US Consumer Privacy Bill of Rights

Having been studying Europe’s proposed Data Protection revision for several weeks, it’s interesting to compare it with the proposed Consumer Privacy Bill of Rights recently published by the White House. This, too, recognises that the Internet is different to the paper-based world, but it seems to me to put this in a more positive way than the European Commission manage:

Companies process increasing quantities of personal data for a widening array of purposes.  Consumers increasingly exchange personal data in active ways through channels such as online social networks and personal blogs. The reuse of personal data can be an important source of innovation that brings benefits to consumers but also raises difficult questions about privacy. The central challenge in this environment is to protect consumers’ privacy expectations while providing companies with the certainty they need to continue to innovate.

Notably, there’s an early and explicit recognition that this balance is what enables a lot of the free services we have become used to the Internet providing. If advertisers weren’t willing to pay for the patterns we generate when we use those services then, as in the real world, we’d probably have to pay for the services ourselves. So the Bill of Rights has  objectives to both protect consumers and benefit businesses:

Strengthening consumer data privacy protections and promoting innovation require privacy protections that are comprehensive, actionable, and flexible.

The Bill contains seven Rights, which may look surprisingly familiar to European readers:

  • Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices
  • Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data
  • Security: Consumers have a right to secure and responsible handling of personal data
  • Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  • Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Anything linkable to a specific individual is considered personal data, including information linked to a specific computer or device.

However the way in which those Rights would be implemented and enforced look very different to Europe. In the USA, current privacy law is specific to sectors of activity so, for example, there is a law (FERPA) on personal data processed by education organisations and a separate law (HIPAA) on health data. In other sectors there may be little or no regulation. The new Bill of Rights is not intended to replace these sector laws – unless they fall below the minimum standards – but to allow other parts of the private sector to develop their own Codes of Conduct to support the Rights. Once Codes of Conduct had been developed, it would be up to a business whether or not it chose to abide by an appropriate Code, but if it advertised itself as doing so then any breach of the Code could be punished by the Federal Trade Commission under existing laws on deceptive and unfair practices (as for the current US/EU Safe Harbor agreement):

“The FTC brings cases based on violations of commitments in its privacy statements under its authority to prevent deceptive acts or practices. In addition, the FTC brings data privacy cases under its unfairness jurisdiction, which will remain an important source of consumer data privacy protection”

Codes of conduct would be developed by a “multi-stakeholder process”, explicitly like the way that US policy for the Internet is developed. It is expected that this will “produce solutions in a more timely fashion than regulatory processes and treaty-based organizations”, which seem also to produce “fragmented, prescriptive, and unpredictable rules that frustrate innovation and undermine consumer trust” [Hmmm, I wonder if they have something particular in mind?]

There’s also a striking statement that both businesses and consumers have responsibilities for privacy (something Europe tends, at least officially, to be rather coy about):

The Consumer Privacy Bill of Rights also recognizes that consumers have certain responsibilities to protect their privacy as they engage in an increasingly networked society … In a growing number of cases, such as online social networks, the use of personal data begins with individuals’ decisions to choose privacy settings and to share personal data with others. In such contexts, consumers should evaluate their choices and take responsibility for the ones that they make. Control over the initial act of sharing is critical. Consumers should take responsibility for those decisions, just as companies that participate in and benefit from this sharing should provide usable tools and clear explanations to enable consumers to make meaningful choices.

Since the Bill of Rights won’t apply to the whole of the USA, it seems unlikely to result in a declaration under Europe’s Data Protection Directive that the country provides equivalent protection of personal data. However the White House does suggest that there could be mutual international recognition of Codes of Conduct – the provision in the Directive allowing that is pointed out – and international participation in their development. Safe Harbor is seen as an “early example” of this type of agreement. Both the US and EU’s recent documents on developing privacy law identify cloud computing as a challenging and important sector to address:

Further complicating matters is the proliferation of cloud computing systems. This globally distributed architecture helps deliver cost-effective, innovative new services to consumers, companies, and governments. It also allows consumers and companies to send the personal data they generate and use to recipients all over the world. Consumer data privacy frameworks should not only facilitate these technologies and business models but also adapt rapidly to those that have yet to emerge.

So perhaps that will be an early business sector taking advantage of the proposals on both sides of the Atlantic?

[UPDATE: a joint statement by Commissioner Reding and Secretary of Commerce Bryson confirms that the two sides of the Atlantic are looking to move closer]

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *