Public Comments: January 2011 – Regarding Information Privacy and Innovation in the Internet Economy
The World Privacy Forum wrote these comments in response to the Green Paper of the Department of Commerce Internet Policy Task Force titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. (URL: http://www.commerce.gov/sites/default/files/documents/2010/december/iptf-privacy-green-paper.pdf).
Comments of the World Privacy Forum
U.S. Department of Commerce Regarding Information Privacy and Innovation in the Internet Economy, RIN 0660-XA22
Via email to firstname.lastname@example.org
Office of the Secretary
National Telecommunications and Information Administration
US Department of Commerce
1401 Constitution Ave., NW
Washington DC 20230
Re: RIN 0660-XA22. Federal Register: December 21, 2010 (Volume 75, Number 244) Page 80042-80044.
January 28, 2011
The World Privacy Forum is pleased to have this opportunity to comment on the Green Paper of the Department of Commerce Internet Policy Task Force titled Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. (URL: http://www.commerce.gov/sites/default/files/documents/2010/december/iptf-privacy-green-paper.pdf).
The World Privacy Forum is a non-profit, non-partisan public interest research group that focuses on analysis and research of privacy issues, including issues relating to health care privacy, technology, and online/offline data privacy. More information on our work may be found at http://www.worldprivacyforum.org.
1. The Department of Commerce’s Safe Harbor Framework
The Department’s green paper discusses the Department of Commerce’s activities regarding the US and EU Safe Harbor Framework. On page 44, the paper states:
The approach taken to resolve issues between the United States and the European Union (EU) when the EU passed its Data Protection Directive in 1995 illustrates how safe harbors have been successful. *** It is widely regarded as a successful option for bridging the divide between the different approaches to privacy protection between the United States and the EU when it comes to cross-border transfers for commercial purposes.
It is difficult to understand how anyone, including the Department, can use the word successful to describe its Safe Harbor Framework. A month before the paper’s release, the World Privacy Forum released a report The US Department of Commerce and International Privacy Activities: Indifference and Neglect (Nov. 22, 2010). We reproduce here the findings of the WPF report that specifically pertain to the Safe Harbor Framework:
The Department of Commerce’s actions on international privacy matters have often been characterized by highly visible but ineffectively administered programs that lack rigor. As this report discusses, three separate studies show that many and perhaps most Safe Harbor participants do not comply with their obligations under the Safe Harbor Framework. The Department of Commerce has thus far carried out its functions regarding the Safe Harbor program without ensuring that organizations claiming to comply with the Safe Harbor requirements are actually doing so.
There is no evidence that the Department of Commerce has conducted any type of audit or significant review of the Safe Harbor Framework since the program began in 2000. If there has been an audit or review, it has not been made public in any meaningful way. Any substantive shortcomings of the Safe Harbor Framework are the joint responsibility of the Department of Commerce and the European Union and as such are beyond the scope of this report. The European Commission ordered two studies of Safe Harbor, but took no significant action based on the consistent and critical findings of the studies. A third and more recent study confirmed that serious problems continue to exist with Safe Harbor compliance by US organizations. It is apparent from these studies that the Department of Commerce has not done enough to fully carry out its Safe Harbor responsibilities.
The Department of Commerce’s failure to demand compliance with Safe Harbor requirements has so undermined the value of the program that some European data protection authorities are no longer willing to rely on a participating organization’s self-certification as reflected on the Department of Commerce’s Safe Harbor website.
The three studies cited in these findings were conducted in 2001, 2004, and 2008. The findings of all studies are remarkably similar, showing that many and perhaps most participants in the Safe Harbor Framework do not comply with their commitments and that compliance has been a problem since the beginning of the Safe Harbor Framework.
The WPF report also discusses more recent activities. In April 2010, a working group of the German federal and state data protection authorities told businesses that export data from Germany to the United States that a data exporter may not rely on Safe Harbor self-certification and must instead verify whether a US data importer actually complies with the Safe Harbor requirements. In other words, the Safe Harbor Framework is no longer recognized in Germany.
To summarize, the Safe Harbor Framework has been consistently criticized for a widespread lack of compliance by participants with the requirements of the Safe Harbor, and the entire Safe Harbor Framework has now been rejected by the data protection authorities of a major European country. By what measure can the Department assert that the Safe Harbor Framework is a success?
We are afraid that the answer to this question reveals the mindset of the Department. The US-EU Safe Harbor Framework was not successful in achieving its stated goals. It was not successful in achieving better privacy protections for personal information exported to the US from Europe.
The US-EU Safe Harbor Framework was successful only by one measure. It succeeded for a time in papering over a significant privacy problem that had the potential to disrupt international trade. In our view, both the US and the EU showed indifference to the protection of personal privacy and acted jointly to provide a cover for business as usual for international trade. The Department of Commerce could have forced companies in the Safe Harbor Framework to comply with the requirements, but the Department did not do so.
What is most troubling here is the Green Paper’s proposal to build on the supposed success of the Safe Harbor Framework in encouraging the development of voluntary, enforceable privacy codes of conduct in specific industries under the direction of a new privacy office at the Department of Commerce. If the failed Safe Harbor Framework is the model for further voluntary actions on the part of industry, then we have to question the sincerity of this new effort at privacy protection. Is this new effort to serve the same ends as the Safe Harbor Framework? Is the real purpose to paper over the issues and kick the problem down the road rather than deal fairly with the privacy needs and interests of American consumers?
We draw a different conclusion from the 2000 US-EU Safe Harbor Framework than articulated in the Green Paper. There has been a series of other self-regulatory activities for privacy by US businesses. They include the Online Privacy Alliance, the Better Business Bureau’s Online Privacy Program, the Individual Reference Service Group (IRSG), the Privacy Leadership Initiative, the Network Advertising Initiative, and the Platform for Privacy Preferences (P3P). Every single one of these activities has failed to sustain any meaningful privacy for consumers.
Not all, but most of these activities have disappeared altogether. These privacy self-regulatory activities continued only as long as regulators or legislators were actively threatening to take action, and when the threats lessened, the self-regulatory efforts also tended to evaporate. The Safe Harbor Framework continues, but the program in its current state is inert in many important respects.
The Department of Commerce should take an honest look at privacy self-regulation and should confront the shortcomings that have consistently characterized American self-regulatory activities. The Safe Harbor Framework’s failures are obvious to everyone who has looked squarely at the program. If the Department cannot confront its own shortcomings in the privacy arena, admit its own failures, and institute improvements, then there is little hope that the Department can fairly and usefully supervise any privacy self-regulatory program, convince consumers that the Department can be an honest broker, or show the rest of the world that American businesses can be trusted to provide consumer privacy protections with legally enforceable rules.
Another finding of the WPF report was that consumers in the United States and elsewhere cannot reasonably expect the Department of Commerce to pay much, if any, attention to their privacy interests. The Green Paper offers nothing to change this conclusion. A Department that calls its Safe Harbor Framework a success without any recognition of its shortcomings cannot expect consumers to accept new claims from the Department that it will work fairly to address consumer privacy concerns.
2. The proposed stakeholder process lacks rigor and definition
One of the principal recommendations of the Green Paper is for voluntary, enforceable codes of conduct, a phrase repeated a dozen times in the Paper. Specifically, the Green Paper recommends “legislation that would create a safe harbor for companies that adhere to appropriate voluntary, enforceable codes of conduct that have been developed through open, multi-stakeholder processes.”
We have a few problems here. First, as discussed above, the historical record shows that privacy self-regulation by American business has been a consistent failure. The Department’s own Safe Harbor Framework might in fact be the poster child for privacy self-regulatory failure. The case for more self-regulation has not been unambiguously made, nor has the case for Commerce Department supervision of this process. The Green Paper fails to acknowledge adequately the problems with privacy self-regulation, hoping instead that the current industry programs will magically be different from those that came before. Like Charlie Brown, the Department recommends charging ahead to kick the self-regulatory football notwithstanding the consistent pattern of past failures. The Green Paper assumes that a self-regulatory program operating today will continue in the future, when evidence demonstrates otherwise.
Second, we wonder if the Green Paper authors spent enough time considering the reality of voluntary codes of conduct. How many codes of conduct would be necessary? This is a hard question to answer, but it could easily number in the dozens or conceivably even in the hundreds. The search engine industry may need its own code. Electronic mail providers may need their own code. Internet merchants would need a code. Social networking websites may need their own code and perhaps in multiple flavors depending on the audience and business models employed. Even if there were as few as a dozen codes, it is quite likely that a single business would have activities that fall within the domain of more than one code. The possibility of self-regulatory jurisdictional conflicts is both foreseeable and unaddressed in the Green Paper.
It is too easy to support voluntary codes of conduct in the abstract without confronting how they would be structured and how they would operate. The reality will be much harder, and implementing codes of conduct could be as difficult or more difficult than substantive privacy legislation. How consumers will understand and live under multiple different codes of conduct is another difficult question that the Green Paper does not consider.
Third, the recommendations put too many eggs in the FTC oversight and enforcement basket. Whether the FTC has done a good job with privacy oversight and enforcement is a question that we choose not to debate here, but we observe that a wide range of views on the FTC’s performance is readily available. Whether the FTC has the resources or willingness to undertake all of the activity, supervision, and enforcement that the Green Paper envisions is highly uncertain. More FTC activities in one area of its responsibility would likely mean less in other areas. Whether other consumer protection activities would disappear is unknown. It was a generous gesture for the Department to propose that it would fund a Privacy Office out of existing resources, but it seems that the Department also wants to impose on the FTC the same obligation to expend additional funds without considering the consequences.
Fourth, the Green Paper repeatedly proposes an open, multi-stakeholder process. The World Privacy Forum welcomes the notion of a multi-stakeholder process for developing privacy rules. Some of the failures of existing privacy self-regulatory activities are the result of a lack of participation by consumers. When self-regulation is controlled entirely by those being regulated – even if there is a cursory role for a regulatory or government agency – it is inevitable that self-regulation will lose rigor and fail. The only way for self-regulation to have a chance to help consumers and businesses is for there to be dynamic tension in the process. That tension will only be sustained by active participation by consumers.
The Green Paper does not address how an open, multi-stakeholder process will function, who will participate, and what procedures will apply. We would like to begin the discussion of these process issues by suggesting that:
1) Consumer and business representation be equal in any multi-stakeholder process.
2) Approval of consumer representatives must be a necessary element in any formal decisions, just as the approval of business will be necessary.
3) Consumers must select their own representatives through a process yet to be determined, and consumer representatives may not be designated or limited by business or government.
4) Consumer organizations that require financial assistance to participate in the multi-stakeholder process should receive support for travel and other expenses (but not for staff support).
5) Government agencies may participate in the process, but no agency may have a vote.
6) Participants in the process must choose their own rules and presiding officer.
7) Certifiers of accountability with codes of conduct should be not-for-profit organizations that are wholly independent of business, consumers, and government.
We note that in the Green Paper itself, in notable contrast to the FTC paper arising from its Privacy Roundtable series, the Department ignored a substantial number of privacy and civil liberty groups active in the privacy arena. If the Green Paper is a precursor to the stakeholder groups, then we have concerns about the fairness and equitability of the process.
Note on the Network Advertising Initiative: The NAI is currently undertaking work on a self-regulatory code of conduct for online behavioral advertising and for an enhanced notice icon. Whether these efforts will prove successful in the long term remains to be seen because regulatory and legislative threats are significant today. The past may provide a clue to the future. In 2000, the NAI also undertook a major privacy self-regulatory effort. That effort was the subject of a 2007 World Privacy Forum report titled THE NETWORK ADVERTISING INITIATIVE: Failing at Consumer Protection and at Self-Regulation, http://www.worldprivacyforum.org/pdf/WPF_NAI_report_Nov2_2007fs.pdf. The 2000 NAI effort failed by virtually every measure except one. It succeeded in “lulling regulators into thinking that self-regulation fairly and effectively addresses the interests of consumers who are the targets of behavioral advertising.” Id.