Office of the Secretary, U.S. Department of Commerce; National Telecommunications and Information Administration, U.S. Department of Commerce; International Trade Administration, U.S. Department of Commerce; and National Institute of Standards and Technology, U.S. Department of Commerce.
Notice of Inquiry.
Comments are due on or before June 7, 2010.
Written comments may be submitted by mail to the National Telecommunications Administration at U.S. Department of Commerce, 1401 Constitution Avenue, NW., Room 4725, Washington, DC 20230. Submissions may be in any of the following formats: HTML, ASCII, Word, rtf, or pdf. Online submissions in electronic form may be sent to firstname.lastname@example.org. Paper submissions should include a three and one-half inch computer diskette or compact disc (CD). Diskettes or CDs should be labeled with the name and organizational affiliation of the filer and the name of the word processing Start Printed Page 21227program used to create the document. Comments will be posted at http://www.ntia.doc.gov/advisory/privacyinnovation.Start Further Info
FOR FURTHER INFORMATION CONTACT:
For questions about this Notice contact: Joe Gattuso, Office of Policy Analysis and Development, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue, NW., Room 4725, Washington, DC 20230, telephone (202) 482-1880; e-mail email@example.com. Please direct media inquires to NTIA's Office of Public Affairs at (202) 482-7002.End Further Info End Preamble Start Supplemental Information
Recognizing the vital importance of the Internet to U.S. innovation, prosperity, education and political and cultural life, the Department has made it a top priority to ensure that the Internet remains open for innovation. The Department has created an Internet Policy Task Force whose mission is to identify leading public policy and operational challenges in the Internet environment. The Task Force leverages expertise across many bureaus at the Department, including those responsible for domestic and international information and communications technology policy, international trade, cybersecurity standards and best practices, intellectual property, business advocacy and export control. This is one in a series of inquiries from the Task Force. The Task Force is conducting similar reviews of cybersecurity, global free flow of information goods and services, and online copyright protection issues. The Task Force may explore additional areas in the future.
Background: The Department has launched the Privacy and Innovation Initiative to identify policies that will enhance: (1) The clarity, transparency, scalability and flexibility needed to foster innovation in the information economy; (2) the public confidence necessary for full citizen participation with the Internet; and (3) uphold fundamental democratic values essential to the functioning of a free market and a free society.
Innovation in the information economy continues to drive U.S. commerce. Entrepreneurs and innovators in the United States are developing novel information applications and creative ways of delivering existing goods and services via the Internet. American technology companies have created hundreds of thousands of new online applications, revolutionizing how consumers and businesses interact, transact, and use information. Beyond the boundaries of electronic commerce, the Internet is transforming critical sectors of the U.S. and global economy and society, such as health care, energy, education, the arts and political life. In all these sectors, proper use of personal information can play a critical, value-added role, so establishing consumer trust and assuring flexibility for innovators is vital.
Recognizing that economic, social, and political participation in the Internet is essential for all citizens, the United States must establish an environment respectful of long-standing privacy principles and individual privacy expectations, even as they evolve.
Contribution of Online Commerce to the U.S. Economy: Between 1999 and 2007, the United States economy enjoyed an increase of over 500 percent in business-to-consumer online commerce. Taking into account business-to-business transactions, online commerce in 2007 accounted for over $3 trillion dollars in revenue for U.S. companies. The economic benefits provided by the information economy increased even during our economic downturn. During 2008, industry analysts estimate that sales of the top 100 online retailers grew 14.3 percent. In contrast, the U.S. Census Bureau estimates a 0.9 percent decrease in total retail sales over that time period. In 2009, U.S. mobile commerce sales grew over 200 percent compared to the previous year, reaching $1.2 billion. Analysts expect this impressive growth to continue in 2010, projecting $2.4 billion in mobile commerce. Online sales growth and expanding information systems are creating new jobs focused on the information economy and directly impacting our economic recovery.
In addition to the growth of online commerce, the Internet, the World Wide Web, and associated information systems have lead to an unprecedented growth in productivity over the last decade. More businesses are using the Internet to provide electronic records to customers and trading partners, and enterprises are shifting to a digital back office and greener business environment. Although this has spurred additional green innovation, the fact that increasingly more data is being stored electronically and aggregated creates new challenges in the privacy arena.
Sustaining the growth of digital commerce and U.S. commerce generally will require continued innovation in how information is used and shared across the Internet. Commerce today depends on online communication and the transmission of significant amounts of data. Key to the current inquiry, the Department believes this development places data protection in a new light.
The Nexus Between Privacy and Commerce, and the Department's Role: Consumers have expressed concern regarding new or unexpected uses of their personal information by online applications. Since Internet commerce is dependent on consumer participation, consumers must be able to trust that their personal information is protected online and securely maintained. At the same time, companies need clear policies that enable the continued development of new business models and the free flow of data across state and international borders in support of domestic and global trade. Our challenge is to align flexibility for innovators along with privacy protection.
The Department has played an instrumental role in developing policies that have helped commerce over the Internet flourish. Over the past two decades, the National Telecommunications and Information Administration (NTIA), in its role as Start Printed Page 21228principal adviser to the President on telecommunications policies, has worked closely with other parts of government on these issues. In 1993, the White House formed the Information Infrastructure Task Force (White House Task Force), chaired by the Secretary of Commerce, to develop telecommunications and information policies to promote the development of the Internet. The Privacy Working Group of the White House Task Force, led by NTIA, published a report entitled Privacy and the National Information Infrastructure. In the report, NTIA analyzed the state of privacy in the United States as it relates to existing and future communications services and recommended principles to govern the collection, processing, storage and use of personal data. In 1997, the White House Task Force noted NTIA's findings in publishing A Framework for Global Electronic Commerce, proposing five principles for international discussion to facilitate the growth of Internet commerce.
Today, there is a domestic and global reassessment of approaches to privacy given the fundamental changes in the information economy. The Federal Trade Commission (FTC) recently hosted a series of public roundtables to explore the privacy challenges posed by the wide array of 21st century technology and business practices that collect and use consumer data.
The goal of the roundtables was to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation. The FTC accepted public comments on these issues through April 14, 2010, and FTC staff is now reviewing the comments received. The Department of Commerce has participated in these sessions and will continue to collaborate with the FTC going forward. The National Broadband Plan (Plan), which the Federal Communications Commission released on March 16, 2010, makes recommendations for government action to address online privacy issues. Specifically, the Plan recommended clarifying the relationship between users and their online profiles; developing trusted “identity providers” to help consumers manage their data; and creating principles to require that customers provide informed consent before service providers share certain types of information with third parties. The Plan also urged the creation of a number of Internet privacy-related innovations to enhance our nation's energy, education, health care, and government performance.
Internationally, the OECD's Committee on Consumer Policy (CCP) recently launched a review of the 1999 Guidelines for Consumer Protection in the Context of E-Commerce. The OECD Working Party on Information Security and Privacy (WPISP) is conducting a 30th anniversary study of the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. The APEC Electronic Commerce Steering Group is developing a system for cross-border data flows among APEC members to implement its 2005 Privacy Framework. The United States, Canada and Mexico recently finalized a report highlighting the need to address impediments to transborder data flows. Finally, the European Commission is evaluating and considering changes to its 1995 Directive on Data Protection. Given the global reevaluation of data privacy policies, the Task Force is seeking to determine whether current privacy frameworks, or frameworks that are in development, create barriers to innovation on the Internet and, if so, how they might be addressed.
Request for Comment
This Notice of Inquiry seeks comment on the impact of the current privacy framework on Internet commerce and innovation, both from the commercial and consumer perspective, as well as ways in which it may be necessary to adjust today's privacy framework to preserve and even enhance innovation and privacy in our new web-centric information environment.
The questions below are intended to assist in framing the issues and should not be construed as a limitation on comments that parties may submit. The Department invites comment on the full range of issues that may be presented by this inquiry. Comments that contain references, studies, research and other empirical data that are not widely published should include copies of the referenced materials with the submitted comments.
1. The U.S. Privacy Framework Going Forward
Prior to releasing this Notice, the Department conducted listening sessions with a wide range of Start Printed Page 21229stakeholders in order to understand the questions most pertinent to stakeholders in the commercial, academic and civil society sectors and that have the greatest bearing on innovation and consumer expectations. During the course of those conversations, the Department heard that the customary notice and choice approach to consumer protection may be outdated, especially in the context of information-intensive, highly interactive, Web-based services. According to some, online interactions and web-based information linkages have become so complicated that it is increasingly difficult to provide consumers truly meaningful notice and choice. In lieu of, or in addition to notice and choice, some have advanced the notion that sophisticated data managers migrate to a “use-based” model. These assertions raise several questions.
Those addressing the utility of self-regulation should differentiate between practices defined and monitored unilaterally by an enterprise, and practices and monitoring systems developed by third-parties. If a third-party develops best practices, what mechanisms would be available for users and civil society to provide feedback? How will industry sectors enforce best-practice regimes when it might not be in their economic interest to do so?
Is the notice and choice approach to consumer data privacy still a useful model? Are there alternative approaches or frameworks that might be used instead of notice and choice? Those who urge a use-based model for commercial data privacy should detail how they would go about defining data protection obligations based on the type of data uses and the potential harm associated with each use. Describe how a use-based privacy system would work? How should policy makers determine what constitute harmful uses of personal information in this model? Are there examples from existing privacy laws and regulations that suggest strengths and weakness of the “use-based” model? Is this “use-based” model for commercial data privacy a workable approach for companies and consumers? What is the relationship between use-based privacy rules and proposed accountability systems?
2. U.S. State Privacy Laws
Most U.S. states have data breach laws or private sector data privacy laws, and some have both. These and other state laws and regulations govern how companies can collect, use and disclose personal data about citizens of each state. The Task Force seeks input on how different state-level laws and regulations affect companies' compliance costs and product development processes. The agencies seek comment on whether a diversity of state privacy laws has a positive, negative or neutral impact on the privacy rights of Internet users.
What, if any, hurdles do businesses face in complying with different state laws concerning privacy and data protection? Is there harmonization among state laws governing data protection? Please describe any significant differences that exist between the states. How does complying with multiple states' laws affect organizations' business activities and ability to operate online? What types of existing state laws have the greatest impact on companies' business models? What approaches do companies take to comply with privacy laws in multiple states? Have state laws that attempt to regulate location privacy had an impact on the development of business models or the way in which businesses introduce new products in various markets?  What future directions in state law are anticipated? Does the variety of technology-specific state laws help individual Internet users exercise their rights, or does it create confusion for consumers? Have technology-specific state privacy laws affected online innovation and business development and, if so, how?
3. International Privacy Laws and Regulations
A variety of foreign laws govern how companies collect, use and share personal data. There are national laws, sub-national laws, a region-wide Directive in the European Union in addition to member-state laws and, in many countries, laws under development. The Task Force seeks input on how international data privacy laws and regulations affect global Internet commerce, companies' compliance costs and product development process, and Internet users.
What, if any, hurdles do businesses face in complying with different foreign laws concerning privacy and data protection? What types of foreign privacy laws have the greatest impact on companies' business models? What approaches have businesses used to comply with laws in multiple foreign jurisdictions? Do foreign laws that contain content-based restrictions impede global trade or foreign investment? For example, are there laws that restrict the types of information that may be transferred, displayed, published or posted online which have deterred businesses from entering certain markets or from engaging in certain cross-border activity? Are laws that permit governments to have access to personal information an impediment to innovation or global trade and investment? If so, are the laws themselves actually an impediment, or is it the application and enforcement of such laws that are of concern? What challenges do businesses face when trying to transfer data across borders? What lessons have been learned from the U.S.-EU Safe Harbor Framework that could be applied in the global context? What mechanisms do organizations use to enable cross border data transfers? To what extent if any do privacy laws outside the United States create third party liability for Internet intermediaries such as search engines, content hosting Start Printed Page 21230services, Internet service providers or others? 
How does the multiplicity of international privacy laws impact Internet users? What models for protection of individual privacy rights across borders have proven effective in the global environment of the Internet? Can countries with different privacy rules cooperate to protect the privacy interests of their citizens?
How might privacy regimes in the United States and other jurisdictions across the globe be harmonized?
4. Jurisdictional Conflicts and Competing Legal Obligations
Today, cloud computing models allow organizations to collect, store, access and process data in separate locations around the world. This can create challenges for both companies and regulators in determining where data is located and who has jurisdiction over that data. In addition, different regulators may attempt to assert jurisdiction over data or a company's business practices, which may create conflicting or competing legal obligations. For example, one jurisdiction may require a company to retain its data, while another may ask that data be expunged after its use. The Task Force seeks information on any jurisdictional conflicts companies and regulators face as a result of data privacy laws, how they are reconciled and what, if any, effect they have on trade and foreign investment.
Do organizations face jurisdictional disputes as a result of domestic or foreign privacy laws? Please describe the types of jurisdictional disputes that arise as a result of privacy laws. What, if any, conflicting legal obligations do companies face as a result of data privacy laws? How do companies address jurisdictional conflicts and any resulting conflicting legal and regulatory obligations? How do such conflicts affect the cost of doing business? Do jurisdictional issues affect global sales of U.S. companies when the U.S. company stores data from non-U.S. customers inside the United States? Does cloud computing, or other methods of globally distributing and managing data, raise specific issues with respect to jurisdiction of which Commerce and regulators should be aware? Have jurisdictional conflicts had any impact on U.S. consumers?
5. Sectoral Privacy Laws and Federal Guidelines
The U.S. privacy framework is composed of sectoral laws combined with constitutional, statutory, regulatory and common law protections, in addition to industry self-regulation. Sectoral laws govern the handling of personal data considered most sensitive. For instance, the Communications Act includes privacy protections that telecommunication providers and cable operators must follow when handling the personal information of subscribers. The Health Insurance Portability and Accountability Act (HIPAA) stipulates how “covered” health care entities can use and disclose data. The Fair Credit Reporting Act (FCRA) governs how consumer reporting agencies share personal information. The Gramm-Leach-Bliley Act (GLBA) covers certain data held by financial institutions. The Children's Online Privacy Protection Act (COPPA) protects information collected online about children under 13. In addition to these sectoral laws, the Federal Trade Commission Act (FTC Act) provides the FTC authority to combat “unfair or deceptive” business practices. The FTC also provides guidance for businesses regarding privacy and security practices. These laws and guidelines affect U.S. economic activity by controlling how organizations can use data to develop new products and services or improve existing ones. The laws and guidelines differentiate between categories of data (e.g., health care, financial and other), and they differentiate between data subjects (e.g., children and others). The Task Force seeks input on how the U.S. privacy framework affects business innovation, accountability and compliance related to the use of personal information.
How does the current sectoral approach to privacy regulation affect consumer experiences, business practices or the development of new business models? How does the sectoral approach affect individual privacy expectations? What practices and principles do these sectoral approaches have in common, how do they differ? Are there alternatives or supplements to the sectoral approach that should be considered? What can be done to make the current framework more conducive to business development while ensuring effective privacy protections?
6. New Privacy-Enhancing Technologies and Information Management Processes
Researchers at universities, think tanks, international organizations and company laboratories are developing privacy-enhancing technologies and business methods to implement company privacy policies and user preferences and to increase company accountability. Researchers, for example, are considering consumer-targeted systems that employ text analysis and behavioral economics to create enhanced notification to consumers about privacy policies or to manage the information they are sharing. These technologies and ever-evolving, internal business processes have become an integral component of industry self-regulation. At the same time, researchers recognize the limitations of privacy-enhancing technologies related to consumer and industry adoption, new research demonstrating the possibility of data re-identification, and the continued security risks posed by hackers and other forms of electronic intrusion. The Start Printed Page 21231Task Force seeks input on the development, use and acceptance of privacy-related technologies and business processes and their potential to enhance consumer trust in Internet commerce.
Finally, the FCC has raised a number of privacy-related recommendations for government action. Specifically, the Plan recommends clarifying the relationship between users and their online profiles; developing trusted “identity providers” to assist consumers manage their data; and creating principles to require customers provide informed consent before service providers share certain types of information with third parties. What kinds of contributions to privacy and innovation could such identity providers make? What marketplace experience is there with such trusted third parties? Are there any services of this sort imagined by the FCC in operation today? Is any government action needed to encourage the marketplace in this direction?
7. Small and Medium-Sized Entities and Startup Companies
Small and medium-sized entities (SMEs) and startup companies face the same data protection laws and guidelines as their larger counterparts, but with fewer resources. The Task Force seeks input on how the issues outlined above might uniquely affect smaller companies and how these effects are managed.
How do existing privacy laws impact SMEs and startup companies? Please describe any unique compliance burdens placed on smaller companies as a result of existing privacy laws. Are there commercial or collective tools available to address such issues? How might privacy protections be better achieved in the SME environment? Have smaller companies been unable to engage in certain types of business activities as a result of existing privacy laws? Do foreign privacy laws pose a barrier to SMEs' international business plans? If such unique burdens do exist, what mechanisms do SMEs see as helpful for surmounting those challenges?
8. The Role for Government/Commerce Department
The U.S. privacy framework described above is multi-faceted. The combination of sector-specific laws for sensitive data, self-regulation, complemented by FTC enforcement authority, transparent privacy practices, and voluntary guidelines, have generated industry best practices, privacy seal programs and private sector innovation to enhance privacy disclosures and consumer choice regarding data usage. In many, though not all cases, this has been a formula for success to build on. Yet, surveys continue to indicate that consumers are concerned or confused about what happens to their personal information online. The Task Force seeks input on how to help address barriers to increased innovation and consumer trust in the information economy.
How can the Commerce Department help address issues raised by this Notice of Inquiry?Start Signature
Dated: April 20, 2010.
Gary M. Locke,
Secretary of Commerce.
Lawrence E. Strickling,
Assistant Secretary for Communications and Information.
Francisco J. Sánchez,
Under Secretary of Commerce for International Trade.
Director, National Institute of Standards and Technology.
1. U.S. Census Bureau, “E-Stats,” May 28, 2009.Back to Citation
2. Id.Back to Citation
3. Mark Brohan, “The Top 500 Guide,” Internet Retailer, June 2009.Back to Citation
4. U.S. Census Bureau, “Quarterly Retail E-Commerce Sales: 4th Quarter 2008,” Feb. 16, 2010, Table 4.Back to Citation
5. “U.S. M-Commerce Sales to Hit $2.4 Billion This Year, ABI Research Says,” Internet Retailer, Feb. 16, 2010.Back to Citation
6. Id.Back to Citation
7. Executive Office of the President of the United States, Council of Economic Advisors of the President, 2010 Economic Report of the President, at Chapter 10, Feb. 2010.Back to Citation
8. 47 U.S.C. 902 (noting NTIA has “the authority to serve as the President's principal adviser on telecommunications policies pertaining to the Nation's economic and technological advancement and to the regulation of the telecommunications industry.”); see also Connecting America: The National Broadband Plan, http://download.broadband.gov/plan/national-broadband-plan.pdf, page 55.Back to Citation
9. See National Telecommunications and Information Administration, “Privacy and the National Information Infrastructure: Safeguarding Telecommunications-Related Personal Information,” Oct. 1995, http://www.ntia.doc.gov/ntiahome/privwhitepaper.html.Back to Citation
10. See President William J. Clinton and Vice President Albert Gore, Jr. “A Framework for Global Electronic Commerce,” Washington, DC. 1997, http://clinton4.nara.gov/WH/New/Commerce/read.html.Back to Citation
11. For more information on the U.S.-EU Safe Harbor Framework, see http://www.export.gov/safeharbor/.Back to Citation
12. See Federal Trade Commission, Exploring Privacy: A Roundtable Series, http://www.ftc.gov/bcp/workshops/privacyroundtables/.Back to Citation
13. See Connecting America: The National Broadband Plan, http://download.broadband.gov/plan/national-broadband-plan.pdf.Back to Citation
14. Id. at 55-56 (Recommendations 4.14-4.16).Back to Citation
15. Id. at 208. 234-35, 252, 253, 286 (Recommendations 10.4, 11.11, 12.2, 12.5, 14.6, 14.7).Back to Citation
16. See OECD, Conference on Empowering E-Consumers: Strengthening Consumer Protection in the Internet Economy, Washington, DC, Dec. 8-10, 2009, http://www.oecd.org/document/20/0,3343,en_21571361_43348316_43410324_1_1_1_1,00.html.Back to Citation
17. See OECD, The 30th Anniversary of the OECD Privacy Guidelines, http://www.oecd.org/document/35/0,3343,en_2649_34255_44488739_1_1_1_1,00.html.Back to Citation
18. See APEC, Data Privacy Pathfinder Projects Implementation Work Plan, http://www.apec.org/apec/apec_groups/committee_on_trade/electronic_commerce.html.Back to Citation
19. See Office of Technology and Electronic Commerce, Trilateral Committee on Transborder Data Flow, http://spp.gov/pdf/Eng_Statement_of_Free_Flow.pdf.Back to Citation
20. See European Commission, Freedom, Security, and Justice, Data Protection, http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.Back to Citation
21. Use-based rules regulate the types of uses (or purposes) for which personal information may be employed as opposed to regulating what personal data can be collected.Back to Citation
22. For more information on the use-based model, see e.g., The Business Forum for Consumer Privacy “A Use and Obligations Approach to Protecting Privacy: A Discussion Document,” Dec. 7, 2009, http://www.huntonfiles.com/files/webupload/CIPL_Use_and_Obligations_White_Paper.pdf.Back to Citation
23. For a list of state data breach and data privacy laws see The National Conference of State Legislatures, Telecommunications and Information Technology, http://www.ncsl.org/Default.aspx?TabID=756&tabs=951,71,539#539.Back to Citation
24. Locational privacy (also known as “location privacy”) is an individual's ability to move in public space with the expectation that his or her location will not be systematically and secretly recorded for later use.Back to Citation
25. See, e.g., 47 U.S.C. 230(c) (2006) (“No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”).Back to Citation
27. See 42 U.S.C. 1320 (2006) (“A covered entity may not use or disclose protected health information” except as permitted by statute.). For information on HIPPA, see http://www.hhs.gov/ocr/privacy/.Back to Citation
28. See 15 U.S.C. 1681r (“Any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency's files to a person not authorized to receive that information shall be fined under title 18, imprisoned for not more than 2 years, or both.”). For information on the FCRA, see http://www.ftc.gov/os/statutes/fcrajump.shtm.Back to Citation
29. See 15 U.S.C. 6801-09, 6821-27 (2006). See e.g., 15 U.S.C. 6801a (2006) (“It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.”). For information on the GLBA, see http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.Back to Citation
30. See 15 U.S.C. 6501-06 (2006). See, e.g., 15 U.S.C. 6502a (2006) (“It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the [statute].”). For information on the COPPA, see http://www.ftc.gov/privacy/privacyinitiatives/childrens.html.Back to Citation
31. See 15 U.S.C. 41-58 (2006). See, e.g., 15 U.S.C. 45(a) (2006) (“The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations * * * from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.”). For information on the FTC Act, see http://www.ftc.gov/ogc/stat1.shtm.Back to Citation
32. See Federal Trade Commission, Privacy Initiatives, http://www.ftc.gov/privacy/index.html.Back to Citation
33. Re-identification is the process by which personal data is matched with its true owner. In order to protect privacy of consumers, personal identifiers, such as social security numbers, are often removed from databases containing sensitive information. This de-identified data safeguards consumer privacy. However, computer scientists recently revealed that this “anonymize” data can be re-identified, such that the sensitive information may be linked back to an individual.Back to Citation
34. See supra note 14.Back to Citation
[FR Doc. 2010-9450 Filed 4-22-10; 8:45 am]
BILLING CODE 3510-60-P