Movement toward a U.S. privacy framework is gaining steam this week as lobbying efforts in Washington intensify ahead of the release of White House document outlining an initial approach to consumer privacy and a highly anticipated Congressional hearing Wednesday in which privacy professionals from several major tech companies will testify. 

An "unpublished Notice by the National Telecommunications and Information Administration," an arm of the Department of Commerce, has appeared on the Federal Registry and includes a PDF requesting public comment by October 26 on a federal approach to consumer privacy. Through the NTIA's request for comment, "the Administration will determine the best path toward protecting individual's [sic] privacy while fostering innovation," the document states. "The time is ripe for this Administration to provide the leadership needed to ensure that the United States remains at the forefront of enabling innovation with strong privacy protections." 

A driving force behind a federal mandate, according to the NTIA document, are industry and White House concerns that the EU General Data Protection Regulation and "a growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape." The aim of a framework, according to the NTIA, is to reduce regulatory fragmentation and increase national and global interoperability. 

The document also supports a risk-based approach to consumer privacy and is broken into two main parts: a set of "user-centric privacy outcomes that underpin the protections that should be produced by any Federal actions on consumer-privacy policy," and "a set of high-level goals that describe the outlines of the ecosystem that should be created to provide those protections," the document states. The NTIA's Request for Comment "does not call for the creation of a statutory standard," but seeks feedback on how to meet these privacy outcomes and goals. 

The RFC is the product of a process led by the National Economic Council of the United States and in coordination with the International Trade Administration to ensure consistency with "international policy objectives" and in conjunction with the National Institute for Standards and Technology to ensure a risk-based approach. The NTIA also received feedback from "a broad range of industries, academics, and civil society organizations." 

An official version of the document is expected Wednesday. 

The forthcoming NTIA release comes in parallel with a hearing Wednesday entitled Examining Safeguards for Consumer Data Privacy. The highly anticipated hearing will be convened by the U.S. Senate Committee on Commerce, Science & Transportation and include testimony from newly promoted Google Chief Privacy Officer Keith Enright, Twitter Global Data Protection Officer and Associate Legal Director Damien Kieran, as well as representatives from AT&T, Amazon, Apple, and Charter Communications. 

Sen. John Thune, R-S.D., the committee's chair, said the hearing "will provide leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation." 

Several organizations have shared their proposed privacy principles. In recent weeks, the U.S. Chamber of Commerce and the Internet Association each released their blueprints. Those were joined this week by proposed frameworks from Google and the Interactive Advertising Bureau. 

In a blog post announcing his promotion to CPO and Google's proposed framework, Enright said the company is "sharing our view on the requirements, scope, and enforcement expectations that should be reflected in all responsible data protection laws." Google's proposed framework emphasizes transparency and user control, including allowing users to "access, correct, delete and download personal information about them." 

Similarly, in a letter to Thune and Ranking Member Bill Nelson, D-Fla., IAB Executive Vice President for Public Policy David Grimaldi said the organization is "eager to partner with Congress as it looks at the online privacy landscape and considers enhancements to benefit consumers," while ensuring the U.S. "maintains its position as the global data leader."

Noting that its 650 members help generate $1.12 trillion in the ad-supported digital ecosystem, the IAB contends data collection must be conducted responsibly, "which IAB member companies realize and safeguard." A framework should "be flexible and nimble so that 'rules of the road' can evolve with innovation and consumer expectations." It also calls for "meaningful consumer controls that are technologically neutral, proportionate to consumer risk, and encourage industry best practices." 

Though industry will be represented at Wednesday's hearings, several privacy and consumer advocacy organizations have been vocal about not being included. 

In comments provided to The Privacy Advisor, Center for Democracy & Technology Policy Counsel Joe Jerome, CIPP/US, said the CDT is "disappointed that the Senate Commerce Committee began this conversation by inviting edge providers and ISPs to discuss their approach to privacy protection. A new federal privacy law cannot just codify what these companies are already doing; the reason we are even here is because the status quo is inadequate." 

Jerome added that the CDT "looks forward to future conversation with Congress and the administration on what a meaningful solution looks like." He notes there's a lot of "top-level consensus already," including on notice, "individual data rights around access, and even some discussion of appropriate prohibitions around collecting and using some data." He noted that Google's framework "includes a collection and use limitation." 

The CDT, he says, believes a federal law "needs to have both real limits around sensitive data practices and an enforcement stick sufficient to ensure this." Two specific data practices of concern, Jerome says, are the sharing of location data and limits on face tracking. 

The Electronic Frontier Foundation has also expressed consternation about lack of representation at Wednesday's hearing. In a blog post, they note current state laws, including the California Consumer Privacy Act, the Illinois Biometric Privacy Act and the Vermont Data Broker Act could all be in jeopardy if a federal law pre-empts state laws.

Look for continuing coverage of Wednesday's hearing, and continuing U.S. federal privacy law developments, from the IAPP. 

photo credit: Bold Frontiers Washington DC Capitol - HDR via photopin (license)