In an unusual move, the Department of Commerce has chimed in on the question of Internet data privacy, issuing a 78-page report from its Internet Policy Task Force. While the Chairman of the FTC has welcomed the new report, the business-oriented tone of the Commerce report suggests that a battle is brewing. Indeed, the report offers strong support for a “voluntary, multi-stakeholder process” that includes businesses as important, cooperative partners, while the FTC treats voluntary efforts by industry -- and industry itself -- almost contemptuously. While Commerce defers to the FTC as the primary enforcement authority, it also stages what appears to be a power grab to take a leadership role in defining how industry will or will not be regulated in the areas of privacy and information security.
So, what exactly is the Commerce report, and where is it likely to lead? The Commerce report refers to itself as a “green paper,” which one might think is a nod to wholesome environmental practices. Actually, in government-speak, a green paper is merely a tentative proposal or call for comments that might lead, eventually, to a white paper, which is a more formal statement of governmental policy. As a result, both the Commerce report and the FTC initiative reflect tentative steps in the direction of statutory, regulatory, and policy changes. How far they proceed is a matter of guesswork, particularly with a new and more conservative Congress waiting in the wings.
FIPPs. Commerce’s approach centers on the “broad adoption” of Fair Information Privacy Practices (“FIPPs”) that are sweeping and general enough to provide “ample flexibility” and “encourage innovation,” and envisions these being reflected in “voluntary, enforceable codes of conduct.” If they are voluntary, of course, they likely would not be promulgated in the form of statutes and regulations. If they are nonetheless enforceable, it would seem as if Commerce -- at least in part -- envisions trade groups and associations to require adherence by members and to provide for their own policing. Whatever the implications, they are different from the FTC’s report requesting that Congress invest it with greater legal authority over privacy matters. The FIPPs, as envisioned by Commerce, would include “simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill those purposes, and the expanded use of robust audit systems to bolster accountability.”
Uniform Security Breach Notification Rules? The Commerce report takes on an issue that has plagued direct marketers in recent years, and on which Congress has been unable to anything meaningful. Specifically, it proposes replacing the patchwork of dozens of inconsistent state security breach laws with a single national law. While this would put an array of consultants out of business, it would—if done correctly—remove significant regulatory expense (and uncertainty) from the shoulders of direct marketers of all sizes.
Overall, the Commerce report, if it is taken at face value as a genuine reflection of the Department of Commerce's position on commercial privacy matters, is a breath of fresh air. Unlike the FTC's report, which treats things like personalized advertisements as horrible invasions of privacy, the Commerce report reflects an understanding that the collection and use of customer information by businesses has an important place in not only bolstering the growing internet economy, but also serving legitimate consumer and business interests. And, unlike the FTC, places the greatest governmental focus on far more important privacy issues like data security and identity theft.
We are now at the beginning stages of a great debate about Internet privacy that could result in considerable change to the regulatory landscape. In subsequent blog posts, we will be addressing in greater detail individual issues raised by both the Commerce and FTC reports, and provide insights how the debate is evolving.
We wish all of our readers a wonderful holiday season!