The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

U.S. Department of Commerce Publishes “Green Paper” on Privacy


The U.S. Department of Commerce Internet Policy Task Force published on December 16, 2010 its “Green Paper” on privacy. Entitled “Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework” (the “Framework”), it recommends considering a new framework for addressing online privacy issues in the United States. While the Framework does not express a commitment to specific policy proposals, it identifies and discusses areas of policy and possible approaches.

Gary Locke, Secretary of Commerce, wrote in the foreword to the Framework that “protect[ing] the tremendous economic and social value of the Internet without stifling innovation requires a fresh look at Internet policy.” Indeed, the Framework notes that the world has changed a great deal in the last 15 years, as new devices such as personal computers and mobile phones have transformed both the economy and people’s social lives. Ninety-six percent of working Americans use the Internet as part of their daily life, and sixty-two percent of Americans use the Internet as an integral part of their jobs (p.14). Uses of personal data have multiplied, but privacy laws have not kept up with these changes.

Online retail sales accounted for over $140 billion in retail sales for U.S. companies in 2009 (p.14). But consumers are concerned about their privacy, and thus companies that do not protect the privacy of their customers may very well lose them. Consumer expectations that the personal data collected by companies “will be used consistently with clearly stated purposes and protected from misuses is fundamental to commercial activities on the Internet” (p.15).

The Framework includes policy recommendations under four broad categories:

1. Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles (FIPPs)

The Framework notes that, “from the consumer perspective, the current system of notice-and-choice does not appear to provide adequately transparent descriptions of personal data use which may leave consumers with doubts (or even misunderstandings) about how companies handle personal data and inhibit their exercise of informed choices” (p.22). Under a Notice-and-Choice model, “consumers’ privacy rights depend on their ability to understand and act on each individual privacy policy” (p. 31), which may prove an overwhelming task.

The first recommendation of the Framework is to recognize a full set of Fair Information Practice Principles (FIPPs) as a foundation for commercial data privacy. A FIPPs-based framework would promote transparency and clarity and would also “protect the privacy of personal information in commercial contexts not covered by an existing sectoral law.” Such a framework would serve as “the basis for recognizing expanding interoperability between U.S. and international commercial data privacy frameworks” (p. 22). It would also foster compatibility in privacy protection across industry sectors (p.24). They would do so by filling gaps in current data privacy protections. The Department of Commerce would not develop comprehensive and prescriptive rules (p.32).

Such a framework would leave existing sectoral laws in place. Recommendation #8 of the Framework states that “A baseline commercial data privacy framework should not conflict with the strong sectoral laws and policies that already provide important protections to Americans, but rather should act in concert with these protections” (p. 58).

2. Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through the collaborative efforts of multi-stakeholder groups, the Federal Trade Commission, and a Privacy Policy Office within the Department of Commerce

As the mere development of FIPPs is probably not enough to provide sufficient privacy protection, the Framework also recommends creating voluntary codes of conduct that would promote informed consent and safeguard personal information.

The government can also play a role by coordinating and encouraging the stakeholders. To do so, the Framework recommends establishing a Privacy Policy Office (PPO) in the Department of Commerce, which would be both a convener of diverse stakeholders and a center of the Administration’s commercial data privacy policy expertise (p.45). A flow chart on the “Creation and Operations of Proposed Privacy Policy Office” is available on p. 48 of the Framework.

The PPO would focus exclusively on commercial data privacy. It would work with the FTC to develop voluntary but enforceable codes of conduct, as, in some contexts, FIPPs might not be sufficiently protective (p. 41). Companies would voluntarily adopt such codes of conduct, but this commitment would be enforceable by the FTC. There would be a safe harbor for companies that commit and adhere to “an appropriate voluntary code of conduct” (p.43).

3. Encourage Global Interoperability

The lack of cross-border interoperability in privacy principles and regulation creates barriers to cross-border data flow, and companies have to bear a significant compliance cost. If global interoperability of data privacy approaches were improved, it would have a positive effect on U.S. services exports and thus would benefit the U.S. economy (p.14).

The Framework notes that disparate privacy laws have a growing impact on global competition, and “disparate approaches to commercial data privacy can create barriers to both trade and commerce, harming both consumers and companies” (p. 53). Because of the differences both in form and in substance between the U.S. and other privacy laws, it is increasingly complicated for companies to provide goods and services in global markets. Since the European Union and other countries trading with the U.S. have adopted omnibus privacy laws, companies must thus demonstrate that their privacy practices adequately comply with the U.S. The U.S. must renew its commitment to leadership in the global privacy policy debate by developing an online privacy framework “that enhances trust and encourages innovation.”

In order to do so, and also to generally decrease regulatory barriers to trade and commerce, the U.S. Government should work with its allies and trading partners “to promote low-friction, cross-border data flow through increased global interoperability of privacy frameworks” (p.7). Privacy laws around the world have substantive differences, yet these laws “are frequently based on the same fundamental values” (p.7). The U.S. should work with its allies to find practical means of bridging differences. The U.S. should also continue to support the APEC Data Privacy Pathfinder Project initiated in 2007 by the Asia Pacific Economic Cooperation. It is a set of collaborative projects undertaken by APEC member-economies to develop and test the essential practical elements of a system that would enable accountable cross-border data flows under the guidance of APEC data privacy principles, and its endorsement should be secured during the 2011 APEC year, which will be hosted by the U.S.

4. Ensure Nationally Consistent Security Breach Notification Rules

The Framework recommends that a federal commercial data security breach notification law be enacted. This federal law would set national standards and address how to reconcile inconsistent State laws, as the differences among State laws impose an undue cost on U.S. businesses, which “must comply with several dozen variations on the same theme” (p. 57). This federal law would not, however, preempt other federal security breach notification laws. Both the FTC and State authorities would have authority to enforce the law.


Author: marieandreeweiss

Marie-Andrée was educated in France and in the United States, and holds law degrees from both countries. She is fully bilingual in English and French, and regularly writes articles in both languages on various privacy-related topics. Marie-Andrée is a member of the Bar of the State of New York. As an attorney in solo practice, she focuses on intellectual property, First Amendment, privacy, and Internet-related issues. Before becoming an attorney, she worked several years in the fashion retail industry, as a buyer then a director of marketing. She is a member of the New York State Bar Association (Intellectual Property Section and International Section), and of the American Bar Association (Business Law Section, Section of Antitrust Law, and Section of Intellectual Property Law).
