Privacy bill would give FTC actual authority, land lying executives in jail

 arstechnica.com  10/17/2019 19:27:02   Kate Cox
Men in suits talk into microphones.
Enlarge / Sen. Ron Wyden questions witnesses during a Senate Intelligence Committee hearing on social media influence in the 2016 US elections in Washington, DC, on Nov. 1, 2017.

Sen. Ron Wyden (D-Ore.) would like tech and data companies to mind their own business and get their noses out of yours. To that end, he has introduced a bill that would penalize them, potentially with jail time for executives, for not doing so.

The proposed bill (PDF), actually called the "Mind Your Own Business Act of 2019," is in many ways an updated version of a discussion draft Wyden published last November.

The draft does not name any company specifically, instead focusing on the general concepts of personal data and company responsibility. That said, Wyden did name names in a statement, and Facebook is clearly front and center on his radar.

"Mark Zuckerberg won't take Americans' privacy seriously unless he feels personal consequences," Wyden said. "A slap on the wrist from the FTC won't do the job, so under my bill he'd face jail time for lying to the government."

Not only do companies need to be more transparent and to give consumers more control, Wyden added, but also "corporate executives need to be held personally responsible when they lie about protecting our personal information."

The proposal zeroes in on a few big challenges. First, consumers are tracked and monetized but do not have an effective way to control that tracking or to even know what's done with the data collected from them. Second: businesses that siphon up and trade in consumer data have a terrible track record when it comes to securing that data and preventing unauthorized access. And third: the Federal Trade Commission, which is the closest thing we have to a privacy regulatory body, is woefully underpowered and under-resourced for addressing the challenge.

Sen. Wyden's bill, then, would address those concerns by 1) imposing minimum privacy and security standards for user data, 2) increasing transparency for consumers to access their own data and learn what has been done with it, 3) creating steep penalties for companies that blow it, and 4) expanding the FTC's authority and resources so that it would be able to enforce those penalties. The bill would allow companies to charge for higher-privacy versions of services, but it would exempt from those fees anyone using a Lifeline subsidy` (a small credit that low-income individuals and families can use to pay for phone or broadband services)`. This would be a gesture against reserving privacy as a luxury good.

Putting someone on the beat

The FTC recently established a small division dedicated to technology enforcement issues, but Wyden's proposal would beef it up substantially.

FTC chairman Joseph Simons has said several times this year that he feels his agency is hamstrung by its inability to impose stiff penalties for first-time violations of the FTC Act or of the Safeguards Rule, which requires financial institutions to take special care with consumer data.

"The CFPB and the states were able to obtain civil penalties for this massive breach by a major financial institution. The FTC could not," Simons said in a July press conference explaining the agency's settlement with Equifax. "Fortunately, other agencies were able to fill in the gap this time. That will not always be the case, which sends the wrong signal regarding deterrence."

A few days later, when discussing the $5 billion settlement between the FTC and Facebook, Simons again called on Congress for a new bill. "We are a law enforcement agency without the authority to promulgate general privacy regulations," Simons said at the time. "Our authority in this case comes from a 100-year-old statute that was never intended to deal with privacy issues like the ones that we address today."

If Sen. Wyden's bill were to become law, the FTC would gain 175 additional staff members to help enforce data and privacy standards`and the penalties could be steep. A first offense, which currently carries no fine, would cost a company up to 4% of its annual revenue. In the case of the Equifax data breach, for example, that would have been an additional $136 million to the FTC, on top of the existing $500 million agreement.

Corporate officers would also be held personally accountable for their company's behavior. If a business, such as Facebook or Google, were found to be filing incorrect reports about privacy, executives would be subject to penalties equaling 5% "of the largest amount of annual compensation received during the previous 3-year period," or $1 million, whichever is greater, and up to 10 years in prison.

That's just for an "oops." If those officers were found to have lied intentionally on those reports, the penalties jump up to 25% of compensation or $5 million, whichever is greater, and up to 20 years in prison.

The challenge

Nearly everyone with a stake in the matter, including politicians from both major parties, agree that we in the United States are badly overdue for some kind of update to privacy law and regulation. The questions of what such a law should cover, what it should allow, and who should benefit, however, are contentious at best.

More than 50 of the nation's largest companiesincluding Amazon, AT&T, and Comcast, among dozens of othersin September signed onto a letter (PDF) to Congress asking for federal privacy legislation.

The companies wrote:

We are committed to protecting consumer privacy and want consumers to have confidence that companies treat their personal information responsibly... We are also united in our belief that consumers should have meaningful rights over their personal information and that companies that access this information should be held consistently accountable under a comprehensive federal consumer data privacy law.

The Electronic Frontier Foundation and other critics called the corporate campaign "disingenuous," saying it amounted to a "ploy to undermine real progress on privacy" being made at the state level nationwide.

The poster child for those state efforts is California's Consumer Privacy Act, which becomes effective in less than three months, on January 1. California's high population and influence as a tech center have in the past caused its privacy-related regulations to effectively become de facto national standards, and companies that rely on the ability to collect, remix, and exploit user data are not enthralled with that idea. They likely won't love Wyden's federal proposal, either, as it explicitly does not preempt states from setting their own, more stringent guidelines.

Beyond the issue of corporate money and corporate preferences, however, the greatest challenge to getting anything through Congress this decade is Congress. Astute observers may have noticed that the political process in Washington, DC, is somewhat acrimonious these days. Not only is there a significant partisan divide to contend with, but in the immediate sense, both chambers are occupied with questions such as "Can we keep this government funded past November, please?" and "Are we impeaching the president?"

That said, Wyden's bill could easily become a template to which he and other senators return in future sessions of Congress, when conditions for making actual law may become more favorable.

« Go back