Commerce Department opens a public discussion on private data

Department wades into complex questions about online data privacy protections

Online commerce offers terrific conveniences for consumers and massive growth opportunities for retailers. But it also poses complex issues for online businesses and consumer advocates alike, particularly over the role that the federal government should play in regulating how companies handle people’s personal data.

Privacy advocates, banks, data brokers, software companies, the makers of search engines and information technology security firms all have strong opinions on the subject, some of which are rooted in ideology while others are the result of heavy investments in their business models. Complicating the matter even further is the often-conflicting approaches that federal and state regulators take.

Thus, the debate over federal data privacy laws is complex, layered and almost impossible for policy-makers to arbitrate. The differing perspectives might explain why data breach notification bills seem to languish each year in Congress and why Congress hasn't seriously considered comprehensive consumer privacy legislation in years. What’s been missing so far is an honest broker among the competing stakeholders. In recognition of the importance of that discussion, the Commerce Department has moved to enter the debate.

The department is actively soliciting input from Internet users — consumers and businesses alike — on the current regulatory framework. In just the past several weeks, Commerce has formed an Internet policy task force, held a conference and issued a public notice of inquiry, and Secretary Gary Locke has given speeches on the subject. The department is gathering public comments through June 7, and those comments will contribute to the Obama administration’s domestic policy and international engagement on Internet privacy.

People can comment on a range of topics, such as the country's legal framework for protecting privacy and ways to improve it, how the various state-level and international privacy laws affect companies and consumers, and the jurisdictional conflicts companies and regulators must deal with as a result of the plethora of data privacy laws and how that affects trade.

Big companies in particular spend a lot of money complying with the privacy laws of different jurisdictions, said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University’s law school. As a result, he said, corporate leaders tend to establish policies stating that, when given a choice, the company must adhere to the state law that has stricter requirements.

That dynamic explains why many IT businesses, unlike many privacy and consumer advocates, favor a national law for data breach notification that would pre-empt the patchwork of state laws, some of which are stringent. They want to avoid the costs and confusion of complying with different state requirements.

Mark Bregman, Symantec’s chief technology officer, gave an example to describe the situation during a recent Capitol Hill briefing by the Internet Security Alliance and American National Standards Institute. “I live in California," Bregman said. "The servers that contain my personal data might be in North Dakota. The bank might be headquartered in New York. That leads to tremendous confusion and enormous added costs.”

Of course, there are reasons privacy advocates want to protect state prerogatives. Congress can take a long time to act, said Lillie Coney, associate director of the Electronic Privacy Information Center, while states are often good at identifying problems as they emerge.

It’s not at all clear that Commerce’s intervention will resolve this debate. But its focus on data privacy represents a marked shift from the previous administration.

“A lot of the discussions on privacy inside the government in the Bush administration were led by [the Homeland Security Department], and so you had a homeland security view on privacy,” said Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology. Having Commerce more involved should help internationally in data privacy discussions, he said.

To be sure, Commerce — as is the case with any executive branch agency — is limited in the impact it can have on federal regulations. But with lawmakers unable to settle the matter, the department represents a much-needed forum for open discussion.

“We need to take a fresh look at the policy framework that underpins the Internet economy,” Locke said in prepared remarks for the Business Software Alliance in April. “We need to ask: Are there policy nudges that can reduce impediments to e-commerce or that can spread its benefits more broadly?"

 

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.