United States: Commerce Department Issues Privacy Law Recommendations

On December 16, 2010, the U.S. Department of Commerce issued its long-awaited report on consumer privacy, proposing a framework with recommendations for addressing online privacy issues in the United States.¹ Representing a departure from the past hands-off approach, the Obama administration recommends increased government activity in the area of consumer privacy protection. Entitled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, the report provides a detailed analysis of current privacy issues and makes various proposals with respect to certain core privacy principles in order to assure baseline consumer protections. The Commerce Department seeks to improve the state of privacy domestically and advance interoperability among the various privacy regimes around the world so that Internet-based products and services can continue to grow.

Coming on the heels of the FTC's privacy report issued December 1, 2010,² the Commerce Department report notes that during the past 15 years, technology has been transforming the economy and social life, with privacy laws struggling to keep up. The gap between the ability to acquire and use personal information and the current privacy framework leaves consumers with a sense of insecurity about whether using new technologies will expose them to unwanted loss of privacy and misuse of their personal information.

The report is an outgrowth of the Commerce Department's Internet Policy Task Force work that began more than a year ago with the input from stakeholders in industry, civil society, academia, and government. The Task Force proposes consideration of a Dynamic Privacy Framework, with four broad principles:

1. Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles (FIPPs). The FTC has long been a proponent of the FIPPs of notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress. (See http://www.ftc.gov/reports/privacy3/fairinfo.shtm.) The report notes that, notwithstanding these efforts, Internet users largely do not understand current data privacy protections. The Task Force recommends the government recognize a full set of FIPPs as the foundation for commercial data privacy. As a sort of privacy "bill of rights," FIPPs can promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses, and expanded use of robust audit systems to bolster accountability. For example, companies could develop voluntary enforceable codes of conduct, and safe harbors could be created with respect to FTC enforcement actions. The report suggests that companies should obtain permission before using personal information for a purpose other than that for which it was originally collected.

The Task Force also suggested the use of privacy impact assessments (PIAs), which are used to identify and evaluate privacy risks arising from the use of personal information. If properly conducted, PIAs could be made public to provide consumer awareness of privacy practices and risks as companies develop new products, services, and technology. PIAs also help businesses determine the risks associated with information collection and use practices, leading to alternative approaches, where needed, that would help reduce privacy risks.

2. Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through the collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Commerce Department. The Task Force recognizes the benefit of obtaining the expertise and knowledge of the private sector in creating voluntary codes of conduct. The government can bring the necessary stakeholders (e.g., business industry, consumer groups, privacy advocates, and so forth) together to study new uses of personal information and better understand consumer expectations early in the life cycle of new products or services. In this regard, the report recommends establishing a Privacy Policy Office (PPO) in the Commerce Department.

The PPO would act as a "convener" of stakeholders, as well as a center of commercial data privacy policy expertise. Working with the FTC, the PPO would lead efforts to develop codes of conduct that would be enforceable by the FTC. Compliance with the appropriate codes of conduct would serve as a safe harbor for companies with respect to their privacy practices. The PPO would serve as a non-enforcement policy development resource, while the FTC would continue to handle enforcement matters. The Task Force also recognized the FTC's "do not track" mechanism proposal³ as an example of how the PPO could facilitate industry and consumer discourse on a significant privacy concept.

3. Encourage global interoperability. The report recognizes that differences between U.S. and other national privacy laws make it increasingly difficult, complex, and burdensome for companies to comply, which in turn affects their ability to provide goods and services in a global economy. With the goal of decreasing regulatory barriers to trade and commerce, the United States would work with other countries to promote efficient cross-border data flow. The Task Force suggests that global privacy interoperability should be based on accountability, mutual recognition, and reciprocity of enforcement.

4. Ensure nationally consistent security breach notification rules. The report recommends passage of a federal commercial data security breach notification (SBN) law that establishes national standards. The Task Force notes that state SBN laws have been successful in protecting personal data and reducing identity theft, but points out that the differences among them present inconsistency and unnecessary costs to U.S. businesses. The FTC and individual states would have the authority to enforce this law. A consistent national approach to data breach requirements would clarify protections for consumers, streamline compliance, and allow companies to develop a nationwide data management strategy. The federal SBN law would not, however, supersede or modify existing federal privacy laws, such as in the areas of health care, financial services, and education.

Footnotes

1. A copy of the report can be found at http://tinyurl.com/238q7zr.

2. See Foley Legal News Alert, "FTC Issues Proposed Privacy Framework for Businesses and Policymakers" at http://www.foley.com/abc.aspx?Publication=7709.

3. See Foley Legal News Alert, "FTC Issues Proposed Privacy Framework for Businesses and Policymakers" at http://www.foley.com/abc.aspx?Publication=7709.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.