Commerce Department opens a public discussion on private data

Department wades into complex questions about online data privacy protections

Online commerce offers terrific conveniences for consumers and massive growth opportunities for retailers. But it also poses complex issues for online businesses and consumer advocates alike, particularly over the role that the federal government should play in regulating how companies handle people’s personal data.

Privacy advocates, banks, data brokers, software companies, the makers of search engines and information technology security firms all have strong opinions on the subject, some of which are rooted in ideology while others are the result of heavy investments in their business models. Complicating the matter even further are the often-conflicting approaches that federal and state regulators take.

Thus, the debate over federal data privacy laws is complex, layered and almost impossible for policy-makers to arbitrate. The differing perspectives might explain why data breach notification bills seem to languish each year in Congress and why Congress hasn't seriously considered comprehensive consumer privacy legislation in years. What’s been missing so far is an honest broker among the competing stakeholders. In recognition of the importance of that discussion, the Commerce Department has moved to enter the debate.

The department is actively soliciting input from Internet users — consumers and businesses alike — on the current regulatory framework. In just the past several weeks, Commerce has formed an Internet policy task force, held a conference and issued a public notice of inquiry, and Secretary Gary Locke has given speeches on the subject. The department is gathering public comments through June 7, and those comments will contribute to the Obama administration’s domestic policy and international engagement on Internet privacy.

People can comment on a range of topics, such as the country's legal framework for protecting privacy and ways to improve it, how the various state-level and international privacy laws affect companies and consumers, and the jurisdictional conflicts that companies and regulators must deal with as a result of the plethora of data privacy laws, along with how that affects trade.

Big companies in particular spend a lot of money complying with the privacy laws of different jurisdictions, said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University’s law school. As a result, he said, corporate leaders tend to establish policies stating that, when given a choice, the company must adhere to the state law that has stricter requirements.

That dynamic explains why many IT businesses, unlike many privacy and consumer advocates, favor a national law for data breach notification that would pre-empt the patchwork of state laws, some of which are stringent. They want to avoid the costs and confusion of complying with different state requirements.

Mark Bregman, Symantec’s chief technology officer, gave an example to describe the situation during a recent Capitol Hill briefing by the Internet Security Alliance and American National Standards Institute. “I live in California,” Bregman said. “The servers that contain my personal data might be in North Dakota. The bank might be headquartered in New York. That leads to tremendous confusion and enormous added costs.”

Of course, there are reasons privacy advocates want to protect state prerogatives. Congress can take a long time to act, said Lillie Coney, associate director of the Electronic Privacy Information Center, while states are often good at identifying problems as they emerge.

It’s not at all clear that Commerce’s intervention will resolve this debate. But its focus on data privacy represents a marked shift from the previous administration.

“A lot of the discussions on privacy inside the government in the Bush administration were led by [the Homeland Security Department], and so you had a homeland security view on privacy,” said Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology. Having Commerce more involved should help internationally in data privacy discussions, he said.

To be sure, Commerce — as is the case with any executive branch agency — is limited in the impact it can have on federal regulations. But with lawmakers unable to settle the matter, the department represents a much-needed forum for open discussion.

“We need to take a fresh look at the policy framework that underpins the Internet economy,” Locke said in prepared remarks for the Business Software Alliance in April. “We need to ask: Are there policy nudges that can reduce impediments to e-commerce or that can spread its benefits more broadly?”


About the Author

Ben Bain is a reporter for Federal Computer Week.
