February 24, 2012
On February 23, 2012, the Obama Administration unveiled a new framework for protecting privacy and promoting innovation on the internet and in the digital economy ("Framework").
The Framework consists of five key elements: (1) a Consumer Privacy Bill of Rights ("Bill of Rights") that sets out seven basic principles; (2) a process to develop more detailed sector-specific opt-in codes of conduct ("Codes of Conduct"); (3) enforcement powers for the Federal Trade Commission ("FTC") to enforce both the Bill of Rights and Codes of Conduct (when a company opts to abide by a Code of Conduct); (4) a national standard for security breach notification; and (5) greater global interoperability.
(1) Consumer Privacy Bill of Rights
The Administration proposes enacting a general Bill of Rights. Rather than using a concept of personally identifying information or "PII," the Bill of Rights would apply to "personal data" which would be defined to mean any data, including aggregations of data, able to be linked to a specific individual. The proposal states that "Personal data may include data that is linked to a specific computer or other device."
There are seven general principles put forth in the Bill of Rights:
(a.) Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
(b.) Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices. The prominence of disclosure notices should be consistent with the context.
(c.) Respect for Context: Consumers have a right to expect that companies will collect, use and disclose personal data in ways that are consistent with the context in which consumers provide the data. If companies use or disclose personal data for purposes other than that which the consumer would expect, they should provide heightened transparency in the privacy policy.
(d.) Security: Consumers have a right to secure and responsible handling of personal data.
(e.) Access and Accuracy: Consumers have a right to access and correct personal data in usable format, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies should ensure that they maintain accurate data.
(f.) Focused Collection: Consumers have a right to reasonable limits on the personal data companies collect and retain. Companies should collect only as much personal data as they need to accomplish the purposes specified under the Respect for Context Principle.
(g.) Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Bill of Rights. This will require companies to give training, assess performance, conduct audits (where appropriate) and ensure third parties to which personal data is disclosed adhere to these principles.
The Bill of Rights is expressed as a guide for the Administration to work with Congress on more specific statutory language. The Bill of Rights provides general principles that will afford companies discretion in how to implement them.
(2) Process to Develop Sector-Specific Enforceable Codes of Conduct
Detailed guidance is required to aid in the implementation of the principles set out in the Bill of Rights across a wide range of industries. The Administration has announced plans to convene an open and transparent forum for groups of stakeholders, including consumer groups, businesses, and privacy advocates, to discuss the Bill of Rights and adopt sector-specific Codes of Conduct.
Once a Code of Conduct is created and approved, if a company chooses to adopt the Code of Conduct, adherence will become enforceable by the FTC under Section 5 of the FTC Act (15 U.S.C. § 45). The Administration recommends giving the FTC authority to grant a "safe harbor" (forbearance from enforcement of the statutory Bill of Rights) if the company complies with a Code of Conduct that the FTC has reviewed and approved. Companies that choose not to adopt an applicable Code of Conduct would be subject to the general obligations of the Bill of Rights.
The Codes of Conduct will be designed to provide flexible and practical rules for companies to follow. Even without federal legislation, the Framework indicates that the FTC intends to convene and facilitate the multi-stakeholder process to produce Codes of Conduct which are enforceable (assuming a company opts-in to adopt the Code of Conduct) under its existing powers.
The Framework envisions a continuing process intended to allow stakeholders to modify privacy protections in response to rapid changes in technology, consumer expectations and market conditions.
(3) Strengthening FTC Enforcement
The Administration encouraged Congress to provide the FTC and State Attorney Generals with specific authority to enforce the Bill of Rights directly. The FTC would also be granted explicit authority to review Codes of Conduct against the Bill of Rights.
The Administration recommends that Congress pre-empt state laws to the extent that they are inconsistent with the Bill of Rights and provide forbearance from state laws for those companies that adopt and comply with FTC approved Codes of Conduct.
The Framework continues the recent trend of the FTC pushing to expand and apply its existing Section 5 authority to combat "unfair and deceptive" conduct to a broad range of practices and technologies related to consumer privacy as reported in our 2011 Year-End Data Privacy and Security Update.
(4) National Standard for Security Breach Notification
The Administration supports creating a national standard under which companies must notify consumers of unauthorized disclosures of certain kinds of personal data. This is intended to unify the existing patchwork of state laws which apply in the many states, the District of Columba and several U.S. Territories. The new national standard would replace the existing state legislation and would pre-empt future state legislation in this area.
(5) Global Interoperability
Part of the rationale for the Framework is to promote international interoperability of data privacy rules to facilitate the free movement of personal information internationally. The Framework outlines the United States’ existing data privacy sharing initiatives with other countries, including the Asia-Pacific Economic Cooperation’s voluntary framework of Cross Border Privacy Rules, and the Safe Harbor framework that facilitates data transfer between the United States and European Union Countries, as well as Switzerland. The Administration encourages the development of Codes of Conduct that identify globally accepted accountability mechanisms as a way to ease the burdens of sharing data between the United States and other countries.
The Framework comes hot on the heels of the European Commission’s proposed new EU-wide Data Protection Regulation announced on January 25, 2012. The United States Bill of Rights addresses only consumer data, where in contrast, the EU provisions cover all personal data (including, for example, employee data). The U.S. Government is known to be in discussions with the European Commission in order to improve the current process for transferring personal data from the EU to the U.S. The Administration’s announcement expresses the view that the existing EU-U.S. Safe Harbor framework could one day be supplemented by Codes of Conduct reflecting transatlantic consensus on important emerging privacy issues.
The Obama Administration plans to implement the Framework without delay. In the upcoming months, the Department of Commerce will work with other federal agencies, including the FTC, to convene the stakeholders for the process of developing enforceable Codes of Conduct, and Congress will determine whether to sign the Bill of Rights into federal law.
We will continue to monitor these developments.
Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you work or any of the following members of the Information Technology and Data Privacy Group:
United States
S. Ashlie Beringer – Co-Chair, Palo Alto (+1 650-849-5219, [email protected])
M. Sean Royall – Co-Chair, Dallas (+1 214-698-3256, [email protected])
Alexander H. Southwell – Co-Chair, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Co-Chair, Los Angeles (+1 213-229-7472, [email protected])
Howard S. Hogan – Member, Washington, D.C. (+1 202-887-3640, [email protected])
Karl G. Nelson – Member, Dallas (+1 214-698-3203, [email protected])
Europe
James A. Cox – Member, London (+44 207 071 4250, [email protected])
Andrés Font Galarza – Member, Brussels (+32 2 554 7230, [email protected])
Kai Gesing – Member, Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Member, Paris (+33 1 56 43 13 00, [email protected])
Daniel E. Pollard – Member, London (+44 207 071 4257, [email protected])
Jean-Philippe Robé – Member, Paris (+33 1 56 43 13 00, [email protected])
Michael Walther – Member, Munich (+49 89 189 33-180, [email protected])
China
Kelly Austin – Member, Hong Kong (+852 2214 3788, [email protected])
India
Jai S. Pathak – Member, Singapore (+65 6507 3683, [email protected])
© 2012 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.