In an unusual move, the Department of Commerce has chimed in on the question of Internet data privacy, issuing a 78-page report from its Internet Policy Task Force. While the Chairman of the FTC has welcomed the new report, the business-oriented tone of the Commerce report suggests that a battle is brewing. Indeed, the report offers strong support for a “voluntary, multi-stakeholder process” that includes businesses as important, cooperative partners, while the FTC treats voluntary efforts by industry -- and industry itself -- almost contemptuously. While Commerce defers to the FTC as the primary enforcement authority, it also stages what appears to be a power grab to take a leadership role in defining how industry will or will not be regulated in the areas of privacy and information security.
So, what exactly is the Commerce report, and where is it likely to lead? The Commerce report refers to itself as a “green paper,” which one might think is a nod to wholesome environmental practices. Actually, in government-speak, a green paper is merely a tentative proposal or call for comments that might lead, eventually, to a white paper, which is a more formal statement of governmental policy. As a result, both the Commerce report and the FTC initiative reflect tentative steps in the direction of statutory, regulatory, and policy changes. How far they proceed is a matter of guesswork, particularly with a new and more conservative Congress waiting in the wings.
The Commerce Report Sounds the Defense of the Status Quo In Privacy Regulation, Founded In Large Part On Self-Regulation By Industry. The Commerce report praises almost unconditionally the handling of the Internet under US law, focusing mainly on at the success of industry as voluntary self-regulators. The report also posits the Department of Commerce itself as the leadership entity within the US Government on privacy matters, and claims a power to “ensure the Internet fulfills its social and economic potential.” The FTC’s mandate of protecting consumers from commercial abuses is far narrower. Direct marketers may have found, in the Department of Commerce, a voice to stand up to the newly regulation-happy and business-unfriendly FTC, and one that is ready to take power from the FTC. This could not be clearer than in Commerce’s own recommendation that an overarching Privacy Policy Office be created under its regulatory umbrella.
FIPPs. Commerce’s approach centers on the “broad adoption” of Fair Information Privacy Practices (“FIPPs”) that are sweeping and general enough to provide “ample flexibility” and “encourage innovation,” and envisions these being reflected in “voluntary, enforceable codes of conduct.” If they are voluntary, of course, they likely would not be promulgated in the form of statutes and regulations. If they are nonetheless enforceable, it would seem as if Commerce -- at least in part -- envisions trade groups and associations to require adherence by members and to provide for their own policing. Whatever the implications, they are different from the FTC’s report requesting that Congress invest it with greater legal authority over privacy matters. The FIPPs, as envisioned by Commerce, would include “simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill those purposes, and the expanded use of robust audit systems to bolster accountability.”
The PPO. Commerce’s proposed Privacy Policy Office is intended to be both “the convener of diverse stakeholders” on privacy matters, but also the “center of Administration commercial data privacy expertise.” It would work with the FTC in “leading efforts to develop voluntary but enforceable codes of conduct.” In a sentence that likely made career FTC employees cringe, Commerce states that compliance with such voluntary codes would serve as a “safe harbor for companies facing certain complaints about their privacy practices.” In other words, compliance with these voluntary codes could potentially insulate a company from privacy and security related claims asserted by the FTC, the individual states, and potentially even money-hungry class action lawyers. Of course, the scope of the “safe harbor” protection is not made especially clear in the Commerce report, and past experience—as in the telemarketing area—suggests that Congress could seriously fumble on the issue preemption of state laws and limitations on bankrupting class action lawsuits.
Uniform Security Breach Notification Rules? The Commerce report takes on an issue that has plagued direct marketers in recent years, and on which Congress has been unable to anything meaningful. Specifically, it proposes replacing the patchwork of dozens of inconsistent state security breach laws with a single national law. While this would put an array of consultants out of business, it would—if done correctly—remove significant regulatory expense (and uncertainty) from the shoulders of direct marketers of all sizes.
Overall, the Commerce report, if it is taken at face value as a genuine reflection of the Department of Commerce's position on commercial privacy matters, is a breath of fresh air. Unlike the FTC's report, which treats things like personalized advertisements as horrible invasions of privacy, the Commerce report reflects an understanding that the collection and use of customer information by businesses has an important place in not only bolstering the growing internet economy, but also serving legitimate consumer and business interests. And, unlike the FTC, places the greatest governmental focus on far more important privacy issues like data security and identity theft.
We are now at the beginning stages of a great debate about Internet privacy that could result in considerable change to the regulatory landscape. In subsequent blog posts, we will be addressing in greater detail individual issues raised by both the Commerce and FTC reports, and provide insights how the debate is evolving.
We wish all of our readers a wonderful holiday season!