Federal Goals and Suggested Outcomes for Privacy Regulation Identified in NTIA Public Comment Request
The National Telecommunications and Information Administration (NTIA) at the U.S. Department of Commerce has asked the public for comment on ways to advance consumer privacy while protecting prosperity and innovation. The government agency is seeking to develop the Trump Administration’s approach to consumer privacy by creating a set of privacy outcomes that will be core to any Federal action as well as a set of high level goals about the regulations that should provide the privacy protections. The public comment period will be open for thirty days.
The Administration is going to leave in place the current approach for privacy in the specific sectors where Congress has already passed a law: the Children’s Online Privacy and Protection Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act. Instead of modifying these laws, it is looking to bolster the privacy protections currently provided under the Federal Trade Commission (FTC) Section 5 authority concerning unfair trade practices and deception of consumers.
“Risk-based flexibility” is at the “heart” of the Administration’s potential approach to protecting privacy in the areas not covered by an existing law. They want users to benefit from appropriate uses of their information while ensuring organizations minimize risks to users’ privacy. The Federal government is also looking for a way to minimize the burden of the solution on small and medium sized businesses. The Administration’s proposal is not going to address government access to data – it will be limited to data privacy practices by businesses and other private organizations.
The Administration is seeking a flexible, outcome-based approach rather than a prescriptive approach.
The privacy outcomes which the Government is looking for are:
1. Transparency
2. Control
3. Reasonable Minimization
4. Security
5. Access and Correction
6. Risk Management
7. Accountability
The Federal government is also looking at 8 high level goals to set the standards for the future privacy regulation. The goals that they are looking for feedback on are:
1. Harmonize the regulatory landscape.
2. Legal clarity while maintaining the flexibility to innovate.
3. Comprehensive application.
4. Employ a risk and outcome-based approach.
5. Interoperability.
6. Incentivize privacy research.
7. FTC enforcement.
8. Scalability.
To provide additional information and clarity about the privacy outcomes:
1. Transparency: Organizations should make it easy for users to understand the collection, storage, use and sharing of their personal information. Organizations should move away from long privacy practices where appropriate.
2. Control: Consumers should have reasonable control over the collection, use, storage and disclosure of their personal information, as well as the ability to withdraw consent or limit activities previously permitted.
3. Reasonable Minimization: Take appropriate steps (in context) to reduce the risk of privacy harm including minimization of data collection, retention, use and sharing.
4. Security: Employ security safeguards to secure the personal information that the organization collects, stores, uses and shares. The measures should be appropriate to the level of risk and consumers should be able to expect their data is protected from loss or unauthorized access.
5. Access and Correction: Users should have access to the personal information they provide and the ability to correct, complete, amend or delete the data.
6. Risk Management: Organizations should take steps to manage and mitigate the risk of harmful uses or exposure of personal data.
7. Accountability: Organizations should be accountable externally, hold their internal teams accountable, and take steps to ensure that their third-party vendors and services are accountable for their privacy practices.
To provide additional information and clarity about the high level goals:
1. Harmonization: The sectoral approach provides strong protections but there is a need to avoid creating a patchwork of duplicative laws that ultimately fails to improve data privacy for individuals who are unaware of the specifics of these privacy protections.
2. Legal Clarity: The U.S. is looking to balance the establishment of clear legal rules for businesses to follow while allowing the flexibility needed to permit novel business models and technology.
3. Comprehensive Application: Provide for broad application of consumer privacy law to all private sector organizations to afford similar treatment for similar data practices across industries.
4. Risk and Outcome-based Approach: Encourage the identification of privacy risks through risk modeling and focus on creating user-centric outcomes that provide measurable improvements in privacy. The goal is to enable innovation and give businesses the flexibility to balance business needs, consumer expectations, potential privacy harms and legal obligations.
5. Interoperability: Create data privacy practices that are consistent with international norms and frameworks to reduce friction in data flows between countries.
6. Incentivize Privacy Research: The government will encourage privacy research to inform the development of tools, methodologies, frameworks and products to enhance privacy.
7. FTC enforcement: The government is considering leaving enforcement of privacy violations with the Federal Trade Commission and giving it additional resources and statutory authority to enable enhanced enforcement.
8. Scalability: Targeted enforcement at large businesses and controllers. Small businesses making good-faith efforts to offer privacy protections should not be the primary targets of enforcement actions.
The request for comment is part of the Commerce Department’s overall efforts to modernize the country’s data privacy practices. The National Institute of Standards and Technology (NIST) is in parallel working on a voluntary privacy framework for organizations to follow to manage their privacy risk, similar to the voluntary cybersecurity framework developed a few years ago. The first public workshop to start the process of creating the privacy framework will be in Austin on October 16, 2018, at the same time as the International Association of Privacy Professionals (IAPP) is holding its Privacy Security Risk conference in the city.
The request for comment was released ahead of the Senate Commerce Committee hearings tomorrow with executives from Alphabet, Apple, AT&T and more. The hearing is expected to start the search in the Senate for an appropriate Congressional bill on data privacy for the country.