Three years after it first proposed such a move, the White House has introduced a draft Consumer Privacy Bill of Rights (CPBR) that would give consumers more, and clearer, guarantees on how personal data is protected by organisations – regardless of the sector those organisations operate in. The draft bill seems to be taking heat from all sides, and if adopted it would bring US policy on privacy protection in the age of big data more in line with the draft legislation in Europe.
The proposed CPBR would see the Federal Trade Commission (FTC) regulate how firms manage, protect, and give access to consumer data.
President Obama has long positioned himself as a champion of privacy rights, having released a first draft of a CPBR in 2012 that sought, much like the current draft policy proposal, to adhere to the following principles:
- Individual Control: Consumers have a right to exercise control over what personal data organisations collect from them and how they use it.
- Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security: Consumers have a right to secure and responsible handling of personal data.
- Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
But much like the case three years ago, the most recently proposed draft drew criticism from organisations dotted all over the political spectrum – despite winning some support from IT incumbents and trade organisations.
The Center for Democracy & Technology’s director of consumer privacy Justin Brookman said the law “has too many loopholes and doesn’t provide for meaningful enforcement,” while adding it’s encouraging the President is at least attempting to advance privacy issues.
“The bill envisions a process where industry will dominate in developing codes of conduct,” said John Simpson, privacy project director for Consumer Watchdog, a nonprofit organisation advocating consumer rights reform in the US. “The bill is full of loopholes and gives consumers no meaningful control of their data.”
The bill relies heavily on a “multi-stakeholder” process to develop codes of conduct that would give companies that adopt those codes a “safe harbour” from enforcement, the organisation said. It would also pre-empt stronger state laws, forcing some states that currently have stronger consumer data privacy policies in place to drop them in favour of weaker federal legislation.
“Any pre-emption should set a floor, not a ceiling, allowing states to have stronger protections.”
Democratic Reps. Jan Schakowsky (D-Ill.) and Frank Pallone (D-N.J.) said the proposal is problematic because it sets up a self-regulatory system that “could allow companies to design the privacy policies the FTC would enforce,” while House Republicans Fred Upton and Michael Burgess said policymakers should “tread carefully” in embracing the CPBR.
Consumer Electronics Association president Gary Shapiro said the law, if passed, “could hurt American innovation and choke off potentially useful services and products.”
“If enacted, the proposal’s broad definitions, expanded bureaucratic authorities and steep penalties could burden the tech economy with uncertainty and stifle the development of the Internet of Things (IoT), which holds promise for novel new services and products, consumer safety and security, and job creation.”
But the proposed legislation, which more closely resembles European proposals to protect consumer data than other bills introduced in this area in the US before, has found some support in the corporate world. Microsoft, one of the cloud companies that has heavily lobbied the US government to strengthen its data protection policies, welcomed the proposal as a step in the right direction.
“Not all will agree with every aspect of the proposal – some will say it goes too far, while others will say it doesn’t go far enough – but it’s a good place to start the conversation,” said Brendon Lynch, chief privacy officer at Microsoft in prepared remarks.
“The proposal, which appears to be based on the Fair Information Principles, outlines steps companies should take to increase transparency, and calls for consumers to be provided privacy choices. We agree.”
“Core to any successful new privacy legislation is a requirement that companies tell customers, in plain language, what data about them is collected and how that data is used. Transparency is essential to help build an understanding of practices that impact consumer privacy. We look forward to a discussion with other stakeholders about transparency as well as the other Fair Information Practices Principles that underpin the proposal,” Lynch said.
The Software and Information Industry Association (SIIA) struck a more balanced tone. Mark MacCarthy, SIIA vice president for public policy, said that while he believes American consumers are already well served by US privacy laws, the organisation does support “policies that promote responsible data management, and allow US technology companies to continue innovating to the benefit of businesses and consumers,” and intimated the recently introduced CPBR falls within that category.
“We would be concerned by any new proposals that might undermine these goals,” he added.
“SIIA and our members look forward to working with the Administration and other policymakers to ensure that the US public policy framework contains necessary consumer privacy protections while providing for the continued growth of data-driven innovation.”
The CPBR is the latest in a series of moves that put data privacy at the centre of proposed legislation in the US. In January the Administration unveiled rules that aim to help protect student data, and US lawmakers earlier this month introduced two bipartisan bills that seek to limit the reach of US courts over data stored in cloud services located outside the US.