The Federal Government's Appropriate Role in Internet Privacy Regulation
Report
October 27, 2016
Alden Abbott
Former Deputy Director, Meese Center
Alden Abbott served as Deputy Director of Edwin Meese III Center for Legal and Judicial Studies at The Heritage Foundation.
The Online Privacy Problem
While the Internet-based economy provides many benefits, it also raises new concerns for maintaining the privacy of data. "Internet privacy is the privacy and security level of personal data published via the Internet. It is a broad term that refers to a variety of factors, techniques and technologies used to protect sensitive and private data, communications, and preferences."[1]
As the federal government's National Telecommunications and Information Administration (NTIA)[2] explains:
Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. Users send and store personal medical data, business communications, and even intimate conversations over this global network. But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.
Internet privacy concerns are warranted. According to a July 2015 survey of Internet-using households,[3] 19 percent of such households (representing nearly 19 million households) reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior to the survey. Security breaches appear to be more common among the most intensive Internet-using households—31 percent of those using at least five different types of online devices suffered such breaches. Security breach measures, of course, do not take into account consumer concerns about the unauthorized use of the personal data they supply to Internet service providers and to websites that they visit.
Furthermore, the total cost of data breaches is enormous.[4] A 2016 survey of corporate data breaches funded by IBM showed that the average annual per-company cost of data breaches rose from $3.8 million to $4.0 million between 2014 and 2015.[5] A 2014 study estimated that the aggregate annual data breach-specific cost to the U.S. economy was $140 billion (including direct costs to businesses, indirect costs to their customers, and indirect law enforcement-related costs), and that 500,000 jobs a year were lost due to such breaches.[6]
Online security failures often result in identity theft. The U.S. Federal Trade Commission (FTC) explains, "identity theft occurs when someone uses or attempts to use the sensitive personal information of another person to commit fraud. A broad range of sensitive personal information can be used to commit identity theft, including a person's name, address, date of birth, Social Security number (SSN), driver's license number, credit card and bank account numbers, phone numbers, and even biometric data like fingerprints and iris scans."[7] According to the U.S. Justice Department's Bureau of Justice Statistics, "an estimated 17.6 million Americans—about 7% of U.S. residents age 16 or older—were victims of identity theft in 2014."[8]
Some examples highlight the scale and the nature of the damage identity theft inflicts on consumers and businesses. For example, a 2013 hack of Target involved the theft of 40 million credit card records, leading to $443 million in losses for that company, a $1 billion fine, and substantial costs to customers whose credit card information was compromised.[9] In another example, AOL publicized the search history of 658,000 consumers from which those consumers could reportedly be identified.[10]
Data can be stolen if companies do not pay enough attention to the red flags of possible software problems. For example, Sony incorporated a copy-protection technology called XCP into the CDs it produced. As a side effect of this technology, it became possible to track consumer IP addresses, thereby undermining the security of these personal devices.[11] Depending upon the privacy settings and policies of social media and online dating sites, one's private photos and name may be readily available through general online search engines for an indefinite period of time.[12] Several social media sites have also had scandals that involve the tracking of consumers. According to The Wall Street Journal, Foursquare, purveyor of a mobile app that allows one to learn about popular dining spots near one's current location, continues to track users' every move—even after the app has been closed.[13]
Public attention has focused primarily on Internet data breaches by third party hackers and thieves, since the financial harm stemming from those harmful actions (and, in particular, identity theft), can be estimated. However, government regulators are also concerned about other sorts of misuses of sensitive non-public consumer information that is obtained online—even when particularized financial losses cannot readily be measured. Perhaps the most severe such misuse involves the stalking of individuals by predators who obtain private data online (either directly from vulnerable individuals such as children and teenagers, or through data breaches).[14] Less obviously harmful are online companies' unauthorized uses of consumers' private information to make money through the sale of that information to advertisers and other commercial websites, or through the tracking of consumers' physical movements or web browsing patterns. Some consumers (although not all) may strongly resent and feel themselves harmed by such types of behavior, even if it does not result in direct out-of-pocket losses. Such a concern is in harmony with the long-recognized legal American doctrine that individuals have a limited "privacy interest" in preventing certain personal information from being publicized.[15]
What is the right overall approach government should take in dealing with Internet privacy issues? In addressing this question, it is important to focus substantial attention on the effects of such regulation on economic welfare. In particular, policies should address Internet privacy issues in a manner that does not unduly harm the private sector or deny opportunities to consumers. The U.S. Federal Trade Commission (FTC), the federal government's primary consumer protection agency, has been the principal federal regulator of online privacy practices. Very recently, however, the U.S. Federal Communications Commission (FCC) has asserted the authority to regulate the privacy practices of broadband Internet service providers, and is proposing an extremely burdensome approach to such regulation that would, if implemented, have harmful economic consequences. Congress may wish to take this into account in deciding whether to reallocate and constrain regulatory responsibilities in this area, which is so important to the 21st century innovation-driven economy.
The FTC and Privacy[16]
The FTC uses a variety of legal instruments in protecting consumers, and, in particular, individuals' privacy. As the FTC explains:
The FTC's primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the market. The FTC also has authority to enforce a variety of sector specific laws, including the Truth in Lending Act, the CAN-SPAM Act, the Children's Online Privacy Protection Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, and the Telemarketing and Consumer Fraud and Abuse Prevention Act. This broad authority allows the Commission to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models.
The FTC uses a variety of tools to protect consumers' privacy and personal information. The FTC's principal tool is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior. This includes, when appropriate, implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer data, and provision of robust notice and choice mechanisms to consumers. If a company violates an FTC order, the FTC can seek civil monetary penalties for the violations. The FTC can also obtain civil monetary penalties for violations of certain privacy statutes and rules, including the Children's Online Privacy Protection Act, the Fair Credit Reporting Act, and the Telemarketing Sales Rule. To date, the Commission has brought hundreds of privacy and data security cases protecting billions [sic] of consumers.[17]
More specifically, "[t]he FTC has brought enforcement actions addressing a wide range of privacy issues, including spam, social networking, behavioral advertising, pretexting, spyware,[18] peer-to-peer file sharing, and mobile. These matters include over 130 spam and spyware cases and more than 50 general privacy lawsuits."[19] A very large portion of these matters involved online commercial activity.
As stated above, most of the FTC's privacy-related work is based on its core general authority to proscribe unfair or deceptive acts or practices under Section 5(a)(1) of the Federal Trade Commission Act (Section 5).[20] Although deception and unfairness are covered in the same statutory section, they represent different concepts.
The FTC defines "deception" as involving a "representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer's detriment."[21] Thus, deception occurs only when business conduct causes tangible harm to consumers who acted reasonably and were, nonetheless, misled. By comparison, conduct is "unfair" if it involves "an act or practice [that] causes or is likely to cause substantial injury to consumers which is not reasonably avoided by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."[22] This necessarily calls for cost-benefit analysis, since it weighs potential efficiencies against consumer harm, which makes it a more stringent test than deception.[23] Key to both the "deception" and "unfairness" cases is the concept of "materiality," which means that the behavior under scrutiny must actually impact consumer choices—if consumer choices are unaffected, consumers are not harmed, and thus the behavior does not violate Section 5. In a speech on Internet privacy protection, FTC Commissioner Maureen Ohlhausen summarized the interplay between Section 5 unfairness and deception:
[U]nfairness establishes a baseline prohibition on practices that the overwhelming majority of consumers would never knowingly approve. Above that baseline, consumers remain free to find providers that match their preferences, and our deception authority governs those arrangements. . . . The FTC's case-by-case enforcement of our unfairness authority shapes our baseline privacy practices. Like the common law, this incremental approach has proven both relatively predictable and adaptable as new technologies and business models emerge.[24]
A brief review of representative Section 5 privacy cases provides a sense of how the FTC applies the unfairness and deception standards in that context. Applying these standards, the FTC has successfully resolved investigations (through settlements and final litigated decisions) in which it alleged that companies made deceptive claims about how they collect, use, and share consumer data; failed to provide reasonable security for consumer information; deceptively tracked consumers online; spammed and defrauded consumers; installed spyware or other malware on consumers' computers; shared highly sensitive, private consumer information with unauthorized third parties; and publicly posted such data online without consumers' knowledge or consent.[25] The many companies under FTC orders include Microsoft, Facebook, Google, Equifax, HTC, Twitter, Snapchat, and Wyndham Hotels.[26]
Although various specialized statutes (such as the Children's Online Privacy Protection Act) require special privacy frameworks for the conduct they cover, the general FTC Act does not legally obligate companies to produce an online privacy policy. Still, most foreign jurisdictions (including the EU) and individual U.S. states (such as California) require that commercial website operators that collect personally identifiable information have such policies.[27] Thus, it makes sense for U.S. commercial providers to develop and post their policies regarding their data collection and dissemination practices.
For companies that adopt and post online privacy policies, a further issue is whether they decide to offer website users the choice of "opt in" or "opt out" data sharing frameworks. (Companies may choose to do neither and simply describe their privacy practices.) Under opt in, personal data obtained from website visitors cannot be shared with third parties (such as advertisers or marketers) unless and until the individual visiting a website grants permission for such use, typically by checking a box on a notice provided by the website. Under opt out, personal information can be shared unless the individual specifically requests that the website not do so. By its nature, opt in tends to restrict the dissemination of information, while opt out promotes more liberal information sharing. This difference is the result of the fact that many consumers may choose not to have their information shared if they have to make an initial election under opt in, while many consumers may not bother to act affirmatively to prevent information sharing under opt out.
Opt-in and opt-out policies also pose a welfare trade-off. The "up-front reminder" provided by opt in policies will be beneficial to consumers who highly value their privacy. But less privacy-sensitive consumers who value more highly the extra online services that are financed by websites' greater ability to monetize consumer information (by selling it to third parties) would benefit from opt out policies. In addition to these general considerations, the greater the sensitivity and potential consumer harm that may arise from a website's transfer of personal data, the more likely opt in policies will prove beneficial for the bulk of that website's customers. In reviewing complaints in this area (for example, the claim that a company has sold the private information of consumers who opted against information sharing), the FTC applies its general Section 5 deception and unfairness principles on a case-by-case basis.[28]
The FCC Steps In
Until very recently, the FTC was the only federal agency scrutinizing online privacy practices. On April 1, 2016, however, the FCC, which is the federal communications regulatory agency,[29] published a Notice of Proposed Rulemaking (NPRM) entitled "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services."[30] This "Privacy NPRM" sets forth detailed rules that, if adopted, would impose onerous privacy obligations on "Broadband Internet Access Service" (BIAS) Providers, the firms that provide the cables, wires, and telecommunications equipment through which Internet traffic flows—primarily cable (Comcast, for example) and telephone (Verizon, for example) companies.[31] The Privacy NPRM reclassifies BIAS provision as a "common carrier" service, thereby totally precluding the FTC from regulating BIAS Providers' privacy practices (since the FTC is barred by law from regulating common carriers).[32] Put simply, the NPRM required BIAS Providers "to obtain express consent in advance of practically every use of a customer['s] data,"[33] without regard to the effects of such a requirement on economic welfare. All other purveyors of Internet services, however—in particular, the large numbers of "edge providers" that generate Internet content and services (Google, Amazon, and Facebook, for example)—are exempt from the new FCC regulatory requirements.
In short, the Privacy NPRM establishes a two-tier privacy regulatory system, with BIAS Providers subject to tight FCC privacy rules, while all other Internet service firms are subject to more nuanced, case-by-case, effects-based evaluation of their privacy practices by the FTC. This disparate regulatory approach is peculiar (if not wholly illogical), since edge providers in general have greater access than BIAS Providers to consumers' non-public information, and thus may appear to pose a greater threat to consumers' interest in privacy.[34]
The FCC's proposal to regulate BIAS Providers' privacy practices represents bad law and bad economic policy, in several respects.
First, the Privacy NPRM undermines the rule of law by extending the FCC's authority beyond its congressional mandate. The FCC justifies its privacy rules by invoking Section 222 of the Telecommunications Act of 1996,[35] which empowers the FCC to regulate Customer Proprietary Network Information (CPNI) over voice telephony. CPNI only covers a narrow category of information—telecommunications providers' collection and use of individualized subscriber information regarding the time and length of calls, phone numbers called, and consumer voice billing when such information "is made available to the carrier by the customer solely by virtue of the carrier-customer relationship."[36] By contrast, the Privacy NPRM proposes to regulate the far broader category of "personally identifiable information," or PII, defined as information that "can be used on its own, in context, or in combination to identify an individual or to logically associate with other information about a specific individual."[37]
In short, under the NPRM, the FCC cites its authority over a very limited category of "telephone bill" data unrelated to Internet communications to justify regulating vast amounts of private information transmitted over the Internet. This is "a gross overextension of the authority conferred by Congress under Section 222. It is legally improper for the Commission to reinterpret its circumscribed privacy mandate regarding phone services and overextend that authority to the competitive broadband services."[38] Moreover, this expansive approach is at odds with the overall guidance Congress provided the FCC in enacting the 1996 Telecommunications Act, which emphasizes reliance on competitive forces, rather than FCC regulation,[39] and provides for FCC forbearance from regulating telecommunications services to the greatest extent possible,[40] including when regulation "is not necessary for the protection of consumers."[41]
Second, the Privacy NPRM imposes a set of sweeping opt-in consent requirements on BIAS Providers, without regard to private sector burdens or actual consumer welfare.[42] In the name of protecting online privacy, the NPRM requires that BIAS Providers seek affirmative opt-in consent from each customer for virtually all uses of any consumer data.[43] A BIAS Provider would have to inform customers of its intended use of their data and then obtain their consent—even if the Provider had no plans to disclose the data and even if the data already was being used by other Internet businesses for advertising and marketing purposes. In contrast, the FTC has reserved its imposition of opt-in requirements to very limited situations, involving "specific uses like making retroactive changes to privacy representations, or collecting sensitive information, such as information about children, financial and health information, Social Security numbers, and precise geolocation information."[44] The FTC's limited use of opt-in requirements reflects the fact that "opt in mandates unavoidably reduce consumer choice" by setting a privacy baseline that is too high and by preventing unanticipated beneficial uses of consumer information.[45] In a similar vein, former FTC Commissioner Joshua Wright wrote that the Privacy NPRM imposes "a rigid, one-size-fits-all regulatory approach, forgoing the individualized analyses that leave space for innovative, welfare-enhancing uses of customer data."[46] In particular, Wright aptly summarized the nature of the costs the FCC's approach would impose on consumers and the economy as a whole:
[The Privacy NPRM] presumes that consumers with strong privacy preferences somehow cannot effectively protect these interests by opting-out when doing so would make them better off, and, instead, imposes the burdens to act upon those consumers with weak preferences. Far from benefiting consumers, this regime eliminates the ability of firms to compete and experiment with business models to maximize consumer value and would impose significant costs upon many firms in the online ecosystem—costs that consumers would ultimately bear. These costs would far outweigh the very limited and speculative benefits the NPRM proffers.[47]
Third, the Privacy NPRM, if implemented, will reduce BIAS Provider revenues and thereby dampen investment that is vital to the continued growth of and innovation in Internet-related industries. Opt-in restrictions will sharply limit the ability of BIAS Providers to monetize consumer data by selling it to advertisers and marketers, thereby reducing funds available to finance new Internet services and improving existing services. Furthermore, the financial health of BIAS Providers would be undermined. As the U.S. Chamber of Commerce explained, in its comment on the Privacy NPRM:
The NPRM threatens the long-term economic health of broadband and other telecommunications providers. According to Moody's Investors Services, the FCC's proposed privacy rules pose "a long-term risk to the current TV advertising business model, as well as all broadband providers whom also have ad sales exposure." Given the regulatory imbalance created by the proposed rule, the credit agency also predicts that NPRM will be "credit-negative" for Internet service providers.[48]
Fourth, and relatedly, edge providers (Google, for example), which are not covered by the NPRM (and whose ability to monetize consumer data is subject only to "lighter touch" FTC oversight), will experience less competitive pressure from BIAS Provider offerings, and have a weaker incentive to innovate and compete in Internet service provision.[49]
Fifth, the Privacy NPRM, if implemented, will harm consumer welfare and, in particular, raise consumer prices for Internet services and deny discount programs desired by consumers. NPRM-related limitations on the ability of BIAS Providers to monetize consumer data will, by reducing ad revenue used to help defray broadband service costs, incentivize the Providers to raise consumer broadband service prices.[50] In addition, by barring BIAS Providers from offering discounted Internet broadband services in exchange for greater access to consumer data, the NPRM will deny a valuable option to consumers who value service discounts more than additional information privacy.[51]
In sum, the Privacy NPRM would, if implemented, undermine the economic welfare of both businesses and consumers in a manner that ignores clear limitations on the FCC's statutory authority. As a matter of sound economics and law, the FCC should abandon this disastrous proposal and leave the federal oversight of online Internet privacy where it now resides—with the FTC.
International Considerations
While the previous discussion has centered on the federal government's approach to Internet privacy, foreign governments increasingly have sought to regulate privacy (and, in particular, data protection) practices,[52] generally in a far more intrusive fashion than that employed by the FTC. Because the Internet is global in scope, American businesses (particularly those with a significant international reach) need to take into account foreign privacy regulations in planning their operations.
The U.S. government has negotiated with the European Union (EU),[53] the multi-jurisdictional entity with the most comprehensive privacy policy, in seeking to avoid excess burdens on private entities. On February 2, 2016, the EC (the European Union's administrative and regulatory body)[54] and the U.S. government agreed on a new regulatory framework covering transatlantic exchanges of personal data for commercial purposes (for example, bank or corporate transmissions of such data)—the EU-U.S. Privacy Shield.[55] The Privacy Shield responded to a 2015 European Court of Justice ruling invalidating a prior EU-U.S. "Safe Harbor" Agreement for dealing with data exchange.[56] The Shield allows companies to subject themselves to specified principles governing their U.S.-EU and EU-U.S. data transfer. (Notably, the FTC, not the FCC, played a key role in Privacy Shield negotiations and is endowed with significant Shield-related enforcement responsibilities.) Key elements of the agreement include:
- Commitments by Companies to Robust Data Protection. U.S. companies participating in the new framework will be required to commit to robust obligations regarding the processing of personal data from Europe. Companies handling human resources data from Europe will be further required to agree to comply with the decisions of the Data Protection Authorities ("DPAs") of the various EU member states.
- FTC Enforcement. The [FTC]…will have enforcement authority regarding U.S. companies' compliance with the new framework, just as it did with the former Safe Harbor agreement. The U.S. Department of Commerce will have overall responsibility for monitoring companies' compliance with the Privacy Shield framework.
- Redress for EU Citizens. EU citizens who believe that their data has been misused by a U.S. company will have several avenues of redress. For example, DPAs may refer EU citizen complaints to the Department of Commerce and the FTC. In addition, a new Ombudsperson will be established to handle complaints of access to personal information by national intelligence authorities.
- Restrictions on U.S. Government Surveillance. Access to EU personal data by U.S. law enforcement and national security authorities will be subject to clear limitations and oversight, and the U.S. has provided the EU with written assurances to this effect. The absence of such protections was a key factor in the…[European Court of Justice's 2015] decision that invalidated the Safe Harbor agreement. The European Commission and the U.S. Department of Commerce will conduct annual joint reviews regarding the issue of national security access.[57]
Membership in the Privacy Shield is entirely voluntary. In deciding whether to bring themselves under the Shield, which imposes significant and costly regulatory obligations and severe sanctions for violations of Shield commitments, American businesses may wish to consider instead using standardized contractual terms to govern their U.S.-EU data transfers.[58] Whether or not they "opt in" to Shield commitments, however, American firms doing business in the EU will be subject to potentially large and uncertain liability and European regulatory oversight.
Furthermore, given the very significant influence of European data protection and privacy norms on international thinking,[59] the implementation and development of Shield and European DPA policies will be a major ongoing concern for American companies, wherever they do business. The Privacy NPRM (if implemented) heightens that concern for BIAS Providers, since they will have to evaluate the implications of new FCC regulation (rather than merely rely on FTC oversight) in deciding whether to opt in to the Shield's standards and obligations.
Recommendations
The FCC's Privacy NPRM is at odds with the pro-competitive, economic welfare enhancing goals of the 1996 Telecommunications Act. It ignores the limitations imposed by that act and, if implemented, would harm consumers and producers and slow innovation. This prompts four recommendations.
- The FCC should withdraw the NPRM and leave it to the FTC to oversee all online privacy practices under its Section 5 unfairness and deception authority. The adoption of the Privacy Shield, which designates the FTC as the responsible American privacy oversight agency, further strengthens the case against FCC regulation in this area.
- In overseeing online privacy practices, the FTC should employ a very light touch that stresses economic analysis and cost-benefit considerations. Moreover, it should avoid requiring that rigid privacy policy conditions be kept in place for long periods of time through consent decree conditions, in order to allow changing market conditions to shape and improve business privacy policies.
- Moreover, the FTC should borrow a page from former FTC Commissioner Joshua Wright by implementing an "economic approach" to privacy.[60] Under such an approach:
  - FTC economists would help make the commission a privacy "thought leader" by developing a rigorous academic research agenda on the economics of privacy, featuring the economic evaluation of industry sectors and practices;
  - The FTC would bear the burden of proof in showing that violations of a company's privacy policy are material to consumer decision-making;
  - FTC economists would report independently to the FTC about proposed privacy-related enforcement initiatives; and
  - The FTC would publish the views of its Bureau of Economics in all privacy-related consent decrees that are placed on the public record.
- The FTC should encourage the European Commission and other foreign regulators to take into account the economics of privacy in developing their privacy regulatory policies. In so doing, it should emphasize that innovation is harmed, the beneficial development of the Internet is slowed, and consumer welfare and rights are undermined through highly prescriptive regulation in this area (well-intentioned though it may be). Relatedly, the FTC and other U.S. government negotiators should argue against adoption of a "one-size-fits-all" global privacy regulation framework.[61] Such a global framework could harmfully freeze into place over-regulatory policies and forestall beneficial experimentation in alternative forms of "lighter-touch" regulation and enforcement.
Although not a panacea, these recommendations would help deter (or, at least, constrain) the economically harmful government micromanagement of businesses' privacy practices in the United States and abroad. The Internet economy would in turn benefit from such a restraint on the grasping hand of big government.
—Alden F. Abbott is Deputy Director of and John, Barbara, and Victoria Rumpel Senior Legal Fellow in the Edwin Meese III Center for Legal and Judicial Studies at The Heritage Foundation. He gratefully acknowledges the research assistance of Heritage Foundation Intern Jessica Higa, who participated in the Young Leaders Program.
[1] Internet Privacy, techopedia.com, https://www.techopedia.com/definition/24954/internet-privacy (last visited Aug. 18, 2016).
[2] NTIA is the Executive Branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues. About NTIA, NTIA.gov, https://www.ntia.doc.gov/virtually (last visited Aug. 18, 2016).
[3] See Rafi Goldberg, NTIA, Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities, NTIA Blog (May 13, 2016), https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economical-and-other-online-activities.
[4] For a comprehensive chronological summary of data breaches suffered by businesses, see, e.g., Chronology of Data Breaches/Security Breaches 2005 – Present (2016), Privacy Rights, http://www.privacyrights.org/data-breach (last visited Aug. 19, 2016).
[5] See Ponemon Institute, 2016 Cost of Data Breach Study: Global Analysis, IBM (June 2016), http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN.
[6] Matthew Zajechowski, How Consumers Foot the Bill for Data Breaches, Smart Data Collective, http://www.smartdatacollective.com/matthew-zajechowski/223676/how-consumers-pes-nib-data-breaches.
[7] Guide for Assisting Identity Theft Victims, FTC (Sept. 2013), https://www.consumer.ftc.gov/articles/pdf-0119-guide-profitable-id-theft-victims.pdf.
[8] Victims of Identity Theft, Bureau of Justice Statistics (Sept. 2015), http://www.bjs.gov/content/pub/pdf/vit14_sum.pdf.
[9] See id.
[10] Michelle Kessler & Kevin Maney, AOL's Tech Chief Quits After Breach of Privacy, USA Today (Aug. 21, 2006), http://usatoday30.usatoday.com/tech/news/Internetprivacy/2006-08-21-aol-privacy-departures_x.htm.
[11] See Fred Von Lohmann, Are You Infected by Sony-BMG's Rootkit?, Electronic Frontier Foundation (Nov. 8, 2005), https://www.eff.org/deeplinks/2005/eleven/are-you-infected-sony-bmgs-rootkit.
[12] See Rainey Reitman, Six Heartbreaking Truths about Online Dating Privacy, Electronic Frontier Foundation (Feb. 10, 2012), https://www.eff.org/deeplinks/2012/02/six-heartbreaking-truths-about-online-dating-privacy.
[13] Douglas MacMillan, Foursquare Now Tracks Users Even When the App is Closed, Wall St. J. (Aug. 6, 2014), http://blogs.wsj.com/digits/2014/08/06/square-now-tracks-users-fifty-fifty-when-the-app-is-closed/.
[14] See, e.g., Children & Teen Statistics, OnlineSentry, http://www.sentrypc.com/home/statistics.htm (last visited Aug. 18, 2016); Sexual Exploitation & Abuse/Child Porn, Enough Is Enough, http://plenty.org/stats_exploitation (last visited July 12, 2016); Online Predator Statistics and Facts, Keylogger Review (May 21, 2016), http://keyloggers.mobi/online-predator-statistics/ (citing statistics regarding exposure by teens and children to online pornography and online sexual solicitations, and related online stalking problems).
[15] The first noteworthy scholarly discussion of an individual "right to privacy" under Anglo-American law is Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard L. Rev. 193 (1890), http://faculty.uml.edu/sgallagher/Brandeisprivacy.htm.
[16] For a detailed discussion of the FTC's appropriate role in regulating online data security, an important aspect of privacy, see Alden Abbott, The Federal Trade Commission's Role in Online Security: Data Protector or Dictator?, Heritage Foundation Legal Memorandum No. 137 (Sept. 10, 2014), http://www.heritage.org/research/reports/2014/09/the-federal-merchandise-commissions-office-in-online-security-information-protector-or-dictator#_ftn1. This memorandum deals more generally with online privacy.
[17] FTC, Privacy & Data Security Update (Jan. 2016), https://www.ftc.gov/reports/privacy-data-security-update-2015#privacy. See also id. for more detail on the Fair Credit Reporting Act, the Children's Online Privacy Protection Act, and the Telemarketing Sales Rule.
[18] Spyware involves the insertion of a software "virus" that can monitor or control your computer use. It may be used to send consumers pop-up ads, redirect their computers to unwanted websites, monitor their Internet surfing, or record their keystrokes, which, in turn, could lead to identity theft. Combating Spyware and Malware, FTC, https://www.ftc.gov/news-events/media-resources/identity-theft-and-data-security/spyware-and-malware (last visited Aug. 19, 2016).
[19] FTC, Privacy & Data Security, supra note 17.
[20] 15 U.S.C. § 45(a)(1).
[21] James C. Miller III, Chairman, FTC, Policy Statement on Deception to The Honorable John D. Dingell, Chairman, Energy and Commerce, U.S. House of Representatives (Oct. 14, 1983), appended to Cliffdale Associates, Inc., 103 F.T.C. 110, 174 (1984), http://www.ftc.gov/ftc-policy-argument-on-deception.
[22] 15 U.S.C. § 45n.
[23] See, e.g., J. Howard Beales III, Director, Bureau of Consumer Protection, FTC, Address at the Marketing and Public Policy Conference: The FTC's Use of Unfairness Authority: Its Rise, Fall, and Resurrection (May 30, 2003), http://www.ftc.gov/public-statements/2003/05/ftcs-utilise-unfairness-authorization-its-ascension-fall-and-resurrection. Current FTC Commissioner Josh Wright also has stressed the importance of cost-benefit analysis. See, e.g., Joshua D. Wright, Commissioner, FTC, Remarks to the George Mason University Law & Economics Center and Alliance of California Judges: The Economics of Access to Civil Justice: Consumer Law, Mass Torts, and Class Actions (Mar. 16, 2014), http://www.ftc.gov/system/files/documents/public_statements/293621/140316civiljustice-wright.pdf.
[24] Maureen K. Ohlhausen, Commissioner, FTC, Remarks at the Free State Foundation Eighth Annual Telecom Policy Conference: Privacy Regulation in the Internet Ecosystem 4–5 (Mar. 23, 2016), https://www.ftc.gov/system/files/documents/public_statements/941643/160323fsf1.pdf. Former FTC Commissioner Joshua Wright has expressed some skepticism about the FTC.
[25] See Comment of the Staff of the Bureau of Consumer Protection of the Federal Trade Commission to the Federal Communications Commission, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, FCC 16-39, at 4-5 (May 27, 2016), https://www.ftc.gov/system/files/documents/advocacy_documents/comment-staff-bureau-consumer-protection-federal-trade-commission-federal-communications-committee/160527fcccomment.pdf.
[26] Id. at 5.
[27] See Privacy Policies Are Required Everywhere, Iubenda, http://www.iubenda.com/en/privacy-legal-requirements (accessed Aug. 19, 2016).
[28] Former FTC Commissioner Joshua Wright has expressed concern that FTC consumer protection analysis in general, and privacy analysis in particular, are insufficiently attuned to economic considerations, in particular, the "tradeoffs between the value to consumers and society of the free flow and exchange of information and the creation of new products and services on the one hand, against the value lost by consumers from any associated reduction in privacy." Joshua D. Wright, The FTC and Privacy Regulation: The Missing Role of Economics, George Mason University Law & Economics Ctr. 7 (Nov. 12, 2015), http://masonlec.org/site/rte_uploads/files/Wright_PRIVACYSPEECH_FINALv2_PRINT.pdf.
[29] The FCC is an independent federal government agency charged by Congress with "regulat[ing] interstate and international communications by radio, television, wire, satellite, and cable in all 50 states, the District of Columbia and U.S. territories." The FCC's Mission, FCC, https://www.fcc.gov/nigh/overview (last visited Aug. 19, 2016).
[30] FCC, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106 (released Apr. 1, 2016), WC Docket No. 16-106, https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-39A1.pdf. Consistent with the Administrative Procedure Act, an NPRM soliciting public comments on a proposed rule may be followed by the FCC's issuance of a final binding rule. See Rulemaking, FCC, https://www.fcc.gov/full general/rulemaking (last visited Aug. 19, 2016).
[31] The Privacy NPRM defines BIAS as a "mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up Internet access service." Privacy NPRM, id., at ¶ 29.
[32] See 15 U.S. Code § 45(a)(2) (the FTC's authority to prevent firms from using "unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce" does not extend to "common carriers subject to the Acts to regulate commerce").
[33] Harold Furchtgott-Roth & Arielle Roth, The FCC Wants To Regulate Your Internet Privacy Now, Also, Forbes (Mar. 14, 2016), http://www.forbes.com/sites/haroldfurchtgottroth/2016/03/14/why-the-fccs-proposed-privacy-rules-would-hurt-consumers/#32dca1ac4c49.
[34] Edge provider websites such as Google and Amazon, unlike BIAS Providers, routinely request large amounts of consumer data. Moreover, a large proportion of the information transmitted through BIAS Provider networks (70 percent or higher by latest count) is encrypted, sharply limiting the ability of those Providers to misuse non-public consumer data. See Thomas Lenard & Scott Wallsten, An Economic Analysis of the FCC's Privacy Notice of Proposed Rulemaking, Technology Policy Inst. (May 2016), https://techpolicyinstitute.org/wp-content/uploads/2016/05/Lenard_Wallsten_FCCprivacycomments.pdf.
[35] 47 U.S.C. § 222.
[36] 47 U.S.C. § 222(h)(1)(A).
[37] Privacy NPRM, at ¶¶ 60, 61.
[38] In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106 (released Apr. 1, 2016), Comments of the Free State Foundation, at 5 (May 27, 2016), http://www.freestatefoundation.org/images/FCC_Privacy_Comments_-_Final_052716.pdf.
[39] See, e.g., 47 U.S.C. preamble (the Act's single goal is "[t]o promote competition and reduce regulation"); 47 U.S.C. § 706(c) (the "Internet and other interactive computer services have flourished . . . with a minimum of government regulation"); and 47 U.S.C. § 257(b) (the FCC's mandate is to promote policies favoring "vigorous economic competition").
[40] See 47 U.S.C. § 160 ("Competition in telecommunications service").
[41] 47 U.S.C. § 160(a)(2).
[42] This discussion draws heavily upon Gerald R. Faulhaber & Hal J. Singer, The Curious Absence of Economic Analysis at the Federal Communications Commission: An Agency in Search of a Mission 52–53 (July 2016 draft), http://www.calinnovates.org/curious-absenteeism-economic-assay-federal-communications-committee-agency-search-mission/ (accessed Aug. 19, 2016).
[43] See Privacy NPRM ¶¶ 62, 127–133.
[44] FCC NPRM, Dissenting Statement of FCC Commissioner Michael O'Rielly, at 3 (Apr. 1, 2016), https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-39A6.pdf.
[45] See Ohlhausen, supra note 24.
[46] Joshua D. Wright, An Economic Analysis of the FCC's Proposed Regulation of Broadband Privacy 6 (May 27, 2016) (footnote reference deleted), https://www.ustelecom.org/sites/default/files/documents/ExParte_re_Wright_Privacy_FINAL.pdf.
[47] Id. at 11 (footnote reference deleted).
[48] Letter from the U.S. Chamber of Commerce to Marlene Dortch, Secretary, FCC, Commenting on the Privacy NPRM, at 6–7 (footnote references omitted), https://www.uschamber.com/sites/default/files/documents/files/five.26.16-_comments_to_fcc_on_proposed_broadband_privacy_rules.pdf.
[49] See Faulhaber & Singer, supra note 42, at 53.
[50] See Wright, supra note 46, at 6.
[51] See FCC Overreach: Examining the Proposed Privacy Rules: Hearing Before the Subcomm. on Communications and Technology of the H. Comm. on Energy & Commerce 114th Cong., 2nd Sess. (2016) (Statement of Jon Leibowitz, Co-Chairman, 21st Century Privacy Coalition), http://docs.firm.gov/meetings/IF/IF16/20160614/105057/HHRG-114-IF16-Wstate-LeibowitzJ-20160614.pdf (last visited Aug. 19, 2016).
[52] See, e.g., What is Data Protection? Privacy International, https://www.privacyinternational.org/node/44 (last visited Aug. 19, 2016); David Banisar, National Comprehensive Data Protection/Privacy Laws and Bills 2016 Map (Apr. 30, 2016) (compilation of over 100 jurisdictions with privacy/data protections laws), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416 (last visited Aug. 19, 2016); Data Protection Laws of the World, DLA Piper (2016) (providing short summaries of different jurisdictions' laws), https://www.dlapiperdataprotection.com/#handbook/globe-map-department (last visited Aug. 19, 2016).
[53] The EU in Brief, European Union (May 13, 2016), http://europa.eu/about-eu/basic-information/about/index_en.htm. As of today, the European Union comprises 28 European nations.
[54] See About the European Commission, European Union (July 7, 2016), http://ec.europa.eu/about/index_en.htm.
[55] See Press Release, European Commission, European Commission Launches EU-U.S. Privacy Shield: Stronger Protection for Transatlantic Data Flows (July 12, 2016), http://europa.eu/rapid/press-release_IP-xvi-2461_en.htm. The EC formally adopted the Shield on July 12, 2016, making it immediately applicable within EU Member States.
[56] See id.
[57] U.S. and EU Agree to New "Privacy Shield" Framework to Replace Safe Harbor, Ice Miller LLP (Feb. 3, 2016), http://www.icemiller.com/ice-on-burn down-insights/publications/u-southward-and-eu-agree-to-new-privacy-shield-framework-t/.
[58] See Aaron Tantleff, To Join or Not to Join: Is the EU-U.S. Privacy Shield Right for You? Foley & Lardner LLP (Apr. 11, 2016), https://www.foley.com/to-join-or-not-to-join-is-the-eu-us-privacy-shield-right-for-you/.
[59] See, e.g., Christopher Kuner, The European Union and the Search for an International Data Protection Framework, 2 Groningen J. Int'l L. 55 (2014), https://groningenjil.files.wordpress.com/2015/04/grojil_vol2-issue2_kuner.pdf.
[60] See Wright, supra note 28, for a discussion of such an approach.
[61] Notably, the EU and other nations have called for a global data protection framework. See Kuner, supra note 59, at 56–61.
Source: https://www.heritage.org/report/the-federal-governments-appropriate-role-internet-privacy-regulation