President Obama doesn’t want to talk about surveillance—and is once again trying to change the subject to regulating the companies that have made the Internet great. If he actually wants to get new privacy and data security legislation through Congress, he’ll have to negotiate with Republicans over how the Federal Trade Commission regulates new technologies—or find a way to break the long deadlock over legislation.
Almost three years ago, the White House issued a press release headlined “We Can’t Wait: Obama Administration Unveils Blueprint for a ‘Privacy Bill of Rights’ to Protect Consumers Online.”
Well, wait we did.
Yesterday, buried beneath a flurry of other more minor announcements (student privacy, data breach notification, free credit scores, etc.), President Obama announced that the Commerce Department would soon release the privacy and data security legislation derailed by Edward Snowden’s revelations on NSA surveillance in June 2013.
After the White House released its “Consumer Privacy Bill of Rights” in early 2012, I testified before Congress against the Administration’s “constitutional sleight-of-hand.” The report alluded to the “birth of our republic,” but said nothing about Fourth Amendment privacy protections or the intrusions the Founders feared most: those by government. I lamented that, “while the White House embraces the ‘Consumer Bill of Rights’ rhetoric, the real Bill of Rights is in peril.”
Snowden’s leaks proved me right. The White House fumbled its response badly, initially insisting it had done nothing wrong. With little credibility left on privacy, the administration struggled to find Democrats willing to introduce the “Bill of Rights” in Congress.
Obama’s speech again invoked the spirit of the Fourth Amendment—but directed blame at the private sector. Obama said nothing about NSA surveillance or the USA Freedom Act, the bipartisan surveillance reform that nearly passed in the last Congress (with almost no help from the White House). The speech also failed to mention CISPA, the highly controversial cybersecurity bill reintroduced last Friday that would encourage companies to share information about cybersecurity threats with the government, including emails and other personal information. The legislation is written so broadly that, despite the promises of the bill’s sponsors, it could bar enforcement of privacy promises made in contracts or terms of service.
After two years, the White House still hasn’t responded to a petition signed by 110,000+ Americans, urging Obama to oppose warrantless searches of cloud data—by updating the outdated 1986 Electronic Communications Privacy Act (ECPA). (The White House has, however, found time to respond to a gag petition to construct a Death Star). Two-hundred-seventy-two Congressmen (including 98 Democrats) supported ECPA reform legislation. The White House has dawdled—and may even have sabotaged new privacy protections.
Delivering this speech at the FTC is ironic, given the FTC’s rumored role in blocking the Senate’s ECPA overhaul—by insisting that regulatory agencies be exempt from any warrant requirement. The FTC has also reportedly killedFOIA reforms that would have made it easier for citizens to get access to government information.
The FTC will likely fight twice as hard for the real prize—new authority to write rules governing how private companies collect, use and secure data about consumers—and even harder against Republican efforts to constrain the FTC’s vast discretion. Congress has struggled with how to write privacy legislation since the FTC first requested it in 2000, but last Congress, House Republicans launched a bipartisan task force to draft legislation. The White House is trying to beat lawmakers to the punch.
Can the two sides reach a deal?
The 2012 Report did try to craft a middle ground, attempting to adapt and flexibly apply the 1973 Fair Information Practice Principles for a more dynamic era (not entirely successfully). But in the end, what matters most is implementation. The key sentence of the 2012 Report was this: “The Administration supports open, transparent multistakeholder processes because, when appropriately structured, they can provide the flexibility, speed, and decentralization necessary to address Internet policy challenges.” In other words: They have no idea how to legislate the right answers—and they realize regulators don’t either… so they need someone else to do the heaving lifting.
This isn’t a political dodge. It’s the kind of humility Washington needs more of. Data is the lifeblood of the digital economy. We need a regulatory framework that doesn’t hamstring American companies—the way EU privacy regulation crippled Europe’s anemic tech sector—while also addressing real consumer protection problems.
Back in 2013, the Commerce Department’s general counsel described the administration’s planned (and since stalled) legislation as focused on essential principles or frameworks that provide baseline parameters meant to be nimble, without detailed prescription, especially by government. Instead, our approach operates by convening open and inclusive multistakeholder processes to flesh out these principles for the real world with consensus-based standards.
In other words, the FTC would enforce high-level standards, much as it does today, but also alternative regulatory “safe harbors” that companies could opt into instead. Some version of this is probably inevitable: Regulators just can’t impose comprehensive rules on a moving target like data security or privacy. Standards-setting bodies are less likely to get the technology wrong and can adapt far faster than government. That’s what’s made the Internet work for over 20 years: Having engineers, not regulators, set best practices.
Understandably, the FTC wants to ensure that consumers don’t get short-changed. That’s why the 2012 Report called for “multistakeholder processes” that are “open, transparent and … appropriately structured.” The obvious implication: legislation should require FTC certification of safe harbors based on their substance as well as the process that produced them.
But what will constrain the FTC’s discretion?
At worst, the FTC’s Safe Harbor certification process could mirror FCC merger review: just delay approval until the applicants agree to your demands, however groundless. Republicans tried to fix this gaping loophole last year by barring the FCC from requiring merger conditions it couldn’t issue as regulations, but House Democrats fought to strip it from the otherwise uncontroversial FCC Process Reform Act. So FCC merger approval remains a back door for free-wheeling regulation without the normal procedural safeguards of rulemaking or the constraints of judicial review.
Sadly, that’s standard operating procedure at the FTC’s Bureau of Consumer Protection. In 1980, a heavily Democratic Congress added additional procedural safeguards for FTC rulemaking—so the FTC simply stopped doing it. Instead, for well over a decade, the FTC has built what Democratic Commissioners have called “common law of consent decrees” on privacy and data security (i.e., enforcement actions settled out of court). Under Obama, the FTC has stepped up that approach, and also begun using informal reports as de facto rules for things like privacy and security “by design.” (A report on the Internet of Things is expected shortly.) Many inside the FTC and the administration seem to share the “enforcement philosophy” an Obama EPA official in 2012 candidly compared to the Roman practice of crucifying the first five adult males they found in a conquered village—to set an example.
The FTC has stubbornly resisted calls for further guidance on how it uses its sweeping powers over deception and unfairness. If they’re smart, Republicans will insist on both substantive constraints on the FTC’s discretion and procedural reforms designed to ensure that the courts, and not the FTC, ultimately shape how the FTC’s “flexible” law “evolves.”
Unless Obama suddenly masters the Clintonian art of compromising with Republicans, the safest bet is that nothing will happen this Congress: Both sides will simply wait and see if the next election strengthens its hand. Meanwhile, the FTC will continue on its merry way: regulation by crucifixion—with no clear guidance to industry, resisting any constraints on its discretion. And everyone else will keep waiting for an approach that reconciles regulatory humility with consumer protection, and flexibility with fundamental values of transparency and the rule of law.
But it doesn’t have to be this way. Instead, Obama and Congressional Republicans could create a bipartisan Privacy Law Modernization Commission, whose expert recommendations would be far more likely to be adopted than is either side’s proposal alone.