Privacy Perspectives | Is the New Consumer Privacy Bill Overkill? A Q&A with Adam Thierer

The Obama administration’s draft discussion Consumer Privacy Bill of Rights is a hot topic of conversation here in Washington. Recently, Adam Thierer and I had a chance to talk about it. Adam is a well-known figure in privacy circles. He is a senior research fellow with the Technology Policy Program at the Mercatus Center at George Mason University specializing in technology, media, Internet and free-speech policies, with a particular focus on online safety and digital privacy.

Chris Wolf: What are your high-level reactions to the proposed privacy legislation?

Adam Thierer: The bill aims to convert fair information practice principles, which have traditionally been flexible, voluntary guidelines, into a more formal set of federal regulatory edicts. Many of the principles found in the administration’s draft proposal are quite sensible as best practices for private-sector digital innovators, but the danger here is that they would be transformed into a heavy-handed, bureaucratized regulatory regime for America’s dynamic, data-driven economy.

I worry about the consequences of that approach for the future of technological innovation, consumer choice, entrepreneurialism, economic growth and the competitiveness of America’s digital economy. Indeed, I have the same question about the measure that was posed by Michael Mandel, chief economic strategist at the Progressive Policy Institute: “Do Democrats who support a strict privacy standard understand the economic consequences of imposing more regulations on the sector which has been the main force for lifting living standards since the bust?”

The measure’s silence on government surveillance activities is also concerning. The administration should have first channeled its energies into that far more significant privacy problem.

CW: Is there any part of the legislation that you like?

AT: To reiterate, most of the best practices found in the bill represent sensible general guidelines for data-collecting entities to follow; it’s the fact that they are being converted into regulatory demands that concerns me. But to the extent anything here is needed, I’d say the provisions preempting certain state laws are probably needed to address the growing crazy-quilt of overlapping digital privacy and security laws.

CW: From a compliance perspective, what is your take on what would be required of businesses that collect personal data?

AT: It’s clear that this measure opens the door to a significant expansion in the regulatory oversight of the digital economy and the great many operators who engage in various types of data collection. With the exception of very small organizations, the definition of “covered entity” is broad enough that just about everyone operating across the entire digital ecosystem will be swept up by the proposal. If this measure is ever subjected to a serious benefit-cost analysis, I suspect that the breadth of its coverage will result in staggering compliance costs.

CW: Is it fair to say that the bill treats all data that is linkable to a person or a device as potentially dangerous? Is that the right approach?

AT: In a sense, that is a logical response to the growth of digital connectivity and the rise of the Internet of Things. The problem is that this move significantly enlarges the scope of regulation envisioned by this bill. It’s also not likely workable. If every data-collecting device and service in our lives triggers this new compliance regime, one wonders how regulators will enforce it considering the sheer volume of activity we are talking about here.

CW: The bill places a heavy emphasis on disclosures at the time of data collection and the context of data collection. To what extent will this approach stifle secondary or innovative uses of data?

AT: The bill essentially reverses the burden of proof regarding many current data collection practices and moves us toward a “guilty until proven innocent” sort of standard (similar to the approach used in Europe). In particular, there’s a great deal of vague language found throughout the proposal about what is “not reasonable in light of context.” The ambiguity about that term alone could trigger an avalanche of legal activity and enforcement nightmares. In turn, that could greatly limit innovative secondary uses of data and prevent serendipitous data discovery.

CW: Should the bill distinguish between first-party and third-party data collection?

AT: There are good reasons to distinguish between first-party and third-party data collection and to ensure that the latter receives more scrutiny and greater care. On the other hand, third-party data collection isn’t some sort of nefarious business practice. It can benefit consumers just as much as first-party data collection practices by offering more personalized services or cross-subsidizing services to help keep prices low, or even at zero.

CW: What is your opinion on the introduction of a privacy review board?

AT: Privacy review boards sound great in theory, but in practice they could become a major impediment to digital innovation by slowing the advent of new and better online services that the public desires. To be clear, companies should absolutely have people and procedures in place internally to review their data collection and use policies. In this regard, I have repeatedly praised the role that IAPP-trained privacy professionals play and noted the important influence they are having on how privacy and security by design work “on the ground” today. It might even be sensible for some data-driven companies to bring on “data ethicists” to grapple with thorny problems associated with more widespread data collection or use. However, as with best practices, it is an entirely different matter to be mandating any of these things in a top-down fashion through federal mandates.

CW: What is the Federal Trade Commission’s (FTC's) role in the bill? Is the FTC a winner or a loser in this legislation?

AT: It’s hard to see why the FTC has pushed back against this draft bill. If instituted, this bill would solidify the agency’s growing influence over the digital economy. The agency would be granted powers over and above its existing (and already quite expansive) Section 5 “unfair and deceptive practices” authority. Under Sec. 402 of the draft proposal, the FTC’s Section 5 authority is expressly preserved. Meanwhile, the agency is given oversight authority for the proposed codes of conduct to determine whether they should qualify for safe harbor protection. All in all, that sounds like a win for the FTC to me.

CW: How does the bill impact the role of state attorneys general and consumer class-action lawsuits in shaping privacy law? Is that the right approach?

AT: By granting state AGs expanded authority to pursue civil action on behalf of their residents, the measure simply adds another potential layer of legal risk to the perilous regulatory climate the rest of this bill would create for digital innovators. Again, these potential costs need to be factored into any benefit-cost analysis conducted in the future.

CW: Should the bill be improved or should we start from scratch?

AT: We need a completely different approach that would not completely upend America’s data-driven economy and all the life-enriching innovation that goes along with it. The last thing we want to do is follow the European Union down the disastrous path it has charted with top-down data directives and digital economy micromanagement at every juncture. That has decimated digital innovation on the other side of the Atlantic.

CW: Does the U.S. need a Consumer Privacy Bill of Rights? Why or why not?

AT: For all the reasons I’ve stated here, we need to reorient our policy focus to tap alternative and less costly approaches to protecting privacy and security that rely on education, empowerment and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions. Instead of imposing fair information practice principles in a rigid regulatory fashion, privacy and security best practices should evolve gradually to address new marketplace realities and be applied in a more organic and flexible fashion, often outside the realm of public policy.

CW: Thanks for your thoughts, Adam.
