Brevity is the soul of wit, and of durable legislation. I admire the core principles in Intel’s proposed bill but suggest that it could be made much simpler, placing confidence in the expanded enforcement powers of the FTC, State AGs and the courts, to implement core privacy principles in a wise manner.
Congress, guided by Intel, should recognize that durable privacy rules must protect a growing range of individual lives and and expanding number of innovative businesses. Flexibility, agility and resistance to political interference are essential. We should follow the example of laws that have successfully regulated broad swaths of the economy with simplicity and technological neutrality. The Copyright Act, responsible for regulating rights of authors, readers, listeners and other users of artistic expression, is remarkably simple given the complexity of the market. The operative part of the Act is really just the first nine short sections with no rule-making required for enforcement. The antitrust laws are equally brief. The Sherman Antitrust Act is only seven sections filling a few pages, and the other key competition statutes are similarly brief. Indeed, the portion of the Federal Trade Commission Act the governs more or less the whole of consumer protection, along with privacy and security, today is just one brief section filling less than a page.
These examples show that the US legal system has done well governing complex parts of the economy with simple legislative rules that are subsequently enforced directly by expert agencies (the FTC or Department of Justice), governed on important questions of scope and reach by the courts. This builds on the best of our common law tradition of making progress case-by-case, in response to real social and technical circumstances, as opposed to trying to predict the future or legislate certainty in every edge case.
FTC common law of privacy (to borrow a phrase from Profs Dan Solove and Woody Hartzog) as reflected in its enforcement actions has developed well but with constraints: First, the FTC has had to rely on the limited ‘deception’ authority and has been very cautious about use of the broader ‘unfairness’ provisions of the FTC Act for fear of igniting judicial challenges to its enforcement authority. Congress can change that by creating clear and directly enforceable privacy rules to empower FTC enforcement. And, the large new fining authority proposed by Intel is wise addition to this mix.
When Congress tried to dictate in exhaustive detail how broad principles are to be interpreted and how the authority of enforcement agencies are to be used, the process can easily become inflexible and bogged down in the uncertainty of cycles of appeals of administrative rule-making procedures. A failure mode to avoid is recent additions to the Communications Act such as the Telecommunication Act of 1996, including contentious and ultimately failed efforts to create a more competitive telecommunications market and endless controversy and uncertainty over net neutrality. These are important fights which I supported, but they gave rise to decades-long rule-making disputes, leaving consumers often unprotected on issues that mattered deeply, including broadband privacy and non-discriminatory internet access service. Protracted rule-making or litigation are likely to advantage companies that seek to narrow consumer protection and evade privacy principles. Privacy rights must not be held hostage to this kind of delay.
As drafted, it is not entirely clear to me whether Intel intends that rule-making is required in advance of enforcement. Section 6(b)(4) contains a reference to the existing FTC rule-making authority under 15 USC 57a. I would ask Intel to clarify whether that is meant to avoid or require additional rule-making to enable enforcement.