On December 1, the FTC issued its long awaited report in which it outlines a Proposed Framework for businesses and policy makers for the protection of personal data. The Proposed Framework would reach a broad range of commercial entities, both online and offline, that collect, maintain, share, or use consumer data. The protection would apply not only to what has traditionally been named “personally identifiable information” that can be reasonably linked to an individual, as this has been done in the past, but also to data that can be reasonably linked to a specific computer or device. (FTC Report, p. 42).
The proposed Framework is divided into three principles: (a) implementation of “Privacy by Design”, (b) simplification of choices for consumers; and (c) providing greater transparency.
Each of these principles, if adopted and followed by US businesses, would bring the United States closer to the practices that have been in place in Western Europe and many APAC countries for many years, and that are increasingly adopted elsewhere, such as in the Americas (Canada, Mexico, Argentina, Uruguay, etc.). However, significant gaps would remain.
Privacy by Design
Referring to the concept of “Privacy by design” coined by Ann Cavoukian, the Information and Privacy Commissioner of Ontario (Canada), the FTC Proposed Privacy Framework would require companies to build privacy protections into their everyday business practices. In addition, companies would be expected to promote privacy throughout their organizations, and at every stage of the development of their product and services
The Framework would require at least the following privacy protections:
- Providing reasonable security for consumer data;
- Collecting only the data needed for a specific business purpose;
- Retaining data only as long as necessary to fulfill that purpose;
- Safely disposing of data no longer being used; and
- Implementing reasonable procedures to promote data accuracy.
There are significant similarities between these principles and the rules that already exist in data protection laws in effect throughout the European Union and many countries on all continents. For example, Article 17 of the 1995 EU Data Protection Directive requires security measures. Further, ensuring data accuracy and limiting collection and retention of personal data are among the Principles Relating to Data Quality listed in Article 6 of the EU Data Protection Directive. Thus, the adoption of these privacy protections would take United States companies significant closer to their counterparts in the 50 + countries that have adopted data protection laws.
Comprehensive Data Management Procedures
The proposed FTC framework would also require companies to develop a reasonable privacy program and comprehensive data management procedures throughout the life cycle of their products and services. This program would include, for example:
- Assign personnel to oversee privacy issues;
- Train employees on privacy issues; and
- Conduct privacy impact assessments when developing new products and services.
Such concepts are not new, and they are consistent with prior guidelines that the FTC has provided in its consent orders, such as in its 2002 Final Consent Order in its case against Eli Lilly and Company.
As it has done in its prior communications, the FTC explains that implementation can be scaled to each company’s business operations. For example, a small amount of non-sensitive consumer data would require less stringent or comprehensive measures than vast amounts of consumer data. Companies that engage in the business of selling consumer data would be subject to higher scrutiny.
Putting in place an appropriate privacy program may require significant efforts for companies that have not yet appreciated the value of personal information, and the need to protect personal information of employees, customers and others who contribute to the wealth of the business, through their work, their purchases, or otherwise.
The concept of a comprehensive data management process is also one of the components of the recent “Communication 609” published in early November 2010 by the European Commission. The Communication, which is intended to outline proposed changes to the current EU data protection framework, would also require that national laws provide for the appointment of a “Data Protection Official” for companies over a certain size, and for the conduct of a Privacy Impact Assessment before launching a new product or service. (See Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.). Thus, in this respect, the Proposed FTC Framework and the proposed changes to the EU practices are consistent with each other.
Second, the proposed Framework would require companies to make it easier for consumer to understand their privacy practices and exercise choices, if any. The FTC provides a two-prong approach:
- Collection of data for “commonly accepted” purposes would not require prior consent of the data subject;
- For data practices that are not “commonly accepted,” consumers should be able to make informed and meaningful choices.
- Commonly Accepted Purposes
The FTC Report (see, page 43 of the report) provides examples of what would be “commonly accepted” purpose: product and services fulfillment; internal operations, fraud prevention, legal compliance and public purpose, and first party marketing. The view is that these practices are obvious from the nature of the transaction (e.g. delivery of a product) or sufficiently accepted or necessary for public policy reasons. Thus, it is not necessary to encumber the flow of data.
This concept is consistent with the view taken by the national laws of the EU Member States where the collection and processing of personal information (other than sensitive information) is permitted when it is necessary for the performance of a contract between the data subject and the entity collecting the data, for compliance with a legal obligations, or to protect public interest or the vital interest of the data subject. (See, e.g., Article 7 of the 1995 EU Data Protection Directive).
There is, however, a significant difference between the FTC view and the European view, in that the FTC Framework would allow the collection and processing of personal information for “first party marketing”, while this practice is restricted in the European Union to only the marketing of a similar product or service than that which the customer purchased previously. (See, e.g., Article 13, of the 2002 e-Privacy Directive). Thus, the US approach would be significantly more protective of business interests
Choice Required for Other Practices
For data practices that are not “commonly accepted,” the FTC Framework would require that privacy choices be clearly and concisely described and offered to consumers at the time when the consumers are making decisions about their data, such as when entering personal data or before accepting a product or service.
The current draft of the Proposed Framework is not yet clear as to the direction it will follow with respect to the collection and processing of sensitive information. The final Framework is likely to suggest restrictions to the collection and processing of sensitive information, and to specify what constitutes “sensitive information.”
While the concept of “sensitive data” has not yet been defined by the FTC or otherwise, in practice, the United States has identified “sensitive data” very differently than the rest of the world. Existing US laws – such as the laws pertaining to security breach disclosures – have mostly focused on identity theft, and have provided heightened protection to financial information and identity information, for instance. The rest of the world has generally identified as “sensitive,” information that pertains to our most intimate activities or thoughts, such as sexual preference, medical condition, or religious or philosophical beliefs.
In its Communication 609, the European Commission has announced that it would likely expand the definition of “sensitive information”, to include other types of information, such as genetic information. There has not been any expression of intent to include in this category any financial or identity information.
The third component of the FTC proposed Framework would focus on increasing the transparency of companies’ data handling practice. This would be achieved though several vehicles:
- Clearer, shorter, and more standardized privacy notices;
- Reasonable access to data maintained by the business;
- Prominent disclosures and affirmative express consent required when making material changes; and
- Consumer education.
- Privacy Notices
The FTC Report comments that privacy policies could play an important role in promoting transparency, accountability, and competition among companies if the policies are clear, concise, and easy-to-read. Thus, it would require that companies improve their privacy policies in order to allow a comparison of the data practices and choices across companies.
This requirement for simplicity and clarity is very similar to the call for ensuring that informed consent be provided that the EU Commission recently made in its Communication 609. In this document, the EU Commission commented that the opacity of privacy policies online makes it difficult for individuals to be aware of their rights and to give informed consent. Like the FTC, Communication 609 stresses the need for individuals to be well and clearly informed, in a transparent way, of the data controller’s data handling practices. The information must be easily accessible, easy to understand, and must be made using clear and plain language.
It is not surprising that both the United States and the European Union would express the same frustrations. In both regions, privacy notices have become lengthy, complex documents, that the average customer has trouble deciphering.
Access to Data
The FTC report also proposes providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers. Because of the significant costs associated with access, however, the report suggests that the extent of access might be proportional to both the sensitivity of the data and its intended use.
For many years, the right of access and correction has been absent from most privacy notices and privacy policies, except for those issued under HIPAA. On the other hand, the right of access and correction has been one of the most fundamental rights provided to individuals throughout the European Union, and in the non-EU countries that have followed the same principles.
Today, most US sites do not offer a right of access and modification; or this right is limited to the data that are published in the “my account” section of a site. It would be impossible, however to have access to the “dossier” that a company has created by compiling information about an individuals that would have been gathered through purchases from data brokers.
In contrast, many EU residents have enjoyed a right of access and correction for their data, for over 30 years. Nowadays, all EU residents enjoy a “right to know” (i.e. right to know whether an entity has data about them), a right of access, a right of correction, erasure, or blocking of data that are incomplete or inaccurate or have been collected or processed in violation of the applicable national law, and in some circumstances, a right to object to the processing of their data.
Further, in its Communication 609, the EU Commission has announced that the upcoming amendment to the data directives would provide enhanced rights for individuals, including: (a) requiring that access or correction be provided free of charge; (b) clarifying the right to prevent the processing of one’s data; and (c) the “right to be forgotten”.
The right of access to data and the associated rights have been one of the most significant differences between the United States and the rest of the world when comprising the privacy regimes throughout the world. With the proposed addition of a right of access and correction, the United States would be getting closer to the philosophies in effect in most the rest of the world.
Consent to Material Changes
In addition, under the Proposed Framework, all entities would be required to provide prominent disclosures and obtain affirmative consent for material, retroactive changes to data policies. For several years, the Federal Trade Commission has insisted that consumers should have the right to object to new uses of their information for purposes that had not been originally disclosed. For example, this requirement was expressed in the enforcement action against Gateway Learning, in 2004 (see, http://www.ftc.gov/opa/2004/09/fyi0454.shtm), and restated in several FTC documents (see, e.g., Behavioral Principles, http://www.ftc.gov/opa/2009/02/behavad.shtm).
This approach is consistent with the purpose limitation principle in effect in the EU (see, Article 6, 1995 Data Protection Directive), which requires that individuals consent to any new use of their personal information.
Finally, the Proposed Framework would require that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies.
This approach is also consistent with the views recently expressed by the European Union in Communication 609. The Commission has also acknowledged that it was necessary to increase the public’s understanding and awareness of privacy issues. The Commission proposes to set aside a budget for an awareness campaign.
Borders used to create a wall between countries, and prevented the free flow of people, information and goods. Cloud Computing and the Internet have shattered this wall, and we now live in a borderless world. Nevertheless, countries have retained their identify and their sovereignty within their territory, which results in significant discrepancies in the way legal issues are handled. This has been the case, for example, for the protection of personal data throughout the world. The discrepancies in the data protection regimes throughout the world hamper the free flow of the personal data. This challenge also creates a challenge to global commerce. The more similar the laws are, the easier it is for people, goods and ideas to move freely, and for commerce to flourish.
With its proposed Privacy Framework, the Federal Trade Commission is outlining a structure that would take the protection of personal data and privacy rights in the United States closer to the regimes in effect in most of the world’s leading economic powers. This progress should be very favorable to electronic and traditional commerce. It is important to encourage the efforts of the Federal Trade Commission, so that all countries can better exchange people and goods, and interstate and international commerce can prosper.