Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

In the 1990’s, during the Clinton Administration, the Department of Commerce led U.S. efforts to develop policy related to privacy on the Internet and encouraged the development of online privacy policies and privacy seal programs.  Within the Department, the National Telecommunications and Information Administration (“NTIA”) authored numerous privacy position papers, and the International Trade Commission (“ITA”) negotiated the U.S.-European Union Safe Harbor Framework.  During the Bush Administration and the first year of Obama’s tenure, however, the Department was largely silent on privacy issues. 

Beginning last fall, the Department began holding sessions to investigate the effectiveness of privacy protections in the United States and the impact of privacy regulation on businesses.  The sessions were led by Marc Berejka, Senior Policy Advisor in the Secretary’s Office at the Department of Commerce, and Danny Weitzner, Associate Administrator for the NTIA’s Office of Policy Analysis and Development.  Over the past few months, the Department, in conjunction with NTIA and ITA, formed the Internet Policy Task Force and issued a notice of inquiry to discuss the “nexus between privacy policy and innovation in the Internet economy.” 

Last Friday’s day-long symposium included an introductory discussion on the global Internet economy and privacy that was followed by four panel discussions.  Professor Fred Cate, Senior Policy Advisor with the Centre for Information Policy Leadership and Distinguished Professor of Law at Indiana University Law School, set the stage for the first panel on “Privacy, Innovation and Global Trade.”  The participation of other Obama administration officials indicated that the Department is not alone in these efforts.  White House Deputy Chief Technology Officer Andrew McLaughlin led a panel on “Privacy Frameworks and Innovative Uses of Personal Information,” and Deputy Assistant Secretary of State and U.S. Coordinator for International Communications and Information Policy Phil Verveer spoke on the “Privacy on the Ground” panel.
 
The Department of Commerce will be receiving comments until June 7, 2010, on the notice of inquiry it issued on April 20, 2010.  A draft paper is expected in early October, ahead of the Organization of Economic and Cooperation and Development’s conference on privacy and technology, and the 32nd International Data Protection and Privacy Commissioners Conference, both of which will take place in Jerusalem during the last week of October.

The President also indicated that he would be appointing a privacy and civil liberties official reporting to the new cybersecurity coordinator.

The President cautioned, however, that dealing with cybersecurity issues would take time. “Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years. But we need to remember: We’re only at the beginning. The epochs of history are long—the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy.”

The President did not say who would be the new coordinator, nor did he provide a timeline for naming the new officials.

Today’s announcement is obviously a significant step towards a broader, higher priority approach from the federal government towards the growing problem of securing information and the systems that process it. While the President stressed that the new approach would include the private sector, he said that the government would not be telling the private industry how to go about securing their infrastructure, nor would the government engage in information monitoring.

According to published press reports, release of the cybersecurity report was delayed six weeks over disagreements within the administration over how the new cybersecurity position would be managed. That delay, the decision not to name the new coordinator, the tone of the President’s announcement, and the tools for fighting cyberattacks that he appeared to rule out suggest that while the administration’s response is serious, it is not necessarily as urgent as some experts have sought.

The Cyberspace Policy Review is available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.

The President’s announcement is available at http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure/.

And the unclassified documents on which the review relied are available at: http://www.whitehouse.gov/cyberreview/documents/.

The Obama Administration has taken these threats seriously.  On February 10 it initiated a 60-day review of federal cybersecurity efforts to protect vital U.S. computer networks (the Review).  The Review staff has engaged in significant and broad outreach to the government, the private sector and non-governmental organizations.  As the work of the Review draws to a close, its director, Melissa Hathaway, has intimated that it will not result in the naming of a cyber security advisor at the White House level.  This is an important, if controversial, signal.   However, on April 2, 2009, Senator Jay Rockefeller (D-WVA) and Senator Olympia Snow (R-ME) proposed legislation that would establish just such a position, invested with sweeping powers.  The legislation would empower government to set and enforce security standards for industry, and broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control critical infrastructure, such as electricity and water distribution.  Such new powers raise serious questions for industry and civil liberties.

The Centre for Information Policy Leadership has played a prominent role in these efforts.  Centre Senior Policy Advisor Professor Fred H. Cate has consulted on several occasions with the Review committee, and Paula Bruening served on the Commission. On April 5, Paula was featured as a guest on National Public Radio’s Diane Rehm show, along with Jim Lewis, director of the Commission’s  study, and Paul Kurtz, a cybersecurity consultant and former senior director, Office of Cyberspace Security at the National Security Council. During the hour-long discussion,  guests explained the nature of these cybersecurity threats, considered the challenges faced by government and industry, the consumer’s role, issues of civil liberties, and proposed possible ways to move forward.  To view the discussion, click here.

A company’s responsible use of data is key to maintaining the trust of customers and the public.  Technologies and business models that collect, use and analyze data emerge and change at a rate that outpaces the development of any law or policy.  While compliance with law remains fundamental, it may not suffice when a company uses information in a way that is unexpected or offends its customers.  A company fosters trust through more than compliance -- it does so by setting goals for protecting the privacy and security of data that reflect the appropriate expectations of companies and their customers -- and then working to ensure those goals are met.  An accountable company takes the further step to demonstrate its responsible practices.

The White House website calls this out explicitly in its technology agenda:

Safeguard our Right to Privacy: Strengthen privacy protections for the digital age and harness the power of technology to hold government and business accountable for violations of personal privacy.

The work of privacy professionals to explore the role of responsibility and accountability in protecting privacy has never been more timely.