Commerce Department’s “Dynamic Policy” Privacy Approach – Likes & Concerns

December 16, 2010

Earlier today the Commerce Department’s Internet Policy Task Force issued its expected privacy report. Commerce waded into shark-filled privacy waters and produced a report that overall is thoughtful, comprehensive and has lots of meat for strengthening the nation’s privacy framework. Of course, we have our quibbles too. On first read, here’s what I like and what concerns me:

Like:

  • “Dynamic policies”. The report appropriately proposes what it calls “dynamic policies.” We agree that technology and information flows are constantly changing, so a privacy policy regulatory framework should not be static, nor should it be proscriptive.
  • Privacy Policy Office. Because it would be located within Commerce, the office would be a vital advocate for online companies doing business overseas. It could help with outreach to European regulators and coordinate certification procedures to enable cross-border data flows.
  • Transparency through purpose specification and use limitation (NOT collection limitation and data minimization). The report proposes consumer assurances principles that would require data collectors to specify all the reasons for collecting personal information and then specify limits on the use of that information. This is a flexible approach compared to proscriptive regulations limiting data collection and requiring data minimization.
  • Encourage Global Interoperability. In our comments, NetChoice advocated strongly for international privacy reciprocation, and where appropriate, harmonization.
  • ECPA Review. We like how the report calls for a review of the Electronic Communications Privacy Act (ECPA). The law is outdated and doesn’t do a good job of clarifying the roles of online companies when responding to law enforcement requests.

Concerns:

  • The Uncertainty of FIPPs. The report advocates the creation of Fair Information Practice Principles (FIPPs) that could be voluntarily adopted by industry. But what would they look like? The report mentions, but doesn’t explicitly endorse, FIPPs from the Department of Homeland Security, which are of course binding on government and might not all be desirable for the private sector. According to the report, the proposed Privacy Policy Office would coordinate these. The FIPPs have been wrongly characterized as a consumer privacy “bill of rights” by some media outlets (they are industry codes of conduct, not affirmative consumer rights).
  • Privacy Policy Office. While we like this, we’re also concerned by it. The process of convening multi-stakeholders means multi-viewpoints and multi-disagreements. We’d prefer the marketplace to be the venue and consumers to be the ultimate arbiter on privacy principles.
  • National Requirements for Security Breaches. The report calls for Congressional legislation to create a nationwide data security breach law. But is this really necessary? 46 states already have a relatively consistent and reasonable approach toward how companies should safeguard data and the processes involved when there’s a breach.
  • FTC Rulemaking. The report leaves open for further comment whether the FTC needs enhanced (APA) rulemaking authority in the privacy area. NetChoice has opposed giving the FTC blanket, no-holds-barred APA authority, and we’d also oppose this for an issue as broad as privacy.

Likes and concerns aside, 2011 is shaping up to be a busy privacy year! Look forward to working with stakeholders from government, industry and civil society to help refine and implement some of the core recommendations of this document.
