The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Cameron Kerry: The Department of Commerce Will Not Wait for Privacy Legislation

The Center for Technology Innovation at Brookings hosted a discussion on July 21 featuring Jon Leibowitz, Chairman of the Federal Trade Commission, and Cameron F. Kerry, General Counsel of the U.S. Department of Commerce. Both shared their views on the Department of Commerce’s and the FTC’s strategies for protecting consumer privacy.

Chairman Leibowitz reported that, in response to questions posed by the FTC staff report on privacy published in December 2010, the FTC received more than 450 comments from interested parties, which are being analyzed now. The FTC expects to issue a final report later this year.

Chairman Leibowitz also highlighted the elements he considers essential “to a fair process and an outcome that ensures both the protection of consumer privacy, as well as business innovation.” These are clear and enforceable standards, and a transparent process involving all stakeholders.

Mr. Kerry reminded the audience that the Obama administration announced last March its support of legislation to create a consumer privacy bill of rights, a baseline data privacy protection. He added that the Department of Commerce believes that:

“a baseline protection should be flexible, should be enforceable at law, and serve as the basis for the development of enforceable codes of conduct. These codes of conduct should specify how the principles in the bill of rights would apply in specific business context.” …

“We need a process that allows industry to be responsive to changing consumer expectations and enables stakeholders to identify privacy risks early in the development of new products and new services. We need a process that is nimble enough to respond quickly to consumer data privacy issues as they emerge and that can address them without the need for legislation or regulation because legislation and regulation simply do not move at Internet speed.”

Mr. Kerry then explained the role the Department of Commerce will play in this process.

“As I said in the Green Paper that we issued last December, more than self-regulation is needed. At this point, it’s clear that an effective and a representative process usually — not always but usually — takes a nudge from the government. That’s why we see a need for the government to take the initiative in convening stakeholder discussions….

The Department of Commerce will enlist stakeholder participation by issuing public notices that describe the issues in play and announcing times, dates, and places for public meetings, and will provide opportunities for remote participation by live streaming and options for viewers around the world to post reactions and comments. We intend to run an open process but independent — industry stakeholders and independent third parties will hold the pen in drafting the codes.”

The FTC will play an important role, as the Department of Commerce believes that:

“…effective enforcement will benefit from legislation that grants the FTC a clear authority in the commercial data privacy arena. Granting the FTC explicit authority in enforcing the principles of the bill of rights — privacy bill of rights — will strengthen its role in consumer data privacy policy and give it the enforcement tools that are needed in this field. And if companies know that the FTC can enforce baseline legislation, that is an incentive to define codes of conduct and to move forward with the process as this world advances into new areas.”

Mr. Kerry then added that:

“At the Department of Commerce, we don’t intend to wait for legislation. We are going to begin to identify pressing privacy issues that can benefit from a multi-stakeholder process and we’ll continue discussions with the FTC about baseline protections, about how to approve codes of conduct and about how to implement the multi-stakeholder process. And then we will begin to convene groups to energize this process in a conversation that today is long overdue.”

More information, including the uncorrected transcript of the event, here. All quotes are from this uncorrected transcript.



Joint Hearing on “Internet Privacy: The Views of the FTC, the FCC, and NTIA”

The Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a joint hearing on Thursday, July 14, 2011 on “Internet Privacy: The Views of the FTC, the FCC, and NTIA.”

In her opening statement, Subcommittee Chairman Mary Bono Mack (R-CA) noted that:

“… as consumers, we willingly dole out this personally identifiable information online – literally bit by bit. This information is then compiled and collated by computers to produce personal profiles used in online behavioral marketing and advertising. This data mining helps to pay the freight for all of the information that we get for free on the Internet. … First and foremost, greater transparency is needed to empower consumers. While it’s still unclear to me whether government regulations are really needed, providing consumers with more transparency is the first step in better protecting Americans.”

In his opening statement, Representative Henry Waxman (D-CA) noted that self-regulation may not be the best way to protect consumers’ online privacy. He cited a recent report by Stanford researcher Jonathan Mayer, “Tracking the Trackers,” which found that eight members of the self-regulatory group Network Advertising Initiative (NAI) had left cookies in place even after having promised users who chose to opt out that they would stop tracking them.

What could be the role of the Federal Communications Commission?

Chairman Greg Walden (R-Ore) noted that:

“[t]oday’s regime is neither competitively nor technologically neutral. [While] Section 222 of the Communications Act gives the Federal Communications Commission broad authority to implement privacy protections for consumers of wireline and wireless telephone services…[and] specifically calls out location-based services for regulation, [it]…applies that regulation only to carriers and not providers of devices, operating systems, or applications. Other parts of the Communications Act give the Commission authority over cable operators and satellite television providers under a “prior consent” framework. In stark contrast, there are few if any communications privacy regulations governing web-based companies, even those that can access a user’s search queries, emails, voice and video online conversations, web browser, and even operating systems…. Why should a wireless provider that transmits data to and from a smartphone be subject to federal oversight, but not an operating system provider that has access to the exact same data?”

Chairman Julius Genachowski of the Federal Communications Commission (FCC) testified that one of the FCC’s National Broadband Plan findings was that “[p]rivacy concerns are a barrier to broadband adoption.” He added that “[i]t is clear we need to strike a balance – ensuring that personal information and consumer choice is protected, and at the same time ensuring a climate that encourages new investment and new innovations that will create jobs and improve our quality of life.”

The FCC has, “[t]hrough … rulemakings and enforcement … addressed difficult issues such as when opt-in and opt-out notifications are appropriate, minimum notice standards, data sharing rules, reasonable data security measures, and notification to law enforcement and consumers in the event of data breaches.”

What could be the role of the Federal Trade Commission?

Commissioner Edith Ramirez of the Federal Trade Commission (FTC) stated in her prepared testimony that “the Commission continues to encourage Congress to enact data security legislation that would (1) impose data security standards on companies, and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach,” referring to the FTC’s prepared statement on data security before the Subcommittee on Commerce, Manufacturing, and Trade on June 15, 2011.

Also, the FTC “enforces the FTC Act and several other laws that require companies to maintain reasonable safeguards for the consumer data they maintain” and “enforces the FCRA, which… prescribes that companies only sell sensitive consumer report information for “permissible purposes,” and not for general marketing purposes.” The FTC is also “active in ensuring that companies engaged in social networking adhere to any promises to keep consumers’ information private,” citing a March 2011 consent order resolving allegations that Twitter deceived its customers by failing to honor their choices after offering the opportunity to designate certain “tweets” as private.

The FTC “has sought to protect consumers from deceptive practices in the behavioral advertising area,” for instance when it settled with the Chitika ad network over a deceptive opt-out mechanism. The FTC also “sought to ensure that data brokers respect consumers’ choices,” for instance when it announced a final order against the data broker US Search, which maintained an online service allowing users to search for information about others.

What could be the role of the National Telecommunication and Information Administration?

Lawrence Strickling, Assistant Secretary for Communications and Information and Administrator of the National Telecommunications and Information Administration (NTIA), which acts as principal advisor to the President on communications and information policy, testified that the NTIA “has been working over the last two years with Secretary Locke’s Internet Policy Task Force and colleagues throughout the Executive Branch to conduct a broad assessment of how well our current consumer data privacy policy framework serves consumers, businesses, and other participants in the Internet economy.” The NTIA “supports legislation that would create baseline consumer data privacy protections through a consumer privacy bill of rights.”

The NTIA “has recommended legislation with three main characteristics. First, it should establish baseline consumer data privacy protections that would apply in commercial contexts. … Second, we have recommended that legislation provides appropriate incentives for stakeholders in the private sector to develop and adopt enforceable codes of conduct through a multi-stakeholder process…. Third, the Administration supports legislation that strengthens the FTC’s consumer data privacy enforcement authority.”

More, including the hearing webcast, here.


EU Commission Publishes Public Consultation on Personal Data Breach Notifications

The European Union (EU) Commission published on July 14, 2011 a public consultation, “ePrivacy Directive: circumstances, procedures and formats for personal data breach notifications.”

The European Union Commission is seeking the opinion of telecom operators, Internet service providers, Member States, national data protection authorities, consumer organizations and other interested parties on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way all across the EU.

Directive 2009/136/EC revised Directive 2002/22/EC, the “Universal Service Directive,” and Directive 2002/58/EC, the “ePrivacy Directive.” Both of these directives are part of the Telecom Package, the five directives comprising the regulatory framework for electronic communications networks and services in the EU. Directive 2009/136/EC entered into force on 25 May 2011. The 2009 Directive introduced into the EU legal framework an obligation for electronic communications providers to report personal data breaches, without undue delay, to the relevant national authority, and to the individuals affected when there is a risk to their personal data or privacy. A personal data breach is a security incident in which personal data is compromised (unauthorized access, alteration or destruction).

The Commission is hoping to gather practical contributions about how the new rules have been implemented, and what issues may have been encountered. This information would then help the Commission find out whether additional technical measures are needed to ensure that all Member States’ personal data breach notification measures are harmonized, and if so, what form they should take.

From the press release:

“The consultation is seeking input on the following specific issues:

Circumstances: how organizations comply, or intend to comply, with the new obligation under the telecoms rules; the types of breaches that would trigger the requirement to notify the subscriber or individual; and examples of protection measures that can render data unintelligible.

Procedures: the notification deadline, the means of notification and the procedure for an individual case.

Formats: the contents of the notification to the national authority and to the individual, existing standard formats and the feasibility of a standard EU format.

In addition, the Commission wants to learn more about cross-border breaches and compliance with other EU obligations relating to security breaches.”

One can contribute to the consultation until September 9, 2011.


Draft Regulations Issued for Canada’s Anti-Spam Legislation

The Canadian Radio-Television and Telecommunications Commission (“CRTC”) and Industry Canada both recently published draft regulations, referred to as the Electronic Commerce Protection Regulations, under the authority of the anti-spam legislation enacted last year. The legislation, which is now being referred to as “Canada’s Anti-Spam Legislation” (“CASL” or “the Act”), is available here. In addition to amending several existing laws, CASL specifically establishes rules for sending commercial electronic messages (“CEMs”) to recipients in Canada and prohibits sending CEMs to electronic addresses without the recipient’s prior express or implied consent.
CASL has a wide scope, especially when compared to CAN-SPAM in the United States. CASL covers all “commercial electronic messages” sent to an “electronic address,” not only email communications. “Electronic message” is defined to mean a message sent over any means of telecommunications, including text, sound, voice or image, and “electronic address” is defined to cover email, instant messaging, text messages, and messages to “any similar account,” which could include social media websites such as Facebook and Twitter.
The CRTC’s regulations: (1) prescribe the form of, and the information required to be included in, a CEM; (2) specify that a clear and prominent link to the required information can be used where it is not practicable to include all of the information in the CEM (e.g., character-limited CEMs); and (3) prescribe the information required to be in a request for express consent to send CEMs. The CRTC notice announcing the regulations is available here. Comments can be submitted to the CRTC through August 29, 2011.
Industry Canada’s regulations: (1) define the meaning of personal relationship and family relationship under the Act; (2) prescribe the requirements allowing an individual to withdraw consent that was given to a third party; and (3) provide definitions related to implied consent based upon an “existing non-business relationship.” Industry Canada’s proposed regulations are available here. Comments can be submitted to Industry Canada through September 7, 2011.


House Committee Addresses U.S. Information Security

On July 7, 2011, the House Committee on Oversight and Government Reform held a hearing entitled “Cyber Security: Assessing the Immediate Threat to the United States,” the first in a series of hearings designed to examine threats to the U.S. digital infrastructure. Witnesses included Department of Homeland Security Acting Deputy Undersecretary Greg Schaffer, Associate Deputy Attorney General James Baker, Deputy Assistant Secretary of Defense for Cyber Policy Robert Butler, and National Institute of Standards and Technology Senior Internet Policy Advisor Ari Schwartz.

The hearing addressed the ability of the U.S. digital infrastructure to withstand cyber attacks, such as attacks against federal agency databases; discussed the Obama administration’s plan to strengthen digital defenses; and debated how to coordinate government efforts to improve digital infrastructure with private industry efforts. Lawmakers have acknowledged that, because 85 percent of the nation’s infrastructure is owned by the private sector, public-private partnerships are critical to improving information security. Some entities, however, such as the U.S. Chamber of Commerce, have expressed concern that plans to create baseline security practices are disguised attempts to impose sweeping new security regulations on private networks.

More information regarding the Oversight Committee’s hearing can be found here.