President Barack Obama’s Administration is drafting its own comprehensive consumer data privacy legislation, partially spurred on by proposals advancing quickly in the European Union (EU) and Brazil to massively expand such privacy regulation in those regions. The White House may also be seeking to make tangible progress on the consumer side of privacy in order to distract from other criticism. Regardless of the motivation, an overly-broad initiative may not necessarily lead to the best data privacy outcome for the practice of survey, opinion and marketing research.
Foreign jurisdictions tightening data restrictions
The European Parliament approved a revised data protection regulation for the European Union (EU) on October 21, bringing the EU closer to concluding a year-and-a-half long re-write (and expansion) of the EU Data Protection Directive. Initial reports pegged a likely conclusion to their process as early in 2014, but a report from an EU summit on October 25 indicates that it might be delayed until 2015.
Meanwhile, according to The Wall Street Journal, “Officials, including Brazilian President Dilma Rousseff, have been pushing a requirement for Internet data relating to Brazilian citizens be stored in Brazil.” This may lead to regulations forbidding data transfer out of the country, which could be a major hindrance to survey, opinion and marketing research.
Leaders in both the EU and Brazil at least partially justify these regulatory changes by citing Edward Snowden’s revelations about America’s foreign and domestic surveillance.
White House bill being drafted
According to Politico, “Even as it defends the National Security Agency’s controversial Internet surveillance programs, the Obama administration has been working on legislation to boost online privacy safeguards for consumers.”
The White House has been saying since the summer that they are working on a bill to enact the President’s Consumer Privacy Bill of Rights, released last year. The President’s initiative also spawned the NTIA multistakeholder process for mobile apps privacy in which MRA participated, which wrapped up somewhat ambiguously this summer.
In his final address as Commerce Department general counsel on August 28, Cameron Kerry noted that “Legislation should not wait for some data disaster to happen that undermines the trust essential to a successful digital economy. One byproduct of the unauthorized disclosures about NSA surveillance has been to heighten awareness of just how much data each of us generates: data about data, data from various devices, data traveling and residing on multiple networks.”
Kerry went on to divulge some of the details of the White House bill, including further empowerment of the Federal Trade Commission (FTC) to enforce consumer data privacy and the granting of FTC-certified safe harbor to companies complying with voluntary codes of conduct such as that produced by the recent mobile apps privacy multistakeholder process.
MRA has not given up on the multistakeholder process approach, despite the problems with the mobile apps privacy effort’s ambiguous results, Berin Szoka, president of the activist group TechFreedom, has raised important concerns about it: “The power to certify systems will, in practice, likely become the power to dictate the contents of ‘self-regulation’ — in truth, more akin to European ‘co-regulation’. What will stop the FTC from abusing certification the way the FCC abuses merger review to extract ‘voluntary’ concessions?”
A clash of visions?
Comprehensive data privacy proposals have been advanced for the last few years by the FTC, the White House, and Members of Congress. All of them aim to make the U.S. better emulate the more restrictive EU privacy approach in hopes that the U.S. will be deemed “adequate” in its privacy protections by the EU. While MRA supports some form of baseline consumer data privacy law, the expansive measures envisioned by some go far beyond the baseline – with questionable promise of success.
Ultimately, our vision of a “baseline” differs. The vision embodied by the FTC privacy report, the White House, and past bills from Congressman Bobby Rush (D-IL) and then-Senator John Kerry (D-MA) includes a regime of opt in consent for data sharing, minimal limits on private lawsuits, and unfettered authority for the FTC to define terms and determine its own authority. The research profession’s vision focuses more on notice, opt out and clearer definitions and rules from which the FTC can operate.
We’ll continue to engage with all parties, including the Privacy Working Group in the House of Representatives led by Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT), and advocate for the best interests of the research profession.