Late last month, the White House released a new Consumer Privacy Bill of Rights. This framework only applies to private uses of information, and does not change existing regulations on public uses of information. It supplements, rather than replaces, existing regulations on specific industries. While not a perfect document, this new bill of rights creates a promising foundation for the future enforcement of privacy rights. It is not in itself a solution to the proliferation of personal data on the internet, but it gives clear guidance as to how to proceed.
The basic problem, as framed by the White House, centers on the issue of trust in online interactions. So far, so good; it is promising that the report grounds internet regulation in fundamental values and acknowledges the significance of internet privacy as a basic element of contemporary economic and social life, rather than treating it as a niche issue. The report goes on to acknowledge that the United States has a central role in the architecture and the policies of the global internet, and that the Consumer Privacy Bill of Rights must take into account how it will fit with alternative information policies in other countries. It is a useful way of framing the issue, but unfortunately the content does not entirely live up to this promise. As mentioned above, this is an important step, but no more than that.
This Bill of Rights acknowledges that it builds upon principles first articulated in the early 1970s, when government agencies began to recognize that the storage of personal information in easily accessible digital records could create serious violations of privacy rights (a subject blogged about previously). These “Fair Information Practice Principles,” or FIPPs, are the basis of the current rights. There are seven identifiable rights in the document: individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability. It is an interesting and ambitious list, but that ambition is tempered by its reliance on industry self-regulation. For example, the do-not-track provisions largely follow those of the Digital Advertising Alliance, an industry group. In part, this position reflects the simple fact that the political will to enact new, robust legislation is not there. In part, it reflects a desire to use a “multistakeholder process” to balance commercial interests against consumer rights through an ongoing conversation.
This procedural aspect is touted as a virtue of American internet policy in that it retains flexibility and uniformity. However, while the report celebrates the successes of this approach in the 1990s and 2000s, the need for the Consumer Privacy Bill of Rights suggests that we have reached a point where the issue of privacy rights must be confronted directly. The National Telecommunications and Information Administration (NTIA) within the Department of Commerce will be responsible for convening these multistakeholder deliberations, while the FTC and State Attorneys General will be responsible for enforcement. Under this framework, the elements of this Bill of Rights are not so much rights that individuals can invoke, but guiding values for the multistakeholder deliberations. As the report acknowledges, this bill of rights “should be the legal baseline that governs consumer data privacy in the United States.”
While trying to bring order to the data policies of private corporations, the structure of this Bill of Rights has some fundamental differences with the European rights-based approach currently under discussion. While the European approach is not without its problems, it goes much farther in establishing individual, enforceable privacy rights. The virtue of the White House’s approach is its feasibility; while privacy groups have correctly pointed out its shortcomings, it does promise a sensible improvement over the status quo.
The question we should be asking now is how to use this multistakeholder framework in order to give an effective voice to privacy rights advocates. It is hard to imagine that advocacy groups will have their positions represented as well as internet companies unless they have strong legal rights to latch onto, which is what this Consumer Privacy Bill of Rights fails to do. It is a promising start, but its effectiveness will depend on how strongly the responsible agencies push.