Today the Obama Administration is unveiling its new “Consumer Privacy Bill of Rights” (quoted in full at the end of this post) which they tout “as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.” [Update: The White House issued this 'white paper', Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy that it says provides the background for the proposal. Despite the January cover date, I think it's new, suggesting that there may have been some last-minute tussle about the contents?] [Update2: White House "Fact Sheet" on 'Consumer Privacy Bill of Rights'.]
But as far as I can tell from my initial read, this is only a first step towards rules with a tooth or two. Next, our friends at NTIA (the people who gave you the modern ICANN), will be “conven[ing] Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the Federal Trade Commission. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.” Good luck with that in this Congress.
NTIA does have a strong and smart leader right now, Lawrence E. Strickling, the Assistant Secretary for Communications and Information, so this could be good. On the other hand, Strickling has shown willingness to carry the trademark lobby’s water on some ICANN issues (what else is new?), so this bears watching. On the good side, the administration is asking for enforceable legislation, not some blurry new public-private partnership. And the Commerce Department wrote a pretty good requirements document for what the policy should look like in its recent National Strategy for Trusted Identities in Cyberspace (April 2011). That document envisioned an “Identity Ecosystem” described as a system that will enhance privacy and civil liberties:
The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider can gain a complete picture of an individual’s life in cyberspace. By default, only the minimum necessary information will be shared in a transaction. For example, the Identity Ecosystem will allow a consumer to provide her age during a transaction without also providing her birth date, name, address, or other identifying data.
In addition to privacy protections, the Identity Ecosystem will preserve online anonymity and pseudonymity, including anonymous browsing.
However, while setting out the outlines of how such a system might work in theory, the Strategy did not attempt to explain key aspects of how its ambitious goals might be attained in practice. Instead it sets out a ten-year roadmap, in which the first three to five years require “standardization of policy and technology” based on the twin pillars of underlying reliable offline credentials and private-sector leadership. Worse, only one month later the White House released its International Strategy For Cyberspace, a document that, while by no means all bad (it extolled the Internet’s benefits and opportunities), also warned darkly of the Internet’s dangers:
Extortion, fraud, identity theft, and child exploitation can threaten users’ confidence in online commerce, social networks and even their personal safety. The theft of intellectual property threatens national competitiveness and the innovation that drives it. These challenges transcend national borders; low costs of entry to cyberspace and the ability to establish an anonymous virtual presence can also lead to “safe havens” for criminals, with or without a state’s knowledge. Cybersecurity threats can even endanger international peace and security more broadly, as traditional forms of conflict are extended into cyberspace.
And it is this latter document, not the better Identity Management paper from a month earlier, that gets cited in today’s press release about the “Consumer Privacy Bill of Rights”. Which vision will prevail – the primarily pro-privacy vision or the Internet-as-danger vision? The Administration’s press release sounds some positive notes, for example this one:
Achieving privacy policies for a Global, Open Internet: U.S. companies doing business on the global Internet depend on the free flow of information across borders. The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of our trading partners.
At very hurried first glance the Consumer Privacy Bill of Rights idea seems based on principles that actually sound good…but may not be quite as great as they sound:
American Internet users should have the right to control personal information about themselves. Based on globally accepted privacy principles originally developed in the United States, the Consumer Privacy Bill of Rights is a comprehensive statement of the rights consumers should expect and the obligations to which companies handling personal data should commit. These rights include the right to control how personal data is used, the right to avoid having information collected in one context and then used for an unrelated purpose, the right to have information held securely, and the right to know who is accountable for the use or misuse of an individual’s personal data.
Does this mean the US will catch up with the EU’s data protection regime? I can’t tell for sure, but my first guess is “no”. To say that these are “obligations to which companies handling personal data should commit” is carefully not to say that these are obligations to which corporations will be required to adhere. At least not yet. Or at most only sectorally, rather than generally. Meanwhile, though, we’re going to kick the can down the road a bit, and “convene stakeholders including industry and privacy advocates to develop enforceable codes of conduct that implement the principles in the Consumer Privacy Bill of Rights for specific industry sectors.” But only those rules that “will keep up with, and not hamper, the pace of innovation.” So if your business model is, like Facebook or Google, based on using consumer information, then what?
There is one thing everyone agrees on – that companies should keep their promises about privacy and that the FTC can enforce on them when they do not – and this will remain a major enforcement tool. That’s good as far as it goes, but in most cases that is only as far as your carefully drafted EULA.
The Administration seems to envision a legislative proposal, I would imagine after the election. It will set out the “basic principles the Administration believes should be reflected in a privacy law” which will on the one hand involve proposing “clear and actionable rights” while also providing “a way for companies to be confident that they are respecting these rights through an FTC-approved enforcement safe harbor.”
Let the food fight begin?
Here is the advance text of the Obama administration’s “Consumer Privacy Bill of Rights”:
CONSUMER PRIVACY BILL OF RIGHTS
The Consumer Privacy Bill of Rights applies to personal data, which means any data, including aggregations of data, that is linkable to a specific individual. Personal data may include data that is linked to a specific computer or other device. The Administration supports Federal legislation that adopts the principles of the Consumer Privacy Bill of Rights. Even without legislation, the Administration will convene multistakeholder processes that use these rights as a template for codes of conduct that are enforceable by the Federal Trade Commission. These elements–the Consumer Privacy Bill of Rights, codes of conduct, and strong enforcement–will increase interoperability between the U.S. consumer data privacy framework and those of our international partners.
1. Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it. Companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. Companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect, use, or disclose, as well as the sensitivity of the uses they make of personal data. Companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection, use, and disclosure. Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.
2. Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. At times and in places that are most useful to enabling consumers to gain a meaningful understanding of privacy risks and the ability to exercise Individual Control, companies should provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete the data or de-identify it from consumers, and whether and for what purposes they may share personal data with third parties.
3. Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data, unless required by law to do otherwise. If companies will use or disclose personal data for other purposes, they should provide heightened Transparency and Individual Control by disclosing these other purposes in a manner that is prominent and easily actionable by consumers at the time of data collection. If, subsequent to collection, companies decide to use or disclose personal data for purposes that are inconsistent with the context in which the data was disclosed, they must provide heightened measures of Transparency and Individual Choice. Finally, the age and familiarity with technology of consumers who engage with a company are important elements of context. Companies should fulfill the obligations under this principle in ways that are appropriate for the age and sophistication of consumers. In particular, the principles in the Consumer Privacy Bill of Rights may require greater protections for personal data obtained from children and teenagers than for adults.
4. Security: Consumers have a right to secure and responsible handling of personal data. Companies should assess the privacy and security risks associated with their personal data practices and maintain reasonable safeguards to control risks such as loss; unauthorized access, use, destruction, or modification; and improper disclosure.
5. Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should use reasonable measures to ensure they maintain accurate personal data. Companies also should provide consumers with reasonable access to personal data that they collect or maintain about them, as well as the appropriate means and opportunity to correct inaccurate data or request its deletion or use limitation. Companies that handle personal data should construe this principle in a manner consistent with freedom of expression and freedom of the press. In determining what measures they may use to maintain accuracy and to provide access, correction, deletion, or suppression capabilities to consumers, companies may also consider the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.
6. Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain. Companies should collect only as much personal data as they need to accomplish purposes specified under the Respect for Context principle. Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.
7. Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies should be accountable to enforcement authorities and consumers for adhering to these principles. Companies also should hold employees responsible for adhering to these principles. To achieve this end, companies should train their employees as appropriate to handle personal data consistently with these principles and regularly evaluate their performance in this regard. Where appropriate, companies should conduct full audits. Companies that disclose personal data to third parties should at a minimum ensure that the recipients are under enforceable contractual obligations to adhere to these principles, unless they are required by law to do otherwise.