On February 23, 2012, the White House has released a long-awaited report with final recommendations for a new consumer privacy regime in the United States. The report is titled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” and makes clear that “strengthening consumer data privacy protections in the United States is an important Administration priority.”
The “framework” consists of four key elements that the Administration has charged the Department of Commerce with implementing.
- A Consumer Privacy Bill of Rights that sets forth individual rights and corresponding obligations of companies in connection with personal data. These consumer rights are based on U.S.-developed and globally recognized Fair Information Practice Principles;
- Enforceable codes of conduct, developed through multistakeholder processes, to form the basis for specifying what the Consumer Privacy Bill of Rights requires in particular business contexts;
- Federal Trade Commission (FTC) enforcement of consumers’ data privacy rights through its authority to prohibit unfair or deceptive acts or practices; and
- Increasing global interoperability between the U.S. consumer data privacy framework and other countries’ frameworks through mutual recognition, the development of codes of conduct through multistakeholder processes, and enforcement cooperation.
The report expounds on each of these four elements as summarized below.
- Consumer Privacy Bill of Rights
The Administration promotes “A Consumer Privacy Bill of Rights” that includes the principles listed below. It bears noting that these principles are similar to those promoted by Europe’s Organization for Economic Co-operation and Development (OECD) and Asia-Pacific Economic Cooperations (APEC) that have been in place for years.
- Individual Control
- Respect for Context
- Access and Accuracy
- Focused Collection
The Bill of Rights will be “flexible” to promote innovation and will be enforced by the Federal Trade Commission. The Administration believes that enacting the Consumer Privacy Bill of Rights through federal legislation will increase “legal certainty for companies, strengthen consumer trust, and bolster the United States’ ability to lead consumer data privacy engagements with our international partners.”
- Enforceable codes of conduct
To implement the proposed Bill of Rights, the Administration calls on individual companies, industry groups, privacy advocates, consumer groups, crime victims, academics, international partners, state attorneys general, federal civil and criminal law enforcement representatives, and other relevant groups to participate in multistakeholder processes to develop codes of conduct that implement the general principles listed above.
The report calls the FTC the government’s “leading consumer privacy enforcement authority.” Thus, FTC enforcement is critical to ensuring that companies are accountable for adhering to their privacy commitments and ensuring that responsible companies are not disadvantaged by competitors playing by different rules. As part of consumer data privacy legislation, the Administration encourages Congress to provide the FTC (and state attorneys general) with specific authority to enforce the Consumer Privacy Bill of Rights.
- Promoting International Interoperability
The Administration recognizes that cross-border data flow is vital to the domestic and global economy. Differences in national data policies create bottlenecks and challenges that stifle growth and commerce. As such, the President’s report suggests engaging with international partners to increase interoperability in privacy laws by pursuing mutual recognition, the development of codes of conduct through multistakeholder processes, and enforcement cooperation.
Call for federal privacy legislation
The report concludes by urging Congress to pass legislation that codifies the Administration’s Consumer Privacy Bill of Rights. The President also seeks legislation that grants the FTC direct enforcement authority, puts in place a safe harbor that allows for the international exchange of personal information, and sets a national breach notification program, all while balancing state and federal roles in data privacy protection and preserving existing federal data privacy laws. Lofty goals to be sure!
Reaction to the report has been swift by privacy advocates, industry experts, and scholars. Some call it a signal that privacy is finally getting the attention it deserves, while others have called it “more of the same.” In the final analysis, while the report sets forth general principles and seeks the participation of representatives from all entities that have an interest in privacy, it obviously remains to be seen if the report has any effect on building a consensus around privacy rights and obligations. Until now, it has been clear that various diverging interests have made comprehensive agreement elusive. We expect the debate over many of these privacy principles to continue and expand, and therefore, suggest that you begin incorporating privacy into your business culture and information practices. We will continue to monitor this rapidly changing area of the law and will keep you advised of developments as they occur.
[Back to reference]