by Cameron Kerry, General Counsel for the U.S. Department of Commerce.
The time has come for Congress to pass strong Internet consumer privacy legislation that provides clear rules of the road for businesses and consumers while preserving the innovation and free flow of information that are hallmarks of the Internet economy.
That’s the Obama Administration’s conclusion based on the work we have been doing on commercial data privacy. Three months ago, the Commerce Department published its Green Paper, which contained preliminary policy recommendations to enhance consumer protection and strengthen online trust, while ensuring the Web remains a platform for innovation, jobs, and economic growth.
In response, the Commerce Department received thoughtful and well-researched comments from over a hundred stakeholders representing industry, consumer groups, and academic sectors. We carefully reviewed all them. Through the Privacy and Internet Policy Subcommittee of the National Science and Technology Council (NSTIC), which I co-chair with Assistant Attorney General Christopher Schroeder, we consulted with Federal agencies and key White House offices to develop a roadmap for moving forward on this important Administration priority.
Based our review, we have concluded that baseline consumer privacy legislation will strengthen the U.S. Internet privacy framework for consumers and businesses alike. The Obama Administration is committed to working with Congress to pass a bill that provides a stronger statutory framework to protect consumers’ privacy interests in data that are collected and used or disclosed in commercial contexts in the Internet economy, while supporting innovation. Consumer privacy legislation should have the following elements:
First, the bill should include the concept of a “consumer privacy bill of rights” based on comprehensive, widely accepted Fair Information Practice Principles. These consumer data privacy protections should be legally enforceable and broad and flexible enough to allow consumer privacy protection and business practices to adapt as new technologies and services emerge. Any legislation should avoid duplicating or conflicting with the requirements of existing sector-specific data privacy laws and regulations.
Second, any legislation should recognize that the Federal Trade Commission (FTC) plays a vital role as the nation’s independent consumer privacy enforcement authority. The Administration recommends granting the FTC explicit authority to enforce any consumer privacy bill of rights with an eye towards appreciating that any standards should evolve and adapt to a rapidly evolving digital marketplace.
Third, the Administration will work to promote global interoperability with our allies and trading partners. The legislative approach that we recommend could help to reduce the multiple compliance burdens that companies currently face and provide consumers with more consistent cross-border data protections.
And finally, consistent with existing Federal requirements and ongoing Administration policy development in this area, the Administration recommends adoption of a Federal consumer data security breach notification law that sets national standards, reconciles inconsistent State laws, and authorizes enforcement by State authorities.
In the coming weeks, the Commerce Department and NSTC subcommittee will be working to fill out these elements as we finish up our work on Administration policy and engage with Congress. With or without legislation, we will continue to convene stakeholders as well as the FTC and other government agencies to develop enforceable best practices or codes of conduct for consumer data privacy.
This work is important to the continued vitality of the Internet as an integral part of economic, social, and civic life in the United States and across the globe.