NET RESULTS:ALMOST EXACTLY a year ago, the Obama administration signalled it intended to produce a consumer data privacy "Bill of rights" to offer specific safeguards for consumers, and push new obligations on organisations that handle electronic data.
Last week, the US administration made good on that promise with a Consumer Privacy Bill of Rights set within a long white paper proposing how the Bill could be implemented and enforced within a larger data protection regime. The Bill has four proposed elements: a consumer privacy Bill of rights; “a multistakeholder process” to work out how to apply the Bill of Rights principles
in particular business contexts; effective enforcement; and “a commitment towards increased interoperability with the privacy frameworks of our international partners”.
The Bill’s seven data “rights” are that consumers are entitled to: 1. individual control over their data; 2. transparency in how it will be gathered and used; 3. respect for context; 4. security; 5. access and accuracy; 6. focused collection, so that organisations only gather data for limited and appropriate uses; and 7. accountability.
If this all has a familiar ring to it, that’s probably because the Obama initiative (timely in an election year) comes in the wake of fresh European Commission consumer data protection proposals announced by justice commissioner Viviene Reding in late January.
The timing here is interesting. Media reports had circulated since late last year that the US administration, on multiple levels, was lobbying hard on the European draft privacy proposals and wanted a delay on the January announcement. Reding made no bones about it at a seminar with journalists in Brussels recently where she noted she had been heavily pressured not to launch the proposals on January 25th, but did so anyway. I would hazard a guess the Americans were not happy.
The US proposals somewhat unfairly now have the feel of a response rather than international leadership. But, in the US context, the proposals are definitely groundbreaking and, if implemented, would give US citizens some of the data protections Europeans already have. They would also go further in pushing for more transparency and accountability from internet, mobile and “app” companies and from online advertisers.
One interesting element is support for a “Do Not Track” initiative that would let consumers opt out from “tracking cookies”, which hitch on to browsers and enable them to follow the activity of a web user and report it back to an advertiser or company.
After years in which privacy advocates and concerned consumers were told regularly that privacy doesn’t matter any more, that real internet users couldn’t care less, these are clear semaphores that privacy retains significant meaning for people.
Or as Obama puts it in the paper, “ . . . even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy since its inception, and we need it now more than ever.”
The US white paper also echoes European proposals with a growing recognition that consumer uncertainty and concern about how their data are used feeds directly into commerce – ie whether people will use government and commercial services, buy online, participate in online communities and, in short, keep the internet business (and therefore, economic) growth engine alive.
Businesses are beginning to get this. On the day of the Obama announcement came news that large advertisers and internet companies in the US look set to bring in some form of a “Do Not Track” opt-out. Industry wants to be seen as self-regulating, and to fend off formal legal restrictions. But equally, tracking cookies have been controversial with consumers.
Another line in the Obama proposal worth mentioning is: “In addition, United States leadership in consumer data privacy can help establish more flexible, innovation-enhancing privacy models among our international partners.” Hmmm. That seems a direct riposte to Europe, doesn’t it? “Flexibility” has the risk of meaning watered-down voluntary policies. US companies haven’t exactly demonstrated they can manage data without supervision.
As major US data privacy advocates Epic (Electronic Privacy Information Centre) note, this data Bill of rights looks great in theory but all depends on implementation and enforcement. The same holds with the EU proposals. But it’s refreshing to see privacy and data protection high on the agenda.
