As the keynote speaker for the Winnik Forum, U.S. Federal Trade Commission (FTC) Commissioner Maureen Ohlhausen sat down with Christopher Wolf, Co-Director of Hogan Lovells’ Privacy and Information Management Practice to discuss the evolving role of the FTC as we enter an era of “Big Data” and the “Internet of Things.” Commissioner Ohlhausen offered her views on a flexible approach to protecting consumer data privacy as connected devices continue to evolve. As opportunities arise for additional potential uses of collected data, Commissioner Ohlhausen said organizations and policymakers should consider a “harms-based approach” in which new uses of data would be allowed as long as they do not cause consumer harm and as long as they remain consistent with earlier promises that organizations have made to consumers. The key for Commissioner Ohlhausen is that companies should disclose what data is being collected and keep the promises that they make to consumers about the collection and uses of that data.
Commissioner Ohlhausen expressed optimism about the potential for new technologies to “provide benefits to consumers as well as to competition,” but acknowledged that there are many concerns surrounding the collection and use of personal data. Commissioner Ohlhausen explained that when faced with a new technology, she takes an approach of “regulatory humility,” educating herself fully on the benefits and risks and looking at whether there are already laws to address the possible harms before considering new regulations.
Ohlhausen emphasized the flexibility offered by the FTC’s case-by-case oversight. By allowing the FTC to analyze whether there are unfair practices or deception based on concrete facts before the Commission, Ohlhausen explained that the FTC avoids the “knowledge problem” that occurs in issuing ex ante regulations. With its case-by-case approach, the FTC can more easily avoid unintended consequences resulting from a lack of information at the time the regulation is made.
Meanwhile, Ohlhausen explained that the FTC’s ex post approach nonetheless provides sufficient predictability to businesses to know when they will be subject to potential enforcement actions. Commissioner Ohlhausen explained that the FTC’s unfairness standard inherently contains a cost-benefit analysis that limits enforcement risk to situations where a company has truly failed to take reasonable precautions, and that the FTC also educates companies on key risk areas, such as protecting consumer information.
“I don’t think we are pushing up too close to the line of what is reasonable,” Commissioner Ohlhausen said. According to Commissioner Ohlhausen, the FTC’s case-by-case enforcement generally only targets data breaches that are more serious or extensive. Taking precautions and having plans in place to respond to a data breach allows companies to minimize the risk of enforcement actions.
Turning more specifically to the issues presented by the “Internet of things” and “Big Data,” Commissioner Ohlhausen reflected that the current regulatory scheme of fair information practice principles may not be suitable in an environment of ubiquitous data collection, particularly the notice and choice aspects of those principles. Because, for example, the advantage of Big Data lies in using analytical tools on previously gathered data sets, Commissioner Ohlhausen said that the burden of giving notice to consumers from whom information was collected decades ago might not make sense and would devalue Big Data analysis. Instead, according to Ohlhausen, a harms-based approach would be superior for some types of data, especially data that is not tied to a specific individual. She also said that she was “hopeful” about de-identification as a possible solution to the risks of data collection. However, Commissioner Ohlhausen maintained that notice and choice are still important for certain sensitive individual personal data, such as health insurance information.
Finally, Commissioner Ohlhausen discussed bridging the gap between EU and US approaches to privacy. Commissioner Ohlhausen offered two ideas for working with Europe on privacy issues. First, she said that it is important to explain to the Europeans the sector-by-sector privacy protections the U.S. already has in laws like the Health Insurance Portability and Accountability Act (“HIPAA”) and in FTC enforcement, which protect privacy in the absence of an overarching regulatory scheme. Second, she said that the Safe Harbor program has been a “useful tool” for interoperability between the two regimes, and that the FTC has been an enforcer of Safe Harbor. Companies that complete the self-certification process under the Safe Harbor framework are deemed to have “adequate” privacy protection under the European Commission’s Directive on Data Privacy, and can avoid interruptions in business dealings with EU organizations.
A “big believer” in the benefits of technology, Commissioner Ohlhausen described an open-minded approach towards new products and data uses while pursuing the FTC’s twin goals of protecting consumers and fostering competition. As the Internet of Things continues to expand, presenting a growing wave of privacy issues, companies and the public can expect Commissioner Ohlhausen to lead the FTC in employing a measured case-by-case approach and relying on a harms-based approach for new data uses.