Digital rights groups have lobbied for legislation to protect personal data for years. But when President Obama released a draft Consumer Privacy Bill of Rights, the proposal was roundly criticized by the staunchest proponents for greater privacy who fear the proposal includes too many loopholes to offer enough protection.
At the same time, industry groups have criticized the plan for exactly the opposite reasons: To them, it would hinder innovation and impose burdensome new regulatory requirements on all companies that collect, store and use consumer data.
The fact that the draft plan has managed to attract such widespread criticism is testimony to the vast chasm between those who want more privacy protections and those who feel consumers are already well served via existing privacy rules and self-regulatory initiatives.
The dividing lines
The Obama administration's draft plan seeks to give consumers more control over the collection, storage, use, and sharing of their data. It would require companies, nonprofits, and other organizations to limit data collection and to spell out privacy policies clearly, get informed consent from users, and provide consumers with a way to correct errors in their records.
Critics of the draft include privacy groups, lawmakers, and even the Federal Trade Commission. One of the biggest concerns is that it would give organizations way too much latitude to determine when and what privacy protections a consumer should receive.
"We really need to put the consumer back in the consumer privacy bill of rights," said FTC Commissioner Julie Brill at the International Association for Privacy Professionals' Global Privacy Summit on Thursday. The proposal seems to allow, she said, a potential data broker or ad network to gather their version of a privacy review board – "and off they go."
In a letter to Mr. Obama on Tuesday, the Center for Democracy and Technology, the Center for Digital Democracy, Electronic Frontier Foundation, and nearly a dozen other privacy groups listed numerous other complaints. Among them are concerns that the the plan would decimate stronger state-level privacy protections and seriously weaken the FTC’s enforcement authority on consumer privacy matters. Lawmakers such as Sen. Ed Markey (D) of Massachusetts and Reps. Frank Pallone (D) of New Jersey and Jan Schakowsky (D) of Illinois expressed similar concerns.
On the other side of the spectrum, industry groups such as the Consumer Electronics Association and the influential Internet Association, which counts eBay, Amazon, and other large Web companies as members, say the plan is overly restrictive.
If enacted, said Gary Shapiro, chief executive officer of the Consumer Electronics Association in a statement, "the proposal's broad definitions, expanded bureaucratic authorities and steep penalties could burden the tech economy with uncertainty and stifle the development of the Internet of Things."
A way forward
Given the incredible polarization on the issue, there’s little chance the proposal would gain enough support in Congress to make it into a bill, says Jules Polonetsky, executive director and co-chair of the Future of Privacy Forum. But he says it should help launch a conversation focused on more nuanced approaches to addressing business needs and consumer privacy issues.
“The ideas in the Consumer Privacy Bill of Rights have far more sophistication than the initial reactions suggest,” says Mr. Polonetsky. “There are a whole range of ideas that are actually incredibly nuanced and show real efforts to recognize the need for both, data innovation as well as consumer protection.”
An example, he says, is a provision that for the first time addresses data being used beyond its original context. The provision would give heightened protections for consumers when data collected for one purpose is used for another purpose while at the same time giving companies a way to argue for such use via so-called Privacy Review Boards.
It also introduces the notion of risk-based privacy protections. As written, the plan would allow companies to determine whether to apply certain privacy protections to a data set based on their assessment of a risk of harm to the data. A company, for instance, would not obligated to give consumers access or correction rights to their data if it doesn't feel use of the data poses an actual risk to the individual.
Such provisions have received scathing criticism from privacy advocates. Alvaro Bedoya, executive director of the Center on Privacy and Technology at Georgetown University Law Center, sees them as vesting companies with too much control over consumer data.
“They allow industry to conduct self-regulation behind a Potemkin privacy village,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “It looks like the public has a right but how this is defined will be done behind closed doors," he says.
Polonetsky says the way forward is not to focus on the specifics in the draft but on its broader ideas.
With technology developing at such a rapid pace enough flexibility needs to be built into data regulations to accommodate unforeseen future uses of data, he says. “For instance, there may be uses of big data that are not discovered until long after the data is collected,” he says.
From a legislative standpoint, the administration’s draft is “nowhere near ready,” Polonetsky concedes. But it introduces several important ideas into the privacy debate for the first time.
A tough challenge
Justin Brookman, director of consumer privacy at the Center for Democracy and Technology, says the unpopularity of the draft highlights the tough challenge the administration faces in coming up with something that is acceptable to all stakeholders.
The bill could have been more privacy-friendly, said Mr. Brookman. But if it had been, the ones protesting the most would have been industry leaders.
The key is that the bill offers a foundation to build on, he says. One of the best aspects of the bill is that its requirements are based on Fair Information Practice Principles such as transparency, individual control, respect for context, focused collection, and responsible use and accountability, Brookman said in a separate blog post. The blog lists the many problems that exist in the draft as written.
“I don’t think any of this was done in bad faith,” he says. “It’s hard to get privacy law right. The important thing is they got the language out there.”
With a draft bill so complex, another challenge could be Congress. "Congress has a ton on its plate," said Ms. Brill, the FTC commissioner. "They're very well meaning people. Many people will say it's very unlikely they'll have time to deal with this issue. Is that diplomatic enough?"
Passcode deputy editor Sara Sorcher contributed reporting from Washington.
The original version of this story incorrectly attributed a quote by Jeffrey Chester ("They allow industry to conduct self-regulation behind a Potemkin privacy village. It looks like the public has a right but how this is defined will be done behind closed doors") to Alvaro Bedoya.