Supreme Court Ruling May Question FTC Authority to Regulate Privacy and Security
2024-9-27 17:18:35 Author: securityboulevard.com(查看原文) 阅读量:8 收藏

Avatar photo

Recent Articles By Author

On June 28, 2024, as the Supreme Court term winds down, the Court issues a landmark ruling in a case called Loper Bright Enterprises v. Raimondo. The case involved a legal doctrine called “Chevron deference” – discussing when Congress grants authority to an administrative agency — say the EPA — to regulate something, and that agency interprets an ambiguous statute one way, whether the Courts are bound to defer to the way the experts at the agency have interpreted the statute, or whether the Court is free to put its own stamp on what the statute means. The doctrine required only deference to the administrative agency, not obedience — if the Court found that the administrative agency was wrong about how the statute was interpreted, the Court had final say — unless or until Congress itself acted.

The Chevron deference doctrine originates from the 1984 Supreme Court case Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc. The doctrine holds that when a statute is ambiguous, courts should defer to an agency’s interpretation of the statute as long as it is reasonable. This two-step process involves determining whether the statute is ambiguous and, if so, whether the agency’s interpretation is reasonable.
Chevron deference has been a cornerstone of administrative law, giving federal agencies significant leeway in interpreting and implementing statutes. It recognizes the expertise of agencies in their respective domains and aims to provide consistency and predictability in regulatory enforcement. An example of Chevron deference might be if a hypothetical Congress granted the EPA authority to regulate chemicals that were toxic, harmful or dangerous, and the EPA wanted to use that authority to regulate carbon dioxide – implicated in greenhouse gasses and climate change, expected to kill millions. A regulated entity might argue that CO2 is not a “chemical” or that it is not itself “toxic” or “harmful” and that it is naturally occurring, and therefore the statute is ambiguous and that a court should decide whether CO2 is “harmful” rather than some bureaucrat in Washington. Oh, and a Court in Amarillo, Texas. Rather than relying on scientific evidence, hearings, notice and comment, a court might simply look at the word “toxic”and decide that CO2 is not toxic, and therefore it was not the intention of Congress to grant the EPA the authority to regulate it.

So what does this have to do with data privacy and security?

The Federal Trade Commission (FTC) has long been a key player in regulating data privacy and security in the United States. Historically, the FTC has relied on its broad mandate to prevent unfair or deceptive practices to enforce data privacy and security standards. However, with the potential end of the Chevron deference doctrine — a judicial principle that compels courts to defer to a federal agency’s interpretation of ambiguous laws — there is growing uncertainty about the future of the FTC’s regulatory authority. This article explores the origin and history of the FTC’s regulation of data privacy and security, examines the Chevron deference doctrine, and considers the potential implications of its demise on the FTC’s enforcement actions.

The FTC’s Role in Data Privacy and Security Regulation

The FTC was established in 1914 with the primary goal of preventing unfair methods of competition and unfair or deceptive acts or practices in commerce. Over the years, the FTC’s mandate has expanded to include consumer protection, encompassing a wide range of issues, including data privacy and security. The FTC’s authority to regulate data privacy and security primarily stems from Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Although the FTC Act does not explicitly mention data privacy or security, the FTC has interpreted its mandate broadly to include these areas. This interpretation has been the basis for numerous enforcement actions against companies that fail to protect consumer data.

The FTC has found, for example, that collecting personally identifiable information without a comprehensive data privacy and security program is “unfair” and failing to comply with written privacy or security policies is “deceptive.” Is this what Congress intended in 1914? Probably not. Is it a reasonable interpretation of the broad jurisdiction of the FTC? After Loper Bright, we may have to wait and see.

Early Cases and Enforcement Actions

One of the earliest and most significant cases involving the FTC’s authority over data privacy was the 2005 case against BJ’s Wholesale Club. The FTC alleged that BJ’s failed to implement reasonable security measures to protect customer data, leading to a data breach that exposed thousands of credit and debit card numbers. The FTC’s settlement with BJ’s included requirements for the company to implement a comprehensive information security program and obtain biennial assessments of its security measures. This is typical for a FTC settlement – to require an entity to establish specific data privacy and data security programs and report to the FTC about how it is protecting sensitive data.

Another landmark case was the FTC’s action against Facebook in 2011. The FTC charged Facebook with deceiving consumers by failing to keep privacy promises, such as sharing user data with advertisers despite assurances to the contrary. The resulting settlement required Facebook to implement a comprehensive privacy program and undergo regular privacy audits for 20 years. This was based on the FTC’s authority to regulate “deceptive” practices – promising one thing and delivering another.

These cases, among others, established the FTC as a key enforcer of data privacy and security standards in the absence of comprehensive federal privacy legislation.

Challenges to FTC Authority

Despite its proactive stance, the FTC’s authority to regulate data privacy and security has been challenged on several fronts. Critics argue that the FTC’s reliance on the broad and ambiguous language of the FTC Act exceeds its statutory authority. For example, in LabMD, Inc. v. FTC, LabMD challenged the FTC’s authority to regulate its data security practices. The Eleventh Circuit Court of Appeals ultimately vacated the FTC’s order, criticizing the FTC’s approach as too vague and not providing sufficient notice of what constitutes “unfair” practices. A few examples illustrate challenges to the FTC’s authority to regulate data privacy and security. For example, in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015): Wyndham Worldwide – a hotel chain that had suffered both a data breach and a resulting FTC regulatory action, challenged the FTC’s jurisdiction, arguing that the FTC did not have clear statutory authority over data security practices and lacked fair notice of the required security standards. The Third Circuit upheld the FTC’s authority, ruling that Section 5’s prohibition of unfair practices includes unreasonable cybersecurity practices. The court found that Wyndham had fair notice through previous FTC actions against other companies, supporting the FTC’s broad interpretive authority in consumer protection matters involving data security.

In LabMD, Inc. v. FTC, 776 F.3d 1275 (11th Cir. 2015), LabMD contested the FTC’s authority to regulate its data security practices, arguing that the FTC’s interpretation of what constitutes “unfair” practices did not merit Chevron deference. The Eleventh Circuit criticized the FTC’s vague standards and vacated its order against LabMD. This decision underscores the challenges the FTC might face in enforcing data security standards without the benefit of Chevron deference, emphasizing the need for clearer statutory guidance to support FTC enforcement actions in data security.

Similarly, in American Bar Ass’n v. FTC, 430 F.3d 457 (D.C. Cir. 2005) the D.C. Circuit reviewed the FTC’s attempt to apply the Gramm-Leach-Bliley Act’s privacy provisions to attorneys. The court concluded that the FTC’s interpretation of the statute did not merit Chevron deference because it was not the only reasonable interpretation given the statutory ambiguity. This ruling highlights the potential difficulties the FTC may encounter in enforcing data privacy regulations if Chevron deference is curtailed, as courts might more frequently question whether the FTC’s interpretations are the best or only reasonable ones.

Trans Union LLC v. FTC, 295 F.3d 42 (D.C. Cir. 2002) involved the FTC’s authority to regulate the sale of consumer credit reports for marketing purposes. Trans Union challenged the FTC’s interpretation of the Fair Credit Reporting Act (FCRA). The D.C. Circuit upheld the FTC’s interpretation, applying Chevron deference to the agency’s construction of the statute. This case underscores the importance of Chevron deference in supporting the FTC’s regulatory authority over data privacy and security practices.

Potential Impact of the End of Chevron Deference

The potential end of Chevron deference could significantly impact the FTC’s ability to regulate data privacy and security. Without Chevron deference, courts may be less inclined to defer to the FTC’s interpretations of its statutory authority, leading to increased judicial scrutiny of the agency’s enforcement actions. In the absence of Chevron deference, litigants may seek to challenge the FTC’s authority in jurisdictions known for being skeptical of regulatory agencies. For example, the Fifth Circuit Court of Appeals has historically been less deferential to federal agencies compared to other circuits. Litigants may strategically file lawsuits in such jurisdictions, hoping to obtain favorable rulings that limit the FTC’s regulatory reach.

Conclusion

The potential end of Chevron deference poses significant challenges for the FTC’s authority to regulate data privacy and security. The FTC’s historical reliance on broad interpretations of its mandate under Section 5 of the FTC Act may come under increased judicial scrutiny. Without Chevron deference, courts may be less willing to defer to the FTC’s expertise, leading to more frequent and successful challenges to the agency’s jurisdiction. While the FTC has been a pivotal player in advancing data privacy and security standards, the evolving legal landscape underscores the need for clearer statutory guidance. As the debate over Chevron deference continues, stakeholders in the data privacy and security realm must closely monitor developments and adapt to the changing regulatory environment.

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 208 posts and counting.See all posts by mark


文章来源: https://securityboulevard.com/2024/09/supreme-court-ruling-may-question-ftc-authority-to-regulate-privacy-and-security/
如有侵权请联系:admin#unsafe.sh