Digital Policy Roundup

NTIA Seeks Comment on “Consumer Privacy Bill of Rights”

Last week, the National Telecommunications & Information Administration (NTIA) released a Request for Comment on Big Data and Consumer Privacy in the Internet Economy, as directed by the recent Administration Big Data Report. In particular, NTIA is seeking comment on the following:

  • how the principles in the Consumer Privacy Bill of Rights support innovations related to big data while also responding to potential privacy risks;
  • whether the Consumer Privacy Bill of Rights should be clarified or modified to better accommodate the benefits or risks of big data;
  • whether a responsible use framework should be used to address the challenges posed by big data; and
  • mechanisms to best address the limits of the “notice and consent” model for privacy protection noted in the big data report.

U.S.-EU Negotiate on Safe Harbor

Paul Nemitz, the chief European Commission negotiator for the Safe Harbor Framework, is in DC this week for negotiations with his U.S. counterpart, Commerce Department Deputy Assistant Secretary for Services Ted Dean. Both participated in a June 10 Center for Strategic & International Studies (CSIS) event called “The Safe Harbor Agreement: Data Protection or Protectionism.” The Commission issued 13 recommendations for improving the Safe Harbor Framework as part of its “Restoring Trust in EU Data Flows” effort in 2013. Dean and Nemitz have been negotiating based on those recommendations. Both negotiators signaled that they are close to agreement. However, Nemitz argued forcefully that recommendation 13, which calls for the national security exception to be invoked “only to an extent that is strictly necessary or proportionate,” needs to be addressed satisfactorily. He called this recommendation the “elephant in the room.” What he meant was that there had to be some limits on bulk collection of data for intelligence purposes. Dean noted that his office within Commerce was not responsible for the national security-related recommendations. However, he reminded the audience of President Obama’s January 17, 2014 speech, which called for enhancing protections for non-U.S. persons, suggesting that progress could be made in this area as well.

The U.S.-EU Safe Harbor Framework is one way in which companies can transfer data from the European Union to the United States. Companies self-certify to the Commerce Department that they maintain the privacy practices included in the Framework. The Federal Trade Commission enforces compliance, while Commerce administers the program. There are now over 3,000 companies enrolled in the Safe Harbor program. Many participants are small and medium-sized enterprises. Much of the data transferred pursuant to this mechanism is human resources data. There is a 2009 guide to self-certification.

Obama Administration announces 4th Big Data Workshop in DC

The fourth Big Data Workshop in DC is on the way. The White House Office of Science and Technology Policy (OSTP) is cohosting an event with the Georgetown University McCourt School of Public Policy’s Massive Data Institute on June 19. The event, titled “Improving Government Performance in the Era of Big Data: Opportunities and Challenges for Federal Agencies,” will engage the public and experts in a discussion on the future of data innovation and policy. Those interested in attending should RSVP promptly, as the event is expected to fill up.

California Guidance on Meaningful Privacy Policy Statements

California Attorney General Kamala D. Harris recently released guidance, Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy, which includes recommendations on the new DNT disclosures called for by the 2013 law, AB 370, requiring web site operators to disclose how they are responding to a “Do Not Track” browser signal. To help members understand the new law, SIIA held a webcast briefing on Feb. 6. This guidance not only provides companies more detailed information on the compliance expectations, but it also broadly encourages companies to craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPolicy.