U.S. Commerce Department Unveils Online Privacy Framework

Though overshadowed by the December 1st release of the FTC's Privacy Framework (see our coverage here, here, here and the report itself here), we wanted to at least give a nod before the year runs out to the Department of Commerce's own report, entitled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, and less formally known as the Internet Policy Task Force Privacy Green Paper (the “Report”), available here.

The Report can in part be considered a bookend companion to the FTC's privacy framework, in putting forth a list of policy recommendations with the goal of promoting consumer privacy online while “ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth.”

A top-of-the-waves summary of the Commerce Department Report's key recommendations includes:

  • Fair Information Practice Principles comparable to a “Privacy Bill of Rights” for Online Consumers
    • As with the FTC report, the Report recommends clear principles as to how “online companies collect and use personal information for commercial purposes,” which would be a baseline foundation and “would build on existing Fair Information Practice Principles (FIPPs).”
    • The Commerce Department envisions this baseline as the start of a widespread “Privacy Bill of Rights.”
  • Enforceable Privacy Codes of Conduct in Specific Sectors; Create a Privacy Policy Office in the Department of Commerce
    • The Report recommends that “the expertise of industry, consumer groups, privacy advocates, and other stakeholders” be enlisted to create usable industry-wide privacy policies and recommends the establishment of a privacy policy office in the Department of Commerce to work directly with the FTC, the Executive Office of the President, and other Federal entities. The Report proposes that the “new office would convene stakeholder dialogues,” and “help develop enforceable privacy codes of conduct.”
  • Encourage Global Interoperability to Spur Innovation and Trade
    • In addition to the confluence of federal and state regulation, the Report recognizes that "disparate privacy laws have a growing impact on global competition." In response, the Report recommends that the U.S. government work with "its trading partners to find practical means of bridging differences in our privacy frameworks."
  • Harmonizing Disparate Security Breach Notification Rules
    • An increasing complaint of those faced with handling PII or other sensitive data is the thicket of different breach notification laws at the state level. The Report essentially recommends a federal data breach notification regime to “provide clarity to consumers, streamline industry compliance, and allow businesses to develop a strong, nationwide data management strategy.” However, the Report qualifies this pre-emption, stating “[t]his recommendation is not aimed at preempting federal security breach notification laws for specific sectors, such as healthcare.” As always, the devil is in the details.
  • Review the Electronic Communications Privacy Act for the Cloud Computing Environment
    • Finally, the Report recommends a review of the Electronic Communications Privacy Act (ECPA), codified at 18 U.S.C. § 2510, “to address privacy protection in cloud computing and location-based services.” The Department's stated goal with this proposal is to “ensure that, as technology and market conditions change, ECPA continues to appropriately protect individuals’ privacy expectations and punish unlawful access and disclosure of consumer data.”

We'll be returning to the Commerce Department's Report in future posts, as both it and the FTC's recent framework will be influential in guiding future legislation and industry discussions in the new year.