Congress Could Design a New Data Protection Agency that Addresses Many of the Shortfalls of the FTC’s Authority

The FTC’s bounded mandates and capacity, as well as its limited rulemaking authority and mixed record on enforcing privacy, raise questions as to whether the agency would provide robust privacy enforcement even if granted additional authority and resources. As an alternative, several panelists proposed that Congress could consider establishing a new data protection agency.

Setting up a new agency would also provide opportunities to create a structure that is better suited to enforcing privacy, including by maintaining some degree of stability or independence across presidential administrations. Medine advocated for establishing a new agency as a commission because if the new agency were headed by an individual director instead, there could be “wild swings on how the agency operates” with each new president, “whereas in a commission structure, usually the new president gets one or two appointees, and maybe the opportunity to appoint the chairman, but it's a much more gradual process.”¹ For instance, the FTC’s commission structure allows the possibility for an outgoing Chairman to stay on as a Commissioner after a presidential transition, which, Medine suggested, can lead to a smoother transition.

A new agency could also more easily procure resources for enforcing privacy. Medine noted that if the issue of privacy and data protection stayed within a larger agency with jurisdiction over other issues, it would compete for limited funds against these issues and departments within that agency. On the other hand, “if there [were] a separate freestanding agency, it could make its own case for its budget, and have that be the entire budget that went towards the issue of protecting both data protection and for security issues,” Medine said.

The primary concern with creating a new agency, as Medine and Banker emphasized, is that it might be logistically difficult and take a long time to set up. Banker recalled the time and effort it took to set up the Department of Homeland Security. “There was really a pretty long period of time before it started functioning the way you would expect an agency to function,” she cautioned, adding that there were many disparate pieces that had to be brought together to create a new department. Though Congress passed the Homeland Security Act in 2002, there were several modifications over the next seven years, with multiple reorganizations and reviews of its mission and basic policies, operations, and infrastructure.² Medine recommended that if a new agency were to be created, it should “sit on the structure of the old agency until it's ready to separate.” He said this structure was particularly helpful in the case of the Consumer Financial Protection Bureau, which benefited from the existing infrastructure—such as payroll, email, and website systems—within the Treasury Department, where it was housed initially before spinning off into a separate agency. He compared this example to his experience as the first Chairman of the PCLOB, which had been challenging to stand up because it was established as a completely independent agency.

With regard to the substance of a new agency’s authority, Gellman suggested that the agency be given mostly soft power, which would enable it to create rules and regulations necessary to fulfill its mission to protect privacy. A set of high-level principles, like the Fair Information Practice Principles, could guide the authority.³ If this flexible approach does not work, Gellman added, the agency could be given stronger rulemaking and enforcement authority.

Finally, a new agency dedicated to the cause of privacy enforcement and data protection could also improve relations with authorities abroad “in terms of having [an equivalent] chairman … and a central focus in the United States government for them to deal with,” as Medine suggested at the event. Currently, the FTC serves only part of the role of protecting privacy, and no single federal law comprehensively regulates the collection and use of personal data. Further, the United States is one of the few countries around the world—and the only country among its Organisation for Economic Co-operation and Development peers—that lacks a federal agency explicitly dedicated to data protection.⁴ Creating a new agency explicitly dedicated to privacy and data protection could therefore streamline interactions with international counterparts, as such an agency may be better suited to interact with other international data protection authorities.