Commerce Department Releases ‘Dynamic’ Online Privacy Framework in Report
December 22, 2010
Introduction

On December 16, 2010, the U.S. Department of Commerce released its version of a commercial online data privacy framework in a report, or "green paper," entitled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The report is the result of a review by the Commerce Department's Internet Policy Task Force ("Task Force"), launched in April 2010 and including staff from the National Telecommunications and Information Administration (NTIA), the International Trade Administration, and the National Institute of Standards and Technology (NIST). Since its launch, the Task Force has reviewed the current state of commercial online data privacy and developed a privacy framework, consulting with industry, consumers, academia, and government. The report comes two weeks after the Federal Trade Commission (FTC) released its own version of an online consumer privacy policy framework in the form of a preliminary staff report, which Kelley Drye previously analyzed in FTC Releases Proposed Framework for Protecting Consumer Privacy. Both reports seek to shape the ongoing privacy debate.

‘Dynamic’ Privacy Framework

The Commerce Department report presents a "comprehensive national framework for commercial data privacy." It begins by discussing the technological, legal and policy contexts of commercial data privacy and concludes that there are gaps and inadequacies in the current sectoral framework. The report then presents ten recommendations intended to create a ‘dynamic’ framework, one that is adaptable to changing technologies and market forces, and that promotes consumer confidence online without hindering innovation. Among its major recommendations, the report proposes: adopting a set of baseline Fair Information Practice Principles, a so-called ‘Privacy Bill of Rights’; developing voluntary but enforceable privacy codes of conduct; creating a Commerce Department Privacy Policy Office; encouraging globally interoperable privacy frameworks; and enacting a Federal commercial data security breach notification law. This Client Advisory discusses each of the report's ten recommendations and highlights a few of the questions put forth for comment.

1.  Adoption of Baseline Fair Information Practice Principles - A ‘Privacy Bill of Rights’

The report recommends developing comprehensive baseline Fair Information Practice Principles (FIPPs) that create rights and obligations with respect to personal information, a ‘Privacy Bill of Rights.’ The proposed FIPPs are intended to be broad, general and adaptable to changing technologies, and they include many of the same principles highlighted in the FTC privacy report, such as enhanced transparency, security and data minimization.

Notably, the report does not specify whether a FIPPs-based framework should be established by "industry, civil society, the Executive Branch or Congress." The report addresses the possibility of legislation but cautions about the "danger of locking-in outdated rules" that fail to protect consumers and hinder innovation. The report seeks comment on whether the FIPPs should be enacted by statute, how the FIPPs should be enforced, the criteria for deciding which FIPPs require rulemaking, and whether privacy legislation should include a private right of action. As the Commerce Department considers its position on legislation, it expressed interest in the following policy options:

  • Baseline commercial data privacy policies to fill-in gaps in the law;
  • Voluntary and enforceable codes of conduct that can adapt to changing technologies and business models;
  • Codes of conduct with ‘safe harbor’ practices protected against FTC enforcement;
  • Limited Commerce Department rulemaking authority over certain FIPPs, in response to established market failures; and
  • Lower barriers to international online commerce.
2.  Adoption of "High Priority" Fair Information Practice Principles

The report calls for the adoption of certain "high priority" FIPPs, including:

  • Transparency. The report proposes enhancing transparency through simple, clear company privacy policies and notices that better inform consumers about how their personal information will be used. The report recommends incentivizing companies to create detailed and public Privacy Impact Assessments (PIAs), which identify and evaluate privacy risks to personal information. The report seeks comment on legislative, regulatory, and voluntary self-regulatory models to encourage greater transparency, on how to incentivize PIAs, and on what PIAs should contain.
  • Purpose Specifications. The report proposes a FIPP that would require an organization to inform consumers of the specific purposes for which data is collected and the purposes for which it is intended to be used.
  • Use Limitations. The report proposes limiting the uses of consumer data to those purposes specified and disclosed to consumers. The Commerce Department seeks to protect privacy while still encouraging creative re-use of information, as long as consumers are informed of this re-use up front and given an opportunity to consent.
  • Accountability. The report proposes increasing accountability for consumer privacy through expanded use of robust auditing and enforcement. However, the report seeks comment on the technical feasibility of auditing a company's data collection practices and on how to ensure compliance with purpose and use limitations. The report also seeks comment on incentivizing the use of technologies that aid privacy audits.
3.  Adoption of Voluntary, Enforceable, FTC-Approved Privacy Codes of Conduct

To address emerging technologies and issues not squarely covered by the baseline FIPPs, the report proposes creation of a semi-self-regulatory framework - voluntary but enforceable, FTC-approved consumer online privacy codes of conduct. The Commerce Department envisions privacy codes of conduct developed by industry, consumer groups, and government stakeholders in an open process and approved by the FTC. The report seeks comment on whether the FTC should be given rulemaking authority to develop codes of conduct in the event industry fails to act. The report also proposes several policy options to encourage stakeholders to develop and comply with voluntary privacy codes of conduct, discussed below.

  • Public Pressure. To persuade industry to develop voluntary privacy codes of conduct, the report recommends utilizing the "bully pulpit" of the Executive Branch - largely from the proposed Privacy Policy Office (more below) and FTC - with public statements drawing attention to online privacy issues and putting public pressure on companies.
  • Increased FTC Enforcement. To encourage industry actors to develop and sign on to voluntary privacy codes of conduct, the report recommends increased FTC enforcement under the current patchwork of sectoral privacy laws.
  • Creation of a ‘Safe Harbor.’ To provide an incentive to industry, the report proposes creating statutory ‘safe harbor’ provisions that insulate companies from FTC enforcement when they comply with voluntary codes of conduct. In other words, abiding by a specific voluntary code of conduct would create a presumption of compliance with broader FIPP-based commercial data privacy legislation, while deviation from the code of conduct could lead to FTC enforcement action. To qualify for the safe harbor, a voluntary code of conduct would have to be developed through an open, multi-stakeholder process and approved by the FTC.
4.  Establishment of Commerce Department Privacy Policy Office

A major proposal within the report is the creation of a Privacy Policy Office (PPO) within the Commerce Department. The PPO's role would be to develop commercial data privacy policy, provide guidance to industry, engage industry in developing and administering voluntary codes of conduct, lead international coordination on commercial data privacy policy, and provide consumer privacy education. The PPO would work with the FTC to identify where new privacy codes of conduct are needed. The PPO would not have enforcement authority; that role would be reserved for the FTC. The PPO's authority would extend to commercial online privacy only, not, for example, to government online data collection practices. Notably, the report seeks comment on how the Commerce Department could encourage the development of ‘Do Not Track’ technologies, an approach recommended in the FTC privacy report.

5.  FTC Should Remain the ‘Lead’ Consumer Privacy Enforcement Agency

The report recommends that the FTC remain the lead or primary enforcer of consumer privacy protection and suggests that baseline FIPP legislation could provide the FTC with greater privacy enforcement authority. Agency coordination will be required where FTC privacy enforcement authority overlaps with cybersecurity and the protection of proprietary and critical infrastructure information. The report seeks comment on the scope of FTC rulemaking authority, the point at which the FTC should review voluntary codes of conduct, and whether FIPPs should be enforced on an independent basis or under the FTC's Section 5 "unfair or deceptive acts or practices" jurisdiction.

6.  Federal Government Should Continue to Encourage Global Interoperable Privacy Frameworks

The report recommends that the Federal government work toward increased cooperation with other nations to develop interoperable commercial data privacy frameworks. The report proposes developing a global privacy framework that decreases the costs of doing business, provides consumers consistent protection worldwide, and encourages economic growth. In particular, the report endorses the Asia-Pacific Economic Cooperation (APEC) Data Privacy Pathfinder Project model, a self-regulatory framework that adopts nine high-level privacy principles governing the collection, use and handling of personally identifiable information. The report finds that the APEC Privacy Framework allows businesses to transfer consumer data according to established privacy principles while agreeing to submit to an APEC "accountability agent."

7.  Create a National Data Security Breach Notification Requirement

The report proposes creating a comprehensive national framework to govern security breaches of sensitive commercial data that includes notice requirements, encourages companies to adopt data security measures, and allows the states to build on these measures. The report seeks comment on the factors on which a breach notification requirement should be based, such as the number of records exposed.

8.  Baseline Privacy Framework Should Act in Concert and Not Conflict with Existing Sectoral Privacy Laws

The report emphasizes that baseline privacy principles should not conflict with, but rather complement, the strong sectoral patchwork of laws that currently protect privacy. Today, privacy is protected through categorical, industry-specific laws, such as the Health Insurance Portability and Accountability Act in the healthcare industry. The report notes the merits of the current industry-specific sectoral approach and seeks comment on the lessons of that approach.

9.  Framework Should Balance Federal Uniformity with State Freedom to Act

Without providing specifics, the report recommends balancing the need for a uniform national privacy regime against the states' ability to protect consumers and address concerns raised by emerging technologies. The report seeks comment on the extent to which national baseline FIPP legislation should preempt state action and state unfair and deceptive trade practices laws, on ensuring that Federal law is no less protective than state law, and on the extent to which state Attorneys General should have an enforcement role.

10.  Administration Should Review the Electronic Communications Privacy Act Regarding Cloud Computing and Location-Based Services

The report also calls for a review of the Electronic Communications Privacy Act (ECPA) in light of technological developments in cloud computing and location-based services. Generally, ECPA prohibits unauthorized access to communications systems and restricts a service provider's disclosure of the contents of wire and electronic communications. The Commerce Department is currently working with the Justice Department and other Federal agencies, as part of a White House Interagency Subcommittee on Privacy and Internet Policy, to re-examine ECPA. The report seeks comment on cloud computing and location-based services and on whether ECPA and other legal protections are sufficient.

Conclusions

The Commerce Department's report provides a "road map" for considering a new privacy framework that, along with the FTC report, will likely help frame the ongoing online consumer privacy debate in the coming months and years. Among the most significant recommendations of the Commerce Department report are the adoption of broad baseline privacy principles to protect personal data, a semi-self-regulatory system of enforceable voluntary codes of conduct, the creation of an Executive Branch PPO, and the establishment of national data security breach notification rules. Each of these proposals signals a more active role for the Administration in privacy policy, reflecting the growing importance of online commerce. Overall, the report aims to provide consumers with a baseline set of protections designed to promote user trust, to provide online companies with greater consistency, uniformity and predictability in privacy requirements, and to reduce trade barriers by encouraging global interoperability.

To further discussion on these issues, the Commerce Department released, together with the report, a Notice and Request for Public Comment seeking public comment on the proposals and questions presented in the report. Public comments on the report are due on or before January 28, 2011 (two days before comments are due on the FTC privacy report). The Commerce Department also issued a press release announcing the report. Kelley Drye attorneys have extensive experience in regulatory advocacy and in privacy-related matters in particular. Please contact us if we can assist or advise in the preparation of comments.