[INTERVIEW] Missed opportunities in privacy regulation: 5 questions to Marc Rotenberg

In 2011, the US FTC issued a consent decree restricting how Facebook could use and share user data. How was your organisation, the Electronic Information Privacy Center, involved in this and how have things developed since then?

Our oversight of Facebook began early on. Around 2007 we noticed that the company was engaging in business practices that appeared unfair to consumers. Personal data gathered for one purpose was used for a different purpose. Facebook also changed its privacy policies after acquiring personal data. And even as the company gathered more data from consumers, it was becoming more secretive about its business practices.

We had previously had success bringing consumer complaints to the Federal Trade Commission concerning the business practices of Microsoft, Choicepoint (a data broker), and other companies. In 2009 we decided to bring a complaint against Facebook to the FTC. We prepared detailed submissions, filled with evidence and legal analysis. Our complaints were supported by several US consumer organisations. We spent two years pursuing the complaint. And I was often asked to speak before Congress about consumer privacy. In several of those hearings, I described our FTC complaint against Facebook and also a similar complaint against Google.

Eventually, in 2011, the Federal Trade Commission issued a sweeping decision, based on our complaint, to prevent Facebook (and later Google) from engaging in similar unfair business practices in the future. But almost immediately we could see that the FTC would not enforce the legal authorities we had helped establish. Google went ahead with plans to consolidate user data which was clearly prohibited by that settlement. Even the FTC chair acknowledged this. But he would not act. So, we sued the FTC in federal court to enforce its settlement. The judge was sympathetic to our legal argument but said she lacked the authority to compel the FTC to act. So, Google went ahead, as did Facebook, with more unfair business practices, and the FTC stood on the sidelines and watched.


The EIPC also challenged Facebook’s acquisition of WhatsApp in 2014. What was the basis for this complaint and how did the FTC respond?

We objected to Facebook’s acquisition of WhatsApp for two different reasons. First, it violated the WhatsApp privacy policy and was therefore an unfair business practice. But we also warned the FTC that if the consumer agency failed to block the acquisition, consumer choices would become meaningless. Our point was that over 500 million users of WhatsApp were willing to pay a small subscription for better privacy protection. Others went with the free Facebook messaging app. That was their choice. Because the FTC did not protect the WhatsApp users’ choice, the market for messaging services collapsed. And consumers learned that their decisions would not matter. That was terrible not only for privacy but also for the market for online services. And not surprisingly Facebook also began the process of ingesting the WhatsApp user data.

Again, the FTC’s failure to act when it could has had long-term consequences.

What has been the long-term impact of this regulatory inaction on the industry?

It’s been disastrous. The failure of the US FTC to enforce its own orders with the legal authorities we helped establish is the reason the tech giants spun out of control. It may have been the reason for Brexit and also the reason for the radical polarisation of American politics. As the tech giants became bigger, the problems became bigger. And as they became bigger, they became less accountable.

This all could have been prevented.

As FTC chair, Biden has appointed Lina Khan, a noted critic of ‘big tech’ who has now stated her intention to regulate data privacy more actively. How do you think the outlook for privacy policy will change under the new FTC?

I have mixed views. I know Chairman Khan. She is smart, competent, and supports consumers. But her recent remarks about privacy and also the path forward have raised concerns. First, I think she was simply wrong to describe privacy protection in terms of ‘notice and choice.’ That has never been the basis for privacy protection. It is almost the precise opposite. Privacy protection, in the modern age, is fundamentally about the rights and responsibilities associated with the collection and use of personal data. And those rights and responsibilities must be established in law. That is the starting point. Notice and choice exist in the world where there is no data protection.

Second, I believe it is a mistake to view consumer protection through a partisan lens, as if only one political party cares about the rights of consumers and the other doesn’t. It is very important for the head of a US federal agency to pursue the mission purposefully but also on a non-political basis. We need to see privacy protection and consumer protection as a common mission and we need political support for meaningful outcomes from across the political spectrum.

What lessons do you think we can draw in Europe from the failings of regulatory enforcement in the US?

First, you must use enforcement powers in the early days. You cannot wait. The problems you identify will never solve themselves. They will only get worse. I begged and pleaded with Helen Dixon, the Data Protection Commissioner of Ireland, to bring enforcement actions once she had found problems and had good cases. It wasn’t that I was against big tech. It was that I didn’t want her to repeat the mistakes that the US Federal Trade Commission had made. Unfortunately, she chose not to act when she could. Not surprisingly the problems became much greater.

Second, you must be very careful about the influence of money on think tanks, public intellectuals, consumer organisations, and even media groups. I have always enjoyed democratic debate. And I always welcomed the opportunity to debate issues of privacy protection with business representatives and technical experts at Congressional hearings, agency meetings, and even at the White House. That process is necessary and important for good policy decisions. But I became increasingly aware that many of the ‘experts’ I was debating, and even some of the so-called consumer organisations, were being paid by the tech industry. We need much greater transparency to ensure that those who provide advice to the government are open and honest about their sources of funding.

Third, there are big challenges to achieving effective regulatory enforcement, but you can never give up. Regulatory enforcement is vital to ensure that businesses that play by the rules succeed. Agencies that fail to use their regulatory powers put public safety at risk.

Author bio: Marc Rotenberg is a co-founder of the Electronic Information Privacy Center and the President and founder of the Center for AI and Digital Policy. He is also a professor at Georgetown University and has published widely on privacy law and AI regulation.