February 4, 2011
The Commerce Department's Internet Policy Taskforce released a "Green Paper" outlining a proposal for a new privacy framework and asked the public to comment on the substance of the paper. CDT believes the paper is an important first step toward establishing a long overdue comprehensive privacy protection framework in the United States. This Policy Post outlines the recommendations CDT submitted in response to the paper.
In its comments, CDT argued that the only way to implement a commercial data privacy framework that fully and effectively incorporates all the Fair Information Practice principles (FIPs) is through baseline privacy legislation. While CDT recognized the importance of the Task Force's approach of developing a multi-stakeholder process to help devise industry-specific implementations of privacy rules, we counseled that it would be difficult to drive a discussion without incentives and common floor protections. Indeed, "voluntary and enforceable codes of conduct" (which the Task Force recommends as a means to implement a privacy protection framework) is the privacy protection framework that we have today, which both the FTC and the Department of Commerce Task Force have found inadequate.
CDT explained that the lack of baseline rules and failure of voluntary self-regulation has been bad for both consumers and businesses. Without fundamental baseline protections, the United States loses the confidence of global customers and the necessary credibility in its push for the harmonization of global privacy laws and for the easing of restrictions on cross-border data flows.
Baseline standards can help ease all of these problems. It is difficult to envision any other mechanism (formal or informal) that could provide the same clarity and incentives as baseline legislation.
Leslie Harris' Testimony Before the Senate Commerce, Science & Transportation Committee, "Privacy Implications of Online Advertising" (July 9, 2008)
CDT expressed support for a coregulatory approach to the implementation of the FIPs into privacy legislation. Under this model, industry coalitions could propose coregulatory compliance programs for safe harbor status from certain elements of a baseline law, such as a private right of action and opt-in permission for some third-party data transfers. These safe harbor programs would be subject to FTC review and approval to ensure that they include substantive privacy protections at least as strong as those required by the baseline law and must be backed up by a robust auditing and self-regulatory enforcement regime. CDT endorsed such a coregulatory approach in the BEST PRACTICES bill introduced in the last Congress. The Task Force Green Paper builds on the ideas in that bill by suggesting a mechanism to bring civil society groups into the discussions on safe harbor rules. However, delegating enforcement of safe harbor rules entirely to non-governmental bodies could debilitate any privacy protection framework, and would fail to assuage the privacy concerns of foreign customers. Therefore, the FTC and state Attorneys General should always retain the authority to bring actions against companies who certify that they are in compliance with an approved code of conduct but in fact are not.
Leslie Harris' Testimony before the House Subcommittee on Commerce, Trade, and Consumer Protection (July 22, 2010)
The Federal Trade Commission should have robust enforcement authority under any privacy protection framework. In recent years, despite significant limitations in its authority absent a specific privacy law, the FTC's Consumer Protection Bureau has brought important privacy protection actions, and consequently it has the experience and expertise needed to enforce new substantive privacy protections. Any new privacy protection framework should give the FTC the ability to obtain penalties for violations of FIPs-based rules, whether those rules are embodied directly in regulations or adopted by companies as part of a safe harbor or multi-stakeholder program.
However, there is an important difference between empowering the FTC to issue regulations and mandating that such regulations be issued immediately. Flexibility is especially important where rapid innovation is concerned. If a baseline privacy law incorporates safe harbor programs, the FTC may have less need to issue detailed regulations, as the expectation for coregulatory programs is that much of the “on-the-ground” rulemaking and implementation of privacy protections would take place within the safe harbor programs.
If the FTC is not given the full set of tools to implement privacy protections, the United States may have difficulty developing international confidence in any new privacy protection framework.
CDT discussed desirable features of baseline privacy legislation. First, a carefully scoped private right of action, in conjunction with a safe harbor protection for compliant participants, can help ensure accountability. Second, in addition to the FTC, state Attorneys General should also be given the ability to enforce and obtain statutory penalties for violations of a FIPs-based federal law. Third, any preemption of state law in a new baseline federal privacy law should be narrowly tailored to reach only those state laws that expressly cover the same set of covered entities and the same set of requirements. Finally, a baseline commercial privacy law should not preempt the strong sectoral laws and policies already in place.
The FTC’s support for "Do Not Track" has produced remarkable results in a few short months, as both Microsoft and Mozilla have announced their intent to develop browser features that would allow consumers to prevent third-party tracking. CDT believes that "Do Not Track" technology could be included as one piece of baseline privacy legislation, though we would be hesitant about statutory language that mandates specific technical solutions. However, "Do Not Track" does not address a wide range of other privacy concerns, such as cloud computing, social networking, and offline data sharing. With or without “Do Not Track,” we need a comprehensive approach to baseline privacy legislation.