The U.S. Department of Commerce Internet Policy Task Force published on December 16, 2010 its “Green Paper” on privacy. Entitled “Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework” (the “Framework”), it recommends considering a new framework for addressing online privacy issues in the United States. While the Framework does not express a commitment to specific policy proposals, it identifies and discusses areas of policy and possible approaches.
Gary Locke, Secretary of Commerce, wrote in the foreword to the Framework that “protect[ing] the tremendous economic and social value of the Internet without stifling innovation requires a fresh look at Internet policy.” Indeed, the Framework notes that the world has changed much in the last 15 years, as new devices such as personal computers and mobile phones have transformed both the economy and people’s social lives. Ninety-six percent of working Americans use the Internet as part of their daily life, and sixty-two percent of Americans use the Internet as an integral part of their jobs (p. 14). Uses of personal data have multiplied, but privacy laws have not kept up with these changes.
Online retail sales accounted for over $140 billion in retail sales for U.S. companies in 2009 (p. 14). But consumers are concerned about their privacy, and companies that do not protect the privacy of their customers may very well lose them. Consumer expectations that the personal data collected by companies “will be used consistently with clearly stated purposes and protected from misuses is fundamental to commercial activities on the Internet” (p. 15).
The Framework includes policy recommendations under four broad categories:
1. Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles (FIPPs)
The first recommendation of the Framework is to recognize a full set of Fair Information Practice Principles (FIPPs) as a foundation for commercial data privacy. A FIPPs-based framework would promote transparency and clarity and would also “protect the privacy of personal information in commercial contexts not covered by an existing sectoral law.” Such a framework would serve as “the basis for recognizing expanding interoperability between U.S. and international commercial data privacy frameworks” (p. 22). It would also foster compatibility in privacy protection across industry sectors (p. 24). The FIPPs would do so by filling gaps in current data privacy protections. The Department of Commerce would not develop comprehensive and prescriptive rules (p. 32).
Such a framework would leave existing sectoral laws in place. Recommendation #8 of the Framework states that “A baseline commercial data privacy framework should not conflict with the strong sectoral laws and policies that already provide important protections to Americans, but rather should act in concert with these protections” (p. 58).
As the mere development of FIPPs is probably not enough to provide sufficient privacy protection, the Framework also recommends creating voluntary codes of conduct that would promote informed consent and safeguard personal information.
The proposed Privacy Policy Office (PPO) would focus exclusively on commercial data privacy. The PPO would work with the FTC to develop voluntary but enforceable codes of conduct, as, in some contexts, FIPPs might not be sufficiently protective (p. 41). Companies would voluntarily adopt such codes of conduct, but this commitment would be enforceable by the FTC. There would be a safe harbor for companies that commit and adhere to “an appropriate voluntary code of conduct” (p. 43).
3. Encourage Global Interoperability
The lack of cross-border interoperability in privacy principles and regulation creates barriers to cross-border data flow, and companies have to bear a significant compliance cost. If global interoperability of data privacy approaches were improved, it would have a positive effect on U.S. services exports and thus would benefit the U.S. economy (p. 14).
In order to do so, and also to generally decrease regulatory barriers to trade and commerce, the U.S. Government should work with its allies and trading partners “to promote low-friction, cross-border data flow through increased global interoperability of privacy frameworks” (p. 7). Privacy laws around the world have substantive differences, yet these laws “are frequently based on the same fundamental values” (p. 7). The U.S. should work with its allies to find practical means of bridging these differences. The U.S. should also continue to support the APEC Data Privacy Pathfinder Project, initiated in 2007 by the Asia Pacific Economic Cooperation. It is a set of collaborative projects taken on by APEC member economies to develop and test the essential practical elements of a system that would enable accountable cross-border data flows under the guidance of the APEC data privacy principles, and its endorsement should be secured during the 2011 APEC year, which will be hosted by the U.S.
4. Ensure Nationally Consistent Security Breach Notification Rules
The Framework recommends that a federal commercial data security breach notification law be enacted. This federal law would set national standards and address how to reconcile inconsistent State laws, as the variation among State laws imposes an undue cost on U.S. businesses, which “must comply with several dozen variations on the same theme” (p. 57). This federal law would not, however, preempt other federal security breach notification laws. Both the FTC and State authorities would have authority to enforce the law.