Telecom Privacy Group: House Should End FCC Data Breach Authority
Congress should eliminate the FCC’s data breach notification authority and instead allow the FTC to regulate through a federal privacy law, a privacy-focused telecom association told House Commerce Committee members Wednesday (see 2404160034).
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The committee’s bipartisan American Privacy Rights Act would preempt the FCC’s privacy and data security authority in favor of FTC regulation, but it “stops short” of preempting the FCC’s data breach notification authority, testified Maureen Ohlhausen, a former FTC commissioner who now co-chairs the 21st Century Privacy Coalition. Members of the coalition are AT&T, Comcast, Cox Communications, CTIA, DirecTV, T-Mobile and USTelecom.
The FCC’s data breach order, adopted on a 3-2 vote in February (see 2402090035), shows the agency “lacks the expertise to impose requirements in this area, and that it is willing to overstep its authority and ignore Congress’s clear direction,” Ohlhausen testified. The agency’s data breach rules are “inconsistent with the requirements of other federal agencies, making the case yet more compelling that the FCC’s authority should be eliminated and replaced with a holistic approach to enforcing the bill’s privacy and data security requirements,” she said. The FCC didn’t comment.
It’s interesting Ohlhausen mentioned data breach regulation in the context of privacy legislation, given that AT&T recently announced a breach where 7.6 million customers and 65.4 million former account holders were affected, House Commerce Committee Chair Cathy McMorris Rodgers, R-Wash., said during Wednesday’s hearing, which the House Innovation Subcommittee hosted. “I’m sure that had nothing to do with one of those members recently being in the news.”
AT&T announced the breach in March, saying “data-specific fields were contained in a data set released on the dark web,” which contained personal information like social security numbers. Rodgers made her comments at the end of her questions and yielded back her time without allowing Ohlhausen to respond. The coalition didn’t comment Wednesday.
Members of the committee expressed optimism they can advance a federal privacy law. All six witnesses agreed this is “the best chance” Congress has had to pass a privacy law. This is a “unique moment in history” to make the internet a “force for good,” Rodgers said.
The bill remains a “work in progress,” but the committee is “making progress right now,” said House Innovation Subcommittee ranking member Jan Schakowsky, D-Ill. There will be hurdles in negotiations, but “I’m absolutely confident” in the group’s ability to move forward, she said.
The bill lacks some of the child protections included in the committee’s original bipartisan privacy bill, the American Data Privacy Protection Act, ranking member Frank Pallone, D-N.J., said. That includes the ADPPA’s ban on targeted advertising for children and privacy-by-design requirements for companies, said Pallone. He suggested establishing a youth privacy division at the FTC that will ensure resources are devoted to the issue.
The subcommittee considered two kids’ privacy proposals during the legislative hearing: the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and the Kids’ Online Safety Act (KOSA). More than 10 senators recently signed as co-sponsors of COPPA 2.0: Ed Markey, D-Mass., and Bill Cassidy, R-La., announced Thursday: Richard Blumenthal, D-Conn.; Laphonza Butler, D-Calif.; Shelley Moore Capito, R-W.Va.; Mike Crapo, R-Idaho; Angus King, I-Maine; Amy Klobuchar, D-Minn.; Ben Ray Lujan, D-N.M.; Joe Manchin, D-W.Va.; Gary Peters, D-Mich.; Brian Schatz, D-Hawaii; Peter Welch, D-Vt.; and Ron Wyden, D-Ore. “We must put an end to the pervasive online tracking and targeting of our young people,” Markey and Cassidy said in a statement.
Ohlhausen credited authors of the draft proposal on comprehensive privacy for granting the FTC civil penalty authority for first violations. She welcomed language giving the FTC limited Administrative Procedure Act rulemaking authority and jurisdiction over common carriers. The agency is “well-suited to draw on its experience and knowledge in the field to vigorously enforce the law, while still allowing consumers to enjoy the benefits of the many innovative products offered in today’s dynamic marketplace,” said Ohlhausen.
Rep. Diana Harshbarger, R-Tenn., suggested a dual regulatory regime for common carriers could harm innovation. Designating the FTC as the enforcer would provide a uniform standard, helping businesses and consumers, said Ohlhausen. A uniform regulatory framework for startups would promote innovation and give strong guidance on addressing third-party risk, National Technology Security Coalition board member Katherine Kuehn testified. David Brody, managing attorney for Lawyers’ Committee for Civil Rights Under Law, agreed the FTC should have “strong powers” regulating common carriers but said Congress shouldn’t “squander” the FCC’s telecommunications expertise, which the FTC lacks.