Federal Trade Commission members said during a House hearing Wednesday that the FTC does not have the authority to adequately punish companies that misuse consumer data.
Several data privacy scandals over the last year and a half prompted the House Energy and Commerce Committee hearing.
Equifax’s data breach in 2017, for example, released personal information on roughly 143 million Americans, including Social Security and driver’s license numbers. And Facebook’s Cambridge Analytica scandal in March sparked a new wave of public distrust in social media after the Republican-affiliated firm gathered user data on 50 million accounts without permission.
With the EU’s General Data Protection Regulation now in effect – and the FTC overseeing the legal transfer of personal data from the EU to the US – the agency has added incentives to alleviate consumers’ privacy concerns.
At Wednesday’s hearing, Republican and Democrat commissioners implored Congress to grant the agency rule-making authority on data privacy issues and the ability to seek civil penalties.
Although the FTC explicitly notes on its website that it is tasked with protecting consumer data, commissioners and experts at the hearing drew attention to the obstacles that prevent it from doing so. Some attendees noted the agency’s limited legal and financial resources in hopes of getting more members of Congress to lobby on the FTC’s behalf.
President Trump’s government spending plan, released in May, cut FTC’s 2018 fiscal budget by about $6 million. Rep. Frank Pallone, D-NJ, said the FTC’s data privacy and security division has only 45 full-time staffers. Just 35 are lawyers able to bring enforcement actions.
To add to this uphill battle, the FTC cannot fine first-time violators of data privacy laws. At most, it can get an injunction to curb bad behavior after a first offense. The FTC can only seek financial punishment if a company breaks the rules again after signing a consent decree stating it won’t commit the same violation.
“Just a few months ago we were here listening to Mark Zuckerberg apologize yet again for Facebook’s failure to properly inform users of how their data could be shared,” Pallone said. “If the FTC was able to fine Facebook in 2011, the first time it found it failed to properly notify users, we may not have seen the Cambridge Analytica scandal.”
All five commissioners said they could better protect consumers if the committee had rule-making authority, which can only be granted by Congress. FTC Chairman Joe Simons said the committee will hold a series of public hearings in the fall to more critically address data privacy concerns.
“The FTC cracks down on illegal practices whenever we can, but I think our existing toolkit won’t do the trick,” FTC Commissioner Rohit Chopra said. “We need the ability to deter misconduct through financial penalties and sensible safeguards that can evolve with the marketplace.”