We need a Privacy Bill of Rights

Almost three years to the day after it issued its blueprint articulating a Consumer Privacy Bill of Rights and “urg[ing] Congress to pass legislation adopting the Consumer Privacy Bill of Rights” by putting these principles into law, the White House has released proposed legislation.

Since the original plan came out, privacy has exploded as an issue.  The Snowden leaks not only provoked concerns about government surveillance but also spotlighted how much data can be collected and what can be learned from it.  The rash of cyber attacks and data breaches from Target to Sony Pictures and now Anthem raised anxiety about the vulnerability of personal information.

{mosads}Consumer privacy legislation took a back seat as the Obama administration responded to the Snowden firestorm and then turned to studies by the White House Big Data Task Force and President ‘s Council of Advisers on Science and Technology. Their reports documented the “explosion” in the volume, velocity, and variety of data that is becoming “near-ubiquitous” and “increasingly approaching real time” collection.

The case for enacting consumer privacy legislation is even stronger today than in 2012.   The American system of privacy has great strengths: strong values deeply embedded in our culture and Constitution, sectoral regimes that protect the most sensitive categories of personal information; 47 state data breach notification laws and other laws; and active enforcement by the Federal Trade Commission, several other federal agencies, and state attorneys general; and strong privacy practices “on the ground.”  Nevertheless, as the digital economy expands, an increasing proportion of data collection and use falls outside the sectors that are covered by privacy rules. 

Even as phones, web searches, thermostats, cars and other devices and services stream personal data every bit as sensitive as health or financial records, the increasing volume, velocity, and variety of data collection have made it impossible for individuals to exercise any meaningful control over most data about them.  This results in an uneven playing field for consumers.  As the Big Data Task Force put it, “[unprecedented computational power and sophistication], most of which are not visible to the consumer, also create an asymmetry of power between those who hold the data and those who intentionally or inadvertently supply it.”

This, by any definition, is a market failure.  A recent Pew Research study showed a high level of consumer anxiety about these issues. It found that a majority of adults “feel that their privacy is being challenged along such core dimensions as the security of their personal information and their ability to retain confidentiality.” These dimensions include especially the ability to control information about them and how it is used.  U.S. companies have been leaders in innovations to give consumers better information and granular controls on the use and sharing of their information, but consumers need to have confidence that all companies will insure a basic level of privacy.

The White House bill offers a novel regulatory model intended to be as iterative and adaptive as the technologies and innovations at issue.  It operates from a set of broad baseline principles — transparency, individual control, respect for context, access and accuracy, security, focused collection, and accountability.  These are adapted from well-developed “fair information practice principles” that underlie privacy protections incorporated into law and embedded in the privacy practices of businesses, hospitals, universities, and other institutions around the world. 

Rather than try to anticipate all the questions that may arise and all the circumstances in which it may apply, the bill leaves specific application of the principles to evolving technology and practices, codes of conduct developed through multi-stakeholder processes advanced by the legislation, and case-by-case adjudication by the Federal Trade Commission.  There are trade-offs between certainty and creativity, between precision and flexibility.   The proposal errs on the side of creativity and flexibility.  The alternative is prescription. 

The FTC’s current application of Section 5 to privacy and security practices operates as a form of common law,feeling the stones along the bottom of the river as it iterates a growing body of law.  This is the essence common law adjudication.  The common law has applied broad constructs like “reasonable care” for centuries, and the common law delineated the American law of privacy protection from the 18^th and 19^th century cases described in the seminal law review article on privacy by Samuel Warren and Louis Brandeis until the adoption of the Privacy Act and Fair Credit Reporting Act in 1974.  Under an FTC invigorated by direct authority to enforce the Consumer Privacy Bill of Rights, the common law is capable of doing the same for privacy in the Information Age.

In the fallout from the Snowden leaks, there is an especially acute need to renew global trust in America’s protection of privacy and in the companies that operate under American privacy law.  As discussed in the White House big data review, data can be a resource that can produce groundbreaking public benefits in medical research, urban planning, and public health among other areas.  Establishing a digital environment in which people can trust their data will be used in ways consistent with their interests and expectations is a critical enabler of such benefits.

Moving forward with a baseline U.S. privacy law would provide a strong reaffirmation of America’s enduring privacy values.  At a time when the European Union is moving to adopt a new privacy regulation that would bind all member states, the Administration proposal presents to the world a different, American model.  It provides a way to seize leadership in the global discussion of privacy.                                    

Kerry is Ann R. and Andrew H. Tisch Distinguished Visiting Fellow at the Brookings Institution; and visiting scholar at the MIT Media Lab.  As General Counsel and Acting Secretary of the U.S. Commerce Department, he was a principal architect of the White House privacy policy and Consumer Privacy Bill of Rights in 2012.