Remarks of Assistant Secretary Strickling at the 32nd International Conference of Data Protection and Privacy Commissioners

Remarks by Lawrence E. Strickling, Assistant Secretary of Commerce for Communications and Information
32nd International Conference of Data Protection and Privacy Commissioners
Jerusalem, Israel
October 27, 2010

– As Prepared for Delivery –

It is a real pleasure being here to speak with you at the 32nd International Conference of Data Protection and Privacy Commissioners. Thank you, Minister Steinitz and also Minister of Justice Neeman, who invited me to come to Jerusalem to share the views of the United States of America on privacy and innovation.

I am the Administrator of the National Telecommunications and Information Administration at the U.S. Department of Commerce.  NTIA serves as the principal advisor to the President on communications and information policy. 

I am here to tell you that the Obama Administration places a high priority on extending the Internet’s transformative potential more broadly in our society. And, it is vital to ensure that the global Internet environment continues to encourage innovation and creativity.

The Commerce Department plays an important role in the Administration’s overall Internet policy effort. Earlier this year, Commerce Secretary Gary Locke established an Internet Policy Task Force to address four key public policy challenges facing the Internet: first, enhancing Internet privacy; second, ensuring cybersecurity; third, protecting copyright; and fourth, ensuring the global free flow of information. Along with NTIA, the Task Force includes experts from four other agencies at the U.S. Department of Commerce: the International Trade Administration, the National Institute of Standards and Technology, the U.S. Patent and Trademark Office, and the Office of the Secretary.

We are guided by two dominant principles as we approach these challenging issues:

First is the importance of trust.  It is imperative for the sustainability and continued growth of the Internet that we preserve the trust of all actors. For example, if users do not trust that their personal information is safe on the Internet, they will worry about using new services. If content providers do not trust that their content will be protected, they will threaten to stop putting it online.

Our second key principle is the commitment to the multi-stakeholder policy development model. There’s little question that multi-stakeholder organizations have played a major role in the design and operation of the technical aspects of the Internet and are directly responsible for its success.  Our approach, which we call Internet Policy 3.0, recognizes that the interplay among technical standards and design, multi-stakeholder institutions, voluntary best practices, and laws and regulations can ensure that the Internet continues to meet its economic and social potential. In this model, a key role for government is to convene stakeholders to discuss critical technology issues, bring them to the public’s attention, and work together with all interested parties to solve challenging problems.  This convener role is a important way to provide leadership on these issues while preserving the benefits of a multi-stakeholder approach. We’ve put these principles into practice with our work on privacy and the other matters being studied by the Internet Policy Task Force.

At the outset, I want to emphasize how seriously Americans take privacy. A fundamental right against government intrusion on individual privacy is enshrined in the Fourth Amendment of our Constitution. We have strong statutory protection in sectors where sensitive information is found –health, finance, education – and a world-class consumer privacy regulator in the Federal Trade Commission. A recent study reported that 65 percent of adult Internet users in the United States have proactively taken steps to increase their privacy on social networking sites.  And even while the conventional wisdom suggests that younger Internet users are cavalier about their privacy rights, surveys show that young adults are also taking steps to protect their privacy interests online.

Industry groups in the United States are also taking an active role in protecting privacy.  For example, a coalition of online advertisers recently announced a plan to provide consumers with more information about the ads they see, when they actually see the ads.  The idea is that there will be an icon in or near advertisements so that consumers can easily find privacy policies and opt out pages.  Voluntary industry efforts like this are essential, but we should work to make them more robust, worthy of greater trust, and globally scalable.

The Internet Policy Task Force effort on privacy began by listening to everyone who was willing to talk to us: companies, trade groups, civil society, and academics. This past spring we used these conversations to shape a Notice of Inquiry, which posed a number of questions about the connections between privacy, policy, and innovation. We held a public symposium in Washington, where experts from all sectors shared their views on topics ranging international frameworks to specific voluntary codes of conduct. And we’ve been working informally, but closely, with our colleagues at the Federal Trade Commission, which is the U.S. federal government’s main privacy enforcement agency.

We have learned a lot from these engagements. First and foremost, it is clear to us on the Task Force that we need to strengthen our privacy framework.  Privacy notices are written by lawyers (and, it often seems, for lawyers).  It’s difficult for consumers to act in their own interest if the law doesn’t meet their basic expectations and the options presented by the marketplace are written in legalese.  Meanwhile, companies struggle to comply with laws that may differ from state to state and certainly from country to country. While the privacy policy framework we have in the United States has been great for innovation, we still have more to do to build consumer trust and provide legal certainty for all.

Based on everything we’ve learned over the last six months, we are developing a set of policy recommendations which we will soon publish as a Department of Commerce “green paper.” We identify it as ‘green’ not because of its environmental impact, but because it contains both recommendations and a further set of questions on topics about which we seek further input. We view this document as the next step in an ongoing conversation, rather than a final statement of the Department’s policy views. In the end, our goal is to advance both the domestic U.S., and global dialogue, and to contribute to an eventual Obama Administration position on information privacy policy.

So what specifically needs to be done to strike a better balance between privacy and innovation? First, it is time that we adopt comprehensive Fair Information Practice Principles (FIPPs) as the information privacy framework in the United States to clarify how personal data on the Internet is protected.  Baseline privacy protections will build consumer trust and give businesses in the United States more guidance about what’s expected of them.  To borrow from one of the responses we received to our Notice of Inquiry, baseline FIPPs are something that consumers want, companies need, and the economy will appreciate. Industry, civil society, and the U.S. Government all have important roles to play in helping this framework take hold.

Second, we realize that government is not going to have all the answers. Along with government, there are vital roles for industry and civil society to play in putting FIPPs into practice in the United States. The implementation strategy will be critical so that we don’t end up with another set of boxes to check. My overarching concern is that FIPPs do not become a mere compliance exercise. They should lead to substantive privacy protections, and they should be part of a dynamic privacy policy framework. 

I envision a strong role for voluntary but enforceable codes of conduct, which must be developed through open, multi-stakeholder processes as a way to fuel this dynamism. This approach recognizes that technologists and entrepreneurs, privacy and consumer advocates, business interests, and the government have to work together to develop a privacy policy. Launching such multi-stakeholder processes is, indeed, challenging, but we should have confidence in the process because similar global, multi-stakeholder efforts have been successful, for example, the creation of the underlying Internet standards.

The framework I have in mind would build on current successes with voluntary codes but provide a more accountable, institutional structure for the future. Starting in the mid-1990s, NTIA and the FTC explored options to protect online privacy, working closely with industry groups and privacy advocates.  During that formative period of the Internet privacy debate, the FTC played a pivotal leadership role based on its expertise in consumer protection and its role as the primary enforcement authority. The result was that major web sites agreed to post privacy policies explaining how they used personal information.  Today, we can debate whether we rely too heavily on these notices, but it’s the process that I want to emphasize. The quick actions that many stakeholders took in the mid-1990s allowed them to reach consensus in the midst of dynamic technological change much more rapidly than our legislature and regulatory institutions could have acted.  That, in my mind, is a considerable success.

Making a multi-stakeholder process effective and dynamic requires everyone to stay engaged. Government can play a role as a convener or facilitator of the various constituencies that need to be engaged. In the area of privacy, I believe that the U.S. Government should establish a Privacy Policy Office to serve as a center of information privacy expertise. This Office would complement, not supplant, the Federal Trade Commission or the other institutions in the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies. A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices. This institutional commitment to engage on information privacy issues in a dynamic, multi-stakeholder manner over the long term would do more than just help voluntary industry codes to develop.  It would also be an important vehicle to help us better engage with all of you to address the privacy issues that we’re all confronting.

This brings me to a third major issue: our desire for robust engagement with the global privacy community. The Obama Administration realizes that the legal and policy framework surrounding the Internet, especially privacy, is complex both domestically and internationally.  While we understand that governments must act to protect their citizens, we also wish to avoid fragmented sets of inconsistent and unpredictable rules that frustrate innovation and the broad commercial success of the online environment.

How can we go about this? I am here today because we are committed to engaging with our allies and trading partners around the world to find approaches to data protection that build on our shared global commitments.  Respecting individual rights, while also recognizing that there will be differences in the way democratic societies go about protecting those rights, is vital in this regard. 

I come here ready to learn from all of you. I come with a sense of hope that we can find ways to lower the barriers to the flow of information and innovative services around the world. And, I come with a commitment to work with you to build cooperative cross-border relationships that ensure the protection of privacy values we all hold dear.

In addition to moving in the directions I’ve suggested today, the United States can build on the progress we currently share in the global arena. International cooperation on enforcement is very encouraging. Just about a month ago, privacy enforcement agencies from thirteen countries formally announced the formation of the Global Privacy Enforcement Network.  I’m pleased to say that the U.S.’s own FTC is among the thirteen.  So is the Law, Information and Technology Authority from our host country, Israel.  GPEN, as it’s known, will allow better cross-border investigation of privacy complaints. The FTC is also one of five signatories to the APEC Cross-border Privacy Enforcement Arrangement. This agreement creates a voluntary framework for cross-border cooperation on consumer privacy investigations and enforcement matters for relevant authorities throughout the APEC region.     

I look forward to hearing your ideas about how the United States can reinvigorate its international privacy engagement.  Along with the formal and informal dialogue I expect we will all have, I invite you to send your formal comments when the Department’s report comes out.  We’ll be asking many more questions in the report, and we want to hear from you.

The time for greater international cooperation is here.  All nations, including the United States, must be ready to work together and begin a proactive and productive dialogue on privacy reform efforts. The United States is ready to work with its global partners to develop a formula for establishing greater legal and practical certainty in privacy protection. At Commerce, we are eager to enter into a comprehensive dialogue on the question of principles that we all can live up to and how to adapt to our national experience. It is time for a robust global dialogue and decisive action so we look forward to working with you.

Finally, let me offer my thanks again to our Israeli hosts for their gracious hospitality, and my appreciation for the opportunity to meet and talk with so many in the global privacy community. My hope is that this pair of privacy conferences will be remembered in the history of 21st century privacy policy as laying the groundwork for progress toward global privacy interoperability.