[Federal Register: April 23, 2010 (Volume 75, Number 78)]
[Notices]
[Page 21226-21231]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr23ap10-27]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Office of the Secretary
National Telecommunications and Information Administration
International Trade Administration
National Institute of Standards and Technology
[Docket No. 100402174-0175-01]
RIN 0660-XA12
Information Privacy and Innovation in the Internet Economy
AGENCY: Office of the Secretary, U.S. Department of Commerce; National
Telecommunications and Information Administration, U.S. Department of
Commerce; International Trade Administration, U.S. Department of
Commerce; and National Institute of Standards and Technology, U.S.
Department of Commerce.
ACTION: Notice of Inquiry.
-----------------------------------------------------------------------
SUMMARY: The Department of Commerce's Internet Policy Task Force is
conducting a comprehensive review of the nexus between privacy policy
and innovation in the Internet economy. The Department seeks public
comment from all Internet stakeholders, including the commercial,
academic and civil society sectors, on the impact of current privacy
laws in the United States and around the world on the pace of
innovation in the information economy. The Department also seeks to
understand whether current privacy laws serve consumer interests and
fundamental democratic values. After analyzing the comments responding
to this Notice, the Department intends to issue a report, which will
contribute to the Administration's domestic policy and international
engagement in the area of Internet privacy.
DATES: Comments are due on or before June 7, 2010.
ADDRESSES: Written comments may be submitted by mail to the National
Telecommunications Administration at U.S. Department of Commerce, 1401
Constitution Avenue, NW., Room 4725, Washington, DC 20230. Submissions
may be in any of the following formats: HTML, ASCII, Word, rtf, or pdf.
Online submissions in electronic form may be sent to privacy-noi-
2010@ntia.doc.gov. Paper submissions should include a three and one-
half inch computer diskette or compact disc (CD). Diskettes or CDs
should be labeled with the name and organizational affiliation of the
filer and the name of the word processing
[[Page 21227]]
program used to create the document. Comments will be posted at http://
www.ntia.doc.gov/advisory/privacyinnovation.
FOR FURTHER INFORMATION CONTACT: For questions about this Notice
contact: Joe Gattuso, Office of Policy Analysis and Development,
National Telecommunications and Information Administration, U.S.
Department of Commerce, 1401 Constitution Avenue, NW., Room 4725,
Washington, DC 20230, telephone (202) 482-1880; e-mail
jgattuso@ntia.doc.gov. Please direct media inquires to NTIA's Office of
Public Affairs at (202) 482-7002.
SUPPLEMENTARY INFORMATION: Recognizing the vital importance of the
Internet to U.S. innovation, prosperity, education and political and
cultural life, the Department has made it a top priority to ensure that
the Internet remains open for innovation. The Department has created an
Internet Policy Task Force whose mission is to identify leading public
policy and operational challenges in the Internet environment. The Task
Force leverages expertise across many bureaus at the Department,
including those responsible for domestic and international information
and communications technology policy, international trade,
cybersecurity standards and best practices, intellectual property,
business advocacy and export control. This is one in a series of
inquiries from the Task Force. The Task Force is conducting similar
reviews of cybersecurity, global free flow of information goods and
services, and online copyright protection issues. The Task Force may
explore additional areas in the future.
Background: The Department has launched the Privacy and Innovation
Initiative to identify policies that will enhance: (1) The clarity,
transparency, scalability and flexibility needed to foster innovation
in the information economy; (2) the public confidence necessary for
full citizen participation with the Internet; and (3) uphold
fundamental democratic values essential to the functioning of a free
market and a free society.
Innovation in the information economy continues to drive U.S.
commerce. Entrepreneurs and innovators in the United States are
developing novel information applications and creative ways of
delivering existing goods and services via the Internet. American
technology companies have created hundreds of thousands of new online
applications, revolutionizing how consumers and businesses interact,
transact, and use information. Beyond the boundaries of electronic
commerce, the Internet is transforming critical sectors of the U.S. and
global economy and society, such as health care, energy, education, the
arts and political life. In all these sectors, proper use of personal
information can play a critical, value-added role, so establishing
consumer trust and assuring flexibility for innovators is vital.
Recognizing that economic, social, and political participation in
the Internet is essential for all citizens, the United States must
establish an environment respectful of long-standing privacy principles
and individual privacy expectations, even as they evolve.
Contribution of this NOI to the Internet Policy Task Force:
Responses to this Notice will assist the Task Force in preparing its
report on Privacy and Innovation in the Information Economy. The
purpose of this report will be to identify and evaluate privacy policy
challenges, and to analyze various approaches to meet those challenges.
The Task Force's report may include options and recommendations for
general regulatory, legislative, self-regulatory and voluntary steps
that will enhance privacy and innovation, though the Task Force does
not expect to recommend detailed legislative or regulatory proposals at
this point. The Task Force is hopeful that the dialogue launched here
and the research conducted will contribute to Administration-wide
policy positions and global privacy strategy.
Contribution of Online Commerce to the U.S. Economy: Between 1999
and 2007, the United States economy enjoyed an increase of over 500
percent in business-to-consumer online commerce.\1\ Taking into account
business-to-business transactions, online commerce in 2007 accounted
for over $3 trillion dollars in revenue for U.S. companies.\2\ The
economic benefits provided by the information economy increased even
during our economic downturn. During 2008, industry analysts estimate
that sales of the top 100 online retailers grew 14.3 percent.\3\ In
contrast, the U.S. Census Bureau estimates a 0.9 percent decrease in
total retail sales over that time period.\4\ In 2009, U.S. mobile
commerce sales grew over 200 percent compared to the previous year,
reaching $1.2 billion.\5\ Analysts expect this impressive growth to
continue in 2010, projecting $2.4 billion in mobile commerce.\6\ Online
sales growth and expanding information systems are creating new jobs
focused on the information economy and directly impacting our economic
recovery.
---------------------------------------------------------------------------
\1\ U.S. Census Bureau, ``E-Stats,'' May 28, 2009.
\2\ Id.
\3\ Mark Brohan, ``The Top 500 Guide,'' Internet Retailer, June
2009.
\4\ U.S. Census Bureau, ``Quarterly Retail E-Commerce Sales: 4th
Quarter 2008,'' Feb. 16, 2010, Table 4.
\5\ ``U.S. M-Commerce Sales to Hit $2.4 Billion This Year, ABI
Research Says,'' Internet Retailer, Feb. 16, 2010.
\6\ Id.
---------------------------------------------------------------------------
In addition to the growth of online commerce, the Internet, the
World Wide Web, and associated information systems have lead to an
unprecedented growth in productivity over the last decade.\7\ More
businesses are using the Internet to provide electronic records to
customers and trading partners, and enterprises are shifting to a
digital back office and greener business environment. Although this has
spurred additional green innovation, the fact that increasingly more
data is being stored electronically and aggregated creates new
challenges in the privacy arena.
---------------------------------------------------------------------------
\7\ Executive Office of the President of the United States,
Council of Economic Advisors of the President, 2010 Economic Report
of the President, at Chapter 10, Feb. 2010.
---------------------------------------------------------------------------
Sustaining the growth of digital commerce and U.S. commerce
generally will require continued innovation in how information is used
and shared across the Internet. Commerce today depends on online
communication and the transmission of significant amounts of data. Key
to the current inquiry, the Department believes this development places
data protection in a new light.
The Nexus Between Privacy and Commerce, and the Department's Role:
Consumers have expressed concern regarding new or unexpected uses of
their personal information by online applications. Since Internet
commerce is dependent on consumer participation, consumers must be able
to trust that their personal information is protected online and
securely maintained. At the same time, companies need clear policies
that enable the continued development of new business models and the
free flow of data across state and international borders in support of
domestic and global trade. Our challenge is to align flexibility for
innovators along with privacy protection.
The Department has played an instrumental role in developing
policies that have helped commerce over the Internet flourish. Over the
past two decades, the National Telecommunications and Information
Administration (NTIA), in its role as
[[Page 21228]]
principal adviser to the President on telecommunications policies, has
worked closely with other parts of government on these issues.\8\ In
1993, the White House formed the Information Infrastructure Task Force
(White House Task Force), chaired by the Secretary of Commerce, to
develop telecommunications and information policies to promote the
development of the Internet. The Privacy Working Group of the White
House Task Force, led by NTIA, published a report entitled Privacy and
the National Information Infrastructure. In the report, NTIA analyzed
the state of privacy in the United States as it relates to existing and
future communications services and recommended principles to govern the
collection, processing, storage and use of personal data.\9\ In 1997,
the White House Task Force noted NTIA's findings in publishing A
Framework for Global Electronic Commerce, proposing five principles for
international discussion to facilitate the growth of Internet
commerce.\10\
---------------------------------------------------------------------------
\8\ 47 U.S.C. 902 (noting NTIA has ``the authority to serve as
the President's principal adviser on telecommunications policies
pertaining to the Nation's economic and technological advancement
and to the regulation of the telecommunications industry.''); see
also Connecting America: The National Broadband Plan, http://
download.broadband.gov/plan/national-broadband-plan.pdf, page 55.
\9\ See National Telecommunications and Information
Administration, ``Privacy and the National Information
Infrastructure: Safeguarding Telecommunications-Related Personal
Information,'' Oct. 1995, http://www.ntia.doc.gov/ntiahome/
privwhitepaper.html.
\10\ See President William J. Clinton and Vice President Albert
Gore, Jr. ``A Framework for Global Electronic Commerce,''
Washington, DC. 1997, http://clinton4.nara.gov/WH/New/Commerce/
read.html.
---------------------------------------------------------------------------
Over subsequent years, the Department has worked in a number of
international fora to develop privacy and security guidelines that
foster international trade. ITA administers the U.S.-European Union
(EU) Safe Harbor Framework, which allows U.S. companies to meet the
requirements of the 1995 EU Directive on Data Protection for
transferring data outside of the European Union.\11\ ITA also
administers the U.S.-Swiss Safe Harbor Framework, which was implemented
in 2008. The Department played a significant role in the development of
the 1980 Organization for Economic Cooperation and Development (OECD)
Privacy Guidelines, the 2005 Asia Pacific Economic Cooperation (APEC)
Privacy Framework and the launch of the Trilateral Committee on
Transborder Data Flows in 2008. ITA also is involved in bilateral
Internet commerce and privacy policy initiatives with India, Japan,
China, Korea and other key countries. In addition, ITA works closely
with the Department's National Institute of Standards and Technology
(NIST) and U.S. industry in developing international standards covering
cybersecurity and data privacy.
---------------------------------------------------------------------------
\11\ For more information on the U.S.-EU Safe Harbor Framework,
see http://www.export.gov/safeharbor/.
---------------------------------------------------------------------------
Today, there is a domestic and global reassessment of approaches to
privacy given the fundamental changes in the information economy. The
Federal Trade Commission (FTC) recently hosted a series of public
roundtables to explore the privacy challenges posed by the wide array
of 21st century technology and business practices that collect and use
consumer data.
The goal of the roundtables was to determine how best to protect
consumer privacy while supporting beneficial uses of the information
and technological innovation. The FTC accepted public comments on these
issues through April 14, 2010, and FTC staff is now reviewing the
comments received.\12\ The Department of Commerce has participated in
these sessions and will continue to collaborate with the FTC going
forward. The National Broadband Plan (Plan), which the Federal
Communications Commission released on March 16, 2010, makes
recommendations for government action to address online privacy
issues.\13\ Specifically, the Plan recommended clarifying the
relationship between users and their online profiles; developing
trusted ``identity providers'' to help consumers manage their data; and
creating principles to require that customers provide informed consent
before service providers share certain types of information with third
parties.\14\ The Plan also urged the creation of a number of Internet
privacy-related innovations to enhance our nation's energy, education,
health care, and government performance.\15\
---------------------------------------------------------------------------
\12\ See Federal Trade Commission, Exploring Privacy: A
Roundtable Series, http://www.ftc.gov/bcp/workshops/
privacyroundtables/.
\13\ See Connecting America: The National Broadband Plan, http:/
/download.broadband.gov/plan/national-broadband-plan.pdf.
\14\ Id. at 55-56 (Recommendations 4.14-4.16).
\15\ Id. at 208. 234-35, 252, 253, 286 (Recommendations 10.4,
11.11, 12.2, 12.5, 14.6, 14.7).
---------------------------------------------------------------------------
Internationally, the OECD's Committee on Consumer Policy (CCP)
recently launched a review of the 1999 Guidelines for Consumer
Protection in the Context of E-Commerce.\16\ The OECD Working Party on
Information Security and Privacy (WPISP) is conducting a 30th
anniversary study of the 1980 OECD Guidelines Governing the Protection
of Privacy and Transborder Flows of Personal Data.\17\ The APEC
Electronic Commerce Steering Group is developing a system for cross-
border data flows among APEC members to implement its 2005 Privacy
Framework.\18\ The United States, Canada and Mexico recently finalized
a report highlighting the need to address impediments to transborder
data flows.\19\ Finally, the European Commission is evaluating and
considering changes to its 1995 Directive on Data Protection.\20\ Given
the global reevaluation of data privacy policies, the Task Force is
seeking to determine whether current privacy frameworks, or frameworks
that are in development, create barriers to innovation on the Internet
and, if so, how they might be addressed.
---------------------------------------------------------------------------
\16\ See OECD, Conference on Empowering E-Consumers:
Strengthening Consumer Protection in the Internet Economy,
Washington, DC, Dec. 8-10, 2009, http://www.oecd.org/document/20/
0,3343,en_21571361_43348316_43410324_1_1_1_1,00.html.
\17\ See OECD, The 30th Anniversary of the OECD Privacy
Guidelines, http://www.oecd.org/document/35/0,3343,en_2649_34255_
44488739_1_1_1_1,00.html.
\18\ See APEC, Data Privacy Pathfinder Projects Implementation
Work Plan, http://www.apec.org/apec/apec_groups/committee_on_
trade/electronic_commerce.html.
\19\ See Office of Technology and Electronic Commerce,
Trilateral Committee on Transborder Data Flow, http://spp.gov/pdf/
Eng_Statement_of_Free_Flow.pdf.
\20\ See European Commission, Freedom, Security, and Justice,
Data Protection, http://ec.europa.eu/justice_home/fsj/privacy/
index_en.htm.
---------------------------------------------------------------------------
Request for Comment
This Notice of Inquiry seeks comment on the impact of the current
privacy framework on Internet commerce and innovation, both from the
commercial and consumer perspective, as well as ways in which it may be
necessary to adjust today's privacy framework to preserve and even
enhance innovation and privacy in our new web-centric information
environment.
The questions below are intended to assist in framing the issues
and should not be construed as a limitation on comments that parties
may submit. The Department invites comment on the full range of issues
that may be presented by this inquiry. Comments that contain
references, studies, research and other empirical data that are not
widely published should include copies of the referenced materials with
the submitted comments.
1. The U.S. Privacy Framework Going Forward
Prior to releasing this Notice, the Department conducted listening
sessions with a wide range of
[[Page 21229]]
stakeholders in order to understand the questions most pertinent to
stakeholders in the commercial, academic and civil society sectors and
that have the greatest bearing on innovation and consumer expectations.
During the course of those conversations, the Department heard that the
customary notice and choice approach to consumer protection may be
outdated, especially in the context of information-intensive, highly
interactive, Web-based services. According to some, online interactions
and web-based information linkages have become so complicated that it
is increasingly difficult to provide consumers truly meaningful notice
and choice. In lieu of, or in addition to notice and choice, some have
advanced the notion that sophisticated data managers migrate to a
``use-based'' model.\21\ These assertions raise several questions.
---------------------------------------------------------------------------
\21\ Use-based rules regulate the types of uses (or purposes)
for which personal information may be employed as opposed to
regulating what personal data can be collected.
---------------------------------------------------------------------------
Does the existing privacy framework provide sufficient guidance to
the private sector to enable organizations to satisfy these laws and
regulations? Are there modifications to U.S. privacy laws, regulations
and self-regulatory systems that would better support innovation,
fundamental privacy principles and evolving consumer expectations? If
so, what areas require increased attention, either in the form of new
laws, regulations or self-regulatory practices? What is the state of
efforts to develop a self-regulatory privacy framework? Are there
certain minimum or default requirements that should be incorporated
either into self regulation or to law? What is the proper goal of
privacy laws and regulations: Should the focus on commercial data
privacy policy be on satisfying subjective consumer expectations or is
it also necessary to enact objective privacy principles?
Those addressing the utility of self-regulation should
differentiate between practices defined and monitored unilaterally by
an enterprise, and practices and monitoring systems developed by third-
parties. If a third-party develops best practices, what mechanisms
would be available for users and civil society to provide feedback? How
will industry sectors enforce best-practice regimes when it might not
be in their economic interest to do so?
Is the notice and choice approach to consumer data privacy still a
useful model? Are there alternative approaches or frameworks that might
be used instead of notice and choice? Those who urge a use-based model
for commercial data privacy should detail how they would go about
defining data protection obligations based on the type of data uses and
the potential harm associated with each use.\22\ Describe how a use-
based privacy system would work? How should policy makers determine
what constitute harmful uses of personal information in this model? Are
there examples from existing privacy laws and regulations that suggest
strengths and weakness of the ``use-based'' model? Is this ``use-
based'' model for commercial data privacy a workable approach for
companies and consumers? What is the relationship between use-based
privacy rules and proposed accountability systems?
---------------------------------------------------------------------------
\22\ For more information on the use-based model, see e.g., The
Business Forum for Consumer Privacy ``A Use and Obligations Approach
to Protecting Privacy: A Discussion Document,'' Dec. 7, 2009, http:/
/www.huntonfiles.com/files/webupload/CIPL_Use_and_Obligations_
White_Paper.pdf.
---------------------------------------------------------------------------
2. U.S. State Privacy Laws
Most U.S. states have data breach laws or private sector data
privacy laws, and some have both.\23\ These and other state laws and
regulations govern how companies can collect, use and disclose personal
data about citizens of each state. The Task Force seeks input on how
different state-level laws and regulations affect companies' compliance
costs and product development processes. The agencies seek comment on
whether a diversity of state privacy laws has a positive, negative or
neutral impact on the privacy rights of Internet users.
---------------------------------------------------------------------------
\23\ For a list of state data breach and data privacy laws see
The National Conference of State Legislatures, Telecommunications
and Information Technology, http://www.ncsl.org/
Default.aspx?TabID=756&tabs=951,71,539#539.
---------------------------------------------------------------------------
What, if any, hurdles do businesses face in complying with
different state laws concerning privacy and data protection? Is there
harmonization among state laws governing data protection? Please
describe any significant differences that exist between the states. How
does complying with multiple states' laws affect organizations'
business activities and ability to operate online? What types of
existing state laws have the greatest impact on companies' business
models? What approaches do companies take to comply with privacy laws
in multiple states? Have state laws that attempt to regulate location
privacy had an impact on the development of business models or the way
in which businesses introduce new products in various markets? \24\
What future directions in state law are anticipated? Does the variety
of technology-specific state laws help individual Internet users
exercise their rights, or does it create confusion for consumers? Have
technology-specific state privacy laws affected online innovation and
business development and, if so, how?
---------------------------------------------------------------------------
\24\ Locational privacy (also known as ``location privacy'') is
an individual's ability to move in public space with the expectation
that his or her location will not be systematically and secretly
recorded for later use.
---------------------------------------------------------------------------
3. International Privacy Laws and Regulations
A variety of foreign laws govern how companies collect, use and
share personal data. There are national laws, sub-national laws, a
region-wide Directive in the European Union in addition to member-state
laws and, in many countries, laws under development. The Task Force
seeks input on how international data privacy laws and regulations
affect global Internet commerce, companies' compliance costs and
product development process, and Internet users.
What, if any, hurdles do businesses face in complying with
different foreign laws concerning privacy and data protection? What
types of foreign privacy laws have the greatest impact on companies'
business models? What approaches have businesses used to comply with
laws in multiple foreign jurisdictions? Do foreign laws that contain
content-based restrictions impede global trade or foreign investment?
For example, are there laws that restrict the types of information that
may be transferred, displayed, published or posted online which have
deterred businesses from entering certain markets or from engaging in
certain cross-border activity? Are laws that permit governments to have
access to personal information an impediment to innovation or global
trade and investment? If so, are the laws themselves actually an
impediment, or is it the application and enforcement of such laws that
are of concern? What challenges do businesses face when trying to
transfer data across borders? What lessons have been learned from the
U.S.-EU Safe Harbor Framework that could be applied in the global
context? What mechanisms do organizations use to enable cross border
data transfers? To what extent if any do privacy laws outside the
United States create third party liability for Internet intermediaries
such as search engines, content hosting
[[Page 21230]]
services, Internet service providers or others? \25\
---------------------------------------------------------------------------
\25\ See, e.g., 47 U.S.C. 230(c) (2006) (``No provider or user
of an interactive computer service shall be treated as the publisher
or speaker of any information provided by another information
content provider.'').
---------------------------------------------------------------------------
How does the multiplicity of international privacy laws impact
Internet users? What models for protection of individual privacy rights
across borders have proven effective in the global environment of the
Internet? Can countries with different privacy rules cooperate to
protect the privacy interests of their citizens?
How might privacy regimes in the United States and other
jurisdictions across the globe be harmonized?
4. Jurisdictional Conflicts and Competing Legal Obligations
Today, cloud computing models allow organizations to collect,
store, access and process data in separate locations around the world.
This can create challenges for both companies and regulators in
determining where data is located and who has jurisdiction over that
data. In addition, different regulators may attempt to assert
jurisdiction over data or a company's business practices, which may
create conflicting or competing legal obligations. For example, one
jurisdiction may require a company to retain its data, while another
may ask that data be expunged after its use. The Task Force seeks
information on any jurisdictional conflicts companies and regulators
face as a result of data privacy laws, how they are reconciled and
what, if any, effect they have on trade and foreign investment.
Do organizations face jurisdictional disputes as a result of
domestic or foreign privacy laws? Please describe the types of
jurisdictional disputes that arise as a result of privacy laws. What,
if any, conflicting legal obligations do companies face as a result of
data privacy laws? How do companies address jurisdictional conflicts
and any resulting conflicting legal and regulatory obligations? How do
such conflicts affect the cost of doing business? Do jurisdictional
issues affect global sales of U.S. companies when the U.S. company
stores data from non-U.S. customers inside the United States? Does
cloud computing, or other methods of globally distributing and managing
data, raise specific issues with respect to jurisdiction of which
Commerce and regulators should be aware? Have jurisdictional conflicts
had any impact on U.S. consumers?
5. Sectoral Privacy Laws and Federal Guidelines
The U.S. privacy framework is composed of sectoral laws combined
with constitutional, statutory, regulatory and common law protections,
in addition to industry self-regulation. Sectoral laws govern the
handling of personal data considered most sensitive. For instance, the
Communications Act includes privacy protections that telecommunication
providers and cable operators must follow when handling the personal
information of subscribers.\26\ The Health Insurance Portability and
Accountability Act (HIPAA) stipulates how ``covered'' health care
entities can use and disclose data.\27\ The Fair Credit Reporting Act
(FCRA) governs how consumer reporting agencies share personal
information.\28\ The Gramm-Leach-Bliley Act (GLBA) covers certain data
held by financial institutions.\29\ The Children's Online Privacy
Protection Act (COPPA) protects information collected online about
children under 13.\30\ In addition to these sectoral laws, the Federal
Trade Commission Act (FTC Act) provides the FTC authority to combat
``unfair or deceptive'' business practices.\31\ The FTC also provides
guidance for businesses regarding privacy and security practices.\32\
These laws and guidelines affect U.S. economic activity by controlling
how organizations can use data to develop new products and services or
improve existing ones. The laws and guidelines differentiate between
categories of data (e.g., health care, financial and other), and they
differentiate between data subjects (e.g., children and others). The
Task Force seeks input on how the U.S. privacy framework affects
business innovation, accountability and compliance related to the use
of personal information.
---------------------------------------------------------------------------
\26\ See 47 U.S.C. 551 (2006) (Protection of Subscriber
Privacy).
\27\ See 42 U.S.C. 1320 (2006) (``A covered entity may not use
or disclose protected health information'' except as permitted by
statute.). For information on HIPPA, see http://www.hhs.gov/ocr/
privacy/.
\28\ See 15 U.S.C. 1681r (``Any officer or employee of a
consumer reporting agency who knowingly and willfully provides
information concerning an individual from the agency's files to a
person not authorized to receive that information shall be fined
under title 18, imprisoned for not more than 2 years, or both.'').
For information on the FCRA, see http://www.ftc.gov/os/statutes/
fcrajump.shtm.
\29\ See 15 U.S.C. 6801-09, 6821-27 (2006). See e.g., 15 U.S.C.
6801a (2006) (``It is the policy of the Congress that each financial
institution has an affirmative and continuing obligation to respect
the privacy of its customers and to protect the security and
confidentiality of those customers' nonpublic personal
information.''). For information on the GLBA, see http://
www.ftc.gov/privacy/privacyinitiatives/glbact.html.
\30\ See 15 U.S.C. 6501-06 (2006). See, e.g.,15 U.S.C. 6502a
(2006) (``It is unlawful for an operator of a website or online
service directed to children, or any operator that has actual
knowledge that it is collecting personal information from a child,
to collect personal information from a child in a manner that
violates the [statute].''). For information on the COPPA, see http:/
/www.ftc.gov/privacy/privacyinitiatives/childrens.html.
\31\ See 15 U.S.C. 41-58 (2006). See, e.g., 15 U.S.C. 45(a)
(2006) (``The Commission is hereby empowered and directed to prevent
persons, partnerships, or corporations * * * from using unfair
methods of competition in or affecting commerce and unfair or
deceptive acts or practices in or affecting commerce.''). For
information on the FTC Act, see http://www.ftc.gov/ogc/stat1.shtm.
\32\ See Federal Trade Commission, Privacy Initiatives, http://
www.ftc.gov/privacy/index.html.
---------------------------------------------------------------------------
How does the current sectoral approach to privacy regulation affect
consumer experiences, business practices or the development of new
business models? How does the sectoral approach affect individual
privacy expectations? What practices and principles do these sectoral
approaches have in common, how do they differ? Are there alternatives
or supplements to the sectoral approach that should be considered? What
can be done to make the current framework more conducive to business
development while ensuring effective privacy protections?
6. New Privacy-Enhancing Technologies and Information Management
Processes
Researchers at universities, think tanks, international
organizations and company laboratories are developing privacy-enhancing
technologies and business methods to implement company privacy policies
and user preferences and to increase company accountability.
Researchers, for example, are considering consumer-targeted systems
that employ text analysis and behavioral economics to create enhanced
notification to consumers about privacy policies or to manage the
information they are sharing. These technologies and ever-evolving,
internal business processes have become an integral component of
industry self-regulation. At the same time, researchers recognize the
limitations of privacy-enhancing technologies related to consumer and
industry adoption, new research demonstrating the possibility of data
re-identification,\33\ and the continued security risks posed by
hackers and other forms of electronic intrusion. The
[[Page 21231]]
Task Force seeks input on the development, use and acceptance of
privacy-related technologies and business processes and their potential
to enhance consumer trust in Internet commerce.
---------------------------------------------------------------------------
\33\ Re-identification is the process by which personal data is
matched with its true owner. In order to protect privacy of
consumers, personal identifiers, such as social security numbers,
are often removed from databases containing sensitive information.
This de-identified data safeguards consumer privacy. However,
computer scientists recently revealed that this ``anonymize'' data
can be re-identified, such that the sensitive information may be
linked back to an individual.
---------------------------------------------------------------------------
What is the state of development of technologies and business
methods aimed at: (1) Improving companies' ability to monitor and audit
their compliance with their privacy policy and expressed user
preferences; (2) using text analysis or similar technologies to provide
privacy notices; and (3) enabling anonymized browsing, communication
and authentication? Please describe any other ongoing efforts to
develop privacy-enhancing technologies or processes of which the
Commerce Department should be aware. How has recent research
demonstrating the possibility of data re-identification affected
anonymization research efforts? Have consumers or businesses readily
accepted or used these technologies when they were made available? What
steps can be taken to assure that privacy-enhancing business processes
are robust, complied with and regularly updated? Do technology
designers and implementers have the right balance of incentives to
include privacy considerations at the design phase of their work? Have
currently-available privacy-related technologies and processes
increased user trust or companies' ability to manage personal
information?
Finally, the FCC has raised a number of privacy-related
recommendations for government action.\34\ Specifically, the Plan
recommends clarifying the relationship between users and their online
profiles; developing trusted ``identity providers'' to assist consumers
manage their data; and creating principles to require customers provide
informed consent before service providers share certain types of
information with third parties. What kinds of contributions to privacy
and innovation could such identity providers make? What marketplace
experience is there with such trusted third parties? Are there any
services of this sort imagined by the FCC in operation today? Is any
government action needed to encourage the marketplace in this
direction?
---------------------------------------------------------------------------
\34\ See supra note 14.
---------------------------------------------------------------------------
7. Small and Medium-Sized Entities and Startup Companies
Small and medium-sized entities (SMEs) and startup companies face
the same data protection laws and guidelines as their larger
counterparts, but with fewer resources. The Task Force seeks input on
how the issues outlined above might uniquely affect smaller companies
and how these effects are managed.
How do existing privacy laws impact SMEs and startup companies?
Please describe any unique compliance burdens placed on smaller
companies as a result of existing privacy laws. Are there commercial or
collective tools available to address such issues? How might privacy
protections be better achieved in the SME environment? Have smaller
companies been unable to engage in certain types of business activities
as a result of existing privacy laws? Do foreign privacy laws pose a
barrier to SMEs' international business plans? If such unique burdens
do exist, what mechanisms do SMEs see as helpful for surmounting those
challenges?
8. The Role for Government/Commerce Department
The U.S. privacy framework described above is multi-faceted. The
combination of sector-specific laws for sensitive data, self-
regulation, complemented by FTC enforcement authority, transparent
privacy practices, and voluntary guidelines, have generated industry
best practices, privacy seal programs and private sector innovation to
enhance privacy disclosures and consumer choice regarding data usage.
In many, though not all cases, this has been a formula for success to
build on. Yet, surveys continue to indicate that consumers are
concerned or confused about what happens to their personal information
online. The Task Force seeks input on how to help address barriers to
increased innovation and consumer trust in the information economy.
How can the Commerce Department help address issues raised by this
Notice of Inquiry?
Dated: April 20, 2010.
Gary M. Locke,
Secretary of Commerce.
Lawrence E. Strickling,
Assistant Secretary for Communications and Information.
Francisco J. S[aacute]nchez,
Under Secretary of Commerce for International Trade.
Patrick Gallagher,
Director, National Institute of Standards and Technology.
[FR Doc. 2010-9450 Filed 4-22-10; 8:45 am]
BILLING CODE 3510-60-P