A month ago, Rep. Mary Bono Mack introduced a bill (and staff memo) “To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.” These are perhaps the two least objectionable areas for legislating “on privacy” and there’s much to be said for both concepts in principle. Less clear-cut is the bill’s data minimization requirement for the retention of personal information.
But as I finally get a chance to look at the bill on the eve of the July 20 Subcommittee markup, I note one potentially troubling procedural aspect of the bill: giving the FTC authority to redefine PII without the procedural safeguards that normally govern the FTC’s operations. The scope of this definition would be hugely important in the future, both because of the security, breach notification and data minimization requirements attached to it, and because this definition would likely be replicated in future privacy legislation—and changes in to this term in one area would likely follow in others.
The bill (p. 28) provides a fairly common-sensical definition of “personal information”:
an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual… [including a social security number, driver’s license or other identity number, financial account number, etc.]
Then the bill then gives the FTC the authority to redefine PII in the future. The bill limits that authority to situations where:
(i) … such modification is necessary … as a result of changes in technology or practices and will not unreasonably impede technological innovation or otherwise adversely affect interstate commerce; and
(ii) … if the Commission determines that access to or acquisition of the additional data elements in the event of a breach of security would create an unreasonable risk of identity theft, fraud, or other unlawful conduct and that such modification will not unreasonably impede technological innovation or otherwise adversely affect interstate commerce.
This is an admirable attempt to make the statute flexible and forward-looking without giving the FTC carte blanche to redefine “PII”—easily the single most important term in when it comes to regulating the flow of data in our information economy. But I fear even these prudent measures may not be enough if the FTC can use the streamlined Administrative Procedures Act (APA) rulemaking process. Yes, of course, that’s the same process used by most federal agencies, but it’s not what the FTC generally uses—and for good reason. Commissioner Kovacic explained “Mag-Moss” in his 2010 Senate testimony on this issue:
Magnuson-Moss rulemaking, as this authority is known, requires more procedures than those needed for rulemaking pursuant to the Administrative Procedure Act. These include two notices of proposed rulemaking, prior notification to Congress, opportunity for an informal hearing, and, if issues of material fact are in dispute, cross-examination of witnesses and rebuttal submissions by interested persons.
Kovacic isn’t against all grants of APA authority to the FTC:
In addition, over the past 15 years, there have been a number of occasions where Congress has identified specific consumer protection issues requiring legislative and regulatory action. In those specific instances, Congress has given the FTC authority to issue rules using APA rulemaking procedures….
Except where Congress has given the FTC a more focused mandate to address particular problems, beyond the FTC Act’s broad prohibition of unfair or deceptive acts or practices, I believe that it is prudent to retain procedures beyond those encompassed in the APA [i.e., Magnuson-Moss].
Kovacic’s cautiousness about this largely stems from his desire to protect the FTC from repeating the over-reach in the late 1970s that caused even the Washington Post to brand the agency the “National Nanny” and a heavily Democratic Congress to try to briefly shut down the agency, heavily slash its funding and require additional procedural safeguards—a history I’ve written about here and here, and the subject of a PFF event I ran in April 2010. (Of course, Howard Beales wrote the definitive history of this saga.) Kovacic continues:
The lack of a more focused mandate and direction from Congress, reflected in legislation with relatively narrow tailoring, could result in the FTC undertaking initiatives that ultimately arouse Congressional ire and lead to damaging legislative intervention in the FTC’s work…. Through specific, targeted grants of APA rulemaking authority, Congress makes a credible commitment not to attack the Commission when the agency exercises such authority
So what might Commissioner (and former FTC Chairman) Kovacic say about Rep. Bono-Mack’s bill? Unfortunately, he’s retiring from the Commission in September, so we may not actually hear an official answer from him (and FTC Commissioners generally don’t opine about pending legislation anyway unless asked to do so). But I’ll wager he’d applaud the requirements for redefinition and, in principle, he’d be open to giving the FTC APA authority in a narrow area. But I think he’d wonder whether redefining a term so critical as “personal information” is really a “specific”, “targeted” or “focused” given what’s at stake—in particular, the data minimization requirement, which could swallow much of online data collection if “personal information” were defined too broadly.
Rep. Bono-Mack is clearly well aware of these dangers, given the evident thought that went into writing the twin requirements for redefinition I quoted above. But it’s well worth asking whether they’ll be enough to prevent abuse of the power to redefine PII. At the very least, this seems like a question worth considering very, very carefully before the bill moves forward.
Other thoughts?
Update: It appears that an amendment passed today sponsored by Reps Marsha Blackburn (R-TN) and Pete Olson (R-TX) removing the grant of APA rulemaking authority at issue here—a relief!
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.