New GAO Report Says It's Time for Federal Data Privacy Legislation. But What Kind?

In an age of constant platform scandals and record-breaking data breaches, more voices call for some kind of federal data privacy by the day. The US government watchdog agency, the Government Accountability Office (GAO), recently added its imprimatur to efforts for a federal privacy law in a new report called, “Internet Privacy: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility.”

After consulting with experts from the academy, industry, government, and advocacy organizations, the GAO concluded that a growing consensus has emerged on the need for federal legislation to address privacy problems in the US. However, this is about as far as the agreement goes. Much debate remains over just what that legislation should look like.

Participants disagree about which agency should be tasked with data policy enforcement or whether a new office should be created. Furthermore, opinions differ on the level of authority the selected agency should have. Should this policy merely clarify and enforce pre-established rules and current practices, or should it also grant the agency authority to promulgate new rules under the Administrative Procedure Act (APA)?

The GAO report provides a helpful and nuanced summary of the social and legal background and implications related to federal data privacy legislation. Many of these same concepts have been addressed in Mercatus research.

The Current Data Privacy Landscape

The US has not yet designated a single agency to oversee data privacy issues. Some agencies have jurisdiction to enforce statutes relating to data privacy or issue regulations authorized by legislation. For example, the Department of Health and Human Services enforces data privacy policies outlined under the Health Insurance Portability and Accountability Act (HIPAA). This expertise-oriented approach is sometimes called the “piecemeal” or “sectoral” approach to privacy. So far, privacy legislation has addressed specific issues related to especially sensitive information or vulnerable individuals.

As Jennifer recently noted at The Bridge, some states have attempted to fill the gap left by a lack of federal data privacy legislation with their own state-level remedies. The California Consumer Privacy Act (CCPA) is a famous and far-reaching example.

While Congress has not designated a specific agency to handle data privacy, we are not without a de facto data watchdog. The Federal Trade Commission (FTC) has emerged as America’s top data privacy cop on the beat through an evolution of its Section 5 authority to root out “unfair” or “deceptive” acts or practices, a mandate rooted in the Federal Trade Commission Act of 1914 and broadened to its current form by the Wheeler-Lea amendment of 1938. Additionally, the Children’s Online Privacy Protection Act (COPPA), which took effect in 2000, directs the FTC to issue and enforce regulations on the collection of data from children under 13.

We described the development of the FTC’s data privacy enforcement with Adam Thierer and Christopher Koopman in a public comment to the agency called, “Informational Injury in FTC Privacy and Data Security Cases.”

The GAO report picks up where our discussion of FTC enforcement left off, shedding light on the current state of the debate. Some experts agree with our contention that the FTC is the appropriate body to manage data privacy enforcement. They have decades of experience and a flexible approach that can leave space for innovation while curbing abuses.

The problem is that the FTC is reaching the limits of what it can accomplish with its ad hoc authorities slapped together using the creaking bones of a Depression-era piece of legislation. If the FTC is to continue its role as our chief data watchdog, clearer guidance would benefit both regulators and industry. Legislation can outline the authorities the FTC needs to fulfill this mission.

A Consensus: We Must Protect Innovation

First, it is important to consider how the GAO frames the problem.

The GAO report is noteworthy for its consistent reiteration of the need to protect innovation. The US houses some of the most dynamic and productive technology firms in the world, in part because of our largely permissionless stance towards trying new and better ways of doing things, as Thierer writes in his book Permissionless Innovation. The challenge is to maintain this permissionless posture while adequately tackling the data issues of our day.

It has become fashionable to call for the US to adopt restrictive and precautionary, or ex ante, regulations on specific data uses, as the European Union has already done. The CCPA is one attempt to bring a weaker version of the European privacy approach to the US.

The EU’s General Data Protection Regulation (GDPR) is a sprawling law outlining how organizations can and cannot collect and process personal data about individuals. Much of the language is vague and broad. (Indeed, many GDPR enforcers admit they do not know what “compliance” looks like.) The punishment for failing to comply, even by accident, can be extreme: up to €20 million or four percent of global annual revenues, whichever is higher.

Mercatus scholars have pointed out that the GDPR serves as an expensive barrier to entry for new innovators, which has the counterproductive effect of strengthening market incumbents and locking in the status quo. Requiring companies to comply with more new regulations like the CCPA so soon after they spent millions on GDPR compliance would likely further burden smaller players and innovators.

Refreshingly, the GAO seems to have internalized lessons from the GDPR experience. The report does not come close to advocating for anything like a GDPR. Instead, the report wisely recommends that federal data privacy legislation merely augment the existing flexible approach to these questions.

Indeed, the authors specifically call upon Congress to consider “how to balance consumers’ need for internet privacy with industry’s ability to provide services and innovate” in their concluding remarks.

FTC, FCC, or Someone Else?

The GAO report suggests three possible bodies to undertake federal data privacy provision. We can either shore up the FTC’s authorities, transfer some or all authorities over data privacy matters to the Federal Communications Commission (FCC), or create an entirely new purpose-specific data agency.

For a brief period starting in 2015, the FCC was actually the de facto privacy regulator for internet service providers. Most people are familiar with the debates over so-called “net neutrality,” which was really the FCC reclassifying internet service providers (ISPs) as “common carriers” regulated under Title II of the Communications Act of 1934. (Mercatus senior research fellow Brent Skorup has written extensively on Title II reclassification for those who wish to learn more.) But few people realize that common carriage rules also meant ISPs were subject to different consumer data privacy standards, enforced by the FCC rather than the FTC.

Because the FCC later reversed the Title II decision in 2017, these data privacy authorities returned to the FTC. Some advocacy groups would prefer that data matters return to the FCC since that body has more robust rulemaking authorities (more on that below). As such, those who support a more interventionist approach to data privacy tend to favor housing this power within the FCC or a special purpose agency with broad APA rulemaking authority.

Others advance the idea of a custom-built agency to address most or all data privacy issues. There are examples in other countries. Canada, for instance, created the Office of the Privacy Commissioner, which investigates possible privacy violations and reports directly to Parliament. In the EU, there is the European Data Protection Supervisor, a role which the current supervisor self-characterizes as “an ambassador on EU privacy and data protection.”

One important issue when balancing the costs and benefits of creating a new agency to address data privacy is the breadth of jurisdiction this agency could have. Most areas of the economy deal with data in some way. A too-broad grant of power could translate into an equally significant influence over economic matters, often in domains where the agency has no expertise. In other words, a “data privacy” regulator could come to be an “internet regulator,” with problematic effects on innovation and growth.

To Regulate or Not to Regulate?

Finally, the GAO report raises the question of whether the body entrusted with data privacy enforcement should also have expanded authority to regulate. That is, to what extent should we empower the agency to craft their own rules in the future, if at all?

The FTC’s rulemaking abilities are more limited than those of some other agencies because of the Magnuson-Moss Act. This law imposes additional steps the FTC must take when promulgating Section 5 rules, including enhanced notice-of-rulemaking procedures and provisions for hearings and appeals. This can make rulemaking, which is often already a lengthy process, even more time-consuming.

Some, including former FTC officials, would like to see the FTC’s rulemaking powers expanded if it is to continue as the top data privacy enforcer. The GAO report does not present opposing arguments about the downsides of this approach.

But there are good reasons to be wary of granting open-ended rulemaking authorities to a data privacy regulator. Formal regulation can be less adaptive to rapidly changing norms and technology. This can present a double quandary, where beneficial regulations come too late and harmful regulations take too long to be corrected.

Open-ended rulemaking could tend towards a more precautionary regulatory environment, as Mercatus research on the FCC and Food and Drug Administration suggests. Because data-driven technologies constitute some of our most dynamic economic drivers, it would be prudent to scrutinize any reforms that could unduly burden them.

Our Take

We think it makes sense to keep data privacy matters within the FTC’s house. We believe that its ex post approach of investigating and redressing harms can correct bad practices and serve as a warning to would-be ne’er-do-wells while leaving ample space for innovation. Keeping and shoring up the existing processes within the same agency also provides procedural continuity for industry.

This is not to say the FTC cannot improve. As we noted in our public comment, the FTC currently favors a case-by-case approach based on unclear guidance and ad hoc settlements. This has created an uncertain environment for innovators. Because these settlements do not typically go through the courts, the so-called “common law of consent decrees” produces no judicial precedent, which can make it difficult for companies to know whether they are compliant with the agency’s expectations.

Additionally, these consent decrees do not adapt to changes that may occur while a company is under them. Companies, therefore, can end up left behind or prohibited from actions that would allow them to remain competitive in the market.

Legislation could provide more regulatory certainty to industry, formalizing the procedures that have worked well and adding the authorities needed to clarify uncertainties.

Still, such legislation and its potential tradeoffs should be carefully considered and not merely a reaction to headlines or scandals. Policymakers should consider not just the impact on innovation and online actions, but also speech rights, competition, and individual preferences. Data increasingly touches a number of aspects of everyday life and such legislation is likely to impact not only typical online concerns like search engines and social media but also emerging technologies like driverless cars and the Internet of Things.

The GAO correctly identifies the importance of preserving America’s role as a leader in innovation. Federal policy could clarify current uncertainties while maintaining a permissionless approach. To achieve this delicate balance, policymakers should keep in mind that focusing on worst case scenarios could result in sacrificing the consumer benefits of future innovation.

Photo credit: Chip Somodevilla/Getty Images