On Monday, March 5th Jules Polonetsky interviewed with the NewsChannel 8 program “Capital Insider.” Viewers in Maryland, Virginia and Washington, DC watched Jules speak about mobile app privacy issues and Google’s privacy policy. To watch the interview, please click here.
Kudos to Yahoo for once again being an industry leader in advancing online privacy measures. We were pleased to work with Yahoo on both the first implementation of an industry symbol labeling behavioral ads, as well as their Ad Preference manager. As the FTC continues to urge successful Do Not Track implementation as an alternative to a Do Not Track law, it is critical that companies show progress by offering users actionable tools. Although there are details still to be worked out in fleshing out the parameters of Do Not Track between industry, browsers, and the W3C, real progress through major Do Not Track implementations demonstrates that business practical privacy enhancing steps are truly feasible. To see Yahoo’s post on the news, please click here.
Tomorrow morning from 8:30am – 10:30 am, Jules and Chris will participate in “The Latest Developments in Internet Privacy,” a panel hosted by ISOC-DC TV at SRI International (1100 Wilson Blvd. Suite 2800 Arlington, VA). Justin Brookman, Director of the Project on Consumer Privacy at the Center for Democracy and Technology will also participate on the panel. Free registration and more information about the event can be found here. The event will also be livestreamed here.
The Federal Trade Commission released its report on consumer privacy on Monday to provide policy recommendations for American businesses and legislators. Combined with the recently released Privacy Bill of Rights, the report helps lay out a path for the emerging comprehensive US data privacy framework.
As the EU also advances a revision of its data privacy regime through its new draft regulation a key factor to examine is how the two continents’ modified approaches will interact. Put another way, considering the need for data collection and processing, are the two distinct privacy regimes becoming more interoperable or are they diverging?
For example, the three documents consider when consumer choice (known as consent in the EU) should be offered before personal data can be collected or further processed. While the FTC report and Privacy Bill of Rights may result in a simplification of consumer choice principles, the EU draft regulation aims to toughen the concept by requiring “explicit consent”.
The major difference is in the two continents’ approach to individual control, i.e. when and to what degree must choice and transparency be provided to the data subject before the controller is able to collect data. The US’s proposed approach relies on the concept of “context”, meaning that processing should only be carried out in the context of the services requested by the consumer. The EU’s draft regulation, by contrast, calls for controllers to demonstrate a “legitimate basis” for data processing.
In both cases, companies are limited to processing data for purposes that are compatible with the original collection of data. Furthermore, both concepts have been proposed in an effort to allow companies to fulfill their contractual obligations to data subjects without having to solicit permission for each required data operation.
However, While the EU’s “legitimate basis” is exclusively intended to be a derogation from a process which otherwise relies on strict (explicit) consent, the US provides a framework in which companies need only provide choice and heightened transparency when data is used in a manner diverging from “commonly accepted principles”, i.e. when processing is outside the context of why a particular set of data was collected.
The ability for data collection to lead innovation has propelled the debates on choice and explicit consent to become a key issue in today’s global privacy debate. Forthcoming legislation will determine whether data privacy regulation is compatible with innovation and therefore provides policy-makers on both sides of the Atlantic with the opportunity to bridge the gap between their distinct privacy approaches.
-Julian Flamant
Surprisingly to most observers, one of the biggest effects of the new FTC report will be in the area of de-identified data. The FTC’s new approach, highlighted by them as the top issue of interest to techies, provides a major incentive for companies to improve their data processes.
The earlier report would have applied to “consumer data that can be reasonably linked to a specific consumer, computer, or other device.” The debate has been about what it means to be “reasonably linked.” Consumer groups have correctly focused on the risks to consumers — new technology can link a vast range of data to individual consumers. Industry has correctly focused on the problems that come with an over-broad definition of “reasonably linked,” which could extend privacy rules to an almost unlimited range of data processing.
I believe the FTC has found a Goldilocks solution for the problem of de-identified data. The FTC provides what amounts to a safe harbor where: “(1) a given data set is not reasonably identifiable; (2) the company publicly commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in de-identified form.”
The FTC approach provides a major incentive for companies to comply with the de-identification safe harbor. For data in the safe harbor, all of the other privacy requirements do not apply. That reduces the scope and cost of compliance.
The FTC approach correctly recognizes that a promise not to re-identify data is key. Once a company makes that promise, it is subject to enforcement for a deceptive practice under Section 5 of the FTC Act. The company thus will have a strong reason to control its internal processes, to make sure that data that should be de-identified stays de-identified.
Similarly, the requirement of promises from the downstream users keeps data protected against the main risks. Data that can be potentially re-identified stays within a protected bubble – the companies promise not to re-identify, on pain of Section 5 enforcement.
I have long believed that technical controls are not enough to protect consumers against possible re-identification, as shown in a 2009 report by the Center for Democracy and Technology and my December talk on de-identified data. The best path is to have reasonably strong technical protections, supplemented by the sorts of enforceable promises that the FTC report supports.
In short, companies now will have an important incentive to comply with the de-identification safe harbor, so that their other databases won’t have to comply with privacy requirements. The result will be better data practices for the information that could otherwise cause the most risk to consumers.
Going forward, defining the scope of this “safe harbor” could be a good candidate for a multi-stakeholder process facilitated by the U.S. Department of Commerce. The Administration is asking for public comments on “substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct.” By defining the meaning of “reasonably identifiable” in concrete settings, companies will have a stronger incentive to put effective de-identification measures into place.
Please see slides and videos for a recap of FPF’s December 5, 2011 event “Personal Information: The Benefits and Risks of De-Identified Data.”
Please see below for FPF’s comments on today’s release of the FTC Final Privacy Framework Report. Today’s report follows a preliminary staff report that the FTC issued in December 2010.
Jules Polonetsky, Director and Co-Chair of the Future of Privacy Forum:
“Although the FTC calls for legislation, the focus of the report is a strong demand for an acceleration of industry best practices efforts. Whether it is finalizing Do Not Track, creating a central data broker opt-out site, or implementing standardized notices, the Commission is urging industry to take action itself.
Like the Commerce Department, the FTC also sensibly focuses on “the context of the consumers interaction with a business” to try to ensure new innovative uses of data are permissible. The Commission held to the basic ideas of the staff report, but responded to business and advocacy concerns by adding more nuance and flexibility.”
Christopher Wolf, Founder and Co-Chair of the Future of Privacy Forum:
“First, it is gratifying to see that the input provided by the Future of Privacy Forum was useful to the FTC, which repeatedly cites the Forum in the Report.
Second, the FTC’s definition of the scope of privacy protection is flexible and sensible, and allows for use of de-identified data.
Third, it is not surprising that the Commission joins in the call for baseline privacy legislation and data security legislation. There appears to be a groundswell of support for legislation. With that said, the FTC has called for legislation before, so by itself, this support will not necessarily lead to legislation anytime soon. Thus, improvements to the existing framework remain important.
On Do Not Track, the FTC correctly is prepared to wait for the ongoing self-regulatory efforts to proceed. A lot of progress has been made and can be expected.
On mobile, the FTC correctly supports further self-regulation, which makes sense given the complexity of the issues involved. The Future of Privacy Forum is convening an App Privacy Summit at Stanford University on April 25, related to this. On data brokers, the FTC is correct to call for protection proportionate to the sensitivity of the data. There is much work industry can do, and a self-regulatory approach makes sense given the complexities.
The reference in the Report to ‘Large Platform Providers’ is a welcome reference that focuses on functions rather than the specific technology used. For example, It has been a mistake in the past to focus solely on ISPs without considering other companies that collect and use (or could collect and use) as much information as ISPs.”
For any questions, please email [email protected].