'Dynamic' Privacy Framework
1. Adoption of Baseline Fair Information Practice Principles - A 'Privacy Bill of Rights'
The report recommends developing comprehensive baseline Fair Information Practice Principles (FIPPs) to create rights and obligations with respect to personal information - a 'Privacy Bill of Rights.' The proposed FIPPs are intended to be broad, general and adaptable to changing technologies, and they include many of the same principles highlighted in the FTC privacy report, such as enhanced transparency, security and data minimization.
Notably, the report does not specify whether a FIPPs-based framework should be established by "industry, civil society, the Executive Branch or Congress." The report addresses the possibility of legislation but cautions about the "danger of locking-in outdated rules" that do not protect consumers and hinder innovation. The report seeks comment on whether the FIPPs should be enacted by statute, how the FIPPs should be enforced, the criteria for deciding which FIPPs require rulemaking, and whether privacy legislation should include a private right of action. As the Commerce Department considers its position on legislation, it has expressed interest in the following policy options:
- Baseline commercial data privacy policies to fill-in gaps in the law;
- Voluntary and enforceable codes of conduct that can adapt to changing technologies and business models;
- Codes of conduct with 'safe harbor' practices protected against FTC enforcement;
- Limited Commerce Department rulemaking authority over certain FIPPs, in response to established market failures; and
- Lower barriers to international online commerce.
2. Adoption of "High Priority" Fair Information Practice Principles
The report calls for the adoption of certain "high priority" FIPPs, including:
- Transparency. The report proposes enhancing transparency through simple, clear company privacy policies and notices that better inform consumers about how their personal information will be used. The report recommends incentivizing companies to create detailed and public Privacy Impact Assessments (PIAs), which identify and evaluate privacy risks to personal information. The report seeks comment on legislative, regulatory, and voluntary self-regulatory models to encourage greater transparency, on how to incentivize PIAs, and on what the PIAs should contain.
- Purpose Specifications. The report proposes a FIPP that would require an organization to inform consumers on the specific purposes for data collection and the purposes for which the data is intended to be used.
- Use Limitations. The report proposes limiting the uses of consumer data to those purposes specified and disclosed to consumers. The Commerce Department seeks to protect privacy while still encouraging creative re-use of information, as long as consumers are informed of this re-use upfront and given an opportunity to consent.
- Accountability. The report proposes increasing accountability for consumer privacy through expanded use of robust auditing and enforcement. However, the report seeks comment on the technical feasibility of auditing a company's data collection practices and on how to ensure compliance with purpose and use limitations. The report also seeks comment on incentivizing the use of technologies that aid privacy audits.
3. Adoption of Voluntary, Enforceable, FTC-Approved Privacy Codes of Conduct
To address emerging technologies and issues not squarely covered by the baseline FIPPs, the report proposes creation of a semi-self-regulatory framework - voluntary but enforceable, FTC-approved consumer online privacy codes of conduct. The Commerce Department envisions privacy codes of conduct developed by industry, consumer groups, and government stakeholders in an open process and approved by the FTC. The report seeks comment on whether the FTC should be given rulemaking authority to develop codes of conduct in the event industry fails to act. The report also proposes several policy options to encourage stakeholders to develop and comply with voluntary privacy codes of conduct, discussed below.
- Increased FTC Enforcement. To encourage industry actors to develop and sign on to voluntary privacy codes of conduct, the report recommends increased FTC enforcement under the current patchwork of sectoral privacy laws.
- Creation of a 'Safe Harbor.' To provide an incentive to industry, the report proposes creating 'safe harbor' statutory provisions that insulate companies from FTC enforcement when they comply with voluntary codes of conduct. In other words, abiding by a specific voluntary code of conduct would create a presumption of compliance with broader FIPP-based commercial data privacy legislation. However, deviation from the code of conduct could lead to FTC enforcement action. To qualify for the safe harbor, the voluntary codes of conduct must be developed through an open, multi-stakeholder process and approved by the FTC.
5. FTC Should Remain the 'Lead' Consumer Privacy Enforcement Agency
The report recommends that the FTC remain the lead or primary enforcer of consumer privacy protection and suggests that baseline FIPP legislation could provide the FTC with greater privacy enforcement authority. Agency coordination will be required where FTC privacy enforcement authority overlaps with cybersecurity and the protection of proprietary and critical infrastructure information. The report seeks comment on the scope of FTC rulemaking authority, the point at which the FTC should review voluntary codes of conduct, and whether FIPPs should be considered on an independent basis or under the FTC's Section 5 "unfair and deceptive" jurisdiction.
6. Federal Government Should Continue to Encourage Global Interoperable Privacy Frameworks
The report recommends that the Federal government work toward increased cooperation with other nations to develop interoperable commercial data privacy frameworks. The report proposes developing a global privacy framework that decreases the costs of doing business, provides consumers consistent protection worldwide, and encourages economic growth. In particular, the report endorses the Asia-Pacific Economic Cooperation (APEC) Data Privacy Pathfinder Project model - a self-regulatory framework that adopts nine high-level privacy principles regarding the collection, use and handling of personally identifiable information. The report finds that the APEC Privacy Framework allows businesses to transfer consumer data according to established privacy principles while agreeing to submit to an APEC "accountability agent."
7. Create a National Data Security Breach Notification Requirement
The report proposes creating a comprehensive national framework to govern security breaches of sensitive commercial data that includes notice requirements, encourages companies to adopt data security measures, and allows the states to expand upon these measures. The report seeks comment on the factors on which a breach notification requirement should be based, such as the number of records released.
8. Baseline Privacy Framework Should Act in Concert and Not Conflict with Existing Sectoral Privacy Laws
The report emphasizes that baseline privacy principles should not conflict with, but rather complement, the strong sectoral patchwork of laws that currently protect privacy. Currently, privacy is protected through categorical, industry-specific laws, such as the Health Insurance Portability and Accountability Act in the healthcare industry. The report notes the merits of the current industry-specific sectoral approach and seeks comment on the lessons of this approach.
9. Framework Should Balance Federal Uniformity with State Freedom to Act
Without providing specifics, the report recommends balancing the need for a uniform privacy regime against the states' ability to protect consumers and regulate concerns raised by emerging technologies. The report seeks comment on the extent to which national baseline FIPP legislation should preempt state action and state unfair and deceptive trade practices laws, on ensuring that Federal law is no less protective than state law, and on the extent to which state Attorneys General should have an enforcement role.
10. Administration Should Review the Electronic Communications Privacy Act Regarding Cloud Computing and Location-Based Services
The report also calls for review of the Electronic Communications Privacy Act (ECPA) in light of technological developments in cloud computing and location-based services. Generally, ECPA prohibits unauthorized access to communications systems and prohibits a service provider from disclosing the contents of wire and electronic communications. The Commerce Department is currently working with the Justice Department and other Federal agencies, as part of a White House Interagency Subcommittee on Privacy and Internet Policy, to re-examine ECPA. The report seeks comment on cloud computing and location-based services and on whether ECPA and other legal protections are sufficient.
To further discussion of these issues, the Commerce Department released a Notice and Request for Public Comment along with the report, seeking public comment on the proposals and questions presented in the report. Public comments on the report are due on or before January 28, 2011 (two days before comments are due on the FTC privacy report). Kelley Drye attorneys have extensive experience in regulatory advocacy and in privacy-related matters in particular. Please contact us if we can assist or advise in the preparation of comments.