As the Senate prepares to hold another hearing on potentially creating a comprehensive privacy framework, experts are urging legislators to go the extra step and create a standalone agency to enforce existing privacy regulations as well as any future laws.
Various congressional committees have been convening hearings on privacy regulations, data breaches, and the possibility of building a privacy framework for several months now, without any tangible results. The mishmash of state data breach laws and industry specific privacy regulations can be difficult for enterprises to wade through, and privacy advocates and security experts have been urging Congress for many years to pass federal legislation, but it hasn’t happened. On Wednesday, the Senate Committee on Commerce, Science and Transportation will hold a hearing on the need for a federal privacy framework, with testimony from the American Civil Liberties Union, the Future of Privacy Forum, and the data protection commissioner from the Republic of Ireland.
The inclusion of privacy advocates and experts is progress in and of itself, as many of these hearings mainly focus on testimony from ad-industry executives or lobbyists from the technology industry. In February, the Commerce Committee held a similar hearing on the need for a federal framework and most of the witnesses were from industry associations and coalitions.
Ahead of Wednesday’s hearing, the Electronic Privacy Information Center (EPIC) sent a letter to the leaders of the committee, asking them to consider not just the need for federal privacy legislation, but also for an agency to enforce it.
“Given the enormity of the challenge, the United States would be best served to do what other countries have done and create a dedicated data protection agency. An independent agency could more effectively utilize its resources to police the current widespread exploitation of consumers’ personal information and would be staffed with personnel who possess the requisite expertise to regulate the field of data security,” the letter from EPIC President Marc Rotenberg and Policy Director Caitriona Fitzgerald says.
The idea of a new federal agency to take charge of data privacy and protection has been kicking around Washington and Silicon Valley for years now, but lawmakers have proven to be nearly allergic to it. Many lawmakers favor giving the Federal Trade Commission the authority to enforce any new privacy legislation, and in December a large group of senators introduced the Data Care Act, a bill that would provide steep financial penalties for companies that violate its provisions and appoint the FTC as the enforcement agency. A month earlier, Sen. Ron Wyden (D-Ore.) began circulating a similar bill, the Consumer Data Protection Act, that would fine companies up to four percent of their annual revenue for violations. That measure also nominates the FTC as the enforcement arm.
But the FTC is not a privacy focused agency. It is set up to enforce a wide variety of regulations for industry as a whole, but has an indifferent record on privacy enforcement.
“The Federal Trade Commission helps to safeguard consumers and to promote competition, but the FTC is not an effective data protection agency. Even when the FTC reaches a consent agreement with a privacy-violating company, the Commission rarely enforces the Consent Order terms,” the EPIC letter says.
Privacy advocates such as EPIC and the Electronic Frontier Foundation (EFF) have encouraged legislators not to hand privacy enforcement authority to the FTC, but to instead establish a separate agency. Where that agency would sit and what its authority and structure would like are in question, as is the shape of any federal legislation it would be tasked with enforcing.