
ICLE’s Gus Hurwitz Joins the Cyberlaw Podcast to Discuss Bulk Data Collection

Presentations & Interviews

ICLE Director of Law & Economics Programs Gus Hurwitz discusses the European Court of Human Rights’ ruling that GCHQ’s bulk data collection practices fail to meet human rights standards, though they can be fixed without dumping bulk collection. And I marvel that France is urging the European Court of Justice, which needs little encouragement to indulge its anti-Americanism, to impose Europe’s “right to be forgotten” censorship regime on Americans and on other users around the world. That’s a position so extreme that it was even opposed by the European Commission. The full episode is embedded below.

https://www.steptoe.com/podcasts/TheCyberlawPodcast-231.mp3

Data Security & Privacy

Comments, In the Matter of Informational Injury Workshop

Regulatory Comments

Summary

In its description of this workshop, the Commission notes that “consumers may suffer injury when information about them is misused,” and suggests that this workshop “will address questions such as how to best characterize these injuries, how to accurately measure such injuries,” and so on. While these are crucial questions, we offer these comments in order to address another set of questions that is missing from the event’s description: How should the Commission determine whether or not, in fact, the conduct leading to such injuries constitutes actionable “misuse[]?” The question is a fundamental one that must be addressed in order to evaluate how businesses, consumers, and the Commission itself do and should respond to purported informational injuries.

Fundamentally, there is a great deal of ambiguity about how consumer protection law should treat data and data breaches. When there is a data breach, the calculation of the extent of informational harm (if any) to consumers is a difficult one. This is complicated, of course, by the sometimes tenuous connection between conduct and injury. It is further complicated, even assuming that particularized harm can be accurately assessed, by the need to balance harms against the benefits conferred by decisions within the firm to optimize a product or service, to lower prices, or to promote other consumer-valued features, such as ease-of-use, performance, and so forth. Where the same conduct that may produce informational injury also produces consumer benefit, determining whether the net effect is, in fact, harmful or not is essential.

The Commission purports to evaluate injury (along with the other elements required by Section 5(n) of the FTC Act) under a so-called “reasonableness” standard. Superficially, at least, this seems sensible: Unfairness entails a balancing of risk, benefits, and harms, and a weighing of avoidance costs consistent with a negligence regime. Easily seen and arguably encompassed within this language are concepts from the common law of negligence such as causation, foreseeability and duty of care. The FTC collapses this into its “reasonableness” approach, specifically eschewing strict liability:

The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities…. [T]he Commission… does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.

Giving purchase to a reasonableness approach under the Commission’s own guidance would seem to require establishing (i) a clear baseline of appropriate conduct, (ii) a company’s deviation from that baseline, (iii) proof that its deviation caused, or was significantly likely to cause, harm, (iv) substantial harm, (v) proof that the benefits of (e.g., the cost savings from) a company’s conduct didn’t outweigh the expected costs, and (vi) a demonstration that consumers’ costs of avoiding harm would have been greater than the cost of the harm.

Unfortunately, by eliding the distinct elements of a Section 5 unfairness analysis in the data security context, the FTC’s reasonableness approach risks ignoring Congress’ plain requirement that the Commission demonstrate duty, causality and substantiality, and perform a cost-benefit analysis of risk and avoidance costs.

While the FTC pays lip service to addressing these elements, its inductive, short-cut approach of attempting to define reasonableness by reference to the collection of practices previously condemned by its enforcement actions need not — and, in practice, does not — actually entail doing so. Instead, we “don’t know… whether… practices that have not yet been addressed by the FTC are ‘reasonable’ or not,” and we don’t know how the Commission would actually weigh them in an actual rigorous analysis.

At the root of this workshop is the implicit recognition that some, including the FTC itself, have asserted that the unauthorized exposure of private information may be, in and of itself, a harm to individuals, apart from any concrete economic consequences that may result from the exposure. In the FTC’s Opinion in LabMD, for instance, the Commission asserted that

the disclosure of sensitive health or medical information [that] causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n)… disclosure of the mere fact that medical tests were performed irreparably breached consumers’ privacy, which can involve “embarrassment or other negative outcomes, including reputational harm.”

We would contend, however, that defining and evaluating the types of “informational harms” that should be actionable in the case of a data breach requires that the Commission also address fundamental problems with its overall approach to identifying cognizable injury and determining liability under Section 5.

As we discuss below and explain in detail in the attached paper, the FTC’s current “reasonableness standard” for liability under Section 5 runs the risk of being no standard at all. And it is impossible to escape the troubling conclusion that ultimately (and wrongly) the mere retention of data by a firm could be enough to violate Section 5 under this approach.

Such an approach does not comport with the scope of the Congressional grant of authority in Section 5, particularly as it was explicitly limited by Section 5(n). Instead, it converts what should be thought of fundamentally as a demanding cost-benefit requirement meant to limit the Commission’s discretion into a lenient strict liability standard. Before the Commission can understand how to fit different sorts of potential harms into its enforcement framework, it should clarify its approach, and ensure that it is in line with the text and intent of Section 5.

Antitrust & Consumer Protection

Amicus Brief, LabMD Inc., v. FTC, 11th Circuit

Amicus Brief

Summary

Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 [“Section 5”], is a consumer protection statute, not a data security rule. See Commission Statement of Policy on the Scope of Consumer Unfairness Jurisdiction, Letter from the FTC to Hon. Wendell Ford and Hon. John Danforth, United States Senate (Dec. 17, 1980) [“Unfairness Statement”], reprinted in International Harvester Co., 104 FTC 949, 1073 (1984) [“International Harvester”] (quoting 83 Cong. Rec. 3255 (1938) (remarks of Senator Wheeler)) (“Unjustified consumer injury is the primary focus of the FTC Act….”).

This fundamental point has been lost in the Commission’s approach to data security. The touchstone for Section 5 actions is not “reasonableness,” but consumer welfare: Does this enforcement action deter a preventable “unfair” act or practice that, on net, harms consumer welfare, and do the benefits to consumers from this action outweigh its costs? Section 5’s purpose is neither fundamentally remedial nor prescriptive. Concern for consumer welfare means deterring bad conduct, avoiding over-deterrence of pro-consumer conduct, minimizing compliance costs, and minimizing administrative costs (by focusing only on substantial harms) — not preventing every possible harm. Instead of weighing such factors carefully, or even performing a proper analysis of negligence, as it purports to do, the Commission has effectively created a strict liability standard unmoored from Section 5.

Across the Commission’s purported guidance on data security, it has likewise failed to articulate a standard by which companies themselves should weigh costs and benefits to determine which risks are sufficiently foreseeable that they can be mitigated cost-effectively. Thus, in addition to violating the intent of Congress, the FTC has also violated the Constitution by failing to provide companies like LabMD with “fair notice” of the agency’s interpretation of what Section 5 requires.

Antitrust & Consumer Protection

Competition Committee Hearing on Big Data and Competition (Paris, France)

Presentations & Interviews. From the slides: the difference between privacy protection and antitrust law. Privacy is fundamentally a consumer protection or tort issue. In theory, antitrust law can deal with privacy as a non-price factor of competition, but this is an uneasy fit: it is hard to measure against, or combine with, other effects...

ICLE Executive Director Geoffrey Manne took part in a hearing in Paris on big data and competition before the OECD’s Competition Committee. The panel included:

  • Maurice Stucke (Professor of Law at the University of Tennessee and co-founder of the Konkurrenz Group)
  • Hal Varian (Chief Economist at Google and Professor at Berkeley School of Information)
  • Geoffrey Manne (Executive Director of the International Center for Law and Economics and member of the FCC’s Consumer Advisory Committee)
  • Annabelle Gawer (Professor of Digital Economy at the University of Surrey)
  • Alec Burnside (Managing Partner at Cadwalader)

Manne argued that antitrust law is not well-suited to promote privacy rights, which should be a matter of consumer-protection law. As he explained, firms do not need to have market power in order to violate privacy rights and, even if they do, it would still be necessary to prove that such conduct would amount to an abuse of dominance.

He also pointed out that not all product characteristics are necessarily relevant for a competitive analysis: despite the claims that consumers value privacy, there is evidence that consumers are usually willing to disclose sensitive information for a small reward, suggesting that the value of privacy is lower than what it is usually considered. Therefore, incorporating privacy into antitrust has the risk of increasing the level of subjectivity in competition-law enforcement, due to the inherent difficulties of measuring consumers’ willingness to pay for privacy and, eventually, it could prevent companies from using data to actually improve the quality of their products.

In response to the frequent concern that data could be used to monopolize an industry, Manne reinforced Professor Varian’s arguments that data is cheap and can be collected from many alternative sources, particularly due to the massive size of the data-broker industry.

A copy of his presentation can be found here.

Data Security & Privacy

Letter, Deviations from the FTC Privacy Framework, FTC

Regulatory Comments

Summary

“Dear Ms. Dortch:

I write to express my concerns regarding the consumer welfare effects of the revised broadband privacy proposal summarized in a Fact Sheet by Federal Communications Commission (“FCC”) Chairman Tom Wheeler earlier this month. While the Fact Sheet appears to indicate that the Chairman’s revised proposal includes some welcome changes from the initial broadband privacy NPRM adopted by the Commission this Spring, it also raises a number of problematic issues that merit the Commission’s attention before final rules are adopted.

While the Fact Sheet asserts that the Chairman’s new proposal is “in harmony” with the privacy framework outlined by the Federal Trade Commission (“FTC”) (as well as the Administration’s proposed Consumer Privacy Bill of Rights), the purported changes in this regard are merely rhetorical, and do not, in fact, amount to a substantive alignment of the Chairman’s proposed approach with that of the FTC.

  • First, unlike the FTC’s framework, the proposal described by the Fact Sheet ignores the crucial role of “context” in determining the appropriate level of consumer choice before affected companies may use consumer data, instead taking a rigid approach that would stifle innovation and harm consumers.
  • Second, the Fact Sheet significantly expands the scope of information that would be considered “sensitive” well beyond that contemplated by the FTC, imposing onerous and unnecessary consumer consent obligations that would deter welfare-enhancing uses of data.

I agree with the Chairman that, if adopted, the FCC’s rule should align with the FTC’s. But the proposed rule reflected in the Fact Sheet does not. I urge the Commission to ensure that these important deviations from the FTC’s framework are addressed before moving forward with adopting any broadband privacy rules…”

Data Security & Privacy

Congressional testimony on legislative reform proposals for the FTC

TOTM

Earlier this week I testified before the U.S. House Subcommittee on Commerce, Manufacturing, and Trade regarding several proposed FTC reform bills.

You can find my written testimony here. That testimony was drawn from a 100-page report, authored by Berin Szoka and me, entitled “The Federal Trade Commission: Restoring Congressional Oversight of the Second National Legislature — An Analysis of Proposed Legislation.” In the report we assess 9 of the 17 proposed reform bills in great detail, and offer a host of suggested amendments or additional reform proposals that, we believe, would help make the FTC more accountable to the courts. As I discuss in my oral remarks, that judicial oversight was part of the original plan for the Commission, and an essential part of ensuring that its immense discretion is effectively directed toward protecting consumers as technology and society evolve around it.

Read the full piece here.

Antitrust & Consumer Protection

Testimony, Legislative Hearing on 17 FTC Bills, House Committee on Energy and Commerce

Written Testimonies & Filings

Summary

“Congressional reauthorization of the FTC is long overdue. It has been twenty-two years since Congress last gave the FTC a significant course-correction and even that one, codifying the heart of the FTC’s 1980 Unfairness Policy Statement, has not had the effect Congress expected. Indeed, neither that policy statement nor the 1983 Deception Policy Statement, nor the 2015 Unfair Methods of Competition Enforcement Policy Statement, will, on their own, ensure that the FTC strikes the right balance between over- and underenforcement of its uniquely broad mandate under Section 5 of the FTC Act.

These statements are not without value, and we support codifying the other key provisions of the Unfairness Policy Statement that were not codified in 1980, as well as codifying the Deception Policy Statement. In particular, we urge Congress or the FTC to clarify the meaning of “materiality,” the key element of Deception, which the Commission has effectively nullified.

But a shoring up of substantive standards does not address the core problem: ultimately, that the FTC’s processes have enabled it to operate with essentially unbounded discretion in developing the doctrine by which its three high level standards are applied in real-world cases. Chiefly, the FTC has been able to circumvent judicial review through what it calls its “common law of consent decrees,” and to effectively circumvent the rulemaking safeguards imposed by Congress in 1980 through a variety of forms of “soft law”: guidance and recommendations that have, if indirectly and through amorphous forms of pressure, essentially regulatory effect.

At the same time, and contributing to the problem, the FTC has made insufficient use of its Bureau of Economics, which ought to be the agency’s crown jewel: a dedicated, internal think tank of talented economists who can help steer the FTC’s enforcement and policymaking functions. While BE has been well integrated into the Commission’s antitrust decisionmaking, it has long resisted applying the lessons of law and economics to its consumer protection work.

The FTC is, in short, in need of a recalibration. In this paper we evaluate nine of the seventeen FTC reform bills proposed by members of the Commerce, Manufacturing and Trade Subcommittee, and suggest a number of our own, additional reforms for the agency.”

Antitrust & Consumer Protection

The FCC, Privacy, and Authority Over the Edge: Forborn, not Forbidden

TOTM

The FCC doesn’t have authority over the edge and doesn’t want authority over the edge. Well, that is until it finds itself with no choice but to regulate the edge as a result of its own policies. As the FCC begins to explore its new authority to regulate privacy under the Open Internet Order (“OIO”), for instance, it will run up against policy conflicts and inconsistencies that will make it increasingly hard to justify forbearance from regulating edge providers.

Read the full piece here.

Telecommunications & Regulated Utilities

PrivacyCon, Panel on Security and Usability

Presentations & Interviews

The Federal Trade Commission held a conference on January 14, 2016 to bring together a diverse group of stakeholders, including white-hat researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss the latest research and trends related to consumer privacy and data security. The FTC called for research to be presented at the conference. Geoff Manne’s slides can be found here. Video of the event is embedded below.

Data Security & Privacy