Introduction
There is general consensus among members of the U.S. Congress, industry, civil society, and the public that the United States needs federal privacy legislation, but there is no consensus on how such legislation would be enforced and by whom.[1] While the seemingly constant barrage of consumer data breaches and pervasive tracking across the internet have numbed the public and led to a sense of “privacy nihilism,” two major scandals in 2017 and 2018 managed to grab the public’s attention and cause Congress to consider policy solutions. Credit bureau Equifax announced in September 2017 that it had exposed the personal information of 143 million (later revealed to be 147 million) people.[2] Then, in March 2018, journalists broke the story that Facebook’s data practices had enabled the harvesting of 50 million (later revealed to be 87 million) users’ personal data, which was sold to political analytics firm Cambridge Analytica.[3] Congress held a series of hearings on both incidents and introduced various privacy and data security bills, but ultimately did not pass legislation. The Federal Trade Commission (FTC), however, brought enforcement actions in response to both events and reached settlements with the companies.
The FTC worked with the Consumer Financial Protection Bureau (CFPB) and state attorneys general to reach a settlement with Equifax that created a fund offering affected consumers a cash payment of $125 or free credit monitoring.[4] However, the fund was capped at $300 million,[5] and high demand for cash payments led the FTC to encourage consumers to accept the free credit monitoring option instead.[6] If every affected person filed a claim, the payout would be only 21 cents each. Equifax then added a further hurdle: to obtain the cash award, claimants had to show that they already had credit monitoring services in place before the breach.[7] The demand for cash payments should have come as no surprise, given that the breach affected half the U.S. population and consumers were unlikely to trust the company that had breached their personal information to protect them from identity theft.
The FTC also reached consent orders with both Facebook and Cambridge Analytica, levying a record-breaking $5 billion fine against Facebook.[8] However, senators called the fine a “far cry from the type of monetary figure that would alter the incentives and behavior of Facebook and its peers.”[9] New America’s Open Technology Institute (OTI) commented that Facebook “was rewarded on the stock market for the settlement, the settlement imposed no meaningful restrictions on Facebook’s data collection and sharing practices, and structural changes require a tenacious overseer to ensure compliance or they may lead to nothing.”[10] Facebook was already under a consent order with the FTC when the Cambridge Analytica event occurred, and yet the third-party assessors responsible for monitoring compliance did not report it. The new consent order contained several changes to Facebook’s privacy practices, but the past failures of the FTC’s compliance system call its efficacy into question.
These two incidents helped Congress recognize that the privacy status quo is not working for consumers—but is it just because the United States lacks adequate privacy laws, or is the FTC also to blame? If Congress passes comprehensive privacy legislation, should the FTC be tasked with enforcing it? Or should Congress create a new agency?
OTI hosted an event and wrote a report in 2019 that explored different mechanisms of enforcement: a federal agency (whether the FTC or a new agency), state attorneys general and state legislation, and a private right of action empowering individuals to sue.[11] This report builds on that work to compare the relative merits of FTC enforcement versus enforcement by a new agency. Data privacy has become an issue of national economic, political, and social significance over the past few decades. The implementation of the European General Data Protection Regulation (GDPR) in 2018,[12] the California Consumer Privacy Act (CCPA) in 2020,[13] and the passage of the Virginia Consumer Data Protection Act in 2021[14] have heightened the political impetus to enact a comprehensive federal privacy law. Moreover, the California Privacy Rights Act (CPRA),[15] an extensive amendment to the CCPA, established a new agency—the California Privacy Protection Agency—to enforce the CCPA/CPRA rather than relying on attorney general enforcement.[16]
Discussions regarding enforcement of proposed federal privacy laws prior to late 2019 tended to focus on whether enforcement should be shared between the FTC and state attorneys general. A lengthy Congressional Research Service (CRS) report on data privacy laws from March 2019 addresses the possibility of creating a new agency to enforce federal privacy laws in only one footnote.[17] However, growing recognition of the weak enforcement of the GDPR in the first three years of its existence has heightened the importance of enforcement mechanisms in U.S. privacy legislation.[18]
This report explores whether comprehensive federal data privacy legislation should be enforced by the FTC or by a new agency created by Congress. This report uses the acronym “DPA” to refer to the general concept of a new agency to enforce federal privacy law in the United States. In Europe, this acronym refers to the Data Protection Authorities that enforce the GDPR—in this report, those will be referred to as European DPAs.[19] In the U.S. context, the acronym DPA covers the different agency titles—Data Privacy Agency, Digital Privacy Agency, Data Protection Agency, and Data Protection Authority—that appear in various bills and proposals. To avoid confusion, this report discusses particular DPA proposals in reference to their authorizing legislation.
A number of lawmakers, members of civil society, and privacy experts have called for the creation of a dedicated regulatory body to enforce federal privacy law. In 2019, Representatives Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) introduced the Online Privacy Act of 2019, which would create a DPA.[20] In 2020, senators introduced two additional federal privacy bills that would establish DPAs: Senator Sherrod Brown’s (D-OH) Data Accountability and Transparency Act[21] and Senator Kirsten Gillibrand’s (D-NY) Data Protection Act.[22] This report compares these three bills to one another and to FTC enforcement. We also draw comparisons between the DPA proposals and two relatively new federal agencies: the CFPB and the Privacy and Civil Liberties Oversight Board (PCLOB). This report does not cover proposals like the Digital Platform Agency proposed by former FCC Chairman Tom Wheeler[23] and Public Knowledge’s Harold Feld,[24] which are sector-specific agencies whose jurisdiction would extend well beyond privacy.
Comprehensive privacy legislation will only have a substantive effect on business practices if there is a federal agency with the will, ability, and resources to enforce the law rigorously. We do not conclude that a new agency or an enhanced FTC is inherently a better enforcement agency. Rather, we argue that Congress should assess the effectiveness of proposals for either type of enforcement model using key metrics: authority, independence, resistance to regulatory capture, effectiveness of enforcement, budget, and feasibility.
This report first explains the differences between proposals that empower the FTC and proposals that create a DPA to enforce privacy legislation. It then explains the similarities and differences between the DPAs proposed by the Eshoo-Lofgren, Gillibrand, and Brown bills. The final section of the report defines each metric, explains why it is important for Congress to consider, and evaluates how an empowered FTC and DPA would compare along the metrics.
Editorial disclosure: This report discusses policies of Facebook and Google, both of which are funders of work at New America but did not contribute funds directly to the research or writing of this piece. New America is guided by the principles of full transparency, independence, and accessibility in all its activities and partnerships. New America does not engage in research or educational activities directed or influenced in any way by financial supporters. View our full list of donors at www.newamerica.org/our-funding.
Citations
- [1] Sam Sabin, “States Are Moving on Privacy Bills. Over 4 in 5 Voters Want Congress to Prioritize Protection of Online Data,” Morning Consult, April 27, 2021.
- [2] “Equifax Announces Cybersecurity Incident Involving Consumer Information,” Equifax, September 7, 2017.
- [3] Carole Cadwalladr and Emma Graham-Harrison, “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach,” Guardian, March 17, 2018.
- [4] “Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach,” Federal Trade Commission, July 22, 2019.
- [5] Alfred Ng and Steven Musil, “Equifax data breach may affect nearly half the US population,” CNET, September 7, 2017.
- [6] Robert Schoshinski, “Equifax data breach: Pick free credit monitoring,” Federal Trade Commission, July 31, 2019.
- [7] Charlie Warzel, “Equifax Doesn’t Want You to Get Your $125. Here’s What You Can Do,” New York Times, September 16, 2019.
- [8] “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook,” Federal Trade Commission, July 24, 2019; “FTC Grants Final Approval to Settlement with Former Cambridge Analytica CEO, App Developer over Allegations they Deceived Consumers over Collection of Facebook Data,” Federal Trade Commission, December 18, 2019.
- [9] “Senators Markey, Blumenthal, and Hawley Demand Answers from FTC over Reported Facebook Settlement,” July 16, 2019.
- [10] “FTC Announces Historic, Yet Insufficient, Settlement with Facebook for Privacy Violations,” press release, Open Technology Institute, July 24, 2019.
- [11] Becky Chao, Eric Null, and Claire Park, “Enforcing a New Privacy Law: Who Should Hold Companies Accountable?,” Open Technology Institute, November 20, 2019.
- [12] “General Data Protection Regulation: GDPR,” Intersoft Consulting, June 3, 2017.
- [13] “California Consumer Privacy Act (CCPA),” Xavier Becerra: Attorney General, August 14, 2020.
- [14] Rebecca Klar, “Virginia governor signs comprehensive data privacy law,” The Hill, March 2, 2021.
- [15] “The California Privacy Rights Act of 2020,” IAPP, February 5, 2021.
- [16] “California Officials Announce California Privacy Protection Agency Board Appointments,” Office of Governor: Gavin Newsom, March 17, 2021.
- [17] “Data Protection Law: An Overview,” Congressional Research Service, March 25, 2019.
- [18] “GDPR: Three years in, and its future and success are still up in the air,” AccessNow, May 25, 2021.
- [19] “What are Data Protection Authorities (DPAs)?,” European Commission, June 22, 2018.
- [20] “H.R.4978 – Online Privacy Act of 2019,” Congress.gov, December 18, 2019.
- [21] “Data Accountability and Transparency Act of 2020,” United States Senate Committee on Banking, Housing, and Urban Affairs, June 18, 2020, www.banking.senate.gov/imo/media/doc/Brown%20-%20DATA%202020%20Discussion%20Draft.pdf
- [22] “S.3300 – Data Protection Act of 2020,” Congress.gov, February 13, 2020.
- [23] Tom Wheeler, Phil Verveer, and Gene Kimmelman, “New Digital Realities; New Oversight Solutions,” Shorenstein Center on Media, Politics and Public Policy, August 20, 2020.
- [24] Harold Feld, “The Case for the Digital Platform Act: Market Structure and Regulation of Digital Platforms,” Roosevelt Institute and Public Knowledge, May 8, 2019.