America's Potemkin Privacy and the Role of the Federal Trade Commission
Anthony M. Salas - The University of Arizona James E. Rogers College of Law (Class of 19’)
-- In the digital era, it cannot be overstated how vital the internet is to social, economic, and political functions. In a matter of 30 years, developed nations across the globe have gone from seeing the internet as a novelty with research potential, to utilizing it every day as an economic driver, a news source, a communications hub and a medium for social interaction. Families have gone from accessing the internet in public spaces and workplaces, to housing an army of data-connected devices in their home. From smart TV’s to personal computers, tablets to smart phones, the list of technology connected to the “internet-of-things” has never been larger.
And with this new technology has come new ways of monetizing the public’s internet interactions and digitizing their most sensitive information. The data market is alive and well in 2020, and in the specter of Covid-19, companies are poised to harvest and utilize more of your personal data than ever.
My recent paper “Data Breaches and Potemkin Privacy: How FTC Regulation Can Restore Authority and Agency to Online Users and Destroy the Data Oligarchy," published in The University of Arizona Law Journal of Emerging Technologies (June 2020), is perhaps even more relevant today than it was at the time of its original completion in 2019. In it, I argue that Federal Trade Commission regulation of the data market is the only reasonable solution to 6 distinct problems:
Lack of user autonomy and notice as to how and when data is harvested, used and sold.
Negligent data security practices by private companies that store, trade and sell data (leaving themselves and their customers open to devastating breaches).
Lack of uniform federal protocols to guide companies in developing better data security practices.
Lack of corporate incentive to change data management and sales practices (because the costs of data breaches affect users and corporations differently).
Lack of potential legislative solutions (outside of FTC regulation), as there remains partisan and philosophical gridlock within both political parties in the United States on the issue of online privacy. These divisions are further exacerbated by the gulf of interests/power between Silicon Valley and privacy advocates.
Failure of contract and tort claims to catalyze change and compensate data breach victims.
My paper assesses the startling inefficiencies of our present data security regime. I outline how the present system has failed to regulate the data market and assign liability to corporations that negligently handle, misuse and traffic our data. I review how the contract, tort and privacy law frameworks have failed to create a meaningful recognized interest in personally identifiable information. I also brief several high-profile data breaches as case studies to explore the motives that drive them.
The failure of policy-makers to create new systems that protect the consumer against negligent data practices is a function of both lack of interest and lack of technical expertise. While most legislative efforts and public debate in the United States has focused on data breaches in the context of foreign actors and election interference; the more insidious and persistent issue remains the lack of corporate accountability for data that they harvest, compile, resell and lose.
I argue that regulation by the Federal Trade Commission, under the auspices of 15 U.S.C. § 45 (“Unfair and Deceptive Trade Practices”) and through FTC consent orders, represents the best opportunity for progress in reigning in bad actors in the data market and protecting companies and individuals alike from data breaches.
Despite recent, abundant criticism of the Federal Trade Commission, FTC oversight continues to be the best vehicle for data regulation in the United States. Especially given the regulatory challenges posed by uniting Wall Street, Silicon Valley’s and online users’ disparate interests and goals in regulation. FTC regulation can articulate uniform security protocols within the data market by its use of consent orders, and can create financial relief judgements for data breach victims in a way that existing legal frameworks have not.
In the era of CovId-19, concerns over data breaches and online privacy have only become more pronounced as many Americans turn to online telecommuting and interact with others. In the absence of central data regulation laws, this has created new opportunities for hackers to exploit vulnerabilities. This is especially the case in light of recent high profile data breaches on Zoom and reported hacks stemming from Covid-19 tracking apps.
Congressional skepticism about the FTC leadership should be set aside, especially during the global Covid-19 pandemic. The United States should affirm the FTC as a reliable and responsive regulator of the data market and future legislative efforts should focus on expanding the FTC’s role in data regulation, rather than in minimizing it.