Enough of the Patchwork: Tech Industry Group Calls for a National Privacy Framework
The Internet Association (IA), a group of 40 major internet and technology firms, called for the establishment of a national privacy framework anchored by six privacy principles on Wednesday. In its press release announcing the principles, the IA indicated its support for the American approach to federal privacy legislation that is “consistent nationwide, proportional, flexible, and encourages companies to act as good stewards of the personal information provided to them by individuals.”
In describing the context for the principles the IA noted that its members comply with the range of strong federal privacy, data security, consumer protection, and anti-discrimination laws. Coupled with following state laws, and self-regulatory principles that govern how they do business, this “patchwork” leads to inconsistent experiences for individuals. Accordingly, a new, comprehensive national framework would create more “consistent privacy protections that bolster consumers’ privacy and ease compliance for companies.”
The IA’s six principles include:
- Transparency – Individuals should have the ability to know if and how personal information they provide is used and shared, who it’s being shared with, and why it’s being shared.
- Controls – Individuals should have meaningful controls over how personal information they provide to companies is collected, used, and shared, unless that information is legally required or is necessary for the basic operation of the business.
- Access – Individuals should have reasonable access to the personal information they provide to companies. Personal information may be processed, aggregated, and analyzed to enable companies to provide services to users.
- Correction – Individuals should have the ability to correct the personal information they provide to companies, except where companies have a legitimate need or legal obligation to maintain it.
- Deletion – Individuals should have the ability to request the deletion of the personal information they provide to companies when it’s no longer necessary to provide services, except where companies have a legitimate need or legal obligation to maintain it.
- Portability – Individuals should have the ability to take the personal information they provided to one company and provide it to another company that provides a similar service.
Further, the IA identified key components of a National Privacy Framework to include:
- Fostering privacy and security innovation.
- A national data breach notification law.
- Technology and sector neutrality.
- Performance standard-based approach.
- Risk-based framework.
- A modern and consistent national framework for individuals and companies.
The IA’s principles could be a response to the recently imposed compliance obligations imposed by the EU’s General Data Protection Regulation, as well as the recently enacted California Consumer Privacy Protection Act that will become effective in 2020. At the same time, NIST has announced plans to collaborate with industry to develop a voluntary, enterprise-level Privacy Framework, much like its popular Cybersecurity Framework. A recently released survey from the National Telecommunications and Information Administration (NTIA) noted that privacy and security online continues to be a major issue for many Americans. The NTIA survey noted that nearly three-quarters of Internet-using households had significant concerns about online privacy and security risks. One third said such worries caused them to hold back from some online activities.
Finally, the U.S. Senate Committee on Commerce, Science, & Transportation will hold a hearing examining consumer privacy protection on September 26, 2018. Currently, the witnesses listed to testify include senior executives from internet and technology companies:
- Len Cali, Senior Vice President—Global Public Policy, AT&T Inc.
- Andrew DeVore, Vice President and Associate General Counsel, Amazon.com, Inc.
- Keith Enright, Chief Privacy Officer, Google LLC
- Damien Kieran, Global Data Protection Officer and Associate Legal Director, Twitter, Inc.
- Guy (Bud) Tribble, Vice President for Software Technology, Apple Inc.
- Rachel Welch, Senior Vice President, Policy & External Affairs, Charter Communications, Inc.