thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, February 28, 2015

White House releases draft Consumer Privacy Bill

The US "Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015" was released yesterday. It follows up on the 2012 "Consumer Privacy Bill of Rights" from President Obama.

The draft bill sets out some basic definitions and principles, such as "reasonable" collection of personal data, and consumer rights, such as access to their own data. For enforcement, it gives the Federal Trade Commission the power to approve and enforce Codes of Conduct submitted by different industry sectors. So far, the FTC has enforced certain data protection rules under Title V of the FTC Act, which prohibits "unfair and deceptive trade practices".

At first glance, the draft has a number of serious issues, especially if you look at it from an EU data protection perspective. A few points are worth mentioning:

1) The bill exempts "Cybersecurity data" from its scope:
"The term “personal data” shall not include cyber threat indicators collected, processed, created, used, retained, or disclosed in order to investigate, mitigate, or otherwise respond to a cybersecurity threat or incident, when processed for those purposes."
This does not make any sense. It may be reasonable to allow the processing of personal data for IT security purposes (as certain drafts of the planned EU data protection regulation do), but with this approach, things such as IP addresses are removed from the scope of the privacy bill altogether, rather than merely being permitted to be processed for security purposes.

2) The bill is contradictory. It states in section 103:
"If a covered entity processes personal data in a manner that is reasonable in light of context, this section does not apply",
and then in section 104, it says
"Each covered entity may only collect, retain, and use personal data in a manner that is reasonable in light of context."
To me it is completely unclear when section 103 would apply at all...

3) Title III of the bill recycles the "Safe Harbor" term and the idea of self-certification. That idea has been consistently criticised by the European Parliament and by privacy experts from around the world ever since the EU Commission and the US Department of Commerce came up with the Safe Harbor approach in 2000:
"Safe Harbor Protection.—In any suit or action brought under Title II of this Act for alleged violations of Title I of this Act, the defendant shall have a complete defense to each alleged violation of Title I of this Act if it demonstrates with respect to such an alleged violation that it has maintained a public commitment to adhere to a Commission-approved code of conduct that covers the practices that underlie the suit or action and is in compliance with such code of conduct."
At least compliance is required, not just the mere commitment, but the underlying problem is that the FTC would only be able to review submitted codes, not develop and issue its own.

4) The draft would preempt state laws, some of which, such as California's, are stronger than the White House proposal.

5) The bill would exempt start-ups from data privacy requirements for the first 18 months. This will encourage an approach such as "grow quickly and ruthlessly while collecting as much data as you can, and sell to the highest bidder after 18 months". I don't think this is good for a sustainable long-term business strategy.

6) The penalties section (203) is quite interesting, however:
"(1) The civil penalty shall be calculated by multiplying the number of days that the covered entity violates the Act by an amount not to exceed $35,000; or
(2) If the Commission provides notice to a covered entity, stated with particularity, that identifies a violation of this Act, the civil penalty shall be calculated by multiplying the number of directly affected consumers by an amount not to exceed $5,000 (...)"
This could easily exceed the 5% annual global turnover which the European Parliament has set as the maximum penalty in its version of the coming Data Protection Regulation.

This Washington Post article gives a good summary of the reactions (in short: the FTC is not happy, the NGOs are not happy, and industry is partially happy, except for the libertarians).

The White House apparently did not manage to find bipartisan congressional sponsors before releasing it, so this, together with the timing (Friday afternoon), has already led some observers to believe that it is "dead in the water".

Senator Ed Markey, known as a strong privacy defender, has criticised the draft here for not doing enough for consumers. As a result, he has announced that he will present his own draft next week (!).

There will be loads of things to discuss for the European Parliament delegation that will visit Washington mid-March. Among the MEPs taking part are Jan Philipp Albrecht, vice-chair of the Civil Liberties, Justice and Home Affairs Committee and rapporteur for the EU Data Protection Regulation and for the EU-US Data Protection Umbrella Agreement, and Claude Moraes, chair of the same committee and rapporteur for the NSA mass surveillance inquiry and its upcoming follow-up.
