A panelist brought up an interesting tongue-in-cheek observation about the rising populist antitrust movement at a Heritage antitrust event this week. To the extent that the new populist antitrust movement is broadly concerned about effects on labor and wage depression, then, in principle, it should also be friendly to cartels. Although counterintuitive, employees have long supported and benefited from cartels, because cartels generally afford both job security and higher wages than competitive firms. And, of course, labor itself has long sought the protection of cartels – in the form of unions – to secure the same benefits.   

Read the full piece here.

In response to the Federal Communication Commission’s (FCC) proposal to rescind its so-called “net neutrality” rules, U.S. Sen. Cory Booker tweeted that the FCC is “giving corporations power over the once neutral internet.”

Booker and his social media allies think the new rules will destroy the internet as we know it. Except, they won’t.

Read the full piece here.

 

Summary

In its description of this workshop, the Commission notes that “consumers may suffer injury when information about them is misused,” and suggests that this workshop “will address questions such as how to best characterize these injuries, how to accurately measure such injuries,” and so on. While these are crucial questions, we offer these comments in order to address another set of questions that is missing from the event’s description: How should the Commission determine whether or not, in fact, the conduct leading to such injuries constitutes actionable “misuse[]?” The question is a fundamental one that must be addressed in order to evaluate how businesses, consumers, and the Commission itself do and should respond to purported informational injuries.

Fundamentally, there is a great deal of ambiguity about how consumer protection law should treat data and data breaches. When there is a data breach, the calculation of the extent of informational harm (if any) to consumers is a difficult one. This is complicated, of course, by the sometimes tenuous connection between conduct and injury. It is further complicated, even assuming that particularized harm can be accurately assessed, by the need to balance harms against the benefits conferred by decisions within the firm to optimize a product or service, to lower prices, or to promote other consumer-valued features, such as ease-of-use, performance, and so forth. Where the same conduct that may produce informational injury also produces consumer benefit, determining whether the net effect is, in fact, harmful or not is essential.

The Commission purports to evaluate injury (along with the other elements required by Section 5(n) of the FTC Act) under a so-called “reasonableness” standard. Superficially, at least, this seems sensible: Unfairness entails a balancing of risk, benefits, and harms, and a weighing of avoidance costs consistent with a negligence regime.3 Easily seen and arguably encompassed within this language are concepts from the common law of negligence such as causation, foreseeability and duty of care. The FTC collapses this into its “reasonableness” approach, specifically eschewing strict liability:

The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities…. [T]he Commission… does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.

Giving purchase to a reasonableness approach under the Commission’s own guidance would seem to require establishing (i) a clear baseline of appropriate conduct, (ii) a company’s deviation from that baseline, (iii) proof that its deviation caused, or was significantly likely to cause, harm, (iv) substantial harm, (v) proof that the benefits of (e.g., the cost savings from) a company’s conduct didn’t outweigh the expected costs, and (vi) a demonstration that consumers’ costs of avoiding harm would have been greater than the cost of the harm.

Unfortunately, by eliding the distinct elements of a Section 5 unfairness analysis in the data security context, the FTC’s reasonableness approach risks ignoring Congress’ plain requirement that the Commission demonstrate duty, causality and substantiality, and perform a cost-benefit analysis of risk and avoidance costs.

While the FTC pays lip service to addressing these elements, its inductive, short-cut approach of attempting to define reasonableness by reference to the collection of practices previously condemned by its enforcement actions need not — and, in practice, does not — actually entail doing so. Instead, we “don’t know… whether… practices that have not yet been addressed by the FTC are ‘reasonable’ or not,” and we don’t know how the Commission would actually weigh them in an actual rigorous analysis.

At the root of this workshop is the implicit recognition that some, including the FTC itself, have asserted that the unauthorized exposure of private information may be, in and of itself, a harm to individuals, apart from any concrete economic consequences that may result from the exposure. In the FTC’s Opinion in LabMD, for instance, the Commission asserted that

the disclosure of sensitive health or medical information [that] causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n)… disclosure of the mere fact that medical tests were performed irreparably breached consumers’ privacy, which can involve “embarrassment or other negative outcomes, including reputational harm.”

We would contend, however, that defining and evaluating the types of “informational harms” that should be actionable in the case of a data breach, requires that the Commission also address fundamental problems with its overall approach to identifying cognizable injury and determining liability under Section 5.

As we discuss below and explain in detail in the attached paper, the FTC’s current “reasonableness standard” for liability under Section 5 runs the risk of being no standard at all. And it is impossible to escape the troubling conclusion that ultimately (and wrongly) the mere retention of data by a firm could be enough to violate Section 5 under this approach.

Such an approach does not comport with the scope of the Congressional grant of authority in Section 5, particularly as it was explicitly limited by Section 5(n). Instead, it converts what should be thought of fundamentally as a demanding cost-benefit requirement meant to limit the Commission’s discretion into a lenient strict liability standard. Before the Commission can understand how to fit different sorts of potential harms into its enforcement framework, it should clarify its approach, and ensure that it is in line with the text and intent of Section 5.

Summary

As the Commission’s NPRM notes, the 2015 Open Internet Order “has weakened Americans’ online privacy by stripping the Federal Trade Commission — the nation’s premier consumer protection agency — of its jurisdiction over ISPs’ privacy and data security practices.”1 The Restoring Internet Freedom NPRM further notes that:

To address the gap created by the Commission’s reclassification of broadband Internet access service as a common carriage service, the Title II Order called for a new rulemaking to apply section 222’s customer proprietary network information provisions to Internet service providers. In October 2016, the Commission adopted rules governing Internet service providers’ privacy practices and applied the rules it adopted to other providers of telecommunications services. In March 2017, Congress voted under the Congressional Review Act (CRA) to disapprove the Commission’s 2016 Privacy Order, which prevents us from adopting rules in substantially the same form.

The Restoring Internet Freedom NPRM proposes to return to the status quo in place before the Commission adopted its 2015 Open Internet Order with respect to privacy rules: not to adopt any new FCC rules, and leave regulation of privacy to the FTC.3 We offer these comments in response to the Commission’s request regarding that proposal.

ICLE Associate Director for Innovation recently debated Sasha Moss of the R Street Institution on the nature of copyright law, its constitutional foundations, and the proper contours of its function in the modern economy. Video of the event is embedded below

 

Summary

“Federal administrative agencies are required to engage in “reasoned decisionmaking” based on a thorough review and accurate characterization of the record. Their analysis must be based on facts and reasoned predictions; it must be rooted in sound economic reasoning; it must be logically coherent; it must not entail subterfuge or misleading statements. On even these most basic grounds the 2015 OIO falls short.

The entire open Internet rulemaking enterprise is an exercise in post hoc rationalization — the formulation of policy, not statutory interpretation. Net neutrality was determined by certain activists to be “necessary;” proponents were unable to get it from Congress; the FCC was willing; and it tried at least three times to cobble together some statutory basis to justify its preference for open Internet rules, as opposed to determining that such rules were necessary to enforcing a particular statutory provision.

The post hoc/ultra vires problem with the 2015 OIO is disturbingly similar to the one at issue in State Farm, which sets the standard by which the sufficiency of the Commission’s analysis is judged. In that case, the Court held that an agency’s (NHTSA’s) decisionmaking did not follow from the anal- ysis it undertook, nor the statutory purpose it purported to further. The same is true here. If deployment really were the aim of the 2015 OIO, the FCC could have directly encouraged it through any number of more direct (and almost certainly more effective) means. Instead, the Commission concocted a regulatory Rube Goldberg apparatus to do so only, at best, indirectly — and in a way that happened also to further a different, arguably ultra vires objective. Perhaps most tellingly, the

Commission was forced to undertake a series of actions, superficially independent of the 2015 OIO, in order to engineer several of the factual predicates necessary to enable it to justify its rule under the statute. An agency properly acting within the scope of its au- thority would not have to work so hard to fit the round peg of its chosen policy into the square hole of its statute.”

R Street’s Sasha Moss recently posted a piece on TechDirt describing the alleged shortcomings of the Register of Copyrights Selection and Accountability Act of 2017 (RCSAA) — proposed legislative adjustments to the Copyright Office, recently passed in the House and introduced in the Senate last month (with identical language).

Read the full piece here.

At an oversight hearing on Wednesday, the Senate Commerce Committee confronted Federal Communications Commission Chairman Pai with questions over last week’s partial stay of the commission’s broadband privacy order. While privacy rules are certainly highly complicated, comments from some senators telegraphed a fundamental misunderstanding of what has been done to date to protect consumers, and given the current ecosystem, what the FCC’s proper role should be going forward.

Read the full piece here.