Thoughts on the Commerce Report on Privacy

Following on the heels of the FTC’s report on privacy, the Department of Commerce released its much-anticipated green paper on online data privacy on Thursday in a report titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. Below is a summary of the major recommendations in the report, as well as an overview of some big picture takeaways.

The framework consists of five principal recommendations:

  1. Create a comprehensive set of Fair Information Practice Principles (FIPPs) to protect personal data in a commercial context, specifically focusing on principles for transparency, purpose specification and use limitation, and evaluation and accountability.
  2. Encourage the development of a voluntary, enforceable industry code of conduct to supplement FIPPs and address privacy concerns of emerging technologies.
  3. Create a new Privacy Policy Office (PPO) within the Department of Commerce to focus on data privacy. The PPO would act as a convener to develop multi-stakeholder solutions, best practices and codes of conduct. The PPO would have no enforcement capabilities; the FTC would continue as the primary enforcement agency for privacy.
  4. Work to increase compatibility between the U.S. privacy framework and international privacy regimes, such as the EU Data Privacy Directive and the APEC Privacy Framework.
  5. Create a national standard for security breach notification.

The core of the data privacy framework proposed by the Department of Commerce is the Fair Information Practice Principles (FIPPs), which would serve as a baseline for data privacy in the United States, supplemented by voluntary and enforceable industry-specific codes of conduct. Baseline rules would set a clear expectation of privacy for consumers across all sectors and ensure there are no gaps. Voluntary codes of conduct would enable the framework to be dynamic and responsive to new business models, while giving the FTC the ability to enforce violations of either FIPPs or codes of conduct. Safe harbor provisions (combined with increased enforcement) would encourage businesses to participate in the development of these voluntary standards.

Of course the devil is in the details. A government attempt to create FIPPs for commercial data privacy could result in a clear and flexible set of guidelines or it could create a regulatory mess. And it is also not clear how an industry code of conduct would be developed to apply to certain emerging technologies when, by definition, the industry may be in its infancy.

One consistent theme throughout the Department of Commerce’s proposed privacy framework is a desire to create clear and consistent privacy regulations both domestically (e.g. by eliminating conflicting state laws) and internationally (e.g. by creating interoperable privacy frameworks). Such rules would allow companies to lower compliance and regulatory risks. Another consistent theme throughout the report is an emphasis on transparency, which was similarly promoted in the FTC report. The Commerce report states that transparency is useful for “promoting cooperation, empowering individuals to make informed and intelligent choices, strengthening multi-stakeholder governance models, and building trust in online environments.” Of all of the privacy principles, increased transparency is probably the one most stakeholders can agree on.

The report seems intent on carving out a role for the Department of Commerce in the ongoing debate on consumer privacy. This role is both appropriate and necessary. While the FTC has focused primarily on data privacy from the perspective of increasing consumer protection, data privacy affects other equally important issues such as innovation, competitiveness and productivity. A multi-stakeholder effort at refashioning the U.S. data privacy framework should include strong advocates for business, innovation and beneficial forms of data sharing which ultimately benefit consumers. The report also avoids co-opting the domain of others, noting that FIPPs would not preempt existing privacy regulations in industries such as banking or health care. The Department of Commerce also leaves enforcement to others, such as the FTC, the states, and litigants in private lawsuits.

It is also worth noting what is not in the report. There is no serious inquiry into the costs involved in regulating data privacy, such as compliance costs, enforcement costs, and lost consumer value. In addition, the report says little about the positive benefits of data sharing or how data can be made anonymous to protect privacy while also encouraging innovation. There is also little mention of privacy enhancing technologies (PETs) or their role in helping consumers manage their privacy. Neither does there appear to be a serious acknowledgement of the value of competition to provide consumers choice to satisfy varying degrees of willingness to exchange personal data for other benefits. And of course the most obvious omission from the report is a clear opinion on the question of government access to personal data, which is as important, if not more important, to most individuals than commercial access to personal data (although, to be fair, there is a discussion of the need for the Administration to review ECPA).

Like the FTC report, the Department of Commerce report is intended to provoke discussion about the best way for government to address privacy. It is heartening to see Commerce take a more measured and balanced approach.

Photo credit: Flickr user alancleaver_2000

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.