Observations on the Dept. of Commerce's Privacy Inquiry

Earlier in the week, I referenced the U.S. Department of Commerce’s Notice of Inquiry concerning “Information Privacy and Innovation in the Internet Economy” (the “Inquiry”).  DataGuidance.com recently did a short article on the Inquiry in which I am quoted.   I have now had a chance to review the document in more detail and believe that this Inquiry and the report that it generates has the potential to usher in a paradigm shift and reshape the privacy environment as it relates to commerce. Unfortunately, it also has the potential to be a frustrating exercise involving entrenched special interests banging their heads against a wall in a political forum. Nonetheless, whether the Inquiry ends up yielding any legislation, industry standards, best practices or a strategic frame work for privacy, the document itself reflects some of key challenges faced at the intersection of privacy and commerce. This post outlines some of my observations after reading the Inquiry.

Some thoughts and observations in no particular order:

  • The Hard Questions. This Inquiry seeks to tackle practically all of the “hard questions” in privacy as it relates to commerce. Its breadth is impressive.
  • Balance Between Commerce and Privacy. Based on how it is written, the topics discussed and the framing of the questions, it is clear that the DOC seeks to find the proper balance between commercial innovation/burden and individual privacy. It is interesting that these questions are being considered in a commercial context rather than from a “civil rights” point of view. This is consistent, of course, with the U.S. approach. However, considering that one of the issues it addresses is international privacy laws and regulations, it begs the question of whether the lack of consistency in privacy regulations globally (and difficulties related thereto) is “baked into the cake.”
  • The Multiplicity of Privacy Laws. One of the key business problems the Inquiry seeks to explore is compliance with privacy laws and jurisdictional conflicts. The Inquiry ask questions about the multi-jurisdictional nature of handling person information, both on a national and state level within the United States, and on an international level with the rest of the world.  It also provides a series of questions that seek to explore the effectiveness of the U.S. sectoral approach to privacy regulation. The compliance burden arising out of multiple (and sometimes conflicting) privacy regulatory regimes has vexed and continues to vex multinational corporations that handle personal information.

From a commercial and compliance point of view this issue is extremely important. The reality is that for multinational companies (which these days can be very large and very small -- a website that is accessible by foreign data subjects could put a company in the "multinational" category), because of transborder data flow, it is extremely difficult, if not impossible (when actual cost is taken into account), to even know what laws apply to the organization. In fact, the legal environment is constantly changing due to new laws at multiple jurisdictional levels, and due to organizational changes concerning the type, handling and location of personal data interacting with a company. Even if companies have the ability to ascertain what laws apply to them, compliance is also very difficult and expensive (and some would maintain again that it is impossible to achieve 100% compliance).

Based on the questions posed the Inquiry seems to recognize the disconnect between applicable privacy laws based on arbitrary and imaginary borders, and the completely borderless environment in which information exists in commerce.  Will Commerce conclude that the multiplicity of privacy and security laws is an impediment or obstacle to the growth of the global economy? It will be interesting to see if the coming report will have recommendations on how to harmonize existing regulatory regimes while still addressing privacy issues important to particular countries.  

  • Cloud Computing and Borderless Data. Speaking of ethereal data processing-related concepts, the Inquiry specifically references cloud computing and web-based services, and appears to address the reality that in the 21st century data is borderless, but laws based on arbitrary location-based jurisdictional triggers are not.
  • Notice & Consent Model Outdated? The Inquiry also appears to recognize concerns about the weaknesses of the current notice and consent privacy regime, and inquires about a “use-based” consumer privacy model. A used-based model recognizes the view that privacy is context-based rather than static. A use of information in one context may be consistent with the data subject’s expectation of privacy, but the same information may violate privacy in another context. Putting up pictures on Facebook of a late night out with friends and sharing with those friends does not violate privacy principles, but allowing the data subject’s employer to see those photos might. It is not clear, however, whether a “use-based” system would provide more effective protection or whether it could be done cost-effectively without massive standardization and cooperation between a multiplicity of entities that might handle personal information in the midst of a transaction. To achieve this type of regime, which effectively gives the data subject more control over its data, technology solutions may be necessary.  Coincidentally, as discussed below, the Inquiry also asks questions concerning the role of technology in protecting privacy.
  • The Role of Technology in Managing and Protecting Privacy. The Inquiry asks questions about “privacy-enhancing technologies” that would allow data subjects to manage the information they are sharing, allow for the auditing of compliance with privacy policies and expressed user preferences, and provide privacy notices to individuals concerning the use or disclosure of their personal information. To the extent that PETs empower individual data subjects, the challenge of course is getting data subjects to understand how they can use these technologies, and providing notice of what will happen to their personal information if they fail to do so. One interesting question in the Inquiry relates to whether technology designers are proper incentivized to build privacy-related functionality into the design of their technology. I think this question gets to the crux of one of the key problems with PETs: if the technologies are not already built into the business processes from the start, is it feasible and cost-effective to implement efficacious PETs.
  • Recognition of the Small-Medium Business Challenges.  The Inquiry poses a series of questions concerning the impact of privacy and compliance on small/medium businesses and start-ups.  I think this issue is often overlooked in terms of how commercial innovation might be stifled by privacy requirements that are too costly.  Much of the innovation over the past 20 years has come from start-up companies utilizing the efficiencies of information technology and the Internet.  Do strict privacy requirements dissuade entrepreneurs from starting their companies or pose insurmountable obstacles due to compliance expenses?  Some would argue that innovation has not been stifled by pointing to the existence of Facebook, Twitter, MySpace, all of which are pushing the boundaries of privacy.  However, this begs the question because the existence of these companies is, in part, why the Inquiry is necessary.  Beyond start-ups, the reality is most small businesses (even your local laundry mat) store, process and transmit personal information of some sort.  Can laws and standards be created that are "one-size-fits all?"  If not, considering the volume of small businesses in the U.S. (compared to large companies), if you exempt or limit the obligations of small businesses, are you leaving a massive privacy consumer privacy gap? 

Overall, the ultimate impact of the Inquiry is unclear. The Inquiry specifically indicates that it is not being circulated for the specific purpose of creating legislation. However, it is possible that useful recommendations or guidance could come out of the DOC’s eventual report that could serve as the basis of future regulation, best practices or standards that relate to privacy in the context of modern commerce. It also must be recognized that this Inquiry is happening right in the middle of the political area. There will be entrenched and wealthy special interests on both the commerce and consumer side that will seek to influence the DOC and its report. The report will be less useful if it simply yields the same positions that have been espoused by various interests on either side of the spectrum. The hope is that the DOC report will get beyond the status quo and offer guidance and the foundations for public policy (and law) that actually move the ball forward and serve to address the significant privacy challenges the consumers and the commercial community face.