FPF Senior Fellow Peter Swire: FTC Deserves Praise for Its De-Identification “Safe Harbor”

Surprisingly to most observers, one of the biggest effects of the new FTC report will be in the area of de-identified data.  The FTC’s new approach, highlighted by them as the top issue of interest to techies, provides a major incentive for companies to improve their data processes.

The earlier report would have applied to “consumer data that can be reasonably linked to a specific consumer, computer, or other device.”  The debate has been about what it means to be “reasonably linked.”  Consumer groups have correctly focused on the risks to consumers — new technology can link a vast range of data to individual consumers. Industry has correctly focused on the problems that come with an over-broad definition of “reasonably linked,” which could extend privacy rules to an almost unlimited range of data processing.

I believe the FTC has found a Goldilocks solution for the problem of de-identified data.  The FTC provides what amounts to a safe harbor where: “(1) a given data set is not reasonably identifiable; (2) the company publicly commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in de-identified form.”

The FTC approach provides a major incentive for companies to comply with the de-identification safe harbor.  For data in the safe harbor, all of the other privacy requirements do not apply.  That reduces the scope and cost of compliance.

The FTC approach correctly recognizes that a promise not to re-identify data is key.  Once a company makes that promise, it is subject to enforcement for a deceptive practice under Section 5 of the FTC Act.  The company thus will have a strong reason to control its internal processes, to make sure that data that should be de-identified stays de-identified.

Similarly, the requirement of promises from the downstream users keeps data protected against the main risks.  Data that can be potentially re-identified stays within a protected bubble – the companies promise not to re-identify, on pain of Section 5 enforcement.

I have long believed that technical controls are not enough to protect consumers against possible re-identification, as shown in a 2009 report by the Center for Democracy and Technology and my December talk on de-identified data.  The best path is to have reasonably strong technical protections, supplemented by the sorts of enforceable promises that the FTC report supports.

In short, companies now will have an important incentive to comply with the de-identification safe harbor, so that their other databases won’t have to comply with privacy requirements.  The result will be better data practices for the information that could otherwise cause the most risk to consumers.

Going forward, defining the scope of this “safe harbor” could be a good candidate for a multi-stakeholder process facilitated by the U.S. Department of Commerce.  The Administration is asking for public comments on “substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct.”  By defining the meaning of “reasonably identifiable” in concrete settings, companies will have a stronger incentive to put effective de-identification measures into place.

Please see slides and videos for a recap of FPF’s December 5, 2011 event “Personal Information: The Benefits and Risks of De-Identified Data.”

FPF Responds to FTC Release of Final Privacy Framework Report

Please see below for FPF’s comments on today’s release of the FTC Final Privacy Framework Report. Today’s report follows a preliminary staff report that the FTC issued in December 2010.

Jules Polonetsky, Director and Co-Chair of the Future of Privacy Forum:

“Although the FTC calls for legislation, the focus of the report is a strong demand for an acceleration of industry best practices efforts.  Whether it is finalizing Do Not Track, creating a central data broker opt-out site, or implementing standardized notices, the Commission is urging industry to take action itself.

Like the Commerce Department, the FTC also sensibly focuses on “the context of the consumer’s interaction with a business” to try to ensure new innovative uses of data are permissible. The Commission held to the basic ideas of the staff report, but responded to business and advocacy concerns by adding more nuance and flexibility.”

Christopher Wolf, Founder and Co-Chair of the Future of Privacy Forum:

“First, it is gratifying to see that the input provided by the Future of Privacy Forum was useful to the FTC, which repeatedly cites the Forum in the Report.

Second, the FTC’s definition of the scope of privacy protection is flexible and sensible, and allows for use of de-identified data.

Third, it is not surprising that the Commission joins in the call for baseline privacy legislation and data security legislation. There appears to be a groundswell of support for legislation. With that said, the FTC has called for legislation before, so by itself, this support will not necessarily lead to legislation anytime soon. Thus, improvements to the existing framework remain important.

On Do Not Track, the FTC correctly is prepared to wait for the ongoing self-regulatory efforts to proceed.  A lot of progress has been made and can be expected.

On mobile, the FTC correctly supports further self-regulation, which makes sense given the complexity of the issues involved. The Future of Privacy Forum is convening an App Privacy Summit at Stanford University on April 25, related to this. On data brokers, the FTC is correct to call for protection proportionate to the sensitivity of the data. There is much work industry can do, and a self-regulatory approach makes sense given the complexities.

The reference in the Report to ‘Large Platform Providers’ is a welcome reference that focuses on functions rather than the specific technology used. For example, it has been a mistake in the past to focus solely on ISPs without considering other companies that collect and use (or could collect and use) as much information as ISPs.”

For any questions, please email [email protected].

Mar. 26, 2012 – Consumer Privacy in Focus as Regulators Zero in on Mobile, Street Fight

Mar. 23, 2012 – Facebook addresses more privacy concerns; user doubts are still biggest threat to growth, Washington Post

Mar. 23, 2012 – Facebook takes steps to address privacy concerns, Atlanta Journal Constitution

Mar. 23, 2012 – Facebook takes steps to address privacy concerns, Huffington Post Tech

Mar. 23, 2012 – Nation and World: Facebook can't win on privacy issue, Star Telegram

Georgetown Hosts Lawful Access to the Cloud Seminar

On Tuesday, Georgetown’s Law School hosted a seminar titled “Lawful Access to the Cloud.” The seminar’s panelists grappled with how to find the right balance between civil liberties and legitimate law enforcement needs to access data in the cloud.

The morning’s first panel focused on lawful access to data in the U.S., and the second panel focused on law enforcement access to data in the E.U. Bruce Schwartz, Deputy Assistant Attorney General at the U.S. Justice Department, began the day by pushing back at the widespread perception that the U.S. has less protection than the E.U. for data stored in the cloud. In fact, he said, the U.S. has greater protections for electronically stored data than the E.U. The Center for Democracy and Technology’s President and CEO, Leslie Harris, responded that the most important criterion for laws and practices regarding lawful access to data in the cloud is conforming to citizens’ expectations. Harris submitted that most users would be very surprised at the permissiveness of the current legislative structure in the U.S. regarding lawful access to data in the cloud.

Next, Mark Rasch, the Director of Cybersecurity and Privacy Consulting at CSC, examined several of the ways that the cloud is different from previous technologies and explained how much of the legal structure regarding lawful access to electronic communication is hopelessly out of date. The final panelist, Fred Cate, Professor of Law and Director of the Center for Applied Cybersecurity Research at Indiana University, talked about how U.S. lawful access statutes need to change more quickly. He also argued that the U.S. government needs to do a much better job being transparent and accountable about lawful access to electronically stored information.

Peter Swire, Senior Fellow at FPF and the C. William O’Neill Professor of Law at the Ohio State University, began the second panel by explaining that the widespread use of encryption has led law enforcement to increasingly rely on accessing data stored in the cloud. Widespread encryption makes it very difficult for law enforcement officials to access encrypted electronic communications as they are being sent, so law enforcement places greater emphasis on accessing the unencrypted, stored communications in the cloud. Swire then gave an overview of UK data protection laws and pointed out that the laws in the UK in many respects are more permissive than U.S. law.

Following Swire, Google’s Richard Salgado talked about the practices his company follows regarding lawful access. Salgado explained that Google’s policies are based on the reasonable privacy expectations of users. Google, he said, works hard to be transparent and, when legal, provides notices to consumers when their data is accessed by law enforcement. Emilio de Capitani, former Head of Unit at the Committee on Citizens’ Freedoms and Rights in the European Parliament, rounded out the day. He gave an overview of E.U. laws governing lawful access and discussed some of the challenges facing E.U. member states as they try to increasingly standardize their policies for lawful access to data.

Throughout the day, several themes emerged time and again. The seminar made it clear that there is a significant amount of uncertainty about the laws and practices of lawful access in both the U.S. and the E.U. Secondly, U.S. laws regarding lawful access are very outdated and need to be updated to take into account the technological changes that have emerged during the last several decades. Finally, many foreign companies and countries believe that U.S. laws regarding lawful access, especially the PATRIOT Act, allow the U.S. government very significant access to electronically stored data. Regardless of the validity, this fear is having an adverse effect on the ability of U.S. cloud providers to sell their services overseas.

 

-Peter Swire and Steven Beale

App Developer Privacy Summit – April 25th

FPF Responds to WH Announcement on Green Button Initiative

WASHINGTON – Today, the White House announced that 9 new utilities have committed to adopting the industry-led Green Button Initiative, joining 6 previously announced commitments, for a total of 27 million homes committed.

The statement below can be attributed to Jules Polonetsky, Director and Co-Chair of the Future of Privacy Forum.

“Offering consumers access to their data provides the kind of transparency that enhances privacy.  By showing consumers the details of energy usage data, utilities are taking an important step to ensure that smart meters are a key benefit intended to help consumers be smarter about energy use.

With appropriate privacy programs in place, access to data will increasingly empower consumers to use their data to manage smart home devices that will advance innovation and consumer control.”

For any questions, or to schedule a phone call with Jules Polonetsky, please email [email protected].

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.