The Trump administration has announced plans to develop a “voluntary privacy framework” to address privacy issues associated with “an increasingly connected and complex environment,” including “cutting-edge” technologies such as the Internet of Things (IoT) and artificial intelligence (AI). The initiative will be led by the Commerce Department’s National Institute of Standards and Technology (NIST), which brings technical expertise and experience developing voluntary frameworks for complex technology systems. Because of this expertise, we expect broad industry engagement and interest in NIST’s work to develop a privacy framework for AI and IoT applications. NIST will work to develop this framework with input from both the public and private sectors, including industry, academia, and domestic and foreign government contributors. NIST will initiate this process at its first public workshop on October 16 in Austin, Texas. Additional details can be found by visiting the NIST privacy initiative webpage.
The agency’s objective is to develop a voluntary framework that permits providers of AI, IoT and other innovative technology solutions to better identify, assess, manage, and communicate privacy risks to help ensure consumer confidence and trust. NIST also recognizes that this framework must be compatible with existing domestic and international legal and regulatory regimes in order to ensure widespread adoption and use. This, in turn, raises important questions of how this voluntary framework will address issues of data retention and data erasure as well as other challenging concepts within existing legal regimes, such as the GDPR and the California Consumer Privacy Act.
NIST appears to be basing the development of a voluntary privacy framework on its past success in developing a voluntary cybersecurity framework. NIST originally published the cybersecurity framework in 2014 and, just earlier this year, published an updated framework (version 1.1) with further guidance for businesses. NIST is positioned to develop this new privacy framework in conjunction with its sister entity, the National Telecommunications and Information Administration (NTIA), which is presently working on developing a legal and policy approach to consumer privacy in the United States as part of an initiative to ensure consistency with evolving international privacy rules and policy objectives.
NIST recognizes that the key to its success in developing a voluntary privacy framework is to obtain industry participation. Traditionally, NIST has followed a standard process similar to a formal rulemaking procedure. Accordingly, NIST will host a series of public workshops that will promote open and collaborative stakeholder input. Following that process, NIST will issue proposed standards for further public review and comment. Upon receiving feedback from stakeholders, NIST will revise its proposal and publish a final version of the framework.
The process is slow and deliberate because NIST knows that a voluntary framework must incorporate industry considerations—and certainly that is exactly what we anticipate NIST will do. In the meantime, the Federal Trade Commission is steadily increasing its privacy activities with requests for input on technology issues, privacy and data security enforcement actions, and issuance of updated guidance for longstanding privacy regulations; and the Senate Commerce Committee is preparing to hold a much-anticipated hearing on consumer privacy September 26, as part of renewed Congressional consideration of national privacy legislation.