On August 11, 2022, the Federal Trade Commission issued an Advance Notice of Proposed Rulemaking (ANPRM) on commercial surveillance and data security. The notice kicks off what could be a lengthy process to develop one or more of what the FTC calls trade regulation rules. Public comments on this first phase of the rulemaking are due in mid-October.
The ANPRM does not contain any proposed regulatory language. This would come in a later Notice of Proposed Rulemaking. Instead, the ANPRM invites public comment on three broad themes: (a) the nature and prevalence of harmful commercial surveillance and lax data security practices, (b) the balance of costs and countervailing benefits of such practices to consumers and competition, as well as the costs and benefits of any given potential trade regulation rules, and (c) proposals to protect consumers from harmful and widespread commercial surveillance and lax data security practices.
Within this framework, the notice asks 95 numbered questions, some comprising several subparts. Many relate to privacy, which I leave to others to comment on. Six relate specifically to data security, defined in the notice as breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices. Among the issues raised:
- Should the new rules require companies to implement administrative, technical and physical data security measures, including encryption techniques, to protect against risks to the security, confidentiality or integrity of data covered?
- If so, how specific should these measures be?
- Do the data security requirements under COPPA or the GLBA Safeguards Rule provide constructive guidance for a more general trade regulation rule on data security across industries?
- To what extent, if at all, should the Commission require companies to certify that their data practices meet clear security standards? If so, who should set these standards, the FTC or a third-party entity?
In addition to these, the last two sets of ANPRM questions relate to remedies and obsolescence. They are formulated with specific reference to commercial surveillance, but they are equally applicable to data security. I hope commenters to the FTC will discuss what remedies should be available in cybersecurity cases (for example, whether an enforcement order may require cybersecurity measures that go beyond the specific practices required under a rule) and how a cybersecurity rule can stay up to date with rapid changes in threats and defenses.
Under Section 18(a)(1) of the Federal Trade Commission Act, 15 USC § 57a(a)(1), the Commission may prescribe “rules which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce.” As the notice indicates, the Commission faces two substantive limitations in adopting rules. First, it must have reason to believe that the unfair or deceptive acts or practices that are the subject of the proposed rule are prevalent. Second, the Commission cannot declare an act or practice unfair unless the act or practice (i) causes or is likely to cause substantial injury to consumers, (ii) which is not reasonably avoidable by consumers themselves, and (iii) which is not outweighed by countervailing benefits to consumers or competition.
For decades, the unique rulemaking procedures that Congress imposed on the FTC were presumed, inside and outside the Commission, to be so cumbersome as to be unusable. However, in 2020 Commissioner Rebecca Kelly Slaughter began arguing that the real obstacles to effective rulemaking came not from the statute but from self-imposed requirements. In July 2021, under its new chair, Lina Khan, the FTC voted to streamline its rulemaking procedures, essentially adopting Commissioner Slaughter’s vision. The May 11, 2022 confirmation of Alvaro Bedoya as the third Democratic FTC commissioner enabled the 3-2 vote to approve the ANPRM.
As the ANPRM notes, a trade regulation rule could provide much more clarity and predictability than the FTC’s case-by-case enforcement of cybersecurity. But it won’t be easy. Currently, the FTC’s data security cases consist of complaints with long lists of failings by the respondent company that the Commission alleges were unfair and deceptive, with no indication of the threshold that tipped the respondent’s practices into the realm of the unreasonable and therefore illegal, and orders with long lists of security measures that the respondent agrees to, without any finding by the agency that each practice is necessary to be reasonable and therefore legal. The FTC will face the same challenge in rulemaking: no matter how long the list of security measures a rule requires, the FTC could still argue that the absence of some other security measure not on the list renders an entity’s practices unreasonable and therefore illegal. Ultimately, any rule will have to include some sort of balancing test that allows the full set of circumstances to be considered on a case-by-case basis.
There is a huge caveat to the launch of this rulemaking process: the Supreme Court’s decision of June 30, 2022 in West Virginia v. EPA may have cast doubt on the FTC’s authority to issue privacy or data security rules. In the EPA case, the court said that, “in certain extraordinary cases,” regulators could not issue rules on “major questions” affecting “a significant portion of the American economy” without “clear congressional authorization.” In terms of data security, the FTC has such express authority for financial institutions under its jurisdiction and for online services collecting data about children, but it has none for the rest of the economy. So there will likely be, down the road, a Supreme Court ruling on whether the word “unfair” is enough to sustain this momentous undertaking. All of this could be resolved by a one-sentence amendment to the FTC Act, which would be a logical but unlikely alternative to the seemingly impending failure of the privacy bill now before the House of Representatives.