Government watchdog finds weak enforcement of US privacy regulations
According to a report published in this month (February 209), data privacy is not under government control.
In the report, by the Government Accountability Office (GOA), a recommendation is made for the implementation of a federal internet privacy law, with serious consequences for companies that fail to comply.
The report found that during the past ten years, most of the actions taken by the Federal Trade Commission (FTC) against data privacy abuses did not involve financial penalties. Apparently, this is because the agency does not have the authority to impose fines for those specific violations.
Historically, the FTC has fined companies like Google and Vizio for tracking people’s data. However, the GAO found that almost all of the 101 data privacy violations the FTC has investigated since 2009 resulted in settlement agreements without fines.
The GOA report is in response to a request in 2017 by Rep. Frank Pallone. Mr Pallone is a Democrat from New Jersey and is chairman of the House Energy and Commerce Committee.
Pallone said in a statement:
"Since I requested this report, the need for comprehensive data privacy and security legislation at the federal level has only become more apparent, …From the Cambridge Analytica scandal to the unauthorized disclosures of real-time location data, consumers' privacy is being violated online and offline in alarming and dangerous ways."
Along with the report, Pallone announced a Feb. 26 hearing on data privacy.
"Congress needs to act, and this hearing is an important first step," Rep. Jan Schakowsky, a Democrat from Illinois and chairwoman of the Consumer Protection and Commerce Subcommittee, said in a statement.
According to an article by CNET in December last year, concerns over privacy appeared to have reached boiling point, following a cascade of breaches and data misuse, from giant tech firms like Facebook and also from telecoms companies that enable location tracking. The European Union's General Data Protection Regulation (GDPR) came into effect last May, but so far, the US has no equivalent data privacy law at federal level.
Meanwhile, lawmakers have been pushing for federal regulation of data privacy. One such example is the Data Care Act, which was introduced in December 2018. Last November, Sen. Ron Wyden, a Democrat from Oregon, introduced the Consumer Data Protection Act, which would impose jail sentences for CEOs who lie about data protection.
Several tech giants have reiterated demands for federal regulation. Tim Cook, Apple’s CEO, has called for a US data privacy law, while others including Google and Amazon look to shape any such legislation.
The GAO interviewed Facebook, Apple and Google for the report. Internet service providers like Verizon and Comcast were also approached for comment. The report revealed that most companies prefer the present regulation model for data privacy, whereby the FTC cannot impose fines unless they have agreed to a consent decree for a previous violation.
During a congressional hearing last November, the FTC told lawmakers that the agency does not have the resources to protect consumers from data abuse under the current structure.
Consumer advocacy groups and former FTC and FCC commissioners told the GAO that there should be civil penalties for first-time violations. Some are calling for a new agency specifically for overseeing data privacy.
It’s no secret that, when it comes to passing new laws, Congress is well known for its ‘analysis paralysis’. Consequently, those who want to see action had better hope that Congress can overcome its dysfunctionality and make timely decisions to move hastily forward.
While states like California, continue to improve its rapidly-maturing Consumer Privacy Act (CCPA) Congress needs get its act together, if there is ever to be federal privacy legislation.
… It will also need to be stronger than the California privacy law.
Once again, we invite your comment and opinion on this topic.
Are you in favour of federal data privacy law?
Do you think each state should be responsible for implementing its own privacy regulation?