How to make a privacy statute that will stand the test of time

Brevity is the soul of wit, and of durable legislation. I admire the core principles in Intel’s proposed bill but suggest that it could be made much simpler, placing confidence in the expanded enforcement powers of the FTC, State AGs and the courts, to implement core privacy principles in a wise manner.

Congress, guided by Intel, should recognize that durable privacy rules must protect a growing range of individual lives and and expanding number of innovative businesses. Flexibility, agility and resistance to political interference are essential. We should follow the example of laws that have successfully regulated broad swaths of the economy with simplicity and technological neutrality. The Copyright Act, responsible for regulating rights of authors, readers, listeners and other users of artistic expression, is remarkably simple given the complexity of the market. The operative part of the Act is really just the first nine short sections with no rule-making required for enforcement. The antitrust laws are equally brief. The Sherman Antitrust Act is only seven sections filling a few pages, and the other key competition statutes are similarly brief. Indeed, the portion of the Federal Trade Commission Act the governs more or less the whole of consumer protection, along with privacy and security, today is just one brief section filling less than a page.

These examples show that the US legal system has done well governing complex parts of the economy with simple legislative rules that are subsequently enforced directly by expert agencies (the FTC or Department of Justice), governed on important questions of scope and reach by the courts. This builds on the best of our common law tradition of making progress case-by-case, in response to real social and technical circumstances, as opposed to trying to predict the future or legislate certainty in every edge case.

FTC common law of privacy (to borrow a phrase from Profs Dan Solove and Woody Hartzog) as reflected in its enforcement actions has developed well but with constraints: First, the FTC has had to rely on the limited ‘deception’ authority and has been very cautious about use of the broader ‘unfairness’ provisions of the FTC Act for fear of igniting judicial challenges to its enforcement authority. Congress can change that by creating clear and directly enforceable privacy rules to empower FTC enforcement. And, the large new fining authority proposed by Intel is wise addition to this mix.

When Congress tried to dictate in exhaustive detail how broad principles are to be interpreted and how the authority of enforcement agencies are to be used, the process can easily become inflexible and bogged down in the uncertainty of cycles of appeals of administrative rule-making procedures. A failure mode to avoid is recent additions to the Communications Act such as the Telecommunication Act of 1996, including contentious and ultimately failed efforts to create a more competitive telecommunications market and endless controversy and uncertainty over net neutrality. These are important fights which I supported, but they gave rise to decades-long rule-making disputes, leaving consumers often unprotected on issues that mattered deeply, including broadband privacy and non-discriminatory internet access service. Protracted rule-making or litigation are likely to advantage companies that seek to narrow consumer protection and evade privacy principles. Privacy rights must not be held hostage to this kind of delay.

As drafted, it is not entirely clear to me whether Intel intends that rule-making is required in advance of enforcement. Section 6(b)(4) contains a reference to the existing FTC rule-making authority under 15 USC 57a. I would ask Intel to clarify whether that is meant to avoid or require additional rule-making to enable enforcement.

6 comments

  1. Tim Sparapani
    Here’s the TLDR summation of my response to Danny – Bright lines with rules for interpretation of those brief rules are the most workable solution for protecting consumers and benefit fit innovators, but companies need to be forced to undertake the process of analysis and so Intel’s emphasis on setting out process and requiring accountability is, of necessity, spelled out at length. In short, we need bright lines and we need legislatively-mandated process. Intel’s draft, wisely, does both.

    I’m of two minds with respect to Danny’s thoughtful comment. We all want and need a law that will stand the test of time. Numerous privacy laws (ECPA, COPPA to name just two) have had their viability undercut by a focus on regulating existing technologies. Others, such as HIPAA, are less protective than they should be because they were overly reliant on weighty process or a too-keen focus on the current type of business relationships and market construction at the time of their enactment. Legislators are facing a once-in-a-generation chance to regulate wisely. My definition of wise regulation — to further illustrate my recommendations below — is enactment of a workable system that gives us all the benefits of technological advancement with a means for mitigating or eliminating the consequences to both individuals and society from any advancement.

    So, how best to draft a law that withstands the test of time and achieves these twin results of being simultaneously pro-innovator and pro-consumer? Whether the law is brief or verbose, we should attempt to enact a law that anticipates as many of the challenges that are emerging and draft policy to help guide the future.

    As I’ve learned time and time again advising startups, innovators want bright line rules. Short, sweet, direct. I’ve heard repeatedly from innovators some version of the refrain “Just tell me what it is I need to do or don’t do and I’ll code my software, build my systems and design my User Interface accordingly.” So, yes to bright lines. That will help us get innovators bought in to this legislation and give them rules they can readily remember and properly implement to advance compliance. Most startups have a bias against weighty rules — at first — until they realize that a lack of clarity leaves them feeling exposed. That can, quite surprisingly, sometimes slow their pace of innovation. If the answers are spelled out in the law or regulation they can adapt to anything.

    Consumers, surprisingly, often function best with bumper sticker short bright lines. Think of these as privacy slogans that they can remember and wield to advance their data protection. A good example is that every American believes they have a right to free speech. The intricacies of the First Amendment and the limitations on that speech — hint, there are many — are lost, but the bumper sticker protection gives a workable system that can generally ground both companies and consumers.

    These short, bright line rules are especially helpful in guiding emerging technologies without burdening innovation or blocking new technologies. Short, straightforward rules partner well with avoiding dystopian outcomes from misuses of new and emerging technologies involving consumer data.

    So the answer for the length of legislation should be short and sweet, right? Not so fast.

    While the world’s largest companies and those who are already serving customers in the EU are now accustomed to engaging in analysis of their data collection, storage, use and sharing, they didn’t get there over night. And, they’ve learned a lot about what works and what doesn’t. Unfortunately, it’s my experience that the expertise needed to undertake this systemic privacy analysis is not often available to startups. More importantly, it’s not often found at companies that aren’t used to thinking of themselves as consumer data companies. Most manufacturers don’t understand how they’ve also become companies chock full of consumer data, for example. Therefore, both startups and old line (aka companies that don’t think of themselves as “tech companies”) need wise privacy process spelled out for them. If either of these types of companies don’t have a virtual roadmap dictating what it takes to analyze privacy risks to their customers they may do a cursory analysis at best. Or, they might miss important steps. Or, they might not be able to bind their executives to the work it takes to implement proper privacy protective processes throughout the business. Worse still, they might fail to bind their vendors or subcontractors, or let data sneak out the back either accidentally or via sale to a third party that won’t protect that data appropriately or could misuse it.

    Here’s the genius of Intel’s draft. It gives us bright line rules for emerging technologies and then spells out privacy analysis and process for entities.

    • Danny Weitzner
      I agree 100% with Tim as to the process that large data-holding companies need to go through in order to be good stewards of personal data. However, I do not not believe it is the role of either Congress or the FTC (in a rulemaking process) to prescribe such internal procedures. The extensive accountability requirements described in section 4(h) are great guidance for at least certain organizations, but they are not necessary to ensure that a company refrains from abusing personal data nor are they sufficient to ensure that such abuse doesn’t happen. So I consider it overkill to expend enforcement resources on monitoring all of these steps when they do not necessarily produce the right result. Simply put, companies should be held to specific substantive privacy standards — the ones in section 4 are pretty good. If they follow these rules, that’s great. If not, they should be punished, regardless of whether or not they had a good accountability process in place. So, right of the bat, I would remove section 4(h). The standards there are great advice about how to work to be responsible, but this statute ought not to be in the business of giving management advice. It should state rights and responsibilities clearly and see that they are enforced.

      • David Hoffman
        Danny, I am interested to know what portions of Section 4h you believe would be overkill. In my experience they are high level concepts that all organizations that handle personal nal data should follow. I still think we do need a carve out from the bill for entities that are small, do not use data in a sensitive way and who do not manage the personal data for large numbers of individuals. That being said, the requirements in 4h are so flexible that they could apply to just about anyone without much added cost. For example, privacy training is available for free on the internet. Also, for a small organization it is not difficult to combine the responsibilities of a privacy official with those of the employee who is in charge of information security. Net, I am wondering which of those requirements you believe fall in the category of “extensive”.

  2. Marty Abrams
    Process requirements for individuals lead to less fairness while actionable process requirements for organizations actually frees them to innovate for everyone while still protecting individuals. The lesson from the recent cent Conference of Data protection and Privacy Commissioners is that, with all the requirements in the GDPR, fairness is the de facto standard for whether processing is in bounds or out. By design, whether the word that comes first is privacy, data protection, comprehensive, or ethics, is the process that weights consequences, for all interests, whether those consequences are good or bad. Congress can’t and shouldn’t define the fine print of what is in or out. Yes Congress can say that secret processing, or processing to accommodate fraud are out. Congress may also define the bounds of the public commons versus the private space. But using legislative text to define the future is a fools errand. As for startups, they can do processing by design. I have worked with organizations that have.

    The role of regulators gets more difficult if there are not bright lines. The reluctance to use unfairness when overseeing fair processing is an indication of the difficulty off enforcing against subjective standards. But we need to find a way to make that possible. There are positive lessons. The Information Commissioners in British Columbia and Alberta have effectively overseen accountability in their respective provinces. That oversight has been based on guidance published in 2012. The Spanish passed legislation in 2011 that established a sliding scale for fines based on comprehensive programs. We need to vet the regulator role more fully in the next few months.

    • David Hoffman
      Marty, this is an excellent point. I have heard others say that we really should just empower the FTC to use their Section 5 “unfairness” authority to require companies to to practice ethical data processing. I doubt that will work, based on the political issues we have seen with the FTC attempting to expand their use of unfairness without having more of a guide from Congress on what is unfair. I do start from the presumption that the best way to protect privacy is to require companies to put in place the minimum people, policies and processes to demonstrate they are behaving responsibly. That is what we attempted to capture in Section 4h. In my experience, having organizations go through the exercise of determining how to put the items included in 4h in place, is the single best way to make sure that individual privacy is protected (instead of just providing for the ability for enforcement actions after privacy has already been lost). The requirements listed in 4h strike me as the minimum that organizations need to do to demonstrate they are behaving responsibly. Some social media and public discussion comments seem to think the requirements will create too much bureaucracy and paperwork. I am interested in which of the requirements people think will do that. Intel’s view is that privacy is a fundamental human right, and therefore it is not too much to ask that organizations demonstrate they will protect that human right by behaving responsibly.

  3. Pam Dixon
    The powerful Fair Credit Reporting Act and the Violence Against Women Act are just two pieces of US privacy legislation that serve as cases-in-point that lasting privacy thought requires both oth high level concepts as well as particulars. Brevity may be the soul of wit, but it is clarity that is the soul of legislation that achieves both durability and quality. The FCRA and VAWA have proven effective and important in the US to provide both protection and guidance.

    Without the particulars and procedural guidance for those entities that are implementing, companies and other entities covered by a given legislation are left to a no-man’s land of ambiguity and definitional volatility which typically results in legal uncertainty.

    Marty’s points about process requirements are well-articulated, and persuasive.