Commerce report calls for privacy principles

While laying out policy recommendations, the report seeks additional comment on many issues.

The Commerce Department Thursday unveiled a green paper on ways to enhance consumer privacy while still enabling online growth and innovation. It recommends the development of "Fair Information Privacy Principles," creation of a privacy office within the agency and consideration of a national data security breach notification law.

While laying out policy recommendations, the report, which was developed by the agency's Internet Policy Task Force, seeks additional comment on many issues, including most notably whether the proposed fair information privacy principles, which it describes as "a privacy bill of rights," should be implemented through legislation. The report says the principles "should promote increased transparency through simple notices, clearly articulated purposes for data collection, commitments to limit data uses to fulfill these purposes, and expanded use of robust audit systems to bolster accountability."

In addition to whether "baseline" privacy legislation should be enacted, the issues on which it is seeking further comment include how the privacy principles should be enforced, whether the Federal Trade Commission should be given authority to issue more detailed rules, and whether privacy legislation should include the right for consumers to sue over privacy breaches.

One area where the report does call for the consideration of a legislative solution relates to data breach notifications. A federal data breach notification law, which would be enforced by state authorities and the FTC, could set national standards and pre-empt "inconsistent" state laws, the report says.

"A comprehensive national approach to commercial data breach would provide clarity to individuals regarding the protection of their information throughout the United States, streamline industry compliance, and allow businesses to develop a strong, nationwide data management strategy," the report said.

The report makes two other key policy recommendations, including a call for the creation of a Commerce Department Privacy Policy Office, "using existing resources," that would help encourage and coordinate the development of "voluntary, enforceable privacy codes of conduct in specific industries."

The report notes that commercial privacy policy "must be able to evolve rapidly to meet a continuing stream of innovations. A helpful step would be to enlist the expertise and knowledge of the private sector, and to consult existing best practices, in order to create voluntary codes of conduct that promote informed consent and safeguard personal information." The report seeks further comment on whether the FTC should be given rulemaking authority to step in if the "multi-stakeholder process" fails to develop a voluntary enforceable code by a specified date, as well as other input on the authorities the privacy office should be given.

The report also calls for greater international cooperation on privacy. It notes that several countries around the world have adopted omnibus privacy laws, including the European Union, which is currently reviewing its data privacy directive. The process of trying to comply with the different privacy regimes around the world can be time-consuming and costly for U.S. businesses, the report adds.

"Consistent with the general goal of decreasing regulatory barriers to trade and commerce, the U.S. Government should work with our allies and trading partners to promote low-friction, cross-border data flow through increased global interoperability of privacy frameworks," the report recommends.

The United States recently launched talks with the EU on ensuring the protection of personal data when cooperating on terrorism and crime-related investigations.

The Commerce report comes two weeks after the FTC issued its own report on ways to bolster online consumer privacy. It included guidelines that call for similar measures, such as increased transparency and notices about how information will be used and collected. However, one of its key recommendations was for the creation of a "do-not-track" mechanism that would allow consumers to opt out of being tracked on the Web for the purpose of targeted advertising.

Commerce did not make such a recommendation and instead seeks further comment on how the agency can "best encourage the discussion and development of technologies such as 'Do Not Track.'"