices after it allowed advertisers to secretly glean personal information about its users. As part of a settlement, Facebook agreed to regular privacy audits and vowed to expressly inform its users when their personal data was being shared. The FTC’s five commissioners are said to be mostly in agreement that Facebook violated that settlement; namely, when Cambridge Analytica, a political consulting firm that worked for the Trump campaign, inappropriately acquired data on millions of Facebook users for the purpose of targeted political messages.

In April, Facebook disclosed that it expects to be fined anywhere between $3 billion and $5 billion.

On Saturday, the New York Times reported, citing multiple sources with knowledge of the matter, that the commission is more divided than it outwardly appears; not only on the dollar amount of the fine, but on whether Facebook’s chief executive, Mark Zuckerberg, should be held personally liable.

In addition to its rulemaking authority, Democrats are seeking to enhance the FTC’s enforcement power. At present, the commission can’t levy civil penalties on first-time violators of rules against unfair acts or practices.

After the ride-sharing company Uber suffered two data breaches—one in 2014 and one in 2016—and admitted to paying a hacker to keep the latter breach under wraps, the FTC re-negotiated a settlement that says Uber could be subject to penalties if it again fails to notify the FTC about any future breaches. The company must also submit to regular privacy audits.

The only fine Uber ultimately paid came in September as the result of an investigation carried out not by the federal government, but by a one-time confederation of state attorneys general. (The company settled for $148 million.)

Crafting new rules at the FTC requires its members to jump through an inordinate number of hoops. Unlike the Federal Communications Commission (FCC), whose streamlined procedures require only public notice, followed by a public-comment period prior to a vote, the 1975 Magnuson-Moss Act places numerous other bureaucratic hurdles on the FTC’s rulemaking path. The FTC’s official position has been, at least in years past, that any future data security legislation needs to simplify its rulemaking process, so as not to immediately hamstring the agency’s ability to enforce it.

The commissioners are also expected to be questioned over concerns about the agency’s lack of technological expertise. The FTC is oft-criticized for what some privacy hawks see as a complete failure to keep up with its European counterparts. Democrats on the Energy and Commerce Committee noted in a memorandum last week, for example, that the FTC only has 40 full-time staff devoted to privacy. This, compared to the 500 privacy staffers working for the U.K. Information Commissioner’s Office.

“Although privacy and security investigations often require significant technical expertise, the agency only has five full-time employees classified as technologists,” the Democrats said.

In a letter last month to the committee’s chair, Rep. Frank Pallone Jr., FTC Chairman Joseph Simons reportedly stated that it would cost approximately $50 million in additional funding to hire 160 new full-time employees. The agency has only requested a $6 million increase in its 2020 budget, most of which is allocated for IT advancements and expert witnesses.

“FTC needs more enforcement power, rulemaking authority, and resources to effectively safeguard Americans’ privacy and data security,” said Pallone in a joint statement with Commerce Subcommittee chair Jan Schakowsky. Wednesday’s hearing would serve as a “critical step” towards crafting comprehensive legislation, the pair asserted.

Congress must act, they concluded, “to ensure that FTC has the tools it needs to protect consumers.”

About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846
