Showing 9 of 183 Publications in Data Security & Privacy

For LabMD, the Devil is in the Not-So-Well Specified Details

TOTM The Eleventh Circuit’s LabMD opinion came out last week and has been something of a Rorschach test for those of us who study consumer protection law. Neil Chilson found the result to be a disturbing sign of slippage in Congress’s command that the FTC refrain from basing enforcement on “public policy.” Berin Szóka, on the other hand, saw the ruling as a long-awaited rebuke against the FTC’s expansive notion of its “unfairness” authority.

The Eleventh Circuit’s LabMD opinion came out last week and has been something of a Rorschach test for those of us who study consumer protection law.

Read the full piece here.

Antitrust & Consumer Protection

Comments, In the Matter of Informational Injury Workshop

Regulatory Comments In its description of this workshop, the Commission notes that “consumers may suffer injury when information about them is misused,” and suggests that this workshop “will address questions such as how to best characterize these injuries, how to accurately measure such injuries,” and so on.

Summary

In its description of this workshop, the Commission notes that “consumers may suffer injury when information about them is misused,” and suggests that this workshop “will address questions such as how to best characterize these injuries, how to accurately measure such injuries,” and so on. While these are crucial questions, we offer these comments in order to address another set of questions that is missing from the event’s description: How should the Commission determine whether or not, in fact, the conduct leading to such injuries constitutes actionable “misuse[]?” The question is a fundamental one that must be addressed in order to evaluate how businesses, consumers, and the Commission itself do and should respond to purported informational injuries.

Fundamentally, there is a great deal of ambiguity about how consumer protection law should treat data and data breaches. When there is a data breach, the calculation of the extent of informational harm (if any) to consumers is a difficult one. This is complicated, of course, by the sometimes tenuous connection between conduct and injury. It is further complicated, even assuming that particularized harm can be accurately assessed, by the need to balance harms against the benefits conferred by decisions within the firm to optimize a product or service, to lower prices, or to promote other consumer-valued features, such as ease-of-use, performance, and so forth. Where the same conduct that may produce informational injury also produces consumer benefit, determining whether the net effect is, in fact, harmful or not is essential.

The Commission purports to evaluate injury (along with the other elements required by Section 5(n) of the FTC Act) under a so-called “reasonableness” standard. Superficially, at least, this seems sensible: Unfairness entails a balancing of risk, benefits, and harms, and a weighing of avoidance costs consistent with a negligence regime. Easily seen and arguably encompassed within this language are concepts from the common law of negligence such as causation, foreseeability and duty of care. The FTC collapses this into its “reasonableness” approach, specifically eschewing strict liability:

The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities…. [T]he Commission… does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.

Giving purchase to a reasonableness approach under the Commission’s own guidance would seem to require establishing (i) a clear baseline of appropriate conduct, (ii) a company’s deviation from that baseline, (iii) proof that its deviation caused, or was significantly likely to cause, harm, (iv) substantial harm, (v) proof that the benefits of (e.g., the cost savings from) a company’s conduct didn’t outweigh the expected costs, and (vi) a demonstration that consumers’ costs of avoiding harm would have been greater than the cost of the harm.

Unfortunately, by eliding the distinct elements of a Section 5 unfairness analysis in the data security context, the FTC’s reasonableness approach risks ignoring Congress’ plain requirement that the Commission demonstrate duty, causality and substantiality, and perform a cost-benefit analysis of risk and avoidance costs.

While the FTC pays lip service to addressing these elements, its inductive, short-cut approach of attempting to define reasonableness by reference to the collection of practices previously condemned by its enforcement actions need not — and, in practice, does not — actually entail doing so. Instead, we “don’t know… whether… practices that have not yet been addressed by the FTC are ‘reasonable’ or not,” and we don’t know how the Commission would actually weigh them in an actual rigorous analysis.

At the root of this workshop is the implicit recognition that some, including the FTC itself, have asserted that the unauthorized exposure of private information may be, in and of itself, a harm to individuals, apart from any concrete economic consequences that may result from the exposure. In the FTC’s Opinion in LabMD, for instance, the Commission asserted that

the disclosure of sensitive health or medical information [that] causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n)… disclosure of the mere fact that medical tests were performed irreparably breached consumers’ privacy, which can involve “embarrassment or other negative outcomes, including reputational harm.”

We would contend, however, that defining and evaluating the types of “informational harms” that should be actionable in the case of a data breach, requires that the Commission also address fundamental problems with its overall approach to identifying cognizable injury and determining liability under Section 5.

As we discuss below and explain in detail in the attached paper, the FTC’s current “reasonableness standard” for liability under Section 5 runs the risk of being no standard at all. And it is impossible to escape the troubling conclusion that ultimately (and wrongly) the mere retention of data by a firm could be enough to violate Section 5 under this approach.

Such an approach does not comport with the scope of the Congressional grant of authority in Section 5, particularly as it was explicitly limited by Section 5(n). Instead, it converts what should be thought of fundamentally as a demanding cost-benefit requirement meant to limit the Commission’s discretion into a lenient strict liability standard. Before the Commission can understand how to fit different sorts of potential harms into its enforcement framework, it should clarify its approach, and ensure that it is in line with the text and intent of Section 5.

Antitrust & Consumer Protection

Clearing up the Senate’s confusion on FCC privacy rules

Popular Media At an oversight hearing on Wednesday, the Senate Commerce Committee confronted Federal Communications Commission Chairman Pai with questions over last week’s partial stay of the . . .

At an oversight hearing on Wednesday, the Senate Commerce Committee confronted Federal Communications Commission Chairman Pai with questions over last week’s partial stay of the commission’s broadband privacy order. While privacy rules are certainly highly complicated, comments from some senators telegraphed a fundamental misunderstanding of what has been done to date to protect consumers, and given the current ecosystem, what the FCC’s proper role should be going forward.

Read the full piece here.

Telecommunications & Regulated Utilities

Competition Committee Hearing on Big Data and Competition (Paris, France)

Presentations & Interviews The difference between privacy protection and antitrust law: Privacy is fundamentally a consumer protection or tort issue. In theory, antitrust law can deal with privacy as a non-price factor of competition, but this is an uneasy fit, since privacy is hard to measure against or combine with other effects...

ICLE Executive Director Geoffrey Manne took part in a hearing in Paris on big data and competition before the OECD’s Competition Committee. The panel included:

  • Maurice Stucke (Professor of Law at the University of Tennessee and co-founder of the Konkurrenz Group)
  • Hal Varian (Chief Economist at Google and Professor at Berkeley School of Information)
  • Geoffrey Manne (Executive Director of the International Centre for Law and Economics and member of the FCC’s Consumer Advisory Committee)
  • Annabelle Gawer (Professor of Digital Economy at the University of Surrey)
  • Alec Burnside (Managing Partner at Cadwalader)

Manne argued that antitrust law is not well-suited to promote privacy rights, which should be a matter of consumer-protection law. As he explained, firms do not need to have market power in order to violate privacy rights and, even if they do, it would still be necessary to prove that such conduct would amount to an abuse of dominance.

He also pointed out that not all product characteristics are necessarily relevant for a competitive analysis: despite the claims that consumers value privacy, there is evidence that consumers are usually willing to disclose sensitive information for a small reward, suggesting that the value of privacy is lower than what it is usually considered. Therefore, incorporating privacy into antitrust has the risk of increasing the level of subjectivity in competition-law enforcement, due to the inherent difficulties of measuring consumers’ willingness to pay for privacy and, eventually, it could prevent companies from using data to actually improve the quality of their products.

In response to the frequent concern that data could be used to monopolize an industry, Manne reinforced Professor Varian’s arguments that data is cheap and can be collected from many alternative sources, particularly due to the massive size of the data-broker industry.

A copy of his presentation can be found here.

Data Security & Privacy

FCC Chairman Wheeler’s claimed fealty to FTC privacy standards is belied by the rules he actually proposes

TOTM Next week the FCC is slated to vote on the second iteration of Chairman Wheeler’s proposed broadband privacy rules. Of course, as has become all . . .

Next week the FCC is slated to vote on the second iteration of Chairman Wheeler’s proposed broadband privacy rules. Of course, as has become all too common, none of us outside the Commission has actually seen the proposal. But earlier this month Chairman Wheeler released a Fact Sheet that suggests some of the ways it would update the rules he initially proposed.

According to the Fact Sheet, the new proposed rules are…

Read the full piece here

Antitrust & Consumer Protection

Letter, Deviations from the FTC Privacy Framework, FTC

Regulatory Comments "Dear Ms. Dortch: I write to express my concerns regarding the consumer welfare effects of the revised broadband privacy proposal summarized in a Fact Sheet by Federal Communications Commission (“FCC”) Chairman Tom Wheeler earlier this month..."

Summary

“Dear Ms. Dortch:

I write to express my concerns regarding the consumer welfare effects of the revised broadband privacy proposal summarized in a Fact Sheet by Federal Communications Commission (“FCC”) Chairman Tom Wheeler earlier this month. While the Fact Sheet appears to indicate that the Chairman’s revised proposal includes some welcome changes from the initial broadband privacy NPRM adopted by the Commission this Spring, it also raises a number of problematic issues that merit the Commission’s attention before final rules are adopted.

While the Fact Sheet asserts that the Chairman’s new proposal is “in harmony” with the privacy framework outlined by the Federal Trade Commission (“FTC”) (as well as the Administration’s proposed Consumer Privacy Bill of Rights), the purported changes in this regard are merely rhetorical, and do not, in fact, amount to a substantive alignment of the Chairman’s proposed approach with that of the FTC.

  • First, unlike the FTC’s framework, the proposal described by the Fact Sheet ignores the crucial role of “context” in determining the appropriate level of consumer choice before affected companies may use consumer data, instead taking a rigid approach that would stifle innovation and harm consumers.
  • Second, the Fact Sheet significantly expands the scope of information that would be considered “sensitive” well beyond that contemplated by the FTC, imposing onerous and unnecessary consumer consent obligations that would deter welfare-enhancing uses of data.

I agree with the Chairman that, if adopted, the FCC’s rule should align with the FTC’s. But the proposed rule reflected in the Fact Sheet does not. I urge the Commission to ensure that these important deviations from the FTC’s framework are addressed before moving forward with adopting any broadband privacy rules…”

Data Security & Privacy

Statement, EU Evaluation & Review of the E-Privacy Directive

Regulatory Comments The Commission’s interest in protecting the privacy of its citizens is commendable.

Summary

The Commission’s interest in protecting the privacy of its citizens is commendable. This concern, however, should be well tempered by humility, and the Commission’s ultimate decision should be guided by the understanding that contemporary technology and market innovations have afforded consumers a degree of choice unparalleled in the history of the European Union. While some firms may build their products with the requirement that consumers allow them to use personal information, others will not. And when consumers defect from products that do not meet their individual mix of privacy, price, and other preferences, firms will take notice and change their behavior accordingly.

This leads to another related point: innovation moves so quickly today that uniform prescriptive regulation intended to govern the behavior of many thousands of firms and millions of consumers is doomed to frustration if not outright failure. Moreover, broad regulations meant to bring industry to heel frequently work to the benefit of incumbents, driving out smaller competitors or making entry nearly impossible, only further narrowing consumer choices and guaranteeing less than optimal results for all of society.

With that said, there are certainly actions for the Commission to take that ensure a competitive environment in which consumer interests are adequately protected. Chief among these areas would be to enact regulations that control the damaging effects of costly data localization rules. Overall, however, the Commission would do best to leave much of the implementation of privacy regulations to the individual EU members who are most in touch with the challenges and desires of their own constituents.

Data Security & Privacy

ICLE & TechFreedom Policy Comments

Regulatory Comments The Commission’s NPRM would shoehorn the business models of a subset of new economy firms into a regime modelled on thirty-year-old CPNI rules designed to address fundamentally different concerns about a fundamentally different market.

Summary

The Commission’s NPRM would shoehorn the business models of a subset of new economy firms into a regime modelled on thirty-year-old CPNI rules designed to address fundamentally different concerns about a fundamentally different market. The Commission’s hurried and poorly supported NPRM demonstrates little understanding of the data markets it proposes to regulate and the position of ISPs within that market. And, what’s more, the resulting proposed rules diverge from analogous rules the Commission purports to emulate. Without mounting a convincing case for treating ISPs differently than the other data firms with which they do or could compete, the rules contemplate disparate regulatory treatment that would likely harm competition and innovation without evident corresponding benefit to consumers.

Concerns relating to online privacy have been extensively studied by regulators and others over the past two decades. By and large, regulators responded to these concerns with a combination of a general case-by-case approach alongside tailored rules derived from the relevant information involved in particular areas of privacy concern. Few, if any, regulators have adopted an “opt-in” privacy regime for non-sensitive data such as the FCC proposes. The FCC’s proposed regime may have been cutting-edge in the 1980s and 1990s — but it makes no sense in today’s information economy in which firms from different segments of the economy fluidly enter each other’s markets and effectively compete in a separate, cross-sector, informatics and advertising market. The proposed rules instead dig in the heels of the Commission against the irresistible tide of progress, attempting to maintain arbitrary industry firewalls between firms.

The “problem” the Commission attempts to fix with this proposed rulemaking is not one of preventing ISPs from using personal information to prevent new entrants from effectively competing with their incumbent businesses — which was, in fact, the genesis of the CPNI rules. Rather, these rules are designed to keep ISPs from competing with edge providers like Google, Facebook, and Netflix. But, in truth, both edge providers and ISPs actually need general rules of broad applicability. This is what the FTC and other regulators have largely done to date. Such broadly applicable rules are designed to be competitively neutral, and to offer the flexibility needed to address the various concerns that may come up in these markets while balancing legitimate economic and privacy interests and providing an adequate level of notice to those subject to regulation about their expected norms of conduct.

In short, the Commission has not made a convincing case that discrimination between ISPs and edge providers makes sense for the industry or for consumer welfare. The overwhelming body of evidence upon which other regulators have relied in addressing privacy concerns urges against a hard opt-in approach. That same evidence and analysis supports a consistent regulatory approach for all competitors, and nowhere advocates for a differential approach for ISPs when they are participating in the broader informatics and advertising markets. Absent the collection and analysis of substantial evidence — which at this point has not been articulated by the Commission or those advocating the Commission’s proposed approach, and which is far beyond the scope of the present NPRM — the proposed approach is not supportable.

And all of the foregoing is particularly perplexing in light of the fact that the Commission will inadvertently create more consumer harm than benefit. At the same time, the Commission has not shown that regulatory efficacy, administrative efficiency or anything else demands such rules. Particularly given TerraCom and the demonstrated ability of the Commission to handle harms as they arise even absent prescriptive rules, the need for these aggressive new rules simply cannot be justified.

Telecommunications & Regulated Utilities

Congressional testimony on legislative reform proposals for the FTC

TOTM Earlier this week I testified before the U.S. House Subcommittee on Commerce, Manufacturing, and Trade regarding several proposed FTC reform bills. You can find my . . .

Earlier this week I testified before the U.S. House Subcommittee on Commerce, Manufacturing, and Trade regarding several proposed FTC reform bills.

You can find my written testimony here. That testimony was drawn from a 100-page report, authored by Berin Szoka and me, entitled “The Federal Trade Commission: Restoring Congressional Oversight of the Second National Legislature — An Analysis of Proposed Legislation.” In the report we assess 9 of the 17 proposed reform bills in great detail, and offer a host of suggested amendments or additional reform proposals that, we believe, would help make the FTC more accountable to the courts. As I discuss in my oral remarks, that judicial oversight was part of the original plan for the Commission, and an essential part of ensuring that its immense discretion is effectively directed toward protecting consumers as technology and society evolve around it.

Read the full piece here.

Antitrust & Consumer Protection