Cool Reception for Obama's Privacy Plan
Businesses Would Help Define Consumer Privacy Bill of Rights
The Obama administration's discussion draft of a Consumer Privacy Bill of Rights law, issued late last week, has some of the president's usual supporters saying they're disappointed in his proposal.
Typical is the reaction from Sen. Ed Markey, D-Mass., who says: "While this proposal from the White House focuses attention on the need for strengthening the privacy rights of Americans, it falls far short of what is needed to ensure consumers and families are squarely in control of their personal data."
Similarly, Reps. Frank Pallone Jr., D-N.J., and Jan Schakowsky, D-Ill. - in a joint statement - say they're pleased President Obama is making consumer privacy a top priority in 2015 but believe a number of provisions in his proposal are "deeply problematic. ... Unfortunately, not only does this bill fail to move consumer protection forward, it may move it backward."
The president's plan would ask businesses to develop their own codes of conduct for the way they handle consumer information, such as how they collect, use and share data. It would also authorize the Federal Trade Commission, through its rulemaking authority, to make sure businesses satisfactorily adhere to those requirements. Companies that violate their own codes could face legal action from the FTC or states' attorneys general under the White House plan.
Exercising Control Over Own Data
A core premise behind the Consumer Privacy Bill of Rights, according to the White House, is that individual consumers have a right to exercise control of personal data companies collect from them - and how that information is used.
"The Internet has become an engine of innovation, business growth and job creation, so we need a strong foundation of clear protections for consumers, and a set of basic principles to help businesses guide their privacy and policy decisions," Commerce Secretary John Bryson says in a statement unveiling the administration's legislative proposal. "This privacy blueprint will do just that."
But some privacy experts disagree. "Federal privacy legislation is needed, but this one needs work and might not be the document the country needs," says privacy and IT security lawyer Francoise Gilbert of the IT Law Group. "The document is business friendly but provides little guidance. ... From a practical standpoint, covered entities and their advisers will find it difficult to define and measure what they are supposed to do. With only the Federal Trade Commission and states' attorneys general having the right to enforce the law, it would take a long time to identify and shape general standards."
Creating Privacy Review Boards
Christopher Pierson, general counsel and chief security officer at the secure payments service provider Viewpost, argues that the White House plan could weaken FTC consumer protection enforcement powers regarding private information if it's enacted as proposed. That's because the discussion draft calls for the creation of Privacy Review Boards that would help determine whether businesses comply with the code. The boards would be formed through the FTC's rulemaking authority, and each one could represent a different industry.
Exactly who would serve on the boards and what specific authorities they would be granted are not detailed in the discussion draft; that would be spelled out in the rulemaking process.
"It definitely looks like it is weakening some of the traditional powers that have been set aside for FTC," Pierson says. "This looks a little more like companies and industry associations being able to promulgate some of their own rules, and then ask the Federal Trade Commission to bless them."
Such an approach, Pierson says, could result in various sectors having different privacy disclosure rules. "As opposed to one act that solidifies the country and sets forth a common platform, you could have some fracturing of the rules as a result," says Pierson, who also serves on federal government panels that advise the homeland security secretary on privacy and cybersecurity matters.
No Harm, No Rights?
Justin Brookman, director of the consumer privacy project at the advocacy group Center for Democracy and Technology, says a major flaw he sees in the administration plan is that the government can sue businesses for violating privacy rights only if harm can be proven. Brookman says the law should allow legal action, without having to document damages, if a business fails to provide the privacy rights it promises.
Brookman says consumers should not be required to prove they've been harmed to receive privacy protections. "We never loved the idea that privacy rights be contingent on harm because it could be used to forestall a lot of these protections," he says.
The two House members - Pallone and Schakowsky - offer this critique of what they see as flaws in the proposal:
- First, it calls for self-regulation by business. That, in the eyes of privacy advocates, would allow unsound practices related to data collection, use and sharing to continue.
- Second, state laws that hold companies accountable for protecting consumers' personally identifiable information would be pre-empted and individuals would be barred from pursuing legal action if organizations violate privacy policies.
- Third, the president's proposal would exempt new companies from any privacy requirements for their first 18 months of data collection, which, in turn, would discourage start-ups from designing consumer-focused privacy and security into their products and services.
- Fourth, the White House framework sets limits on penalties for companies that violate the privacy policies that companies themselves create. "With some of the biggest and fastest-growing companies on earth - including those valued in the hundreds of billions of dollars - covered by this bill, a $25 million maximum penalty is just a slap on the wrist," the Pallone-Schakowsky statement says.
No lawmaker has yet adopted the discussion draft as their own bill to introduce in Congress. And, with strong political differences over how to regulate privacy rights, no one is predicting that such legislation would be enacted in the current Congress. Still, Pierson says he likes the idea that the administration is getting Congress - and the public - to consider the issue of protecting the privacy of information businesses retain on their customers, even if he - and other privacy experts - don't agree with what the administration proposed.