Continuing our series on the 2016 Spring Meeting, Ryan Graham, an associate in the Antitrust Group and former analyst with the FBI’s Cyber Division, summarizes the panelists’ thoughts on the FTC’s future focus as it relates to privacy and data security.
Privacy and data security lawyers would love to know what initiatives the Federal Trade Commission (FTC) will be spearheading in privacy and data security in the future. A recent panel discussion at the Spring Antitrust Meeting sponsored by the American Bar Association provided some predictive insight into this question. In the panel discussion entitled “The FTC and the New Frontier of Privacy,” the panelists were asked to discuss what role the FTC would take in technology and data security following its Section 5 authority win in Wyndham, which has been discussed in previous posts on this blog.
The panel highlighted three initiatives currently underway that will guide the FTC into the near future: (1) network-enabled devices (NEDs) and the internet of things (IOT); (2) big data and its implications in discrimination; and (3) international data transfer mechanisms. While none of these areas are necessarily shocking, they do indicate the emphasis the FTC will place on emerging technology in the near term.
Concerning NEDs, the FTC remains concerned about the expansion of the IOTs due to the boom in the market for NEDs. Many of the smaller start-up companies producing NEDs may not possess the resources necessary to effectively secure those devices. The FTC is also concerned that some NEDs do not include any Human Machine Interface (HMI), making it entirely plausible that a consumer could install a NED in the home and never be exposed to its privacy policy, even if such a policy were included in the packaging material. The FTC is considering methods to ensure that companies producing NEDs make consumers aware of their privacy policies, including by potentially mandating that NEDs connect to human interfacing devices on the network, such as a personal laptop, to display the privacy policy for acceptance by the consumer. Interestingly, a representative from Consumer Reports noted that her organization would soon be rating consumer products, such as NEDs, on the basis of privacy, perhaps indicating the increase in the relative value of privacy in the consumer marketplace. Interestingly, this increasing desire to value (and perhaps pay a premium for) privacy could impact consumers’ ability to maintain standing for data breaches, as we have discussed previously.
There was also a discussion regarding big data and discrimination. Specifically, the FTC has two primary concerns about big data. The first is that big data may be used to further discrimination. In the rise of big data analytics, companies may use factors located within their data to unfairly discriminate against people based on attributes that align with discriminatory intent. The second issue concerning big data was whether big data had the potential to be used to exclude companies from the market place. Two panelists agreed that generally, big data was a non-excludable good and could not be used to exclude a company from the marketplace. Facebook was used as an example to support this position, as it rose in prominence despite the market dominance of MySpace in the market for social media data. Of course, the ability to use big data to exclude might well depended on the nature of the data. If the data was highly particular or specialized, then it could theoretically enable a company to exclude other competitors from a market.
Finally, the panel touched upon the current state of the law and regulation for European data transfers. The panel noted that the old US-EU data transfer regime, known as Safe Harbor, had been struck down. The EU has proposed a new regime, known as Privacy Shield, and an Article 29 working group recently provided a non-binding assessment of Privacy Shield’s provisions, indicating that the Privacy Shield policy required some additional modifications. Europe is also overhauling its directive on privacy into a general regulation. This regulation will affect numerous US companies because it regulates both EU companies and companies “pointed at” EU citizens. Among other provisions, it will require data breach notifications within 72 hours and may impose fines up to 4 percent of company turnover (generally, calculated as sales / revenue). Although it will be two years until this regulation goes into effect, its introduction combined with the uncertainty in data transfers in the European market emphasize the necessity for US companies to keep one eye on European requirements in privacy and data security.
While these three initiatives do not capture every focus the FTC will have in the near-term, it does provide some indication of where the FTC sees the issues in privacy and data security heading. Companies should consider the implications of these initiatives, and recognize that the FTC has no intention of reducing or narrowing its regulation of data and privacy security any time in the near future. As always, we will keep our readers up to date on these developments as they come through to fruition. Until then, stay tuned.