Wednesday, April 09, 2008

Federal Legislative Outlook, Privacy/Antitrust Issues Discussed at IAPP Privacy Summit

This posting was written by Thomas Long, Editor of CCH Privacy Law in Marketing.

Congress is unlikely to complete legislation on data security in the current term, David Strickland, counsel for the Senate Commerce Committee, said on March 27. Strickland was speaking at a panel discussion on legislative developments at the Privacy Summit held by the International Association of Privacy Professionals (IAPP) in Washington, D.C., on March 26-28.

"[Data security legislation] will be a high priority in the next Congress," Strickland said, "and the groundwork for that will be laid in this Congress."

House Judiciary Committee counsel, Ameer Gopalani, stated that he thinks "we can enact something," although legislation might not include the full gamut of issues. "If the committees can work together," he said, "we can nail down the strong policy" this year.

Desire for Uniformity, Predictability

Representing the private sector, Tony Hadley, Vice President of Government Affairs for credit reporting agency Experian, said, "Uniformity and predictability is what businesses want." At present, these qualities are lacking, with varying state laws making it hard to determine the applicable data security standards for nonfinancial entities. Hadley also advocated that the federal government exercise restraint in adding new regulations.

According to Strickland, the bill currently under examination in the Senate Commerce Committee (S. 1178) would cover entities not reached by the Gramm-Leach-Bliley Act and would probably extend the FTC’s Safeguards Rule to nonfinancial businesses.

With regard to online advertising, Strickland said that there would likely be a focus on the FTC’s approach to behavioral advertising, in an effort "to create a fulsome and effective industry self-regulatory regime." The committee is in "studying mode" on the issue, he said.

Emerging Antitrust Role for Privacy Professionals

The intersection of privacy and antitrust is creating a new role for chief privacy officers serving companies undergoing mergers and other transactions—that of participating in the antitrust due diligence process, privacy law expert Peter Swire observed at the IAPP Privacy Summit on March 28.

Viewing the differing ways businesses treat privacy as a form of non-price competition is a concept "clearly within the antitrust mainstream," according to Swire, a professor at the Moritz School of Law of the Ohio State University.

Although the Federal Trade Commission declined to interfere with a merger between Google and online advertising company DoubleClick last December, all five members of the Federal Trade Commission have recognized that privacy practices are relevant to the merger review process, Swire said.

He pointed out that FTC Commissioner Pamela Jones Harbour, in her dissent to the FTC’s approval of the deal, had predicted that, in future merger reviews involving combinations of data, the FTC would likely issue Second Requests asking detailed questions about privacy practices, data, and the effect of mergers on them.

In Swire’s view, the two key questions in examining privacy in an antirust context are: (1) is privacy a non-price factor that is important to consumers? and (2) will the merger reduce competition in privacy? There is a competitive advantage to having a good privacy reputation, Swire said, and there is evidence that businesses are competing on that basis.

Reducing privacy-related competition can negatively affect consumer welfare, according to Swire. In addition, privacy harms can lead to a reduction in the quality of a good or service, such as a shift from low-surveillance to high-surveillance practices by website operators. These harms provide possible reasons to block or place conditions on a merger.

About the IAPP

The IAPP is the world's largest association of privacy professionals. Based in York, Maine, the organization represents more than 4,700 members from businesses, governments, and academia across 32 countries. The IAPP's Executive Director is J. Trevor Hughes, co-author of CCH Privacy Law in Marketing. More information about the IAPP is available at

No comments: