This is the third in a series of blog posts about EPIC’s proposal for a data minimization standard to limit commercial surveillance and protect consumer privacy. In our first post, my colleague Suzanne Bernstein explained that data minimization is a framework for limiting the collection, use, transfer, and retention of personal information and discussed how minimization is a way to fulfill the reasonable expectations of consumers concerning the use and protection of their personal data. In our second post, my colleague Sara Geoghegan talked about the harms that often flow from secondary uses of personal data and how purpose limitations—a critical part of any data minimization framework—fit into the Federal Trade Commission’s authority to regulate unfair commercial data practices.
Today’s post highlights the important role data minimization can play in data security while also underscoring that a robust minimization framework must do more than protect against breaches and unauthorized access of personal data.
Last summer, the FTC published a lengthy request for comment signaling that it intended to adopt new rules governing the commercial processing of personal data—something EPIC had previously urged the Commission to do. In November, EPIC filed extensive comments with the FTC setting out the scale of today’s data privacy crisis, discussing the Commission’s legal authority to establish robust rules, and identifying specific harmful business practices that the Commission should regulate. Those comments cover a lot of ground (summary here), but they lead with EPIC’s long-running call for a data minimization rule—specifically, a declaration by the FTC that:
It is an unfair trade practice to collect, use, transfer, or retain personal data beyond what is reasonably necessary and proportionate to the primary purpose for which it was collected, consistent with consumer expectations and the context in which the data was collected.
By defining the above as an unfair practice, the FTC can unlock the ability to impose significant fines on violators that collect, process, and transfer excessive personal data. Briefly stated, the Commission’s authority to issue trade rules extends to business practices that are both (1) unfair or deceptive, and (2) prevalent. A business practice is considered “unfair” if it’s likely to cause substantial injury that consumers can’t reasonably avoid and which isn’t outweighed by countervailing benefits to consumers or competition, and it’s considered “deceptive” if it involves a representation or omission likely to mislead consumers. To establish that a harmful business practice is “prevalent,” the Commission can rely on two types of evidence: (1) past cease and desist orders concerning that business practice, or (2) “any other information available to the Commission indicates a widespread pattern of unfair or deceptive acts or practices.”
Data Security Means Data Minimization
Alongside commercial surveillance, data security is one of the two principal areas of concern highlighted in the FTC’s initial proposal for the (aptly named) Trade Regulation Rule on Commercial Surveillance and Data Security. EPIC has often criticized the FTC’s failure to safeguard the privacy of consumers over the past…