Thursday, December 16, 2010





Commerce Department Task Force Issues Green Paper on Internet Privacy Protection

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

The government should develop a dynamic framework for the protection of consumers’ commercial data online—including the adoption of a set of baseline principles akin to a “Privacy Bill of Rights”—while supporting innovation and evolving technology, according to a green paper issued December 16 by the Commerce Department’s Internet Policy Task Force.

The green paper—titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework—reviews the technological, legal, and policy contexts of current commercial data privacy challenges; describes the importance of developing a more dynamic approach to commercial privacy both in the United States and around the world; and discusses policy options.

The green paper is meant to stimulate further public discussion with the domestic and global privacy policy community, according to the task force.

Rather than expressing a commitment to specific policy proposals, it addresses areas of policy and possible approaches. More specific proposals may be considered, as appropriate, in a future white paper, the task force said.

“America needs a robust privacy framework that preserves consumer trust in the evolving Internet economy while ensuring the Web remains a platform for innovation, jobs, and economic growth,” said Commerce Secretary Gary Locke.

“Self-regulation without stronger enforcement is not enough,” he warned. “Consumers must trust the Internet in order for businesses to succeed online. Today’s report is a road map for considering a new framework that is good for consumers and businesses.”

Fair Information Practice Principles

The government should adopt a baseline commercial data privacy framework built on an expanded set of Fair Information Practice Principles (FIPPs), the task force said. Baseline FIPPs would be comparable to a “Privacy Bill of Rights.”

“Revitalized FIPPs should emphasize substantive privacy protection rather than simply creating procedural hurdles,” the task force stated. “To promote informed consent without imposing undue burdens on commerce and on commercial actors, FIPPs should promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability.”

High priority should be given to FIPPs that enhance transparency regarding data privacy practices, encourage greater detail in purpose specifications and use limitations, and foster the development of verifiable evaluation and accountability, in the task force’s view.

Voluntary, Enforceable Codes of Conduct

The green paper urges the government to encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through the collaborative efforts of multi-stakeholder groups, the Federal Trade Commission, and a new Privacy Policy Office within the Department of Commerce.

Codes of conduct should address emerging technologies and issues not covered by current application of baseline FIPPs. To encourage the development of such codes, the task force said the Administration should consider a variety of options, including public statements of Administration support, stepped-up FTC enforcement, and legislation that would create a safe harbor for companies that adhere to codes of conduct.

Establishment of Privacy Policy Office

According to the green paper, the Commerce Department should establish a Privacy Policy Office (PPO) to serve as a center of commercial data privacy expertise. The proposed PPO would have the authority to convene discussions of commercial data privacy implementation models, best practices, codes of conduct, and other areas that would benefit from bringing stakeholders together. The PPO would work in concert with the Executive Office of the President as the Administration’s lead on international outreach on commercial data privacy policy.

The PPO would not have any enforcement authority. In the opinion of the task force, the FTC should remain the lead consumer privacy enforcement agency for the U.S. government.

Increased International Cooperation

The U.S. government should continue to work toward increased cooperation among privacy enforcement authorities around the world and should develop a framework for mutual recognition of other countries’ commercial data privacy regimes, the task force said.

Global privacy interoperability should build on accountability, mutual recognition and reciprocity, and should be based on enforcement cooperation principles pioneered in the Organisation for Economic Cooperation and Development (OECD) and Asia-Pacific Economic Cooperation (APEC).

Federal Data Security Breach Standards

The green paper recommended that the government consider adopting a comprehensive commercial data security breach framework for electronic records. Such a framework should include breach notification provisions and should encourage companies to implement strict data security protocols.

States would be allowed to build upon the framework in limited ways, the task force said. A federal framework should track the effective protections that have emerged from state security breach notification laws and policies.

Review of Electronic Communications Privacy Act

The Administration should review the Electronic Communications Privacy Act (ECPA), with a view to addressing privacy protection in cloud computing and location-based services, the green paper determined. This effort should ensure that, as technology and market conditions change, the ECPA protects individuals’ expectations of privacy and punishes unlawful access to and disclosure of consumer data.

Comments Sought

The Commerce Department is seeking public comments on the plan to further the policy discussion and ensure the framework benefits all stakeholders in the Internet economy. Comments are due on or before January 28, 2011. Written comments may be submitted by mail to the National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue, N.W., Room 4725, Washington, DC 20230. Online submissions in electronic form may be sent to privacynoi2010@ntia.doc.gov.

Text of the 88-page green paper is available here on the Commerce Department’s website.

FTC Chairman’s Statement

“The Department of Commerce’s Green Paper is a welcome addition to the ongoing dialogue about protecting consumers’ privacy,” said FTC Chairman Jon Leibowitz. “It places special emphasis on policies that will preserve the viability of the Internet as it evolves through innovation, transforms the marketplace, and spurs economic growth. We think it will make a significant contribution to the growing and critical debate about how best to protect the privacy of American consumers.”
