Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

US Department of Commerce Releases Draft Privacy Green Paper, Adding to Federal Examination of Privacy Protections

Preserving consumer privacy online and thereby bolstering consumer trust in the Internet is essential for businesses to succeed online according to the just-released Department of Commerce Green Paper entitled “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”  

The Green Paper was authored by the Internet Policy Task Force at Commerce – a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology. The paper follows a Notice of Inquiry to which many stakeholders responded, and a symposium last May. It also follows the December 1st release of the preliminary FTC Staff Report on Privacy.

The Green Paper says there is a  “compelling need to provide additional guidance to businesses, to establish a baseline privacy framework to afford protection for consumers, and to clarify the U.S. approach to privacy to our trading partners – all without compromising the current framework’s ability to accommodate new technologies.”

Like the FTC Report, the Commerce Green Paper proposes an expanded set of Fair Information Practice Principles (FIPPs), yet it is stronger than the FTC Report in raising the prospect of baseline privacy legislation, and it directly raises the question of whether the FTC should be given rulemaking authority to implement privacy principles (which it now lacks under Section 5 of the FTC Act). The Green Paper also suggests a safe harbor provision in any legislation, for companies that adhere to "voluntary, enforceable codes of conduct.”

The paper cautions that any new laws should not preempt the strong sectoral laws that already provide important protections, but rather should act in concert.  The paper also recognizes the important role state law has played in building the privacy and data security framework in the U.S., and it cautions against impairing the states’ role as privacy law incubators.  In addition, the role state Attorneys General can play in enforcing privacy rights is expressly recognized in the Green Paper.

With respect to full implementation of the FIPPs, the paper specifically has in mind enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.  The idea of Privacy Impact Assessments also is discussed.

The Green Paper also calls for a federal data security breach notification law for electronic data.

The Commerce paper also calls to reforming the opaque and outmoded Electronic Communications Privacy Act (ECPA), paying particular attention to assuring strong privacy protection in cloud computing and location-based services. The goal of this effort is to ensure that, as technology and market conditions change, ECPA continues to provide a fair balance between individuals’ expectations of privacy and the legitimate needs of law enforcement to gather the information it needs for security.

The absence of a designated privacy authority in the federal government also is addressed in the Green Paper, and there is a call for a Privacy Policy Office (PPO). The office would not have enforcement authority – the FTC would continue to play the lead privacy enforcement role. 

In his October 27th speech at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, NTIA Administrator Lawrence E. Strickling explained that the PPO “would complement, not supplant, the Federal Trade Commission or the other institutions of the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies. A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices.”

Mutual international recognition of and respect for privacy frameworks also is mentioned in the Green Paper, a reference to the EU’s persistent finding that the U.S. lacks “adequate protection” of personal data, thus requiring cumbersome legal mechanisms for the cross-border transfer of data.

The Green Paper is being published in the Federal Register with a period for public comment and input.