Remarks of David J. Redl
Assistant Secretary of Commerce for Communications and Information
Mobile World Congress Ministerial Programme
February 26, 2019
-- As Prepared for Delivery --
Thank you for inviting me to speak today about consumer data privacy, a vital issue that’s at the forefront of Internet policy debates around the world. We’re here to discuss the implementation of the European Union’s General Data Protection Regulation, but I also want to use my time to talk about the United States’ effort to rethink its own approach to privacy.
The American people place great value on their privacy, and not just for personal reasons. Privacy enables the exercise of autonomy and free association that is at the heart of our democracy, and all democracies. It goes to the core of who we are and how we govern ourselves.
Protections for privacy date back to America’s founding, and throughout our history, we have been global leaders in the development of privacy practices and frameworks. In fact, you can draw a clear line between the Fair Information Practice Principles, which were developed in the U.S. in the 1970s, and the principles of the GDPR.
It's easy for us, then, to appreciate the motivations behind the GDPR, and the values that drove its adoption are ones we share in the United States. But we certainly have our differences – differences in our legal systems and in how we want to approach privacy in today’s economy.
Our differences aren’t trivial, but that doesn’t mean we can’t find a way forward that works for everyone. The United States and the European Union already have a model for cooperation in the Privacy Shield Framework.
Our plan with respect to GDPR is to work toward global interoperability that allows for our differences while continuing the beneficial free flow of data between the United States and the European Union.
Developing an Approach to Privacy
The agency I lead, the National Telecommunications and Information Administration, or NTIA, has been directed by the White House to lead the development of the Administration’s policy toward consumer data privacy.
We want to build consensus around a fundamentally American approach to privacy, built on the same bedrock principles that so many nations share. We’ve been talking with dozens of stakeholders to better understand what the problems are, what we can agree upon, and how we can move forward.
NTIA put out a request for comments as well, and received more than 200 responses. We received comments from a range of industries, companies and individuals. The European Commission was among a number of international organizations that shared their thoughts. We’re grateful for the time and energy that these groups put into our process.
We also recognize that the debates around privacy have taken on a new urgency. Where once concerns about data collection were ancillary, for consumers and companies, it’s now inseparable from our daily lives. There seems to be a new headline every month that involves data privacy – from hacked baby monitors to data theft to home assistance devices that unexpectedly talk to you in the middle of the night.
We can’t, and wouldn’t want to, turn back the clock on our technological innovations. There’s no going back – this is our reality. Governments around the world – even state governments in the U.S. – are responding to this reality with new regulations.
For any new rules on data privacy, ultimately, it comes down to trust. Our challenge is to create a privacy model that ensures Americans trust the technologies in their lives, while guarding against the creation of obstacles to innovation that would harm our economy. A model that ensures privacy and prosperity. We believe this is possible.
What’s next? We are still in the process of reviewing and digesting the comments we received, but there have been a few themes to emerge.
First, we heard a sense of urgency, and a desire for American leadership on this issue. Our policies must reflect the changes in the use of data that have transformed consumers’ relationship with technology over the past decade.
Second, there is broad industry consensus that we can’t have a patchwork regulatory landscape within the U.S., and where there are differences internationally, we should take care not to harm the data flows that power the global digital economy.
Finally, we received many thoughtful, constructive comments on our proposed risk-and-outcomes-based approach. Our work on a risk-based approach is being led by NTIA’s sister agency, the National Institute for Standards and Technology, or NIST.
They are known for their Cybersecurity Framework for managing cyber risks, and they’ll be taking the broad outlines of that and applying it to privacy. The result will be a collection of tools that anyone can use to assess and address privacy risks in any regulatory environment.
We feel that focusing on risks and outcomes is preferred to notice-and-consent approaches. It’s well known that few consumers bother to read long legal notices – and it’s our view that giant compliance departments aren’t going to lead to better privacy outcomes for consumers.
We don’t want companies creating checkboxes and regulators critiquing web design – they should be spending their time on providing real protections for consumers.
A risks-and-outcomes focus has another benefit, which is that it doesn’t entrench large, established businesses at the expense of startups and small firms. If the compliance costs associated with data use are prohibitive for small businesses, we may well lose out on the next generation of innovation, not to mention the jobs and economic benefits that small businesses provide.
Security is a Precursor to Privacy
Another aspect of privacy that I want to highlight is security. We’ve already seen with GDPR and the WHOIS service that decisions on privacy can have effects on essential global systems.
The WHOIS is a service that, prior to the GDPR, provided public access to domain name registration information, including contact information for the entity or person registering the domain name. This information is a critical tool that helps keep people accountable for what they put online. Law enforcement uses WHOIS to shut down criminal enterprises and malicious websites. Cybersecurity researchers use it to track bad actors. And it is a first line in the defense of intellectual property.
The loss of WHOIS has little benefit for consumer privacy, and major benefits for cyber-criminals. It’s a prime example of not only why we want to focus on outcomes, but of the inescapable link between security and privacy.
As you look at the booths here in Barcelona, you’ll see many options for 5G networking equipment. When network operators around the world are deciding which equipment they’re going to use, their first thought should be: Do I value my customers’ privacy and data security? In the United States, our four largest wireless carriers have clearly answered affirmatively, and are making purchasing decisions accordingly.
Simply put, you cannot have true privacy without secure network technology. We’re ready to work together to ensure that our technology infrastructure is secure.
If you have thoughts to share on what I’ve outlined here today, I invite your continued collaboration. In May, NIST will be hosting its second public workshop on the development of the Privacy Framework. It will be held in Atlanta, Georgia, and I encourage all interested stakeholders to participate.
As the Administration continues to build out our approach, we’re keeping our high-level goals in mind. We need a solution that will provide legal clarity, flexibility to innovate, and high levels of consumer protection.
It’s the position of the United States government that privacy and prosperity are not mutually exclusive. We can have real protections for consumers and a thriving market for technologies that use data – a market that’s open to businesses big and small. Our path will give consumers and businesses certainty and confidence to proceed into the next generation of technological innovation.