Commerce Department Backs Privacy Guidelines, New Office

The Commerce Department proposed adoption of fair information practice principles amounting to a “Privacy Bill of Rights” for online consumers, setting up a privacy policy office in the department, and reviewing the Electronic Communications Privacy Act in light of cloud computing, it announced Thursday.

"Self-regulation without stronger enforcement is not enough,” Commerce Secretary Gary Locke said on a call with reporters. There are no uniform requirements on how businesses handle consumers’ information online, and this is partly by design, he said. A key department recommendation is for companies to develop “voluntary, enforceable privacy codes of conduct” about how consumer information is collected and used. The proposed Privacy Policy Office would help outline the proper practices and work with the rest of the Obama administration, the FTC and other agencies to examine the commercial use of consumer data and identify gaps in privacy protection. Neither the report nor the Commerce officials on the call took a positions on the “Do Not Track” approach that the FTC proposed this month (CD Dec 15 p2). But the department encouraged discussion of data privacy rules including Do Not Track technology.

Legislation may be needed to ensure that companies follow privacy principles, Commerce officials said. The department hopes to get interested players to the table to broaden adoption of the conduct codes but recognizes that it has no authority to compel participation or compliance, said Daniel Weitzner, NTIA’s associate administrator for policy. Locke stressed that the report isn’t final and the department is seeking public comments through Jan. 28 on issues including whether legislation is needed. Commerce also seeks comment on whether the FTC should get the power to issue more-detailed rules and whether privacy legislation should allow consumers to sue over violations.

The report proposed a federal data breach notification law to set national standards and pre-empt state statutes that conflict with it. Calling for a comprehensive national approach to commercial data breach, the report seeks comments on whether and how state attorneys general should be empowered to enforce federal commercial data privacy legislation and how pre-emption could ensure that federal law is no less protective than current state laws. It also asks whether a pre-emption provision should apply narrowly to specific practices or subject matters, leaving states free to regulate in response to new concerns that arise from emerging technologies.

The report also seeks better international cooperation on privacy. Complying with varying privacy frameworks around the world can be time-consuming and costly for U.S. businesses, the report said. “Consistent with the general goal of decreasing regulatory barriers to trade and commerce, the U.S. Government should work with our allies and trading partners to promote low-friction, cross-border data flow through increased global interoperability of privacy frameworks,” the report says.

"I hope that the Department of Commerce in its final report will reach the conclusion that legislation is necessary to protect consumers,” said Chairman Jay Rockefeller, D-W.Va., of the Senate Commerce Committee. The FTC will try to avoid privacy conflicts with Commerce while going its own way, a commission official said this week. “We play nicely with our sister agencies,” said Jessica Rich, the Consumer Protection Bureau’s deputy director. The department’s views “reflect the positions of the administration,” whereas the FTC is an independent agency, she said on an American Bar Association teleconference (CD Dec 15 p3). The agencies stay in communication about policy, and “we do not want to clash with them, Rich said. But “we make our own decisions, and we go on our timeline,” she emphasized. Creating an administration privacy office “will not undermine or interfere with” the FTC’s efforts, Rich said.

Some consumer groups criticized the report for not backing legislation and as too industry-friendly. Instead of real laws protecting consumers, “we are offered a vague multi-stakeholder process to help develop enforceable codes of conduct,” said Jeff Chester, the Center for Digital Democracy’s executive director. “The time for questions has long passed,” and the paper should have firmly articulated what the safeguards should be for different sensitive data, he said. A new Privacy Policy Office should be independent and be covered by the Administrative Procedure Act, he said. The report proposed replying on a “failed self-regulatory model” when it’s clear that real regulations with “meaningful enforcement are necessary,” the Consumer Watchdog organization said. While praising the report, the Center for Democracy & Technology urged the Congress to “step up and pass the legislation needed to enact a baseline consumer privacy law.”