Two weeks after the FTC released its privacy report, the Department of Commerce this morning released its own call for the United States to improve its privacy protection framework. While the FTC focused on the consumer case for privacy legislation (consumers don’t understand how their data is being used and don’t have effective controls), the Commerce report focuses on the need for better privacy rules for businesses. Commerce cited two key reasons why business needs better privacy rules: First, consumers are increasingly aware that they don’t have privacy protections, and are growing increasingly unsure about adopting new technological services. Second, the lack of privacy protection in this country hurts U.S. companies that are competing internationally to offer cloud and other online services to global customers.
To bolster U.S. privacy protection, the Department of Commerce now recommends that we implement a privacy framework based on a full set of the Fair Information Practice Principles (many reporters have called this a Privacy “Bill of Rights”). A key recommendation of the report (which Commerce is calling a “green paper”) is that these Principles should be implemented on an industry-by-industry basis based on multi-stakeholder negotiations convened by the Department of Commerce and the FTC. The green paper argues that this approach would work better for both businesses and consumers than having one inflexible rule that applies imperfectly to different industries. (Importantly, in addition to consumer privacy concerns, the report recognizes that lack of government privacy protections is a potential inhibitor to e-commerce as well. Now that the Sixth Circuit has held conclusively that Americans have a Fourth Amendment expectation of privacy in remote cloud storage, we may finally have the necessary critical momentum to implement modern and appropriate safeguards on government access to electronic data.)
Contrary to prior reporting, the green paper does not explicitly call for a baseline privacy law to put the Fair Information Practice Principles into place. The report does list a baseline law as the first option it is considering, but it solicits public comment on what approach Commerce should ultimately take.
CDT strongly supports the idea of flexible multi-stakeholder approaches to privacy rules as an innovative and practical way to achieve meaningful privacy protections for consumers while not inhibiting technological development. Different industries collect and use consumer data in different ways, and negotiated industry-specific rules developed by business, public advocates, and government may offer a better approach than overly prescriptive top-down rules that may be too lenient or too harsh depending on the context.
However, it is not clear how such a multi-stakeholder approach could work in the absence of a baseline privacy law. As the report notes, industry has failed to self-regulate on its own. Commerce notes that the only major self-regulatory initiative in recent years has been the online advertising industry’s effort at developing consistent rules for showing behavioral ads. Over two years after that effort launched, we are still far from seeing that process fully implemented. And that’s the success story! CDT believes very strongly that such efforts would be improved with the input of civil society (like CDT) and effective only on the explicit approval of the FTC, but what incentive does industry have to bring others to the table to negotiate? The green paper does call for “stepped up” FTC enforcement, and potential “safe harbors” from FTC action, but without new law, the FTC has very limited ability to enforce privacy protection today (for the most part, only companies that affirmatively misstate their privacy practices are subject to enforcement). Without a baseline law to backstop a multi-stakeholder approach, you could probably get the biggest companies to the table to negotiate a set of best practices, but what about emerging app developers and web start-ups that can otherwise fly under the radar without default rules?
We continue to believe that a baseline privacy law based on the Fair Information Practices is the only way to address the worst actors and to create consumer and global confidence in the U.S. privacy protection framework. Such a law certainly could (and probably should) incorporate a multi-stakeholder approach to narrow, industry-specific rulemaking. Indeed, this approach was reflected in the BEST PRACTICES bill introduced by Chairman Bobby Rush last year that CDT has enthusiastically supported.
It’s a very positive step that both Commerce and FTC have found that the current self-regulatory framework and enforcement have not worked for both businesses and consumers. Going forward, while we will always support meaningful industry efforts to protect consumer privacy, at the end of the day only a baseline law will offer complete protection against all potential misuses of personal data.