If the speakers who populated last week’s Global Privacy Summit session on the prospects for a U.S. consumer privacy law are any indication of how actual negotiations on the bill might play out, it could be a bumpy ride to President Barack Obama's desk.
In late February, the Obama administration released its much-anticipated draft for a Consumer Privacy Bill of Rights Act of 2015, which aims to give consumers greater control over their online data by allowing them to see, correct and delete information that companies hold on them as well as to restrict companies from reusing or reselling consumer data in ways consumers haven’t signed off on, among other effects. Its tenets resemble but perhaps modernize the Fair Information Practice Principles (FIPPs), emphasizing data accuracy and security, responsible data use, respect for context and enforcement measures.
The bill, which was released in draft form for discussion purposes with House and Senate versions released this week, would see companies voluntarily developing enforceable codes of conduct. The Department of Commerce’s National Telecommunications and Information Administration (NTIA) would lead a multi-stakeholder process to develop such codes of conduct, which would be enforceable under Section 5 of the Federal Trade Commission (FTC) Act, though there's been some criticism that the bill doesn't give the FTC enough enforcement power.
Cam Kerry, formerly of the Department of Commerce (DoC) but now in private practice at Sidley Austin, was heavily involved in curating the bill during his tenure at the DoC. He said he’s frustrated it took years for the proposal to come to fruition—a blueprint of the bill was released in 2012—but, for one, it took some time to convince lawmakers of the need for such a bill.
“We didn’t do enough in 2012 to articulate the benefits of data use and to articulate in a concrete way what the harms are,” Kerry said. “As I would go out and talk to people on Capitol Hill, they’d ask, ‘What’s the harm we are trying to deal with?'”
But now, things have changed. The Snowden revelations helped with that a bit, and earlier this year, the president stood at a podium bearing the U.S. emblem and said data privacy is a priority in this country.
“The president of the United States is putting his personal imprint on baseline privacy legislation,” Kerry said. “That is a big deal.”
But Nuala O’Connor, CIPP/US, CIPP/G, president and CEO of the Center for Democracy & Technology, said while she gives the administration props for bringing a draft bill to fruition at all, the bill itself doesn’t seem to live up to the last three years of hype it's received.
“The reality is it has not met the expectations many of us had for the bill, and that’s why there’s been very significant blowback from industry,” she said. “There’s got to be a stronger baseline, and it’s got to be much more comprehensive.”
For one, the potential enforcement actions the FTC can take are too weak, she said: "Tens of thousands of dollars in fines are meaningless for big companies."
O’Connor also disapproves of some of the bill’s built-in data-use exceptions, such as for companies with 25 or fewer employees. Start-ups should be held to the same standard as big corporations, she said.
Microsoft’s Mike Hintze, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM, CIPT, is less critical of the bill.
“We think it’s a good starting point for the conversation. It brings some positive contributions to the discussion," he said.
Microsoft has been calling for comprehensive privacy legislation for more than a decade, he added. It's just good business.
"It's about trust and fostering trust in online services and technologies," he said. "Companies can adopt good practices, but unless there’s a baseline fallback set of protections enforceable in law,” there’s going to be some hesitance on the part of consumers, particularly those in Europe.
Hintze is pleased with the draft's adjustment from the standard FIPPs model of notice and choice, which he said puts too much burden on the user and can’t work with every form of data collection. Instead, regulating data use at the company level and simply taking some of those uses off the table—those that would be high risk to the consumer—ultimately makes the consumer safer.
The bill as it stands “may not have gotten all the balances you have to get exactly right or to everyone’s satisfaction, but it’s a really good starting point for that,” he said.
The NTIA’s John Morris said the bill, while acknowledging that notices have become an obstacle to meaningful consumer interaction in some cases, does shift somewhat from the FIPPs model of notice and choice, but its requirements are less rigid, depending more on context. There is still a place for notice and choice in the Digital Age.
“We want to achieve something that allows me to go to the health club and sign up for a class and have them take my credit card and email me without a whole lot of notices,” Morris said. “But at the same time, if the health club strikes a deal with the insurance company and starts passing up information to the insurance company when I miss a class, jolly well, I do want to know about that.”
Finally, Hintze and Kerry said it’s essential that some version of this bill is passed if the U.S. wants to maintain a viable economic relationship with Europe.
“They think we don’t have privacy laws,” Kerry said of his experience talking privacy overseas.
Hintze agreed: “There are broad misunderstandings about U.S. privacy law, and having one in place would certainly help in those discussions and help companies doing business globally.”