How the FTC Became a "Super CNIL"
By Winston Maxwell
European data protection authorities are quick to remind citizens and companies that the U.S. lacks adequate protection of personal data. Many Europeans therefore assume that the U.S. is a privacy no-man’s-land. Yet on July 24, 2019 the FTC levied a privacy fine against Facebook that is far above GDPR levels, and imposed accountability obligations that come straight out of the GDPR playbook. The Facebook settlement order highlights a U.S. privacy paradox: The U.S. has inadequate privacy laws, but in some respects the U.S. has the toughest privacy enforcement in the world. How can that be? In an August 11, 2019 article, I try to explain to French readers how the FTC uses Section 5 of the FTC Act and settlement orders to become a world-class privacy enforcer. The title of the article – intentionally provocative – is “how the FTC transformed itself into a super CNIL”.
Some French readers objected to my calling the FTC the “most powerful privacy regulator in the world.” Others objected to my comparing the FTC to a “super CNIL”; others pointed out that Facebook’s market value increased after announcement of the fine, so the FTC’s sanction must have been too low. The purpose of my article was not to defend the Facebook settlement on the merits, but to explain how the FTC got there. The article draws on an article on the FTC and the New Common Law of Privacy by Professors Daniel J. Solove and Woodrow Hartzog, which explains how the FTC transformed the words “unfair and deceptive practices” in Section 5 of the FTC Act into a full corpus of privacy law, on par with many parts of the 1995 Data Protection Directive, and now the GDPR. Gaps remain, of course. A recent Op-Ed by Jessica Rich highlights the challenges faced by the FTC, and the huge gaps left open by the 100-year-old FTC Act. After reading Ms. Rich’s article, I would probably no longer call the FTC the “most powerful privacy regulator in the world.” But it is important for Europeans to understand how much the FTC has done to apply the FTC Act’s consumer protection language to new threats raised by massive data processing. The European Commission’s second annual review of the Privacy Shield framework does justice to the FTC’s work, noting the FTC’s enforcement program and its activities in fields such as algorithmic decision-making.
Of particular interest for Europeans is the FTC’s creative use of settlement orders. The FTC Act does not give the FTC direct sanctioning authority for violations of the “unfair and deceptive practices” rule. As pointed out by FPF CEO Jules Polonetsky, this is a big statutory gap that should be filled. Under current law the FTC needs to bring (or ask the DOJ to bring) a separate action in court. However, the FTC Act does give the FTC the right to impose penalties for breaching a prior consent order. The reason the FTC could act forcefully against Facebook in 2019 was that Facebook violated provisions of a previous settlement, signed in 2012. Settlement orders also permit the FTC to impose ongoing accountability and reporting obligations. When I tell privacy students in France that the FTC’s audit and reporting obligations under settlement orders last for 20 years, they are amazed – for digital businesses, 20 years is an eternity.
Christopher Wolf and I have tried for years to dispel the impression in Europe that the U.S. lacks any effective privacy protection outside of special sectors like health care. While it’s true that the U.S. does not have anything close to a GDPR, the FTC’s recent fine shows that the FTC can do a lot with little, sometimes going beyond the GDPR. Obviously there are limits on what the FTC can do under the FTC Act, particularly when it comes to prohibiting certain business practices that might be challengeable under the GDPR but are not challengeable under current U.S. legislation. Federal privacy legislation would help fill the remaining gaps and give the FTC the resources it needs to be more effective.
Yet Europeans can still learn from the FTC’s existing playbook. Settlement orders are frequent for competition law violations in Europe (they are called “behavioral commitments”), but so far nonexistent for privacy violations. Article 58 of the GDPR might be improved to expressly allow data protection regulators to accept behavioral, or even structural, commitments in the context of sanction proceedings.[1] Another interesting aspect of the Facebook settlement order is the FTC’s requirement that Facebook’s CEO, Mark Zuckerberg, sign a personal attestation. This measure is inspired by anti-corruption laws, which frequently require senior officers to sign attestations. The attestations increase the risk of personal liability and might add a useful layer to the GDPR’s already impressive array of accountability tools.
Whatever one thinks of the Facebook fine, it is by far the largest fine ever imposed for a privacy violation. And the 20-year-long governance and reporting obligations are far from trivial. Those in Europe who continue to think that the U.S. has no privacy laws should read the 2019 settlement order and the European Commission’s second review of the Privacy Shield framework, which together paint a more accurate picture of the U.S. situation.
Winston Maxwell is Director, Law and Digital Technology, for TELECOM Paris.
[1] A resourceful DPA could potentially include something that resembles commitments in a sanction order under the GDPR, and that may or may not be valid. My point is just that unlike competition law, European privacy law does not envisage commitments as a standard tool in the regulator’s toolbox.