Outgoing U.S. Commerce Department General Counsel Cameron Kerry used the opportunity of his final public remarks to emphasize that a unified U.S. privacy framework is essential to the future of the digital economy.

Legislation should not wait for some data disaster to happen that undermines the trust essential to a successful digital economy. One byproduct of the unauthorized disclosures about NSA surveillance has been to heighten awareness of just how much data each of us generates: data about data, data from various devices, data traveling and residing on multiple networks.

Kerry spoke today at the German Marshall Fund of the United States and said that the private sector has a key role to play in demonstrating to the world that the United States is committed to consumer privacy, however, the underlying U.S. model of notice-and-choice is no longer practical or sufficient to provide consumers with a “set of baseline expectations., regardless of where they live or what business they deal with.”

“This is ultimately about trust,” Kerry said. “The government can try to create a trusted framework. But it’s up to  companies to build that trust.”

A complete text of Kerry’s remarks is here.

 

The Department of Commerce has already taken the first steps to implementing the White House’s Consumer Privacy Bill of Rights announced last month.  Commerce has invited comment on “what issues should be addressed through the privacy multi-stakeholder process and how to structure these discussions so they are open, transparent, and most productive.”

According to the Federal Register notice, the public’s views are being sought on such issues as:

  • increasing transparency of mobile device privacy notices
  • mobile applications providing location-based services
  • cloud computing services
  • browser cookies
  • services targeted to teenagers and children

Comments are due on March 26, 2012.

Colleagues Howard Symons, Chris Harvie and Stefanie Desai have prepared a paper analyzing the details of the Consumer Privacy Bill of Rights, available here –  Summary of White House Privacy Framework .

At the White House today, President Obama unveiled his administration’s framework for new privacy regulations and the long-awaited white paper entitled “Consumer Data Privacy in a Networked World:  A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”   This follows up on the Department of Commerce “green paper” issued well over a year ago.    [We compared the Commerce Department proposal and Federal Trade Commission privacy proposals last year — here for your reference.]

The blueprint includes a “Consumer Privacy Bill of Rights” along with steps to incorporate these principles into federal regulations.    Like the previous Green Paper, today’s final report calls for a comprehensive privacy framework for all data, instead of the current sector-specific approach to data protection that leaves some personal data (outside of the communications, health care, education, financial services and children’s-online sectors) largely unregulated. The Framework calls for federal legislation to create such a “privacy bill of rights” that would supplement and fill in the gaps of existing federal privacy policy and lays the groundwork for a cooperative approach between government and industry for a “4P” arrangement — a “Privacy Public Private Partnership.”

In addition, the White House announced the first by-product of this framework:  an industry agreement on “Do Not Track” technology for online behavioral advertising.   This industry agreement was signed by a group of web advertising networks, including Google, Yahoo, Microsoft and AOL, and is intended to lead to the adoption of “Do Not Track” features integrated into web browsers.  The intent is to allow consumers to opt out of behavior-based marketing, blocking ad “cookies” and preventing cross-site tracking of behavioral information.  Companies signing onto this agreement are now subject to Federal Trade Commission oversight and enforcement of its terms.

Further information:

Statement from FTC Chairman Jon Leibowitz

Statement from Intel

Statement from Center for Democracy & Technology

Privacy and security has become a major focus of the Department of Commerce.  The Department’s Internet Policy Task Force has issued its second green paper, this one proposing the creation of nationally recognized voluntary codes of conduct to help strengthen cybersecurity.  Comments will be accepted on “Cybersecurity, Innovation and the Internet Economy” through August 1, 2011.

For several months now, hacks of major commercial computer systems, including that of Citigroup and the International Monetary Fund, have been front page news.   The latest green paper from Commerce discusses how to improve the Internet security practices of companies in the Internet and Information Innovation Sector (called “I3S”) other than those classified as part of  “critical infrastructure.”   The I3S encompasses business that utilize the Internet or networking services and have a large potential economic impact, including e-commerce, social media, cloud computing, and other online providers.

As with the Department’s first green paper released last December, the Department has asked interested parties to comment on the recommendations, as well as to provide responses to specific questions it posed to help develop the recommendations.  Some of these questions include:

  • What kinds of entities should be included or excluded from the covered businesses?  How can the the covered businesses’ functions and services be clearly distinguished from critical infrastructure?
  • Should covered businesses that also offer functions and services to covered critical infrastructure be treated differently than other covered businesses?
  • Are there existing codes of conduct that covered businesses can utilize that adequately address these issues?
  • What process should the Department of Commerce use to work with industry and other stakeholders to identify best practices, guidelines, and standards in the future?
  • What are the right incentives to (a) gain adoption of best practices; (b) ensure that the voluntary codes of conduct that develop from best practices are sufficiently robust; and (c) ensure that codes of conduct, once introduced, are updated promptly to address evolving threats and other changes in the security environment?
  • How can the Department of Commerce work with other federal agencies to better cooperate, coordinate, and promote adoption and development of cybersecurity standards and policy internationally?

Stakeholders should consider providing comment to the Department to help inform the process.  Green papes on copyright and the global free flow of information are expected soon.

The Federal Trade Commission’s public comment period on its preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, has closed.   The FTC received over 300 comments during the extended comment period, including several states.

It is looking more likely that some form of privacy regulation — either at the FTC or Congress — will develop in 2011.   Several bills have been introduced in this Congress and both the FTC and the Commerce Department are working on their proposals.   “Self-regulation,” the mantra of the online advertising industry, may no longer be a viable option, unless industry acts and acts quickly to provide consumers with the level of choice and transparency that the FTC’s Privacy Framework outlines.

In fact, FTC Chairman Jon Leibowitz today recommended exactly that in an interview with Multichannel News, posted here.  “I guess I would say that the business community really has it in its hands to avoid regulation, it just has to step up to the plate,” he said.

 

Just before the end of 2010, both the Commerce Department (here) and the Federal Trade Commission (here) released their agencies’ respective proposals for privacy frameworks in the United States.   The reports make similar proposals in some respects, but in others are quite different.   We have prepared a comparison report on both.

 (Thanks to Mintz Levin Project Analyst Anagha Prasad for her contribution to this report)

Continue Reading Comparison of Commerce Department and Federal Trade Commission Privacy Proposals

Happy New Year to our readers!

The Commerce Department and the Federal Trade Commission’s privacy initiatives are proceeding apace in this new year.   We’ve prepared a summary of the Commerce Department’s “green paper” that can be read here:  Commerce Privacy Report Summary.

In the coming days, we will also post a comparison of the Commerce and FTC privacy initiatives.  Comment periods are winding down this month and it is important for stakeholders to participate in each of these proceedings by filing comments responding to the questions each agency poses.

 

 Yesterday, the Department of Commerce published a notice in the Federal Register, seeking feedback on proposals in its recently-unveiled privacy report.

    Among other questions, the Commerce Department is seeking comment on such issues as :

    • Should baseline commercial data privacy principles be enacted by statute or some other means?

    • How should baseline privacy principles be enforced?

    • As policymakers consider baseline privacy legislation, should they seek to grant the FTC the authority to issue more detailed rules?

    • Should baseline privacy legislation include a private right of action?

    • At what point in the development of a voluntary, enforceable code of conduct should the FTC review it for approval?

    • What steps or conditions are necessary to make a company’s commitment to follow a code of conduct enforceable?

    In order to ensure that view of all stakeholders are taken into account in these important proceedings, we urge business to participate and file comments responding to the Commerce Department’s (and the FTC) inquiry.   Comments are due by January 28, 2011.

 

Written by Anagha Prasad

Introduction

In an effort to reexamine and improve upon commercial data privacy, the Internet Policy Task Force (IPTF) released a green paper entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” Based on consultations, written submissions, and extensive research, the document makes various policy recommendations regarding the future of commercial data privacy. At the center of the task force’s proposals is the Dynamic Policy Framework, designed to promote efficiency and while minimizing regulatory barriers.   The full paper can be downloaded here:  IPTF Privacy Green Paper

What is the Dynamic Policy Framework?

The Dynamic Privacy Framework is intended to address emerging commercial data privacy challenges while enhancing customer service and entrepreneurial innovation, especially given the dynamic nature of markets and technologies. In the private sector, the only regulatory measure currently in place is the “notice-and-choice” method of disclosure, in which websites list their individual privacy policy, leaving consumers to choose whether to use them.

The goals of the Dynamic Policy Framework can be grouped into four general categories: 1) The implementation of Fair Information Practice Principles (FIPPs); 2) Public-private sector collaboration; 3) Global interoperability; and 4) National standardization for Security Breach Notification (SBN).

 1) Fair Information Practice Principles (FIPPs)

FIPPs emphasize increased privacy without procedural or bureaucratic hurdles. The primary purpose of FIPPs is to increase transparency across industries, making it easier for consumers to understand their choices and for industries to create sector-specific regulations. FIPPs demand greater purpose specification for corporations requesting personally identifiable information. Similarly, these principles encourage data minimization to protect consumers. Finally auditing is a crucial way to increasing transparency and accountability across industries.

2) Collaboration between the public and private Sectors

Partnering stakeholders with governmental organizations such as the FTC and Department of Commerce would not only increase the efficiency of commercial data privacy protection, but it would also encourage the voluntary implementation of codes of conduct. With the endorsement of the Executive branch and the FTC, private companies are more likely to consider seriously the benefits of voluntary codes of conduct for their business. A system of carrots and sticks—i.e., creating a safe harbor for companies who commit to and maintain a voluntary code of conduct, and stricture regulations for violations of privacy laws—would also optimize privacy protection across industries. In order to facilitate this communication between the government and stakeholders, the task force recommends the creation of a Privacy Policy Office within the Department of Commerce, which would focus uniquely on commercial data privacy.

3) Global interoperability

The role of commercial data privacy in cross-border transactions highlights the importance of understanding regulatory differences between countries. Collaborating with multinational economic organizations like OECD and APEC to identify the similarities and differences in national data security regulations would facilitate international trade. Similarly, an enhanced U.S. privacy framework would reduce regulatory barriers and compliance costs in cross-border transactions in the long run.

4) National standardization for Security Breach Notification (SBN)

A national standard for SBN would enable states to build upon the existing framework while having a common baseline for protecting commercial data privacy. This provision would enhance the existing sector-specific regulations, like HIPAA and GLBA, while permitting states to customize or add to the national standard (in limited ways). Part of this initiative would be to ensure the continued effectiveness of the Electronic Communications and Privacy Act (ECPA).

Conclusion

 Under these four broad categories, the Dynamic Policy Framework seeks to enhance individual privacy and increase awareness regarding consumer choice. It also aims to promote entrepreneurship and reduce barriers to trade, especially in cross-border transactions. Promoting consistency and efficiency across industry sectors is another important part of the proposal, especially through collaboration between stakeholders and government.

For further reading:

Tech Daily Dose

National Journal

NTIA Website