Privacy & Information Security Law Blog

The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010.  The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.

Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions.  “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.

In her introductory remarks, outgoing FTC Commissioner Pamela Jones Harbour identified many of the key issues addressed over the course of the day, including (1) the importance of defaults, (2) the lack of consumer knowledge regarding how data are collected and used, (3) the lack of consumer engagement with online notices, (4) the special challenges presented by mobile devices and cloud computing, and (5) the role of de-identified data.

In his opening comments, David Vladeck, Director of the Bureau of Consumer Protection, identified what he perceived to be the three main messages from the first Exploring Privacy workshop, which was held in Washington, D.C., on December 7, 2009.  First, consumers have little understanding of how their data are used and transferred.  Second, notices often are not an effective tool for communicating with consumers, but they remain important to facilitate transparency.  And finally, consumers do care about privacy even though they may behave otherwise.  Vladeck also stressed that the roundtables are not the only tool the FTC is using to address privacy.  “We continue to maintain an active law enforcement practice to protect privacy,” Vladeck noted.

Over the course of the day, 35 panelists addressed technology’s role in protecting privacy and how the government should encourage the adoption and use of privacy-enhancing technologies.  There was broad agreement that stand-alone privacy-enhancing technologies have met with little consumer acceptance, but that these technologies have been adopted by businesses and have been introduced into operating systems, browsers and email clients.  When encountering these protective measures, consumers often avoid or turn off privacy features of technologies that interfere with their access to the material and services they want.

As at the first workshop, there was broad agreement that, although notice and choice have offered little privacy protection, there is no clear consensus as to what might replace or supplement that framework.  Two approaches that were frequently mentioned are the Centre for Information Policy Leadership’s use model and its accountability project.

Thursday’s roundtable revealed a surprising amount of agreement in favor of the FTC playing a more pronounced regulatory role in, at a minimum, identifying the objectives of “good” privacy protection, as well as setting standards for measuring the achieved objectives.  This position was supported not only by privacy advocates and academics, but also by a number of business participants who noted the need for greater certainty in privacy regulation.

Speaking on the final panel, the Centre for Information Policy Leadership’s Senior Policy Advisor, Fred Cate, echoed two themes from his earlier presentation at the December roundtable: first, that the government should be careful to avoid creating disincentives for good privacy behavior or otherwise discouraging efforts to protect privacy; and second, that government can contribute to enhancing privacy in many ways, including by funding the development of more useful privacy-enhancing technologies and then helping to create a market for such technologies by purchasing them itself.

Whatever the government’s ultimate role may be, there seemed to be general agreement that protecting privacy responsibly requires, in Peter Cullen’s words, “people, processes, and technologies.”  Essentially, although technologies alone are not sufficient, technological considerations must not be left out of the equation.

The FTC’s third and final roundtable in this series will take place in Washington, D.C., in March 2010.  In addition, Danny Weitzner, Associate Administrator for Policy at the National Telecommunications and Information Administration, announced that the Department of Commerce is looking at the linkage between privacy and innovation and is observing the FTC’s process.  He further welcomed input from stakeholders as to the Department’s role in helping protect privacy.