Commerce Releases Privacy Report; Recommends Industry Self-Regulation and Creation of Privacy Policy Office

On December 16, 2010, the Commerce Department released its own Privacy Report, suggesting a “revitalized” privacy framework that can protect consumer privacy, dynamic businesses and innovation, and promote better global data flow. Like the Federal Trade Commission’s counterpart Privacy Report of December 1, 2010, this “green paper” is a first step inviting comment, but it adopts a markedly more balanced approach. It invites more reliance on cooperative industry self-regulation, while proposing the creation of a Privacy Policy Office within the Commerce Department which could coordinate the Administration’s privacy policies here and represent the US abroad.

Premises

The Internet Policy Task Force (IPTF) that authored the report included participants from the National Telecommunications and Information Administration (NTIA), the Patent and Trademark Office (PTO), the National Institute of Standards and Technology (NIST), and the International Trade Administration (ITA). Like the FTC, it starts from the premise that consumers don’t understand privacy notices, and feel nervous that personal information is being collected and used in ways they do not understand. But it charts a different approach:

• Rather than endorsing a European style privacy directive covering all businesses, it sees strengths in US sectoral laws—such as being tailored to the unique characteristics of different industries.
• It recognizes the “gaps” that those laws leave for most of the Internet economy, but is less inclined to fill them with sweeping new prescriptive regulations, and prefers that industry, government, academics and other stakeholders collaborate to formulate a variety of specific voluntary privacy protections. It would not rely entirely on self-regulation: voluntary industry codes would need to be enforceable and meet an overarching set of Fair Information Practice Principles, and those companies that did not meet code would be subject to enforcement action. But it believes such self-regulatory safe harbors are far more likely to fit industries, and to keep up with changes in technology, business models, and consumer expectations than would standard rulemaking.
• It asserts its own unique qualifications to exercise leadership in privacy policy, but also charts a careful course (detailed below) to respect the authority of the FTC, OMB, other agencies, and State governments, while seeking to bring better coherence to today’s patchwork of laws. It envisions a Commerce Department Privacy Policy Office as the “bully pulpit” convening stakeholders, steering discussions towards voluntary enforceable industry codes, and asserting stronger US leadership in international privacy forums. But it leaves the FTC as the principal consumer privacy enforcement agency.
• It brings a much more pronounced appreciation for business realities: the value of Internet commerce; the new jobs its supports; the rapid innovation it fosters (including through new uses of data); the need for balanced, tailored, flexible and adjustable rules; and the need to promote better cross-border data flows.
• It brings a more nuanced view of privacy interests to be protected. Without denigrating the effect that fear may have in undermining consumer confidence, it presents a range of concerns from minor nuisances and surprises at one end to discrimination and identity theft at the other.
• It scarcely mentions do not track proposals. The Report notably directs itself to protecting personally identifiable information, rather than drifting into derivative data as has the FTC.

Recommendations

The Report makes ten recommendations for commercial data, asking key questions about each.

• FIPPS. Any business that is not covered by a sectoral law should be covered by a “baseline” set of Fair Information Practice Principles, under which each industry sector could develop voluntary codes. These principles would address the usual areas: transparency, individual consent, rights of access and correction, purpose specification and use limitations, data minimization with retention limits, accuracy and security, accountability, training, and auditing. The Report does not say whether consent should be “opt-in” or “opt-out,” but recommends that informed consent should be given (or withheld) based on more transparent education of consumers. It seeks comment on whether such principles should be established by industry, legislated, created by the Executive Branch, expanded through FTC rulemaking, be subject to private class actions, or be enforceable through other means.
• Focus on Transparency. The Report calls for a “high priority” focus on transparency. Shorter, non-legalistic notices can be helpful, but clearly explained detailed purpose and use limitations can be better. It specifically calls out for comment the use of Privacy Impact Assessments (PIAs)—detailed evaluations of the data flows for new products and services, put out for public comment by businesses. It also calls for auditing (possibly via technology or through consumer access) to check departures from use limitations.
• Flexible Industry Codes. Industry sector voluntary codes, developed through open multi-stakeholder processes through the Privacy Policy Office, would implement FIPPs and apply to emerging technologies. Code compliance would provide a safe harbor from FTC or State Attorney General enforcement.
• Privacy Policy Office. The Report proposes the creation of a Privacy Policy Office within Commerce which could coordinate the Administration’s privacy policies here and represent the US abroad. The Office would not have any enforcement authority. The Report recalls how the Commerce Department effectively convened multi-stakeholder groups to develop Domain Name System (DNS) policy. Open for comment is how big the “stick” needs to be to draw industries to the Privacy Policy Office to develop a safe harbor “carrot,” and how much time will be allowed for such codes to develop.
• FTC. FTC remains the lead consumer privacy enforcement agency. Open for comment is how much rulemaking authority to give to the FTC, and whether it requires a specific new provision to enforce FIPPs.
• Cross-Border Data Flow. The US should take a greater leadership role in establishing international frameworks within which personal data may flow with less friction, protected by mutually respected national privacy regimes. It specifically envisions the Commerce Department taking a leadership role in advancing Asia-Pacific Economic Cooperation (APEC) cross-border privacy rules in 2011 and in representing US industry in international privacy discussions.
• National Security Breach Law. A federal law should borrow from the best of the “maze” of inconsistent State security breach laws to establish a national obligation to notify of security breaches and to provide incentives for implementing reasonable security measures. This would supplement, rather than displace, existing federal security breach laws like HIPAA. It invites comments on whether the threshold for notice should be based upon potential harm, number of records, or something else.
• New FIPPs Positioned as Supplemental. The Report does not propose to displace or preempt existing sectoral laws, such as financial (GLB) and health (HIPAA) laws, CPNI or the Cable Act, nor to address the privacy obligations of the federal government. It defends these as “more narrowly tailored” than general FIPPs. It invites comment on “lessons” learned under those laws.
• Ambivalence on Preemption. The Report punts on the delicate issue of preempting State laws, seeking comment on the proper “balance” between the desire for uniformity and predictability and the role of state consumer protection, the role of consumer class actions, and the potential for State Attorneys General to enforce national privacy law.
• Update ECPA. The Report recognizes that the existing Electronic Communications Privacy Act has not kept pace with technologies like cloud computing, and seeks public and law enforcement comment on what specific effects ECPA may have on adoption of new technologies and what privacy expectations are reasonable.

Next Steps

Comments will be accepted until January 28, 2011.