Today, the White House released its long-awaited Privacy “White Paper” that outlines the Obama Administration’s proposal for a new American privacy framework. The more than year-long process that culminated in today’s release of the White Paper began in December 2010 when the Department of Commerce’s Internet Policy Task Force released a “Green Paper” entitled: “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” We previously released a Privacy and Information Management Alert that provides an in-depth analysis of the Green Paper.
The Internet Policy Task Force utilized a multi-stakeholder approach to create the Green Paper, consulting with “stakeholders in industry, civil society, academia, and government” during the drafting process, as well as considering the numerous written responses it received pursuant to the publication of the Privacy and Innovation Notice of Inquiry. The drafters of the Green Paper stated that the majority of the written responses they received indicated that there is a “compelling need to ensure transparency and informed consent, to provide additional guidance to businesses, to establish a baseline commercial data privacy framework to afford protection for consumers, and to clarify the U.S. approach to commercial data privacy—all without compromising the current framework’s ability to accommodate customer service, innovation, and appropriate uses of new technologies.” The Green Paper included policy recommendations under four broad categories:
· Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles.
· Encourage Global Interoperability.
· Ensure Nationally Consistent Security Breach Notification Rules.
The White Paper released today by the Administration addressed many of the issues brought to light by and built on many of the recommendations set forth in the Green Paper and the more than one hundred comments received in response to the publication of the Green Paper. The Administration addressed those issues and recommendations by setting forth a new privacy framework that consists of four key elements: (1) a Consumer Privacy Bill of Rights; (2) a multi-stakeholder process to determine how these rights will apply in specific business contexts; (3) an effective enforcement model; and (4) greater interoperability between the privacy frameworks of the United States and its international partners.
Consumer Privacy Bill of Rights
The cornerstone of the Administration’s privacy framework is the Consumer Privacy Bill of Rights, which adapts the decades-old Fair Information Practice Principles (FIPPs) to the interconnected and interactive world that we live in today. The Privacy Bill of Rights applies to commercial uses of personal data and seeks to provide greater privacy protection for consumers and greater certainty for businesses. As we noted in an earlier blog post, there are seven core rights that comprise the Privacy Bill of Rights:
· Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
· Transparency: Consumers have a right to easily understandable information about privacy and security practices.
· Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
· Security: Consumers have a right to secure and responsible handling of personal data.
· Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
· Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
· Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
In a media teleconference about the White Paper, Jules Polonetsky, Director and Co-Chair of the Future of Privacy Forum, stated that a key point of framework is that the Administration calls on “consumer-facing companies [to] act as the stewards, as the ones responsible” for consumers’ privacy. He noted that although this seems like a logical arrangement, it is not the way the online ecosystem has worked in the past. By calling on consumer-facing companies to take responsibility for consumers’ privacy, the framework seeks to align business practices with consumers’ expectations about who will safeguard their privacy.
The Administration’s framework contemplates a multi-stakeholder approach that will produce enforceable codes of conduct that implement the Privacy Bill of Rights. The multi-stakeholder approach is championed by the Administration due to the “flexibility, speed, and decentralization necessary to address Internet policy challenges.” Christopher Wolf, Hogan Lovells Partner and Founder and Co-Chair of the Future of Privacy Forum, praised the Administration for eschewing a one-size-fits-all approach and instead opting for flexible codes of conduct, stating that “the call for enforceable codes of conduct is a sensible way to address privacy.” In addition to flexibility, the speed with which the multi-stakeholder process can produce solutions—as compared to the regulatory or law making process—is also appealing due to the constantly-evolving nature of privacy issues. Polonetsky noted that “many [privacy] issues are moving so quickly that if you don’t achieve success in the short term, [they] can outrun you.” The Administration has tasked the Commerce Department’s National Telecommunications and Information Administration (NTIA) with spearheading the multi-stakeholder process, and Polonetsky commented that he expects NTIA to start the process by releasing a Notice of Inquiry sooner rather than later, so that quick wins can be achieved.
Strengthening FTC Enforcement
In the White Paper, the Administration highlighted the importance of the FTC in maintaining a level playing field by ensuring that businesses adhere to their privacy commitments and punishing those that do not. The Administration stated that a business’s commitment to adhere to a voluntary code of conduct will become enforceable under Section 5 of the FTC Act, analogizing the situation to the FTC’s power to enforce the promises and representations businesses make in their privacy policies. However, the Administration also noted that one of the benefits of adhering to a code of conduct is that in “any enforcement action based on conduct covered by a code, the FTC will consider a company’s adherence to a code favorably.”
Promoting International Interoperability
Referring to the differences in national privacy laws that create challenges for businesses that wish to transfer data across national borders, the Administration stated that it is “critical to the continued growth of the digital economy that they strive to create interoperability between privacy regimes.” The Administration expressed its desire to promote international interoperability by pursing mutual recognition of commercial privacy frameworks, international codes of conduct based on the multi-stakeholder process, and bilateral or multilateral enforcement cooperation.
Calls for Privacy Legislation
At the conclusion of the White Paper, the Administration called on Congress to adopt the Consumer Privacy Bill of Rights and provide the FTC and State Attorneys General with the power to enforce those rights. However, Polonetsky pointed out that it is unlikely that Capitol Hill will act on this suggestion in the short term.
In addition, the Administration expressed support for creating a national standard for security breach notification, which would replace the state breach notification laws that are currently enacted in 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands. The Administration noted that the “patchwork of State laws creates significant burdens for companies without much countervailing benefit for consumers.”