On December 16, 2010, the U.S. Department of Commerce issued its long-awaited report on consumer privacy, proposing a framework with recommendations for addressing online privacy issues in the United States. Representing a departure from the past hands-off approach, the Obama administration recommends increased government activity in the area of consumer privacy protection. Entitled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, the report provides a detailed analysis of current privacy issues and makes various proposals with respect to certain core privacy principles in order to assure baseline consumer protections. The Commerce Department seeks to improve the state of privacy domestically and advance interoperability among the various privacy regimes around the world so that Internet-based products and services can continue to grow.
Coming on the heels of the FTC’s privacy report issued December 1, 2010,¹ the Commerce Department report notes that during the past 15 years, technology has been transforming the economy and social life, with privacy laws struggling to keep up. The gap between the ability to acquire and use personal information and the current privacy framework leaves consumers with a sense of insecurity about whether using new technologies will expose them to unwanted loss of privacy and misuse of their personal information.
The report is an outgrowth of the Commerce Department’s Internet Policy Task Force work that began more than a year ago with input from stakeholders in industry, civil society, academia, and government. The Task Force proposes consideration of a Dynamic Privacy Framework, with four broad principles:
1. Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles (FIPPs). The FTC has long been a proponent of the FIPPs of notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress. The report notes that, notwithstanding these efforts, Internet users largely do not understand current data privacy protections. The Task Force recommends the government recognize a full set of FIPPs as the foundation for commercial data privacy. As a sort of privacy “bill of rights,” FIPPs can promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses, and expanded use of robust audit systems to bolster accountability. For example, companies could develop voluntary enforceable codes of conduct, and safe harbors could be created with respect to FTC enforcement actions. The report suggests that companies should obtain permission before using personal information for a purpose other than that for which it was originally collected.
The Task Force also suggested the use of privacy impact assessments (PIAs), which are used to identify and evaluate privacy risks arising from the use of personal information. If properly conducted, PIAs could be made public to provide consumer awareness of privacy practices and risks as companies develop new products, services, and technology. PIAs also help businesses determine the risks associated with information collection and use practices, leading to alternative approaches, where needed, that would help reduce privacy risks.
3. Encourage global interoperability. The report recognizes that differences between U.S. and other national privacy laws make it increasingly difficult, complex, and burdensome for companies to comply, which in turn affects their ability to provide goods and services in a global economy. With the goal of decreasing regulatory barriers to trade and commerce, the United States would work with other countries to promote efficient cross-border data flow. The Task Force suggests that global privacy interoperability should be based on accountability, mutual recognition, and reciprocity of enforcement.
4. Ensure nationally consistent security breach notification rules. The report recommends passage of a federal commercial data security breach notification (SBN) law that establishes national standards. The Task Force notes that state SBN laws have been successful in protecting personal data and reducing identity theft, but points out that the differences among them present inconsistency and unnecessary costs to U.S. businesses. The FTC and individual states would have the authority to enforce this law. A consistent national approach to data breach requirements would clarify protections for consumers, streamline compliance, and allow companies to develop a nationwide data management strategy. The federal SBN law would not, however, supersede or modify existing federal privacy laws, such as in the areas of health care, financial services, and education.
1 See Foley Legal News Alert, “FTC Issues Proposed Privacy Framework for Businesses and Policymakers” at http://www.foley.com/abc.aspx?Publication=7709.
2 See Foley Legal News Alert, “FTC Issues Proposed Privacy Framework for Businesses and Policymakers” at http://www.foley.com/abc.aspx?Publication=7709.