Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On May 14, Hogan Lovells’ partner Chris Wolf moderated a panel discussion at the Rayburn House Office Building presented by the Congressional Internet Caucus Advisory Committee entitled, “New Internet Privacy Legislation: What the White House, Federal Trade Commission and the European Commission Are Recommending.” Maneesha Mithal, Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, began the event with a brief presentation about the FTC’s recently released report, “Protecting Consumer Privacy in an Era of Rapid Change” (the “FTC Report”). Following Ms. Mithal’s remarks, Mr. Wolf led panelists in a discussion about the FTC Report; the White House’s privacy white paper entitled, “Consumer Data Privacy in a Networked World;” and the proposed EU Data Protection Regulation.
The panel was comprised of:
Justin Brookman, Director of the Center for Democracy & Technology’s Project on Consumer Privacy;
Steve DelBianco, Executive Director of NetChoice;
Rachel Thomas, Vice President of Government Affairs for the Direct Marketing Association (“DMA”); and
Peter Swire, Professor of Law at the Ohio State University Moritz College of Law.
Ms. Mithal explained that the FTC Report, released in March of this year, refines but does not change the principles set forth in the preliminary staff report released in December 2010. She noted that there are four “big picture” takeaways from the FTC Report:
Commission Report: It is a “commission report,” rather than a “staff report,” as it was adopted by a majority of the Commissioners, and as such, it carries more weight than a staff report.
Legislation: It calls on Congress to enact privacy and data security legislation, including baseline privacy legislation, data security and breach notification legislation, and legislation aimed at improving the transparency of the information practices of data brokers.
Best Practices: The Report does not prescribe “rules of the road” that the FTC will use as a template for enforcement actions. Rather, it merely sets forth recommended best practices.
Relation to White House’s Privacy White Paper: The FTC Report and the White House’s privacy white paper are “entirely complementary and consistent.” Ms. Mithal noted that the white paper focuses more on implementation, while the FTC Report focuses on providing guidance to industry.
Ms. Mithal also examined the specific principles set forth by the FTC Report. Notably, she highlighted the fact that the FTC Report demonstrates the FTC’s focus on information that can be “reasonably linked” to a specific consumer, computer, or other device, a deviation from the FTC’s former focus on “personally identifiable information” (“PII”). This shift is due to the fact that the traditional line between PII and non-PII is blurring, as it is becoming easier to re-identify non-PII data. This “reasonably linked” concept was seemingly the key to the recent FTC enforcement action against MySpace, which involved MySpace’s sharing of users’ “Friend IDs” – pieces of non-PII which were easily linked to PII – in a manner that was inconsistent with representations MySpace made in its privacy policy.
In response to questioning, Ms. Mithal stated that while the new best practices set forth in the FTC Report will not be the basis for an FTC enforcement action, a company that has otherwise committed a deceptive or unfair act or practice in violation of Section 5 of the FTC Act may be required to implement these best practices as part of the settlement with the FTC. Chris Wolf referenced the FTC’s enforcement action against MySpace, noting that the alleged violations of Section 5 seemed to be founded on the FTC Report’s concept of “reasonably linked.” But Ms. Mithal responded that the data at issue in the MySpace case was viewed by the FTC as an extension of PII, which is similar to a concept that the FTC previously set forth in its 2010 closing letter with Netflix.
Mr. DelBianco inquired whether companies that fail to have a privacy policy would be subject to FTC enforcement. Ms. Mithal stated that although not every failure to do so would be actionable under Section 5 of the FTC Act, if the failure rises to the level of a material omission, then that may be considered a deceptive practice for which the FTC may take action.
The panelists discussed many privacy issues related to the recent FTC, White House, and EU proposals, and among the highlights of the discussion were the following points:
In response to a question about what is privacy today and how does it differ from the past, Mr. Brookman stated that the scope of surveillance is much greater today, noting that tracking is prevalent and collection is the default.
With respect to a discussion about how to handle companies that refuse to abide by self-regulation standards, Ms. Thomas explained that the DMA self-regulation program allows the DMA to take action against both members and non-members, and she noted that any company (whether a member or not) that refuses to comply with the program’s self-regulatory code of conduct will be reported to the FTC for enforcement.
With respect to harmonization between the EU and US privacy regimes, most of the panelists felt that the US shouldn’t “chase” the EU, but rather – as Mr. DelBianco put it – the US should “sell our case” a little harder. Ms. Thomas agreed, stating that she feels our regime has achieved “adequacy.” Mr. Swire recalled the negotiations over the Safe Harbor framework, where the EU first took the approach that only EU law is acceptable, but softened its view over time as “reality set in,” suggesting that the EU may soften its view in other regards as well.
With respect to the EU Regulation’s “Right to Be Forgotten,” Mr. Brookman remarked that it could be implemented in a “bad way,” which would impose huge burdens on business, but stated that if implemented properly, it could be a positive.
Authored by HL Chronicle of Data Protection Team.