The U.S. government is seeking comment on a report focused on the role privacy plays in furthering business over the Internet, and which might be used to shape policy within the Obama Administration.
The report, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” was produced by the Department of Commerce (DoC) “as a vehicle to spur further discussion with Internet stakeholders on this important area of policy development,” says a Federal Register notice posted Dec. 21, 2010.
Recognizing the vital importance of the Internet to U.S. innovation, prosperity, education, and political and cultural life, the DoC has made it a top priority to ensure that the Internet remains open for innovation, the department says. To further that goal, the DoC established the Internet Policy Task Force to identify leading public policy and operational challenges in the Internet environment. The task force will utilize expertise across many bureaus, including those responsible for domestic and international information and communications technology policy, international trade, cyber security standards and best practices, intellectual property, business advocacy and export control.
With the publication of the report, the DoC now seeks further comment in “the hopes to spur further discussion with Internet stakeholders that will lead to the development of a series of administration positions that will help develop an action plan” on Internet privacy.
The report is available at http://www.ntia.doc.gov/internetpolicytaskforce/, and the DoC has made available a list of questions that can be used to guide comments. Those questions are:
- Should baseline commercial data privacy principles—such as a comprehensive federal intergovernmental partnering program (FIPPs)—be enacted by statute or other means, to address how current privacy law is enforced?
- Are technologies available to help companies monitor their data use, to support internal accountability mechanisms?
- How should baseline privacy principles be enforced? Should they be enforced by non-governmental entities in addition to being the basis for the Federal Trade Commission’s (FTC) enforcement actions?
- As policymakers consider baseline commercial data privacy legislation, should they seek to grant the FTC the authority to issue more detailed rules? What criteria are useful for deciding which FIPPs require further specification through rulemaking under the Administrative Procedure Act? Should baseline commercial data privacy legislation include a private right of action?
- What is the best way of promoting transparency so as to promote informed choices? The task force is especially interested in comments that address the benefits and drawbacks of legislative, regulatory and voluntary private sector approaches to promoting transparency.
- What incentives could be provided to encourage the development and adoption of practical mechanisms to protect consumer privacy, such as privacy impact assessments (PIAs), to bring about clearer descriptions of an organization’s data collection, use and disclosure practices?
- What are the elements of a meaningful PIA in the commercial context? Who should define these elements?
- What processes and information would be useful to assess whether PIAs are effective in helping companies to identify, evaluate, and address commercial data privacy issues?
- Should there be a requirement to publish PIAs in a standardized and/or machine-readable format?
- What are consumers’ and companies’ experiences with systems that display information about companies’ privacy practices in contexts other than privacy policies?
- What are the relative advantages and disadvantages of different transparency-enhancing techniques in an online world that typically involves data from multiple sources being presented through a single user interface?
- Do these (dis)advantages change when one considers the increasing use of devices with more limited user interface options?
- Are purpose specifications a necessary or important method for protecting commercial privacy?
- Currently, how common are purpose specification clauses in commercial privacy policies?
- Do industry best practices concerning purpose specification and use limitations exist? If not, how could their development be encouraged?
- What incentives could be provided to encourage companies to state clear, specific purposes for using personal information?
- How should purpose specifications be implemented and enforced?
- How can purpose specifications and use limitations be changed to meet changing circumstances?
- Who should be responsible for demonstrating that a private sector organization’s data use is consistent with its obligations? What steps should be taken if inconsistencies are found?
- Are technologies available to allow consumers to verify that their personal information is used in ways that are consistent with their expectations?
- How should performance against stated policies and practices be assessed?
- What incentives could be provided to encourage companies to adopt technologies that would facilitate audits of information use against the company’s stated purposes and use limitations?
- Should the FTC be given rulemaking authority triggered by failure of a multi-stakeholder process to produce a voluntary enforceable code within a specified time period?
- How can the DoC best encourage the discussion and development of technologies such as “do not track”?
- Under what circumstances should a “preferred provider organization” (PPO) recommend to the administration that new policies are needed to address failure by a multi-stakeholder process to produce an approved code of conduct?
- How can cooperation be fostered between the National Association of Attorneys General, or similar entities, and the PPO?
- Do FIPPs require further regulatory elaboration to enforce, or are they sufficient on their own?
- What should be the scope of FTC rulemaking authority?
- Should FIPPs be considered an independent basis for FTC enforcement, or should FTC privacy investigations still be conducted under FTC Act Section 5 ”unfair and deceptive” jurisdiction, buttressed by the explicit articulation of the FIPPs?
- Should non-governmental entities supplement FTC enforcement of voluntary codes?
- At what point in the development and of a voluntary, enforceable code of conduct should the FTC review it for approval?
- Potential options include providing an ex ante “seal of approval,” delaying approval until the code is in use for a specific amount of time, and delaying approval until enforcement action is taken against the code.
- What steps or conditions are necessary to make a company’s commitment to follow a code of conduct enforceable?
- What factors should breach notification be predicated upon (e.g., a risk assessment of the potential harm from the breach, a specific threshold such as number of records, etc.)?
- How could a preemption provision ensure that federal law is no less protective than any existing state laws? What are useful criteria for comparatively assessing how protective different laws are?
- To what extent should state attorneys general be empowered to enforce national commercial data privacy legislation?
- Should national FIPPs-based commercial data privacy legislation preempt state unfair and deceptive trade practices laws?
The task force seeks case studies and statistics that provide evidence of concern–or comments explaining why concerns are unwarranted–about cloud computing data privacy and security in the commercial context. We also seek data that links any such concerns to decisions to adopt, or refrain from adopting, cloud computing services.
The task force also seeks input on whether the current legal protections for transactional information and location information raise questions about what commercial data privacy expectations are reasonable and whether additional protections should be mandated by law. The task force also invites comments that discuss whether privacy protections for access to location information need clarification in order to facilitate the development, deployment and widespread adoption of new location-based services.
The task force seeks information from the law enforcement community regarding the use of the Electronic Communications Privacy Act (ECPA) today and how investigations might be affected by proposed amendments to ECPA’s provisions.
Written comments may be submitted by the U.S. Postal Service to the National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue, NW, Room 4725, Washington, DC 20230.
Paper submissions should include a three and one-half inch computer diskette or compact disc (CD). Diskettes or CDs should be labeled with the name and organizational affiliation of the filer and the name of the word processing program used to create the document.
Online submissions may be sent to firstname.lastname@example.org. Submissions may be in any of the following formats: HTML, ASCII, Word, rtf, or pdf.
Comments will be posted at www.ntia.doc.gov/internetpolicytaskforce/.