Summary of Draft Department of Commerce Privacy Green Paper

Notably, the article reports:

• The Department of Commerce document is expected to be released in the coming weeks.

• In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.

• The report [says] that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs)."  

• It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.

• As for other congressional action, the report [says] that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways."

"DRAFT COMMERCE REPORT RECOMMENDS
ONLINE PRIVACY OFFICE, LEGISLATION

A draft Commerce Department report that is being reviewed by the White House recommends the creation of a privacy policy office and passage of legislation that establishes “a baseline privacy framework.”  In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.

TRDaily has obtained a copy of the 54-page draft document, “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”  It is the work of Commerce’s Internet Policy Task Force, which has held more than six months of consultations, issued a notice of inquiry in April (TRDaily, April 21), and held a symposium in May (TRDaily, May 7).  The document is expected to be released in the coming weeks.  The task force is a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology.

“As the Internet evolves, the Obama administration is committed to promoting policies that will preserve consumer privacy online while ensuring the Web remains a platform for innovation, jobs, and economic growth.  These are complementary goals, because consumer trust in the Internet is essential for businesses to succeed online,” said a Commerce Department spokeswoman, declining to discuss specifics of the report.  “In the coming weeks, the Commerce Department will issue a report that contains policy recommendations and seeks further input, with the aim of advancing both the domestic and global dialogue and contributing to an eventual administration-wide position on information privacy policy.”  The report is currently being reviewed by the White House Office of Management and Budget, according to a source.

Recently, the Obama administration created a federal interagency panel to work on privacy and Internet policy (TRDaily, Oct. 25).  It is chaired by Commerce General Counsel Cameron Kerry and Assistant Attorney General Christopher Schroeder.

The report said that comments submitted in response to the NOI “demonstrated a compelling need to provide additional guidance to businesses, to establish a baseline privacy framework to afford protection for consumers, and to clarify the U.S. approach to privacy to our trading partners – all without compromising the current framework’s ability to accommodate new technologies.”

However, broadband industry providers commenting on the NOI told the department last summer that online privacy protections should be pursued through self-regulation, industry standards, and best practices, rather than through regulation and legislation (TRDaily, June 16).  Public interest groups, however, saw a role for government mandates, along with other approaches advocated by industry.

The report said that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs).  Widespread adoption of comprehensive FIPPs is essential to achieving the goals we have set for the Dynamic Privacy Policy Framework.  Widespread adoption of FIPPs would protect privacy interests in data that currently receive little or no statutory privacy protection.  Also, given the flexibility inherent in the individual principles, a FIPPs baseline would help ensure consumer privacy protection as new technologies emerge.  Finally, the FIPPs-based framework that we envision would allow companies to direct resources to the principles that matter most for protecting privacy in a particular technological, business, or social context.  Legislation would authoritatively establish a FIPPs-based framework, but action by industry, civil society, the Executive Branch, and enforcement agencies can also help this framework take hold.”  It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.

As for other congressional action, the report said that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways.  The law should track the effective protections that have emerged from state security breach notification laws and permit enforcement by state authorities.”

And while it called for “baseline” privacy legislation, the report said that such a measure “should not preempt the strong sectoral laws that already provide important protections to Americans, but rather should act in concert with these protections.”

In addition, the document said that “[a]ny federal law or regulation should seek to balance the desire to create uniformity and predictability across state jurisdictions with the desire to permit states the freedom to protect consumers and to regulate new concerns that arise from emerging technologies when federal law lags behind privacy issues created by a rapidly changing technological environment.”  Among the questions posed is whether state attorneys general should be given the authority to enforce national legislation.

The report also called on the Obama administration to “review the Electronic Communications Privacy Act (ECPA), paying particular attention to assuring strong privacy protection in cloud computing and location-based services.  The goal of this effort should be to ensure that, as technology and market conditions change, ECPA continues to provide a fair balance between individuals’ expectations of privacy and the legitimate needs of law enforcement to gather the information it needs to keep us safe.”

Regarding the privacy policy office (PPO), the task force said it could either be housed within Commerce or in the Executive Office of the President.  The office would not have enforcement authority, it said. “The PPO would help guide industry-specific, multi-stakeholder undertakings in developing data privacy policies that respond to identifiable technological or business developments,” it said.  “A PPO-facilitated process would provide a way for stakeholders who are examining innovative new uses of personal information to better understand changing consumer expectations-and identify privacy risks-early in the lifecycle of new products or services.  As both a convener of diverse stakeholders and a center of Executive Branch privacy policy expertise, the PPO would work with the FTC in leading efforts to develop voluntary but enforceable codes of conduct.  Voluntary principles developed through this process would be enforceable by the Federal Trade Commission and would serve as a safe harbor for companies facing complaints about their privacy practices.”

In an Oct. 27 speech at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, NTIA Administrator Lawrence E. Strickling also stressed that the PPO “would complement, not supplant, the Federal Trade Commission or the other institutions of the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies.  A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices.”

The report also recommended an emphasis on FIPPs that focus on “enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.”  It also said any legislation establishing “general FIPPs-based data privacy protection should include a safe harbor provision for companies that adhere to voluntary, enforceable codes of conduct.”  It also said that the FTC “should remain the lead consumer privacy enforcement agency for the U.S. Government,” but it sought questions on whether the FTC should be given additional rulemaking authority if voluntary enforceable codes are not established.

The report also recognized the importance of collaboration with stakeholders from other countries.  It recommended continued work by U.S. officials “toward increased cooperation among privacy enforcement authorities around the world,” that includes “a framework for mutual recognition of other countries’ privacy frameworks.”- Paul Kirby, [email protected]"

Authored by Christopher Wolf.