• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
Download
 
B
EFORE THE
F
EDERAL
T
RADE
C
OMMISSION
.
Petition for Rulemaking onPrivacy Policies and SafeguardsFor Social Media and Internet Interaction Sites (SMIIS).
Date: April 5, 2011The petitioner, Charles Lee Thomason is an “interested person” who, pursuant to5 U.S.C. §553(e), petitions the Federal Trade Commission to institute rulemaking, and todevelop an administrative record supporting “issuance” of rules respecting the privacypolicies applicable to operators of social media and internet interaction sites (SMIIS).This petition is made pursuant to 16 C.F.R. §1.9,
et seq
., and the agency protocols thatpertain to the rulemaking mandate of the FTC.This year, the FTC has issued orders in two matters, imposing “comprehensive”privacy protocols, with audits and extensive monitoring, on SMIIS.
1
15 U.S.C.A. § 57a.
2
 In those matters, practically identical measures are mandated in Part II of the Twitterorder and in Part III of the Google Buzz order (one does use the shorthand term “coveredinformation” while the consonant term “nonpublic consumer information” is used in thelatter). The record from those two matters should provide a starting point to develop theadministrative record for the requested rulemaking.Petitioner requests that the rulemaking (A) assess the linkage, if any, between theprivacy policies commonly offered by SMIIS, and (i) the imposition of privacy, audit,and related safeguards that were developed for the financial services industry, and
or (ii)the imposition of more and more definite disclosures in privacy policies offered to SMIISusers; and, (B) develop an administrative record, after notice and public comment, todetermine what substantial evidence exists to articulate clear and uniform trade regulationstandards for privacy policies and protocols for SMISS users and operators.Interest of the Petitioner.The petitioner is interested in the promulgation of clear and appropriate traderegulation rules, based on a rulemaking record, after notice and comment. Petitioner is apracticing, registered patent attorney who deals with technology law and with clientbusiness models that operate in the SMIIS sector of commerce. Also, petitioner is anadjunct professor of law, who endeavors to keep apprised of changes in internet privacypractices and norms that provoke changes in the application of existing laws. Further, thepetitioner is a user of Twitter (twitter[
dot
]com/SPATLAW), as well as a user of theGoogle Gmail service (c.leethomason[
at
]gmail[
dot
]com), and was offered the Google
1
 
In the Matter of Twitter 
, FTC File No. 092 3093, 2011 WL 914034, and
In the Matter of Google
,
FTC File No. 102 3136,
2
15 U.S.C.A. § 57a (b)(3)(A), the agency shall institute a rulemaking regarding unfair or deceptivepractices that are “prevalent,” and one measure of that is the agency's issuance of orders “regarding suchpractices or acts.”
 
 2Buzz service when it was launched. Twitter and Google Buzz are the SMIIS servicessubject to the two recent orders, and a substantial cause for this rulemaking petition.Development of an Administrative Record, Leading to Issuance of Rules is Proper.Rulemaking should be commenced before the FTC continues to mandatestandards, protocols, and audits for SMIIS operators, which are co-extensive with thedata protection standards that the agency legally may impose on financial institutions andthose companies handling financial transactions and payment card transactions. Therequested rulemaking would address the appropriateness of the mandates, and do so inthe broader context of SMIIS privacy concerns, and too, rulemaking would air out thedoubts as to the agency imposing such stringent mandates on an ad hoc basis.The mandates ordered in the Twitter matter, as well as the Google Buzz matter,are the same as, or are coequal to those in FTC decrees with companies that plainly aresubject to the Gramm-Leach-Bliley requirements,
e.g
., 16 C.F.R. Part 313. FTC clearlyhas authority, for example, over the “acts or practices by banks, savings and loaninstitutions,” per 15 U.S.C. §57a(f). However, whether the FTC should impose theequivalent mandates on SMIIS and
non
-financial operations is not free from doubts.For FTC to engraft these administrative, technical, and physical safeguardrequirements, appropriate to highly-regulated financial services companies, onto theoperators of SMIIS may amount to
de facto
rulemaking done outside the bounds of theAPA. An agency cannot “create
de facto
a new regulation.”
Christensen v. HarrisCounty,
529 U.S. 576, 588 (2000). Before the same data protection mandates can beimposed on SMIIS and their operators, the FTC should institute rulemaking and “giveinterested persons an opportunity to participate in the rule making through submission of written data, views, or arguments.” 5 U.S.C. § 553(c).The announcement of the mandates in the Google Buzz order noted that it was the“first time” that the FTC “has required a company to implement a comprehensive privacyprogram to protect the privacy of consumers’ information.” That may or may not givedue regard to the similarities between the Twitter decree and the Google Buzz decrees
3
 and too, the Google Buzz order may takes steps beyond what the Twitter order required.
4
 Certainly the remarks about both orders underscore the appropriateness of rulemaking toestablish, on a full administrative record, rules and agency guidances, which may beappropriate to published privacy policies and to advertised measures respecting thetechnical safeguards and business practices for privacy in the SMIIS industry sector.The FTC Improvements Act authorizes the Commission to issue trade regulationrules which define unfair or deceptive acts or practices in or affecting commerce, butwithin statutory constraints. 15 U.S.C. § 57a(1)(B). The statutory mission of the FTCand its general jurisdiction has limits, and the agency “is constrained by its congressionalmandate.”
F.C.C. v. Fox Television Stations, Inc
. 556 U.S. ___ , 129 S.Ct. 1800, 1826(2009) J. Stevens, dissenting.
3
As stated in the FTC’s summary, “Part II of the proposed order requires Twitter to establish andmaintain a comprehensive information security program in writing that is reasonably designed to protectthe security, privacy, confidentiality, and integrity of nonpublic consumer information.”
4
The agency denominated the Twitter order as a “milestone” of the FTC, calling it the “First datasecurity case involving social media.”
 
 3The FTC orders mandating that Google and Twitter, which are not financialinstitutions, implement the equivalent operational safeguards, audits, and data protectionrequirements appropriate to regulated companies that handle payment card informationand financial data, hereafter should be based on FTC rulemaking instead of enforcementdiscretion.
5
In the normal course, for an agency to impose “comprehensive” privacyrequirements, broadly on all sorts of 
non
-financial and
non
-healthcare businesses, wouldrequire a rulemaking process. The results and rules as to SMIIS would be grounded onan administrative record, which together would be reviewable as agency action.The administrative, technical and physical safeguard requirements that implementGramm-Leach-Bliley requirements in 16 C.F.R. Part 313 were duly promulgated, basedon an administrative record that supports the rationale for imposing those requirementson financial institutions. 65 Fed. Reg. 33646 (May 24, 2000. No rulemaking and noadministrative record support the imposition of coequal privacy requirements on SMIIS.Rulemaking provides the platform for an objective, open forum that collects thevarying viewpoints of stakeholders, the public, and the agency. That method of settingthe standards and the rules for privacy policies and protocols in the SMIIS sector is to bepreferred over single-case, enforcement and settlement driven, consent orders.Utility of a Comprehensive Rule on Privacy Policies and Proctocols.Certainty in privacy policies, and clear direction about protection of personallyidentifying data that SMIIS collect and maintain, is highly desirable. Regularly, counselis sought about whether privacy policy language is compliant ‘with law.’ An informedopinion will take recent FTC orders into account. Also, typical contracts for SMIISmarketing include a provision that allocates risk and obligations for compliance withprivacy ‘laws’ generally. An established rule, instead of settlement-induced consentdecrees, would be useful to counsel and those tasked with enterprise risk management.An informed reader of past FTC orders pertaining to SMIIS privacy policies andprocedures, as well as enterprise risk and privacy professionals, would conclude that themandates there define ‘best practices’ or at least the agency’s current viewpoints. Basedon those orders, wrought from enforcement activity rather than rulemaking, counsel’sadvices about privacy policies and security protocols for SMIIS business would be toimplement procedures that practically are as stringent. In the alternative, some maycounsel that making privacy policies more vague or less binding might limit the sort of liability and transactional costs that were faced by Twitter and Google Buzz.
6
 The fair and worthwhile approach for establishing trade regulation rules andagency guidances is rulemaking. The SMIIS sector is ever-expanding, and the need foreffective disclosure of appropriate privacy standards is what was a provoking cause of thetwo recent orders, and also, a compelling rationale to institute the process of rulemaking.
5
In place of applying rules, based on a rulemaking procedure, the “FTC’s harm-based approach...has limitations ...it focuses on a narrow set of privacy-related harms – those that cause physical oreconomic injury or unwarranted intrusion into consumers’ daily lives.” "P
ROTECTING
C
ONSUMER
P
RIVACY
I
N
A
N
E
RA OF
R
APID
C
HANGE
," Preliminary FTC Staff Report, Dec. 2010, pg. 20.
6
 
Ibid.
“Privacy policies have become longer, more complex, and, in too many instances,incomprehensible to consumers.” Pg. 19.
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...