International Trade Today is a Warren News publication.
‘A Full Investigation’

Blumenthal Calls for FTC Probe of Google+ Security Flaw

Sen. Richard Blumenthal, D-Conn., told us Tuesday he would call for a full FTC investigation of Google’s recently disclosed Google+ privacy vulnerability (see 1810090056). He repeated that demand Wednesday during a Senate Commerce Committee hearing in which lawmakers discussed policy and FTC authority with privacy experts.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

There has to be a full investigation by the FTC,” Blumenthal told us. Asked about the agency’s ability to enforce privacy standards, he said that “if [tech companies] fail to take the FTC seriously, they do so at their peril -- because the FTC certainly takes them seriously. … There has to be additional steps that the FTC is authorized to take in the event there are violations of present or future law.”

Asked about Blumenthal’s request for an FTC probe while leaving the hearing, Sen. Amy Klobuchar, D-Minn.., told us: “The chairman of the FTC -- I want to talk to him about it, but I want to look at Sen. Blumenthal’s statement. I do think we need the FTC looking more into online issues.”

FTC Chairman Joe Simons in an emailed statement said that “when we see a significant breach that puts consumers’ private data at risk, you can be assured that we will be looking into it. We are committed to holding companies accountable if their practices violate the law.”

Federal privacy law won't be written by industry, said Chairman John Thune, R-S.D., calling the current debate an effort to “promote privacy without stifling innovation.” The Facebook-Cambridge Analytica breach (see 1808220030) and Google’s recent issue show federal privacy rules are needed, Thune said.

Sen. Brian Schatz, D-Hawaii, continued his call for the FTC to have greater rulemaking authority under any new privacy law. California’s privacy law lets the state attorney general issue new regulations related to the measure, in line with Schatz’s proposal. California privacy activist Alastair Mactaggart said the AG’s additional regulatory authority allows the flexibility to adapt: “You don’t want a bill stuck in time.” The Children's Online Privacy Protection Act, which gives the FTC some rulemaking authority, proved to be a flexible law, said Georgetown Law Center on Privacy & Technology Deputy Director Laura Moy.

EU regulators since Oct. 1 have opened some 270 general data protection regulation-related cases, EU chief data privacy regulator Andrea Jelinek said, adding that the complaints “mostly” concern consent issues. Data Protection Commission Ireland is probing the Google+ incident, Jelinek told the committee, but it’s unclear if it will be subject to the EU’s GDPR, which went into effect in May. Google’s vulnerability was reportedly discovered in March, and lawmakers have voiced concern about the delay in public notification. ​​​​​​​Jelinek described fines as a “last resort” under the GDPR. Fines will be levied “only after a thorough investigation of the facts and always on the basis of the specific circumstances of each case,” she said.

​​​​​​​Center for Democracy & Technology CEO Nuala O’Connor agreed with Schatz the FTC should have rulemaking authority under any new privacy law. The agency should have direct fining authority, she added, saying the FTC’s current reliance on consent decrees results in “a lot of time and water under the bridge.” Waiting to test the boundaries of harm isn't working, she said, arguing the new law should draw clears lines on what is a violation. Moy called for the FTC to levy “substantial” penalties. Google’s $22.5 million penalty related to a consent decree violation in 2012 (see 1208100031) was a nominal amount for the platform, she said.

Jelinek played down Google’s estimation that it spent “hundreds of years” of human time complying with the GDPR, as Chief Privacy Officer Keith Enright told the committee in September. With some 88,000 employees, 200 years of human time would mean about an average of 3.5 hours per employee, she said.

Privacy Notebook ​​​​​​​

Verizon Tuesday called for collaboration in developing national privacy framework. “The U.S.’s ability to strike the right policy balance on privacy will determine the trajectory of U.S. innovation for years to come,” Senior Vice President Kathy Grillo wrote. Like AT&T, Verizon is calling for a uniform set of privacy requirements for all industries that collect data. Rules should be enforced by the FTC, which should be able to provide “guidance” on statutory requirements so they don’t quickly become outdated, Grillo said. Verizon seeks both opt-in and opt-out consent from users for data collection and sharing. The FTC should be able to levy capped civil penalties, and state AGs should enforce federal law, the telco said.​​​​​​​