13 Jan 2011

Comments on Commerce Department Internet Privacy Green Paper are due January 28


E-Commerce and Privacy Alert


Kate Lucente
Jim Halpert
Thomas M. Boyd


Comments for the US Department of Commerce Green Paper, Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age, are due to the agency by January 28, 2011.

The Green Paper, written by the Department’s Internet Policy Task Force, outlines the Department’s draft proposals and recommendations for commercial information privacy protections.1  Final administration actions to encourage stronger self-regulation and Administration recommendations regarding privacy legislation will likely follow in the form of a final report later in the year.

The Green Paper follows the December 1, 2010 release of the preliminary FTC Staff Report on Privacy, Protecting Consumer Privacy in an Era of Rapid Change (FTC Privacy Report).  Like the FTC Privacy Report, the Green Paper concludes that the current “notice and choice” Internet privacy framework does not work well and so proposes an expanded set of Fair Information Practice Principles (FIPPs). 

Green Paper differs from FTC Privacy report

However, unlike the FTC Privacy Report, the Green Paper emphasizes a narrower set of FIPPs (transparency, purpose specification and use limitations, and auditing for compliance), which it believes “could be highly effective . . . while remaining a flexible, low-cost legal framework.”  It also stresses that self-regulation, rather than legislation or regulation, should play the front-line role in achieving the framework, because self-regulation is more flexible and leaves more room for innovation.  Finally, again in contrast to the FTC Privacy Report, the Green Paper poses a long list of questions regarding privacy legislation and the appropriate role for FTC and FTC rulemaking in setting the framework.  It suggests consideration of baseline privacy legislation and enactment of a national breach notification law, and contemplates FTC authority, at a minimum, to review the self-regulatory principles.  It also asks whether the FTC should be given rulemaking authority to promulgate general privacy principles, which the Commission currently lacks.2 

First, the Green Paper reviews what the DOC considers to be the major technological, legal and policy challenges, in the context of commercial data privacy.  The Green Paper then advocates the “importance of developing a more dynamic approach to commercial privacy,” domestically and internationally: “To address new challenges and to draw from the best features of current privacy law and policy, the Task Force offers for consideration a Dynamic Privacy Framework.”3 

The Green Paper characterizes this Framework as “designed to protect privacy, transparency, and informed choice while also recognizing the importance of improving customer service, recognizing the dynamic nature of both technologies and markets, and encouraging continued innovation over time.”4  The Framework includes policy recommendations under four broad categories:

  • Enhancing consumer trust online by developing a comprehensive set of Fair Information Practice Principles (FIPPs) that serve as baseline privacy standards.  The Department recommends that the US government recognize these FIPPs as “a foundation for commercial data privacy.”5   
  • Encouraging the development of voluntary, enforceable privacy codes of conduct in specific industries that draw on the existing expertise and knowledge of the private sector and governmental stakeholders and build upon current industry best practices.  These voluntary codes of conduct would “promote informed consent and safeguard personal information.”  To advance the codes, the DOC also proposes the establishment of a Privacy Policy Office (PPO) within the Department to work with industry sectors and the FTC in leading efforts to develop voluntary but enforceable codes of conduct.  The PPO’s exclusive focus would be on commercial data privacy.6
  • Renewing the US commitment to leadership in the global privacy policy debate and decreasing regulatory barriers to trade and commerce that US companies face, by encouraging policies that promote “low-friction, cross-border data flow through increased global interoperability of privacy frameworks” and finding “practical means to bridge differences.”7
  • Ensuring “nationally consistent security breach notifications rules.” The Green Paper recommends the consideration of a “federal commercial data security breach notification law that sets national standards, addresses how to reconcile inconsistent State laws, and authorizes enforcement by State authorities.”8  It does not directly address preemption of state data security mandates, however.

The Green Paper’s Framework and findings follow a more than year-long review, conducted by the Department’s Internet Policy Task Force, which consisted of consultations with industry, civil society, academic and government stakeholders.  The review included a Notice of Inquiry (NOI) issued in April, consideration of the responses to the NOI, and a Privacy and Innovation Symposium held in May 2010.  [In the interest of full disclosure, please note that DLA Piper submitted client views in the form of responses to the NOI and DLA Piper partner Jim Halpert was among the speakers at this symposium.]

The Green Paper reported that “NOI respondents were virtually unanimous in calling for strengthening the U.S. commercial data privacy framework,” and that “a majority of respondents suggested that there is a compelling need to ensure transparency and informed consent, to provide additional guidance to businesses, to establish a baseline commercial data privacy framework to afford protection for consumers and to clarify the U.S. approach to commercial data privacy.”9  The Green Paper states that these goals must be achieved “without compromising the current [US privacy] framework’s ability to accommodate customer service, innovation, and appropriate uses of new technologies.”10

Current landscape

The Green Paper observes that “the U.S. protects personal data through a sectoral framework that has facilitated innovation and spurred some of the world’s most technologically advanced services, while also providing meaningful privacy protections.”11  However, the DOC believes that this “sectoral approach” to privacy has left some “gaps” in the federal government’s regulatory framework.  According to the Department, “much of the personal data traversing the Internet falls into these gaps.”12  Further, these gaps are often “filled” by disparate state laws, such as varying state breach notification laws, which present challenges to businesses that must comply with dozens of varying state approaches.

The dynamic privacy framework

The Green Paper envisions a comprehensive national framework for commercial data privacy, with details filled in by flexible industry sector self-regulation. 

Fair information privacy practices (FIPPs)

The Department sees widespread adoption of baseline FIPPs as providing “flexible protection for privacy interests in commercial data that currently receive little or no statutory privacy protection.”13  Rather than replacing current, robust sectoral privacy regulations, these FIPPs would serve to fill in the current gaps in the federal privacy framework by providing a minimum threshold for privacy practices.  In the context of the larger proposed Framework, these baseline FIPPs would be implemented in conjunction with voluntary codes of conduct and government enforcement.  According to the Green Paper, the FIPPs would also respond to consumer concerns about the uses of their personal data and help increase consumer trust. 

For example, the Green Paper sets forth the FIPPs adopted by the US Department of Homeland Security to govern that agency’s use of personally identifiable information, which include, among other things, transparency, individual participation, data minimization, and data quality and integrity.14  The Green Paper envisions the following possible framework:

  • Baseline commercial data privacy policies that would fill existing gaps
  • The development of voluntary, enforceable codes of conduct that enable continued flexibility in rules that can evolve with new technologies and business models
  • Safe harbors against FTC enforcement for practices defined by baseline data privacy or voluntary, enforceable codes
  • Limited rulemaking authority over certain baseline FIPPs if it is established that market failures require prescriptive regulatory action, and
  • A framework likely to lead to lower barriers to the global free flow of goods and services online.

Enhanced transparency

Like the FTC Privacy Report, DOC’s Green Paper calls for enhanced transparency to cure overly complex and detailed privacy disclosures:

Merely providing general information about data practices is not effective transparency; this information must be accessible, clear, meaningful, salient, and comprehensible to its intended audience.  When information is presented in a way that is highly complex or detailed, it may not be transparent. . .  Privacy policies are the current framework’s primary mechanism for informing consumers of companies’ privacy practices. The shortcomings of many privacy policies . . . are widely recognized: they can be dense, lengthy, written in “legalese,” and “overwhelming” to the few consumers who actually venture to read them.15

The Green Paper suggests enhanced transparency that would “improve on the current notice-and-choice framework and broaden the focus to include a more holistic focus on the purposes of personal data collection and use.”  The Department envisions greater transparency that would include shorter, clearer disclosures, and publishing the results of privacy impact assessments.  However, the DOC Framework is more open-ended than the FTC’s Proposed Privacy Framework when discussing how businesses could or should give consumers “meaningful choice” or obtain “informed consent” about the ways a consumer’s personal data is collected and used. 

Second, the Green Paper promotes what it dubs “purpose specification and use limitations,” as an alternative to the principle in the FTC’s proposed framework that businesses should only collect necessary information.  The principles of purpose specification and use limitation would require organizations to commit to collecting data for specific purposes, and using it only in ways that are consistent with achieving those purposes.  The Green Paper states that use of information for other purposes that are “not at the expense of user privacy” should be encouraged and that this new framework is more effective than the FTC’s “notice and consent” obligation for retroactive material changes to privacy policies.16

Third, the Green Paper calls for auditing of actual uses against specified uses set forth in revamped, clearer privacy policies, with “accountability” through internal discipline or outside enforcement in the event of deviations from the stated purposes.

The FIPPs would not, however, stipulate any particular mechanism(s) that organizations should employ to further these principles.  Rather, the Framework envisions the implementation of voluntary and enforceable codes of conduct to address these more specific or procedural issues. 

Voluntary and enforceable codes of conduct

In recognizing that the FIPPs are meant to be comprehensive, yet general, the Framework also proposes the development of voluntary and enforceable codes of conduct that are more specific and yet flexible enough to address emerging technologies and issues not covered by the baseline FIPPs.  The Framework promotes the establishment of self-regulatory codes of conduct, such as the 2008 principles for online behavioral advertising. 

The Green Paper points to the behavioral advertising principles as “the only significant example of a voluntary code of conduct developed through a collaborative industry effort.”17   The Department proposes to incentivize the development of these codes of conduct to increase participation by, among other things, providing a safe harbor for companies that commit and adhere to an appropriate voluntary code of conduct:

Given potential safe harbor, companies will have the opportunity to lower compliance and regulatory risks, which should provide ample incentive to participate in developing voluntary codes.  A voluntary code of conduct would have to meet certain requirements to make adopters eligible for safe harbor: [1] development through an open, multi-stakeholder process and [2] approval by the FTC for sufficiency. . . FTC approval of a voluntary enforceable code of conduct as sufficient would establish a presumption that an entity that demonstrates compliance with the code would not be subject to an enforcement action under FIPPs-based commercial data privacy legislation.  For companies that do not align themselves with a voluntary code of conduct, the default would be for the FTC to enforce the FIPPs through a transparent and predictable process.18

In addition, as noted above, the Framework calls for the development of a Privacy Policy Office within the Department to facilitate the development of voluntary, consensus-based codes of conduct for use in commercial privacy contexts.  However, the FTC would remain the federal government’s primary enforcer of consumer privacy protection. 

The Green Paper also considers the possibility of new privacy legislation and increased enforcement power for the FTC: “Baseline commercial data privacy legislation could give the FTC a specific statutory basis for bringing privacy-related enforcement actions. This enforcement activity would, in turn, clarify the principles and allow them to evolve through case-by-case adjudication.”19

Global interoperability

The Green Paper observes correctly that disparate national approaches to commercial data privacy often create barriers to both trade and commerce, which harm both consumers and companies.  To overcome some of these obstacles, the Framework supports advocating for greater harmonization and international interoperability of privacy standards. Some of the options proposed include:

  • The creation of a global privacy standard
  • Adoption of a treaty or convention to govern cross-border data flows
  • An enhanced US privacy framework that can be more easily supported abroad
  • Increased DOC advocacy for US interests in bilateral and multilateral privacy discussions
  • The creation of accountability certifications, such as Binding Corporate Rules, to enable cross-border data flows
  • Application for adequacy status from the European Union

The Green Paper notes, by way of example, that the Department is currently pursuing endorsement of a system for cross-border transfers from APEC countries that satisfy the APEC Privacy Principles.  This APEC Pathfinder project would be a self-regulatory framework or seal program for businesses to transfer consumer data across the APEC region pursuant to privacy protections that track the APEC Privacy Principles. 

National security breach notification requirement

The Green Paper notes that nearly all of the NOI responses that addressed the issue favored federal preemption of state data breach laws.  The Department itself also expressed concerns over the current condition of state data breach legislation:  “State privacy laws still present challenges to businesses that must comply with several dozen variations on the same theme. As one commenter complained, the State law ‘maze’ is costly and confusing for businesses and consumers alike.”20  The Green Paper endorses adoption of a national security breach notification law, but does not address adopting a uniform data security law, which may be equally important.

Preemption of state laws

In its Green Paper, the Department further raises the issue of preemption of other state privacy laws by enacted federal legislation, but it does not really take a position on the issue: 

Any new Federal privacy framework should seek to balance the desire to create uniformity and predictability across State jurisdictions with the desire to permit States the freedom to protect consumers and to regulate new concerns that arise from emerging technologies, should those developments create the need for additional protection under Federal law.

Rather than take a position on the issue, the Department presented some of the arguments on both sides and poses additional questions for public comment (See Section III).

Electronic surveillance and commercial information privacy

Lastly, the Green Paper discusses the privacy concerns surrounding new technologies, such as cloud computing and location-based services.  In this context, a major concern is that current laws regulating law enforcement access to Internet communications (and records associated with customer accounts) may undermine consumer trust and, accordingly, the utilization and development of these technologies.  So, the Department is seeking further comment and data (i) from the public concerning the Electronic Communications Privacy Act’s (ECPA) effects on the adoption of cloud computing and location-based services; and (ii) from members of the law enforcement community on how potential ECPA amendments would affect their investigations.

Commerce also requesting comment on further questions

In its Green Paper, the Department also seeks comment on a number of specific questions, which are set forth in the Appendix below, several of which bear in important ways on the Administration’s recommendations regarding federal privacy legislation. 

Again, comments on the Green Paper are due January 28. 

Please let us know if you are interested in filing comments to the Green Paper or to the questions below and would like assistance in your filing.  For more information, please contact Jim Halpert, Tom Boyd or Kate Lucente.

APPENDIX: FURTHER QUESTIONS FROM COMMERCE DEPARTMENT (BY TOPIC)

Fair information privacy practices (FIPPs)

1) Should baseline commercial data privacy principles, such as comprehensive FIPPs, be enacted by statute or through other means, to address how current privacy law is enforced?

2) How should baseline privacy principles be enforced? Should they be enforced by non-governmental entities in addition to being the basis for FTC enforcement actions?

3) As policymakers consider baseline commercial data privacy legislation, should they seek to grant the FTC the authority to issue more detailed rules? What criteria are useful for deciding which FIPPs require further specification through rulemaking under the Administrative Procedure Act?

4) Should baseline commercial data privacy legislation include a private right of action?

Transparency

1) What is the best way of promoting transparency so as to promote informed choices? The Task Force is especially interested in comments that address the benefits and drawbacks of legislative, regulatory, and voluntary private sector approaches to promoting transparency.

2) What incentives could be provided to encourage the development and adoption of practical mechanisms to protect consumer privacy, such as privacy impact assessments (PIAs), to bring about clearer descriptions of an organization’s data collection, use, and disclosure practices?

3) What are the elements of a meaningful PIA in the commercial context? Who should define these elements?

4) What processes and information would be useful to assess whether PIAs are effective in helping companies to identify, evaluate, and address commercial data privacy issues?

5) Should there be a requirement to publish PIAs in a standardized and/or machine-readable format?

6) What are consumers’ and companies’ experiences with systems that display information about companies’ privacy practices in contexts other than privacy policies?

7) What are the relative advantages and disadvantages of different transparency-enhancing techniques in an online world that typically involves data from multiple sources being presented through a single user interface?

8) Do these (dis)advantages change when one considers the increasing use of devices with more limited user interface options?

9) Are purpose specifications a necessary or important method for protecting commercial privacy?

10) Currently, how common are purpose specification clauses in commercial privacy policies?

11) Do industry best practices concerning purpose specification and use limitations exist? If not, how could their development be encouraged?

12) What incentives could be provided to encourage companies to state clear, specific purposes for using personal information?

13) How should purpose specifications be implemented and enforced?

14) How can purpose specifications and use limitations be changed to meet changing circumstances?

15) Who should be responsible for demonstrating that a private sector organization’s data use is consistent with its obligations? What steps should be taken if inconsistencies are found?

16) Are technologies available to allow consumers to verify that their personal information is used in ways that are consistent with their expectations?

17) Are technologies available to help companies monitor their data use, to support internal accountability mechanisms?

18) How should performance against stated policies and practices be assessed?

19) What incentives could be provided to encourage companies to adopt technologies that would facilitate audits of information use against the company’s stated purposes and use limitations?

Voluntary and enforceable codes of conduct

1) Should the FTC be given rulemaking authority triggered by failure of a multi-stakeholder process to produce a voluntary enforceable code within a specified time period?

2) How can the Commerce Department best encourage the discussion and development of technologies such as “Do Not Track”?

3) Under what circumstances should the PPO recommend to the Administration that new policies are needed to address failure by a multi-stakeholder process to produce an approved code of conduct?

4) How can cooperation be fostered between the National Association of Attorneys General, or similar entities, and the PPO?

5) Do FIPPs require further regulatory elaboration to enforce, or are they sufficient on their own?

6) What should be the scope of FTC rulemaking authority?

7) Should FIPPs be considered an independent basis for FTC enforcement, or should FTC privacy investigations still be conducted under Federal Trade Commission Act Section 5 “unfair and deceptive” jurisdiction, buttressed by the explicit articulation of the FIPPs?

8) Should non-governmental entities supplement FTC enforcement of voluntary codes?

9) At what point in the development of a voluntary, enforceable code of conduct should the FTC review it for approval? Potential options include providing an ex ante “seal of approval,” delaying approval until the code is in use for a specific amount of time, and delaying approval until enforcement action is taken against the code.

10) What steps or conditions are necessary to make a company’s commitment to follow a code of conduct enforceable?

National security breach notification requirement

1) What factors should breach notification be predicated upon (e.g., a risk assessment of the potential harm from the breach, a specific threshold such as number of records, etc.)?

Coexistence of fair information privacy practices with current sectoral privacy regulations

1) Are there lessons from sector-specific commercial data privacy laws—their development, their contents, or their enforcement—that could inform US commercial data privacy policy?

Preemption of state laws

1) Should a preemption provision of national FIPPs-based commercial data privacy policy be narrowly tailored to apply to specific practices or subject matters, leaving States free to regulate new concerns that arise from emerging technologies? Or should national policy, in the case of legislation, contain a broad preemption provision?

2) How could a preemption provision ensure that Federal law is no less protective than existing State laws? What are useful criteria for comparatively assessing how protective different laws are?

3) To what extent should State Attorneys General be empowered to enforce national FIPPs-based commercial data privacy legislation?

4) Should national FIPPs-based commercial data privacy legislation preempt State unfair and deceptive trade practices laws?

Electronic surveillance and commercial information privacy

1) The Task Force seeks case studies and statistics that provide evidence of concern—or comments explaining why concerns are unwarranted—about cloud computing data privacy and security in the commercial context. We also seek data that link any such concerns to decisions to adopt, or refrain from adopting, cloud computing services.

2) The Task Force also seeks input on whether the current legal protections for transactional information and location information raise questions about what commercial data privacy expectations are reasonable and whether additional protections should be mandated by law. The Task Force also invites comments that discuss whether privacy protections for access to location information need clarification in order to facilitate the development, deployment and widespread adoption of new location-based services.

3) The Task Force seeks information from the law enforcement community regarding the use of ECPA today and how investigations might be affected by proposed amendments to ECPA’s provisions.



1 See U.S. Dep’t of Comm., “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” (Dec. 16, 2010), available here [hereinafter Green Paper].

2 Id. at 72.

3 Id. at 3.

4 Id.

5 Id. at 3-4.

6 Id. at 5-6.

7 Id. at 6-7.

8 Id. at 7-8.

9 Id. at 2-3.

10 Id. at 3.

11 Id. at 11.

12 Id. at 12.

13 Id. at 23.  The Homeland Security FIPPs include: transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination and maintenance of personally identifiable information (PII); individual participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual affirmative consent for the collection, use, dissemination and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction and redress regarding use of PII; purpose specification: Organizations should specifically articulate the legal authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used; data minimization: Organizations should only collect PII that is directly “relevant and necessary” to accomplish the specified purpose(s) and only retain PII for as long as is “necessary” to fulfill the specified purpose(s); use limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected. Note that while the discussion of use limitations that follows below draws on the DHS statement of this principle, it goes significantly beyond DHS’s statement; data quality and integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely and complete; security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification or unintended or inappropriate disclosure; accountability and auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

14 Id. at 26.

15 Id. at 32.

16 Id. at 39.

17 Id. at 42.

18 Id. at 44.

19 Id. at 51.

20 Id. at 57.



This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.

Copyright © 2012 DLA Piper. All rights reserved.