FTC Releases Redacted Uber Privacy Results; Slaughter Seeks Transparency
The FTC released a highly redacted version of Uber’s third-party privacy assessment related to its 2016 data breach (see 1810260040) Tuesday. Commissioner Rebecca Kelly Slaughter and advocates quickly called for greater transparency. After the FTC reached a no-fine settlement with Uber in October, Slaughter and Commissioner Rohit Chopra urged the agency to release the Uber assessment. Though the commission didn’t release the document then, Chopra and Slaughter noted it could be accessed through a Freedom of Information Act request, which is how we obtained it Tuesday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Conclusions and privacy test results from the third-party assessor, PricewaterhouseCoopers, are omitted. That includes key findings in the document’s introductory summary and test results that span 19 pages that are redacted almost entirely from the 52-page document.
Slaughter declined comment on the Uber assessment specifically. “I have consistently called for greater public transparency in our data-privacy orders, balanced with the need for assessors and the FTC to access truly proprietary and sensitive information,” she said in a statement Wednesday. “My strong preference is complete, readable assessments where any redacted information is limited to appendices or, at a minimum, a public summary of all key findings and conclusions.”
The agency declined comment. Offices for Chopra and Uber didn’t comment now.
Congress should demand an unredacted copy from the FTC and release it, wrote Center for Digital Democracy Executive Director Jeff Chester in an email. The document shows the agency’s system for third-party assessment is “totally meaningless and an affront to those who care about protecting the privacy of the public,” Chester said: “It is highly irresponsible” for Chairman Joe Simon and the agency to allow Uber and other companies to claim “so-called trade secrets or proprietary data that must be kept ‘confidential’ from public scrutiny.” He accused the FTC of “bowing down to the digital data giants.”
Slaughter said in 2018 she would have preferred to see the “proactive release” of the assessments because of the “objectively high level of public interest in this matter.” She noted such documents don’t provide a complete picture of order compliance, noting the likelihood of redactions.
Portions of the document fall under one or more exemptions to FOIA disclosure requirements, the agency said in its FOIA response to us. It cited two exemptions concerning commercial, financial and trade secret information considered “privileged and confidential.”
Much of the unredacted portions of PwC’s assessment describe what the FTC’s order requires of Uber, which is already publicly available. The company must establish and maintain a comprehensive privacy program “reasonably designed” to address privacy risks for consumers and protect personal information. It requires initial and biennial assessments from third parties to assess the privacy program. PwC assessed Uber’s privacy controls between October and April. “Uber’s key risks stem from development of products, services, and other development initiatives that use consumer data,” the report said.
About a month before the 2018 settlement, the ride-sharing provider agreed to pay $148 million to settle with all 50 states and Washington, D.C., (see 1809260055) on the data breach impacting some 600,000 drivers and riders. Various offices for state attorneys general involved in the settlement didn’t comment now.