Data privacy has gotten out of the government’s control, according to a report released Wednesday.
The Government Accountability Office report recommends the passage of a federal privacy law with real consequences for companies that violate it.
The report found that over the last 10 years, most of the Federal Trade Commission’s actions against data privacy abuses didn’t come with any civil penalties because the agency doesn’t have the authority to fine companies for those violations.
In the past, the FTC has fined companies like Google and Vizio for tracking your data. But the GAO found that of the 101 data privacy violations the FTC investigated since 2009, nearly all of them ended with settlement agreements.
The report is the result of a 2017 request by Rep. Frank Pallone, a Democrat from New Jersey who is now chairman of the House Energy and Commerce Committee.
“Since I requested this report, the need for comprehensive data privacy and security legislation at the federal level has only become more apparent,” Pallone said in a statement. “From the Cambridge Analytica scandal to the unauthorized disclosures of real-time location data, consumers’ privacy is being violated online and offline in alarming and dangerous ways.”
Privacy concerns seemed to reached a boiling point last year, following a flurry of breaches and data abuses from household tech names like Facebook and from phone companies that enable location tracking. The European Union’s General Data Protection Regulation kicked in last May, but the US has no equivalent data law.
Lawmakers have pushed for federal regulation of data privacy, such as the Data Care Act, introduced by 15 senators in December. In November, Sen. Ron Wyden, a Democrat from Oregon, introduced the Consumer Data Protection Act, which would jail CEOs for lying about data protection.
The GAO interviewed Apple, Google and Facebook for the report, as well as internet service providers like Verizon and Comcast. The report found that most of the companies prefer the current model of regulation on data privacy — the one that prevents the FTC from fining them unless they have agreed to a consent decree for a previous violation.
At a congressional hearing in November, the FTC told lawmakers that under the current structure, the agency doesn’t have the resources to protect consumers from data abuse.
Consumer advocacy groups and former FTC and FCC commissioners told the GAO that there should be penalties for first-time violations. Some are calling for a new agency specifically for overseeing data privacy.
The GAO recommends that Congress pass a federal privacy law that would give an agency authority to punish companies.
With the report, Pallone announced a Feb. 26 hearing on data privacy.
“Congress needs to act, and this hearing is an important first step,” Rep. Jan Schakowsky, a Democrat from Illinois and chairwoman of the Consumer Protection and Commerce Subcommittee, said in a statement.
Cambridge Analytica: Everything you need to know about Facebook’s data mining scandal.
Infowars and Silicon Valley: Everything you need to know about the tech industry’s free speech debate.