
Jacqueline Klosek, CIPP

The prestigious National Research Council (NRC) recently issued a comprehensive report on privacy and technology in the digital age. In addition to providing a very thoughtful and detailed overview of privacy, the report outlines the need for a national privacy commissioner or standing privacy commission to provide ongoing and periodic assessments of privacy developments. Exceeding 450 pages, the report, "Engaging Privacy and Information Technology in a Digital Age," examines the past, present, and future of privacy in great detail. It also provides recommendations on the future of privacy regulation. While its value as a tool for prognosticating the near-term future of privacy remains questionable, it is a thought-provoking read for individuals interested in privacy issues.

History of the Report
The NRC, a body organized by the National Academy of Sciences (NAS) in 1916 to advise the federal government, assembled a committee of 16 people with a fairly broad range of expertise, including senior individuals with backgrounds in information technology; business; government; consumer protection; liability; economics; and privacy law and policy. From 2002 to 2003, the committee held five meetings to explore a wide range of different viewpoints. For example, briefings and/or other input were obtained from government officials at all levels, authorities on international law and practice relating to policy, social scientists and philosophers concerned with personal data collection, experts on privacy-enhancing technologies, business representatives concerned with the gathering and uses of personal data, consumer advocates, and researchers who use personal data.

Findings and Recommendations
An overriding theme present in the findings was that privacy is ever-evolving and highly contextual. The researchers contended that one's view of privacy and interpretation of its value and importance will often vary, depending upon the circumstances, including the situation and relationships at hand, the intentions of the parties involved, and other contextual factors. Despite the contextual factors impacting privacy, the report's authors still found that the loss of privacy can, and often does, result in significant harm to individuals and groups. Ultimately, the report concluded that privacy is an important value that should be protected.

Select Recommendations
The report placed a lot of attention on the role of the government in the privacy equation. As a result, many of the recommendations were focused on the government:

  • Governments at various levels should establish formal mechanisms for the institutional advocacy of privacy within government. The report made the case for the establishment of a national privacy commissioner or standing privacy commission to provide guidance on privacy developments. While this is a viable approach in many other countries that have implemented national privacy commissioners with broad oversight, it is questionable whether this well-founded approach has enough support in the U.S.  
  • The U.S. government should undertake a broad systematic review of national privacy laws and regulations. Privacy advocates have long criticized the U.S. for having a piecemeal approach to privacy. For some time now, many individuals have contended the sectoral-based approach to privacy should be replaced with a system that is much more comprehensive. Back in the late 1990s, when the main European privacy directive was coming into force, there seemed to be a fair amount of momentum toward enacting a comprehensive privacy law in the U.S. However, since then, privacy has taken a large step back, and it seems there are many reasons to be skeptical about the passage of a comprehensive privacy law in the United States any time soon.
  • Government policy makers should respect the spirit of privacy-related laws. The report's authors observed that various governmental bodies have important roles to play in protecting individual privacy rights. However, they concluded that the existing legal and regulatory framework surrounding privacy is still a patchwork that lacks consistency. As a result, the authors suggested that policymakers pursue a less decentralized and more integrated approach to privacy policy and regulation.
  • Congress should pay special attention to, and provide special oversight over, the government's use of private sector organizations to obtain personal information about individuals. During the past few years, increased governmental demands for data from the private sector have raised major concerns among privacy advocates.  The authors recognized this and suggested that Congress begin to focus more closely on these issues.
  • Governments at all levels should take action to establish the availability of appropriate individual recourse for recognized violations of privacy. In the report, the experts observed that the availability of individual recourse for recognized violations of privacy is an essential element of public policy regarding privacy. They contended that the lack of sufficient recourse is a weakness of the present U.S. system.

The report also contained a number of recommendations that are applicable to the private sector:  

  • The FTC principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations. The principles of fair information practice for the protection of personal information, first enunciated back in a 1973 report of the U.S. Department of Health, Education and Welfare, are, according to the committee, still of great relevance today. The report suggests that private sector enterprises should abide by such fair information principles.
  • Organizations with self-regulatory privacy policies should take both technical and administrative measures to ensure their enforcement. In addition, organizations should routinely test whether their stated privacy policies are being fully implemented; produce privacy impact assessments when they are appropriate; strengthen their privacy policy by establishing a mechanism for recourse if an individual or a group believes they have been treated in a manner inconsistent with an organization's stated policy; and establish an institutional advocate for privacy. While acknowledging that companies operating in the privacy sector can develop and implement self-regulatory regimes for protecting personal data, the authors also expressed concern that self-regulation is limited as a method for ensuring privacy. At the same time, however, they did acknowledge that self-regulation does provide some level of protection that might not otherwise be available to the public.
  • Where policy decisions require that individuals shoulder the burden of protecting their own privacy, law and regulation should support that goal. In order to enhance privacy, individual, organizational and public policy actors have roles to play. Individuals can take a number of steps to enhance the privacy of their personal data as well as to become better informed about the extent to which their privacy has been compromised, although the effectiveness of these measures is bound to be limited.

Likely Impact of the Report
The report is comprehensive, but it has been subject to a fair amount of criticism. For one, it contains so many recommendations that the report's value is watered down. The report's authors may have been better advised to focus on a smaller number of critical issues. In addition, there are real questions about the practical value of many of the recommendations. This may be due in part to the fact that many of the report's authors were academics. Arguably, it would have been more advantageous to have more practitioners and privacy advocates on board. Finally, and perhaps most significantly, there seems to be very little political will for movement on these issues at this time. Indeed, all indications suggest that the present administration is of the view that privacy should take a backseat to expansive information collection efforts that are even tangentially connected to the ongoing War on Terror. At the same time, while there has been a fair amount of attention on discrete aspects of privacy and data security, in particular the legislative response to data security breaches, there has not been a lot of serious focus on efforts to enact a comprehensive federal practice law. In sum, although the report is an interesting read, there is little reason to hope that it will actually lead to significant changes in privacy regulation.

Jacqueline Klosek is Senior Counsel with Goodwin Procter LLP, where she specializes in privacy and intellectual property. She is the author of many publications concerning privacy law, including the recently published War on Privacy (Praeger, 2006). She may be reached for comment at:



A Free Executive Summary of the Report on Engaging Privacy and Information Technology in a Digital Age is available at: Information about obtaining the full report is also available on the Web site of the NAP at

