The article below (reprinted with permission) from Telecom Reports Daily is based on the reporter’s review of a copy of the draft Privacy Green Paper from the Department of Commerce, now under review at the White House.
Notably, the article reports:
- The Department of Commerce document is expected to be released in the coming weeks.
- In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals. The department plans to seek formal comment on the questions in a separate “Federal Register” notice.
- The report [says] that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs).”
- It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.
- As for other congressional action, the report [says] that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways.”
DRAFT COMMERCE REPORT RECOMMENDS ONLINE PRIVACY OFFICE, LEGISLATION
TRDaily has obtained a copy of the 54-page draft document, “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.” It is the work of Commerce’s Internet Policy Task Force, which has held more than six months of consultations, issued a notice of inquiry in April (TRDaily, April 21), and held a symposium in May (TRDaily, May 7). The document is expected to be released in the coming weeks. The task force is a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology.
Recently, the Obama administration created a federal interagency panel to work on privacy and Internet policy (TRDaily, Oct. 25). It is chaired by Commerce General Counsel Cameron Kerry and Assistant Attorney General Christopher Schroeder.
The report said that comments submitted in response to the NOI “demonstrated a compelling need to provide additional guidance to businesses, to establish a baseline privacy framework to afford protection for consumers, and to clarify the U.S. approach to privacy to our trading partners – all without compromising the current framework’s ability to accommodate new technologies.”
However, broadband industry providers commenting on the NOI told the department last summer that online privacy protections should be pursued through self-regulation, industry standards, and best practices, rather than through regulation and legislation (TRDaily, June 16). Public interest groups, however, saw a role for government mandates, along with other approaches advocated by industry.
As for other congressional action, the report said that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways. The law should track the effective protections that have emerged from state security breach notification laws and permit enforcement by state authorities.”
And while it called for “baseline” privacy legislation, the report said that such a measure “should not preempt the strong sectoral laws that already provide important protections to Americans, but rather should act in concert with these protections.”
In addition, the document said that “[a]ny federal law or regulation should seek to balance the desire to create uniformity and predictability across state jurisdictions with the desire to permit states the freedom to protect consumers and to regulate new concerns that arise from emerging technologies when federal law lags behind privacy issues created by a rapidly changing technological environment.” Among the questions posed is whether state attorneys general should be given the authority to enforce national legislation.
The report also called on the Obama administration to “review the Electronic Communications Privacy Act (ECPA), paying particular attention to assuring strong privacy protection in cloud computing and location-based services. The goal of this effort should be to ensure that, as technology and market conditions change, ECPA continues to provide a fair balance between individuals’ expectations of privacy and the legitimate needs of law enforcement to gather the information it needs to keep us safe.”
In an Oct. 27 speech at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, NTIA Administrator Lawrence E. Strickling also stressed that the PPO “would complement, not supplant, the Federal Trade Commission or the other institutions of the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies. A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices.”
The report also recommended an emphasis on FIPPs that focus on “enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.” It also said any legislation establishing “general FIPPs-based data privacy protection should include a safe harbor provision for companies that adhere to voluntary, enforceable codes of conduct.” It also said that the FTC “should remain the lead consumer privacy enforcement agency for the U.S. Government,” but it posed questions on whether the FTC should be given additional rulemaking authority if voluntary enforceable codes are not established.
The report also recognized the importance of collaboration with stakeholders from other countries. It recommended continued work by U.S. officials “toward increased cooperation among privacy enforcement authorities around the world,” that includes “a framework for mutual recognition of other countries’ privacy frameworks.”

- Paul Kirby, firstname.lastname@example.org