17 December 2010

IPTF Privacy Report

The Internet Policy Task Force, an entity under the aegis of the US federal Department of Commerce, has released an 88 page green paper on Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework [PDF], one of those documents with just a little bit of something for everyone and lots of stirring rhetoric.

The paper proposes a 'Privacy Bill of Rights' - extending the rather woolly US Fair Information Practice Principles - in an ostensible effort to increase transparency regarding the online collection of user information, promote "audits and other forms of enforcement to increase accountability" and bound the use of consumer data by enterprises.

Bureaucratic empire maintenance is everything and the paper thus comes on the heels of the Federal Trade Commission's even softer proposals [PDF] of earlier this month.

The Commerce paper comments that -
personal computers, mobile phones, and other devices—have been transforming the U.S. economy and social life. Uses of personal information have also multiplied, and many believe that privacy laws have struggled to keep up. The lag between developments in intensive uses of personal information and the responses of current systems of privacy regulation around the world leaves consumers with a sense of insecurity about whether using new services will expose them to harm.

Commercial data privacy policy must address a continuum of risks to personal privacy, ranging from minor nuisances and unfair surprises, to disclosure of sensitive information in violation of individual rights, injury or discrimination based on sensitive personal attributes that are improperly disclosed, actions and decisions in response to misleading or inaccurate information, and costly and potentially life-disrupting identity theft. In the aggregate, even the harms at the less severe end of this spectrum have significant adverse effects, because they undermine consumer trust in the Internet environment. Diminished trust, in turn, may cause consumers to hesitate before adopting new services and impede innovative and productive uses of new technologies, such as cloud computing systems.

Though existing U.S. commercial data privacy policy has enabled the digital economy to flourish, current challenges are likely to become more acute as the U.S. economy and society depend more heavily on broadened use of personal information that can be more easily gathered, stored, and analyzed. At the same time, innovators in information technology face uncertainty about whether their innovations will be consistent with consumer privacy expectations.

This green paper reviews the technological, legal, and policy contexts of current commercial data privacy challenges; describes the importance of developing a more dynamic approach to commercial privacy both in the United States and around the world; and discusses policy options (and poses additional questions) to meet today’s privacy challenges in ways that enable continued innovation. The Commerce Department’s Internet Policy Task Force began work over a year ago by consulting with stakeholders in industry, civil society, academia, and government ...

While the green paper does not express a commitment to specific policy proposals, it does address areas of policy and possible approaches that were identified and discussed as part of the outreach efforts. More specific proposals may be considered, as appropriate, in a future white paper.
Give me chastity, it seems, but not quite yet.

The paper goes on to indicate that
As the Task Force continues to discuss these policy areas, it will coordinate its efforts closely with the Office of Management & Budget (OMB), the Federal Trade Commission (FTC), and other key government actors that play a leadership role in these areas. To the extent that the recommendations could have a substantive effect on the privacy framework beyond a purely commercial context, OMB and other agencies have central roles.

NOI respondents were virtually unanimous in calling for strengthening the US commercial data privacy framework. Though the details of the comments varied, a majority of respondents suggested that there is a compelling need to ensure transparency and informed consent, to provide additional guidance to businesses, to establish a baseline commercial data privacy framework to afford protection for consumers, and to clarify the US approach to commercial data privacy — all without compromising the current framework’s ability to accommodate customer service, innovation, and appropriate uses of new technologies. Commenters also drew our attention to the strengths of the current privacy regime: fundamental privacy values (with constitutional foundations); flexible, adaptable common law and State-based consumer protection statutes; the FTC’s strong enforcement role; open government (promoting accountability and citizens’ access to dispersed information); and policy development with the active involvement of many stakeholders and the public as a whole. To address new challenges and to draw from the best features of current privacy law and policy, the Task Force offers for consideration a Dynamic Privacy Framework.

The Framework is designed to protect privacy, transparency, and informed choice while also recognizing the importance of improving customer service, recognizing the dynamic nature of both technologies and markets, and encouraging continued innovation over time.
That Framework includes policy recommendations under four broad categories -
1. Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles (FIPPs). Americans care deeply about their privacy and, in surveys, express disapproval of a variety of common commercial data practices on privacy grounds. At the same time, more and more citizens in the US and around the world choose to participate in the Internet marketplace every day. Unfortunately, there is evidence that misunderstandings of commercial data privacy protections are widespread among adult Internet users in the US. To provide consistent, comprehensible data privacy protection in new and established commercial contexts, we recommend that the US Government recognize a full set of Fair Information Practice Principles (FIPPs) as a foundation for commercial data privacy.

Revitalized FIPPs should emphasize substantive privacy protection rather than simply creating procedural hurdles. To promote informed consent without imposing undue burdens on commerce and on commercial actors, FIPPs should promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability. Possible approaches include providing strong support for the development of voluntary, enforceable codes of conduct that allow for continued flexibility as technologies and business models evolve; creating safe harbors against FTC enforcement; disfavoring prescriptive rules; and lowering barriers for the global free flow of goods and services online. Consistent with our focus on commercial data privacy, we make no recommendation with respect to data privacy laws and policies that cover information maintained by the Federal Government, or those that cover specific industry sectors, such as healthcare, financial services, and education.

2. Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through the collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce. The adoption of baseline FIPPs for commercial data privacy, on its own, is not likely to provide sufficient protection for privacy in the dynamic, global Internet economy. Commercial data privacy policy must be able to evolve rapidly to meet a continuing stream of innovations. A helpful step would be to enlist the expertise and knowledge of the private sector, and to consult existing best practices, in order to create voluntary codes of conduct that promote informed consent and safeguard personal information. Multi-stakeholder bodies, in which commercial and non-commercial actors participate voluntarily, have shown that they have the potential to address the technical and public policy challenges of commercial data privacy. The US and other countries can increase their reliance on these institutions, provided that there are adequate back-stops (in the form of regulatory authority or otherwise) to fill in if the multi-stakeholder process fails to develop meaningful, enforceable commercial data privacy practices in a timely way.

The government also has an important role to play in such a multistakeholder approach to developing voluntary codes of conduct as a convener (in addition to or instead of as a traditional regulator). In this capacity, the government can provide the coordination and encouragement to bring the necessary stakeholders together to examine innovative new uses of personal information and better understand changing consumer expectations — and identify privacy risks — early in the lifecycle of new products or services.

To this end, we recommend establishing a Privacy Policy Office (PPO) in the Department of Commerce. The PPO would continue the work of the IPTF by acting as both a convener of diverse stakeholders and a center of Administration commercial data privacy policy expertise. The PPO would work with the FTC in leading efforts to develop voluntary but enforceable codes of conduct. Companies would voluntarily adopt the appropriate code developed through this process. This commitment, however, would be enforceable by the FTC. Compliance with such a code would serve as a safe harbor for companies facing certain complaints about their privacy practices. The dynamic process of voluntary code development would provide a greater measure of certainty than many companies are currently able to obtain, but it would also be flexible enough to keep pace with commercial innovations.

Focusing exclusively on commercial data privacy, the PPO would be distinct from the existing roles and authorities of OMB and the senior privacy officers of Federal agencies. Similarly, the work of the PPO would not overlap with the Privacy & Civil Liberties Oversight Board’s mission to protect privacy and civil liberties in government collection and use of information in the exercise of its law enforcement, counter-terrorism, and foreign intelligence authorities. The PPO would work closely with OMB and other agencies and would coordinate with the FTC, which will continue to serve independent enforcement, rulemaking, agency policymaking, and education roles.

3. Encourage Global Interoperability. At the same time that decreasing regulatory barriers to trade is a high priority, disparate privacy laws have a growing impact on global competition. There is an urgent need to renew our commitment to leadership in the global privacy policy debate. All around the world, including in the EU, policymakers are rethinking their privacy frameworks. As a leader in the global Internet economy, it is incumbent on the US to develop an online privacy framework that enhances trust and encourages innovation. Congressional leadership, continued FTC enforcement efforts and Administration engagement will all be important to establish that the US has a strong privacy framework and is committed to strengthening it further. Differences in form and substance between US and other national privacy laws make it increasingly complicated for companies to provide goods and services in global markets. Nations in the European Union and other major US trading partners have adopted omnibus privacy laws, a situation that requires individual companies to demonstrate that their own practices provide privacy protections that foreign governments consider adequate. This process can be costly, complicated, and uncertain, especially as other countries and regions consider changes to their own privacy laws.

Consistent with the general goal of decreasing regulatory barriers to trade and commerce, the U.S. Government should work with our allies and trading partners to promote low-friction, cross-border data flow through increased global interoperability of privacy frameworks. While the privacy laws across the globe have substantive differences, these laws are frequently based on the same fundamental values. We should work with our allies to find practical means of bridging differences, especially those that are often more a matter of form than substance. Global privacy interoperability should build on accountability, mutual recognition and reciprocity, and enforcement cooperation principles pioneered in the OECD and APEC. Agreements with other privacy authorities around the world (coordinated by key actors in the Federal Government) will reduce the significant business global compliance costs.

4. Ensure Nationally Consistent Security Breach Notification Rules. Finally, we recommend the consideration of a Federal commercial data security breach notification (SBN) law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities. State-level SBN laws have been successful in directing private-sector resources to protecting personal data and reducing identity theft, but the differences among them present undue costs to American businesses. The FTC and individual States should have authority to enforce this law. A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the US, streamline industry compliance, and allow businesses to develop a strong, nationwide data management strategy. This recommendation, however, is not meant to suggest preemption of other federal security breach notification laws, including those for specific sectors, such as healthcare. A reinvigorated approach to commercial data privacy must be guided by open government-inspired consultation; it can work only with the active engagement of the commercial sector, civil society, academia, and the technical community. The Task Force will work closely with other Federal Government actors to further this engagement and to address new challenges.
FTC Chairman Jon Leibowitz responded with -
the Green Paper is a welcome addition to the ongoing dialogue about protecting consumers' privacy. It places special emphasis on policies that will preserve the viability of the Internet as it evolves through innovation, transforms the marketplace, and spurs economic growth. We think it will make a significant contribution to the growing and critical debate about how best to protect the privacy of American consumers.
Hugs all around