Reading through the respective December 2010 privacy reports from the Federal Trade Commission (FTC) and Department of Commerce (DoC), one cannot help but be struck by the Obama Administration’s seeming desire to make America’s tech sector — and the regulatory regime that governs it — more closely resemble Europe’s.  The push for an ambitious new “privacy framework” and set of “fair information practices” is just a riff borrowed from the EU data directive.  And although the Obama team stops short of calling privacy a “dignity right” as many European policymakers are prone to do, it’s clear from both the FTC and DoC reports that that’s were they want to take us.

It’s interesting to me, though, that the Obama Administration relies on two fundamentally flawed rationales for the “European-ification” of American privacy law.  In this regard, I’ll reference some passages from the DoC’s report that appear in the section on “The Economic Imperative” for a new regime, which appears on pages 13-16 of the report.

Myth #1: Privacy Regs Are Needed to Get More People Online or Using Digital Technology

First, the DoC pulls out the old saw about the need for expanded privacy regs to ensure greater online trust and, as a result, promote increased online interactions.  The report claims that “maintaining consumer trust is vital to the success of the digital economy” and that “an erosion of trust will inhibit the adoption of new technologies” (p. 15)  The problem with the theory that online commerce or consumer interactions online are somehow being thwarted by a lack of more privacy regulation is that it is plainly contradicted by the facts. 

Interestingly, you need do nothing more that scan back just a couple of paragraphs in the DoC report to find some of those facts! For example, on pg. 14, the report notes: “The Internet is also increasingly important to the personal and working lives of individual Americans.  Ninety-six percent of working Americans use the Internet as part of their daily life, while sixty-two percent of working Americans use the Internet as an integral part of their jobs.”  Does the DoC not see the contradiction here, or is the Obama Administration claiming that we cannot rest until we move the needle from 96% to 100%?!

Then we have the DoC’s claim that “an erosion of trust will inhibit the adoption of new technologies.”  Really?  What, then, are we to make of the 500 million people who have flocked to Facebook despite repeated claims by some that it is a privacy pariah? And there are plenty of other examples of the explosion of online activity over the past decade.  The fact is, online participation and technology adoption is growing like wildfire. If you need more evidence, go through the data sets from the Pew Internet & American Life Project about Internet usage over time and try to find one metric that is decreasing.  [Just as an unrelated aside, I am still sometimes astonished by how many people use eBay despite continuing concerns about online fraud, which is a far more serious and legitimate “harm” than most supposed privacy violations.  Yet, eBay is now the world’s largest online marketplace with more than 90 million active users globally and $60 billion in transactions annually, or $2,000 every second.]

In sum, advocates of increased privacy regulation have fed the DoC a catchy line about the need for more privacy regulation in the name of encouraging greater online participation and the DoC has bought into that theory despite a lack of evidence that there is any real problem here.

Myth #2: Privacy Regs Are Needed to Promote the Competitiveness of U.S. High-Tech Firms

Second, we hear of the DoC speak of the need for “interoperability” or harmonization of privacy policies internationally to facilitate smoother online commercial interactions or data flows.  Despite the report’s admission that “a considerable amount of global commerce takes place on the Internet [and] global online transactions currently total an estimated $10 trillion annually” and is growing, the DoC continues on to argue that:

the lack of cross-border interoperability in privacy principles and regulations creates barriers to cross-border data flow and significant compliance costs for companies. Improving the global interoperability of data privacy approaches could enable increased exports of U.S. services and… support the overall objective of creating jobs by promoting exports. Thus, commercial data privacy considerations are vital not only to our domestic commerce, but also to international trade.

In other words, says the DoC, things are pretty good right now, but they will get a lot better once we harmonize privacy regulations in the direction of the E.U. and other regions.  But here’s the problem with that theory: The DoC is assuming that the benefits of regulatory harmonization — which, to be perfectly clear, would arrive in the form increased regulation on U.S. operators — would outweigh the cost of complying with those new rules.

The DoC says it wants to “prevent conflicting policy regimes from serving as a trade barrier” (p. 20), but should the U.S. impose burdensome new regulations on American companies to achieve that goal?  Would we really be better off if all U.S. firms and policy more closely resembled the E.U. in this regard?   To answer that question, you might conduct the simple experiment of stopping the average person in the street — here in the U.S. or even abroad — and asking them to name five major U.S. digital economy companies and then see if they can even name one major European competitor in the same arena. Needless to say, it’s hard to find many European counterparts that rival Google, Amazon, Apple, Facebook, eBay, Microsoft, etc.   Now, why is that?  Why is it that the information technology sector has thrived in America and that U.S. companies are leaders in many of their respective sectors across the globe?  Might it be precisely because we did not follow others down the path of “data directives” and heavy handed, top-down regulation of the Internet more generally?

Do you want some empirical evidence for why it’s a bad idea to achieve parity or harmonization in the fashion the DoC suggests?  Well then, consider this recent study by Avi Goldfarb and Catherine Tucker which found that “after the [European Union’s] Privacy Directive was passed [in 2002], advertising effectiveness decreased on average by around 65 percent in Europe relative to the rest of the world.”  They argue that because regulation decreases ad effectiveness, “this may change the number and types of businesses sustained by the advertising-supporting Internet.” Regulation of advertising and data collection for privacy purposes, it seems, can affect the global competitiveness of online firms.

The other problem with the DoC’s appeal for harmonization of privacy regulatory regimes through increased regulation is that it sets a horrible precedent.   At least thus far this has not been the approach the U.S. government has taken in most other Internet policy contexts, and with good reason.  Think about this in the context of speech controls.  When we see the Europeans or other regions and countries stifling free speech and expression online, has our response been to say, “Well, in the name of policy harmonization and improving cross-border interoperability, we Americans need to accept the wisdom of censoring the Net.”  Of course not!  That would be insane.  Instead, when confronted with conflicting regulatory regimes abroad, our response here in the States has usually been to proudly boast to the world that we have the more sensible approach to Net regulation, which is to say, it should be tightly limited so as not to stifle speech or commerce.  I really don’t care if you want to call that “American exceptionalism” or whatever else; I just think it’s plain old common sense.

And yet, in the case of privacy regulation, the Obama Administration’s Department of Commerce wants to throw that notion to the wind and harmonize in the direction of more regulation of U.S. companies.  Isn’t the Commerce Department supposed to be in the business of helping to promote U.S. trade, exports, commerce, and global competitiveness?  If so, the right approach to “leveling the playing field” in this context should be the same as it is in relation to speech policy or trade law: the rest of the world should deregulate down to our level; we should absolutely not regulate up to theirs.

PFF Adjunct Fellow Mike Palage, who served on the ICANN board from 2003 to 2006, filed these comments (PDF) on the NTIA’s recent Notice of Inquiry regarding ICANN’s future.  Mike’s four key points were as follows:

1. ICANN’s Periodic Review of its internal operations and supporting organizations has failed, and has become nothing more than a “perpetual motion machine of public comments and documentation producing no meaningful results.” Only a second Evolution and Reform Process can solve ICANN’s current deficiencies;
2. ICANN must hardcode into its policies and its contracts the principle that its policies cannot supersede national laws;
3. ICANN must cease any operational role in technical infrastructure as required by its bylaws and focus instead on its mission as a technical coordinator; and
4. Congress must avoid “kicking the JPA can down the road” and instead provide much-needed leadership by creating a solid foundation for ICANN 3.0 in legislation after proper consultation with the Government Accountability Office.

I’ve been working closely with PFF’s new Adjunct Fellow Michael Palage on ICANN issues.  Here is his latest note , from the PFF blog.

ICANN recently proclaimed that the “Joint Project Agreement” (one of two contractual arrangements that ICANN has with the U.S. Department of Commerce (DoC) governing ICANN’s operations) will come to an end in September 2009. ICANN’s insistence on this point first became clear back in October 2008 at ICANN’s Washington, D.C. public forum on Improving Institutional Confidence when Peter Dengate Thrush, Chair of ICANN’s Board declared:

the Joint Project Agreement will conclude in September 2009. This is a legal fact, the date of expiry of the agreement. It’s not that anyone’s declared it or cancelled it; it was set up to expire in September 2009.

ICANN’s recently published 2008 Annual Report stuck to this theme:

“As we approach the conclusion of the Joint Project Agreement between the United States Department of Commerce and ICANN in September 2009…” – His Excellency Dr. Tarek Kamel, Minister of Communications and Information Technology, Arab Republic of Egypt

“Concluding the JPA in September 2009 is the next logical step in transition of the DNS to private sector management.” – ICANN Staff

“This consultation’s aim was for the community to discuss possible changes to ICANN in the lead-up to the completion of the JPA in September 2009.” – ICANN Staff

ICANN’s effort to make the termination of the JPA seem inevitable is concerning on two fronts. First, ICANN fails to mention that the current JPA appears to be merely an extension/revision of the original 1998 Memorandum of Understand (MoU) with DoC, which was set to expire in September 2000. Thus, because the JPA does not appear to be a free-standing agreement, but merely a continuation of MOU-as Bret Fausset argues in his excellent analysis of the relationship between the MoU and the JPA (also discussed by Milton Mueller). Therefore, it would be more correct to talk about whether the “MoU/JPA”-meaning the entire agreement as modified by the most current JPA-will expire or be extended.

Although previous MoUs with the USG have been extended, ICANN seems to be playing a game of chicken with the USG-hinting that it will not extend the current MoU/JPA if ICANN believes that it has completed its mission. Since it seems possible that ICANN really might walk away from the MoU/JPA without global stakeholder consensus that it has fully completed its obligations under the MoU/JPA, it is critical that we think about the consequences of such a unilateral move by ICANN. ICANN would likely argue that the bilateral contracts it has in place with registry operators-from which ICANN has carefully removed most references to the USG in recent years-provide a sufficient legal basis for ICANN to continue its current operations without direct USG oversight.

Some stakeholders have expressed concern about the idea of ICANN not being directly held accountable to any government entity, but ICANN appears to have attempted to preemptively address this concern, when it acknowledged in its 2008 Annual report that “[t]he California attorney general is the legal overseer of California nonprofit public benefit corporations such as ICANN.”

With the future stability and security of the Internet hanging in the balance, a neutral third party ought to analyze the current existing relationship between the USG and ICANN- before ICANN decides in September 2009 whether to renew the MoU/JPA or walk away. The General Accounting Office (GAO) is the ideal candidate for such a task, given its well-established reputation for independent analysis and prior experience studying these matters-especially its detailed 2000 analysis of the early stages of DoC’s relationship with ICANN.

In conducting a new study, GAO ought to consider the following issues:

• Since the original 2000 GAO report on ICANN, ICANN’s annual budget has skyrocketed to more than $60 million. That budget is set to grow significantly once ICANN begins accepting applications for new gTLDs on a large scale: Using ICANN’s own projections of new gTLD applicants and the minimum fees that will be assessed suggests that ICANN’s budget will soon exceed $100 million. As ICANN’s budget grows, one must ask: Are these fees-paid by largely gTLD registrants, registrars, and registries-consistent with the GAO’s conclusion in its 2000 report that ICANN is limited to recovering only actual costs (because “ICANN is a project partner with the Department under the memorandum of understanding, and it is the Department’s policy to allow project partners to recover only actual project costs”)?

• If ICANN walked away from the MoU/JPA without the USG formally acknowledging that ICANN had successful fulfilled its obligations under the agreement, would ICANN be able to rely upon its existing contracts with registry operators to continue collecting fees?

• In its 2000 report, the GAO asked whether the DoC “had the authority to transfer control of the authoritative root server to ICANN.” The GAO did not definitively answer this question, but concluded that it was “uncertain whether transferring control would involve the transfer of government property to a private entity” thus giving rise to implications involving the Property Clause of the U.S. Constitution (Art. IV, § 3, cl. 2.), which requires statutory authority for the disposal of government property.

• GAO investigated, but did not resolve, whether or not an act of Congress would thus be required to transfer control of the root server to ICANN. But GAO did not undertake the same analysis as to whether the contractual rights associated with the top-level domains themselves constituted “government property” requiring Congressional action for any to transfer to ICANN. This may have been because U.S. courts had, at that time, held that domain names were not “property” in general, but simply a contractual right to a service provided by the registration authority. But potentially changed with the Ninth Circuit’s 2003 decision in Kremen v. Network Solutions concerning sex.com. Thus, if the GAO concludes that ICANN’s gTLD contracts with registry operators involve property rights and that statutory authority would be required for the DoC to transfer these rights to ICANN, it is difficult to see how ICANN would be able to enforce these rights if ICANN ended its relationship with the USG as a project partner by walking away from the MoU/JPA-regardless of ICANN’s success in removing references to the USG in these contracts.

These are just some of the initial questions the GAO needs to answer well before September 2009, independent of whether the USG and ICANN decide to extend the MoU/JPA. The stakes are just too high for these questions to remain unanswered.