On May 8, 2019, Commissioners from Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”

As in prior hearings, the Commissioners expressed almost unanimous support for passage of comprehensive, national data privacy and security legislation to be primarily enforced by the FTC.  But the hearing further highlighted certain disagreements among the key stakeholders about the scope and goals of the legislation and the FTC’s enforcement and rulemaking authority.

On that point in particular, the Commissioners generally expressed reluctance to seek broad rulemaking authority under a new privacy law in order to avoid supplanting any value judgments made by Congress in the privacy law.  Chairman Simons instead testified that Congress should grant “targeted rulemaking authority” so that the FTC may update the implementation of the law to keep up with ongoing business and technological developments.

Other discussions of key issues regarding any federal data privacy and security legislation included:

  • Federal Preemption: A majority of the Commissioners testified in favor of some form of federal preemption. Commissioners Wilson and Phillips emphasized that preemption is necessary because a patchwork of bills in various states would confuse consumers and impose substantial compliance costs on businesses.  Chairman Simons and Commissioner Wilson noted, however, that preemption should not prevent Congress from permitting enforcement by state attorneys general in partnership with the FTC.  Commissioner Chopra cautioned against broad preemption, warning that it could dilute protections based on her view that the federal preemption of state mortgage laws had robbed the states of homeowner safeguards during the 2008 financial crisis.
  • Lessons Learned from the GDPR: Several Commissioners advised Congress about potential unintended consequences of the GDPR. For example, Commissioner Wilson described research suggesting that the GDPR has resulted in increased compliance costs and decreased capital investments, causing businesses to withdraw from the European Union.  Chairman Simons and Commissioner Wilson noted that the GDPR may have entrenched the dominant positions of the biggest companies in digital advertising.

Separate from the hearing’s focus on privacy and data security, several Commissioners asked Congress to clarify the FTC’s enforcement authority to sue in federal court under Section 13(b) of the FTC Act.  In particular, Commissioner Wilson noted that the Third Circuit’s decision in FTC vs. Shire ViroPharma, Inc., which held that the FTC must show that the defendant “is violating, or is about to violate the law” to sustain a suit in federal court for injunctive relief, unduly limits the FTC’s ability to bring enforcement actions against wrongdoers for past illegal conduct that could repeat.  Such an amendment, if passed, would grant the FTC a significant enforcement tool that could be used outside the realm of cybersecurity and data privacy.