The Trump Administration has drawn up a framework for protecting consumer data privacy in an age of ubiquitous free internet content, much of which is based on targeted advertising and data sharing to support that business model.
The National Telecommunications & Information Administration outlined the seven-point plan Tuesday (Sept. 25) and is seeking comment on that approach, which is presented in broad-brush strokes with goals most can agree on--transparency, control, security, but without any prescriptive approaches like opt-in regimes for collection and sharing or minimum security standards, where the tough work of implementation, and getting Republicans and Democrats to agree, will have to be done.
NTIA said the Administration is seeking these "outcomes," but says it is not planning to dictate the practices to achieve those outcomes, which are outlined below, but NTIA summarizes as producing "a reasonably informed user, empowered to meaningfully express privacy preferences, as well as products and services that are inherently designed with appropriate privacy protections, particularly in business contexts in which relying on user intervention may be insufficient to manage privacy risks."
1. "Organizations should be transparent about how they collect, use, share, and store users’ personal information. 2. "Users should be able to exercise control over the personal information they provide to organizations. 3. "The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks. 4. "Organizations should employ security safeguards to protect the data that they collect, store, use, or share. 5. "Users should be able to reasonably access and correct personal data they have provided. 6. "Organizations should take steps to manage the risk of disclosure or harmful uses of personal data. 7. "Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems."
NTIA's announcement came the day before the Senate Commerce Committee is hearing from edge providers and ISPs about their data privacy and security regimes and plans, including similar sentiments about the need to provide security, transparency and control.
It also comes in the wake of Europe's adoption of a new data protection regime, something NTIA acknowledged in the comment request (the European Union adopted a tough new General Data Protection Regulation (GDPR) online privacy framework May 25, one some Democratic members of Congress have pressed the U.S. to adopt.
"A growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape," NTIA said. "Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs for products that require scale. The Administration hopes to articulate a renewed vision, one that reduces fragmentation nationally and increases harmonization and interoperability nationally and globally."
Comments will be due 30 days after publication of the request for comments in the Federal Register, which probably means six weeks or so, but stakeholders were not waiting around.
An inquiry on broad-strokes proposals with plenty of room for self-regulation and options for compliance was getting a good reception from the relevant stakeholders.
“SIIA is pleased that NTIA has launched an inquiry into steps that can be taken to improve privacy protection in the United States, while still allowing for innovative data uses," said Software & Information Industry Association VP Mark MacCarthy. "We will be responding to this request for comments and encourage industry groups, privacy advocates and privacy scholars to participate.”
"USTelecom appreciates this effort by NTIA to advance the privacy conversation," said USTelecom president Jonathan Spalter. "Our members understand the success of any digital business depends on consumer trust. Several members of Congress have also introduced – or plan to introduce – privacy legislation. Taken together, we hope these initiatives will lay the groundwork for a single, national framework with strong consumer protections and flexibility for a competitive and innovative marketplace. What we need most is clear and consistent privacy rules that apply equally to all companies that interact with consumers through the internet."
USTelecom, NCTA-The Internet & Television Association and other ISPs are in agreement that any privacy regime needs to apply equally to the edge providers who do most of the data mining and sharing.