It is going on three years since the Obama administration announced its privacy blueprint articulating the Consumer Privacy Bill of Rights. That blueprint called for passage of “legislation adopting the Consumer Privacy Bill of Rights” and laid out a roadmap for what such legislation should look like.
As the leader of the administration’s work on consumer privacy, I worked over the following year with my staff in the Commerce Department’s Office of General Counsel and National Telecommunications and Information Administration (NTIA) to put this roadmap into legislative language and pave the way for introduction of a bill. By 2013, I had reached the conclusion that the administration should go ahead and put out its own proposal for baseline privacy legislation.
I thought then that releasing proposed legislation would help to explain a novel regulatory model and begin serious debate about baseline consumer privacy legislation. It would also demonstrate to European partners and others a commitment to maintaining the strength of America’s multifaceted privacy regime.
The roadmap laid out in the 2012 blueprint centered on broad and flexible application of principles in the Consumer Privacy Bill of Rights, which reframed the longstanding and widely-adopted Fair Information Practice Principles (FIPPs) for the era of ubiquitous computing and user-generated data. What was most novel about this adaptation above all was the centrality of context, the explicit recognition that how data is collected, used, and disclosed should be a function of the context in which the data is provided – the Respect for Context principle. Second, rather than undertake and prescribe the application of Consumer Privacy Bill of Rights principles in a host of contexts, the framework relies on multistakeholder codes of conduct and FTC adjudication to apply the principles in specific contexts.
This approach consciously favors flexibility and adaptability over certainty and predictability, mirroring a digital world in which new versions and new models are introduced continuously to keep pace with changes in technology and the marketplace. The approach deliberately leaves a lot of questions unanswered, but the alternative risks being overly prescriptive. Releasing draft legislation would help articulate the approach and jumpstart discussion.
Then along came Edward Snowden. One of my first reactions to the Snowden disclosures was, well there goes the idea of putting out consumer legislation now. The disclosures ignited an international debate about privacy and data collection, but focused on government surveillance. For the administration to put out legislation at that stage would have looked like an effort to deflect attention to the private sector at a time when U.S. businesses were reeling from the fallout. Indeed, even after the President announced surveillance reforms six months later, some companies saw the simultaneous announcement of the White House Big Data Task force in that light.
The report from Big Data Task Force paved the way to put legislation forward, directing the Commerce Department to seek public comment and then “devise legislative text for consideration by stakeholders and submission by the president to Congress.” The Task Force and the accompanying report by the President’s Council of Advisers on Science and Technology expanded the case for carefully balanced legislation by laying out both the benefits and the risks of big data more thoroughly and concretely than did our 2012 blueprint. Many of the comments in the public consultation that followed supported the enduring application of the FIPPs in the era of Big Data.
In his speech at the FTC last week, President Obama took the next step, committing to introduce legislation by the end of February. In his forward to the 2012 blueprint, President Obama promised to “work with Congress to write these general principles into law.” After an 18-month hiatus in the wake of the Snowden revelations, now his administration is moving to show the way and restore global trust. Let the debate begin.
This post originally appeared on Privacy Perspectives a blog of The International Association of Privacy Professionals. Minor changes were made to reflect the text of the State of the Union.