You are here

Address by Assistant Secretary Strickling at Hudson Institute

Consumer Privacy in the Obama Administration
Washington, DC
April 11, 2012

I want to thank Harold Furchtgott-Roth and the Hudson Institute for inviting me to talk about the Obama Administration’s blueprint to protect consumer data privacy.  About six weeks ago, the Administration introduced a blueprint to improve consumer privacy protections and ensure that the Internet remains an engine for innovation and economic growth.  My agency, the National Telecommunications and Information Administration, played a key role in developing this policy, and we are leading the Administration’s work to put it into practice.  

Two weeks ago, I testified at a Congressional hearing on privacy.  The question before the panelists was whether the Administration’s blueprint tips the scale that balances privacy and innovation.  My response at that hearing was an emphatic no.  The Administration’s proposal strikes the right balance to preserve the flexibility businesses need to innovate while addressing the broad array of privacy harms that consumers face in our networked world.

We designed the blueprint to address direct harms to consumers.  Certainly, we all know that the misuse of personal data can cause financial harm.  Personal data lost through security breaches can lead to identity theft and financial fraud.  The financial cost of these incidents is quite apparent. 

But it is equally apparent that consumers suffer harms that are more difficult to quantify.  Consumers can suffer severe embarrassment from having their names or online identities associated with certain websites.  They have been surprised and shocked to find that information about them spreads rapidly from one place to another on the Internet.  It is no wonder that consumers express concern about how companies handle personal data and avoid those that fail to meet their expectations. 

These concerns register strongly in surveys.  For example, TRUSTe recently reported that 90 percent of the adults it surveyed worry about privacy online.  Consumers Union found in a separate survey that more than two-thirds of the respondents were “very concerned” about the privacy implications of personal data being shared or sold. 

But above and beyond direct harm to consumers, we also designed the blueprint to protect against harm to the Internet and the amazing economic growth and innovation it has inspired.  A key element in our thinking at the Commerce Department on all Internet policy issues has been the need to preserve the trust of all actors on the Internet.    The evidence we have makes it clear that consumer trust is fragile.  Maintaining that trust is important, not just to consumers, but to businesses as well.  If consumers no longer trust that their information will be protected online, they may stop utilizing the Internet, which would risk undermining the growth and innovation that has characterized the Internet economy.  Accordingly, in developing the Administration’s policy, we felt that adequately protecting consumer privacy needed to be done in a way that also protected innovation so that the result would be a win-win for the consumer and for business.

The Administration’s blueprint includes four key measures.  First is the Consumer Privacy Bill of Rights.  These rights are general statements of basic and globally recognized privacy principles.  We carefully avoided making these principles read like regulations intended to cover every possible contingency because we knew that doing so would threaten the flexibility businesses need to have to innovate on the Internet. 

The Consumer Privacy Bill of Rights recognizes that companies need to collect some personal data simply to do business with consumers.  It also recognizes that much of this data collection occurs within the context of a direct relationship between consumers and companies.  On the whole, the Consumer Privacy Bill of Rights provides a baseline to protect consumers from the wide range of privacy harms that arise in our networked economy.  The Administration believes this basic set of principles should be enacted into law.  A baseline consumer privacy law would, of course, provide strong protections for consumers.  It would also provide businesses with greater legal certainty and level the playing field between companies that handle personal data responsibly and those that do less than what consumers expect and deserve.  Baseline legislation could also reduce compliance burdens on companies that do business globally.  These are worthy goals for legislation, and the Administration looks forward to working with Congress to develop what we hope will be bipartisan legislation to codify the Bill of Rights.

Turning to the second key aspect of the blueprint, having developed these basic privacy principles, we then had a choice.  We could have proposed, as so much legislation does, that Congress direct a regulatory agency to engage in lengthy rulemaking proceedings to provide more definition and detail for these basic principles.  We did not do so.  Instead, we look to the private sector--companies, consumer advocates, and other stakeholders--to take the lead on implementation by developing legally enforceable codes of conduct that apply the Consumer Privacy Bill of Rights to specific business settings.  In our discussions with stakeholders, companies and privacy advocates have indicated great interest in participating in the voluntary process.  NTIA will convene the various stakeholders and facilitate their discussions, but we will not substitute our judgment for the consensus reached by the stakeholders. 

Companies will decide on their own whether to adopt a particular code developed through this multistakeholder approach.  Direct participation is the best way to shape the process and its results.  Companies also have a strong incentive to adopt codes of conduct once they are complete.  By doing so, they will undertake commitments to privacy that will help strengthen consumer trust.  Importantly, since NTIA is not a regulatory agency, we will not impose these codes on businesses. 

Once a company adopts a code, we believe it will be enforceable by the Federal Trade Commission under its authority to protect consumers from unfair and deceptive trade practices, just as it does today with privacy policies adopted by companies.  So the third key piece of the Administration’s policy is the strong enforcement of commitments companies make to protect the privacy of their customers.

Fourth and finally, the United States has a unique opportunity to be a leading voice in global discussions of consumer privacy.  Our goal is to improve the interoperability of privacy regimes around the world, which will help American businesses expand globally with our trading partners.  We are actively engaging our international partners to promote these principles and to make it easier for American businesses to succeed in the global marketplace. 

Our success in developing enforceable codes of conduct will also set a positive example for our trading partners, many of whom are considering what type of privacy regime to implement in their own countries.  Elsewhere in the world, there are alternatives to the Administration’s blueprint that rely more heavily on regulation. Other nations are watching closely, and NTIA will do its best to demonstrate that our model will provide strong but flexible privacy protections. 

With the release of the blueprint, we are moving forward to implementing the framework.  I mentioned our support for enacting the Consumer Privacy Bill of Rights in law, but we are not waiting for Congress to act.  The multistakeholder approach for privacy is viable without new legislation, and getting it up and running is an important focus for NTIA right now.

So how will the process work?  Well, I do not know precisely because that will be the first task of the first group to assemble to tackle one of these codes.  Right after we released the blueprint, we did seek comments from stakeholders.  As of the close of the comment period last week, we had received more than 80 comments.  The responses came from individuals, consumer groups, privacy advocates, companies, trade groups, and think tanks.  We even received comments from Canada, Europe, India, and the Republic of Georgia.  This strong and diverse response is a sign of the intense interest that many stakeholders share in working together on privacy, and working together now. 

We asked stakeholders to comment on two main areas.  First we asked for suggestions as to which consumer privacy issue should NTIA designate as the first topic around which to develop a code of conduct.  While we suggested a handful of topics in our request for comments, we left the door open to other suggestions.  We do think that there are two important factors to consider in selecting the first topic.  First, the issue should be of current concern to companies and consumers.  This requires striking a balance.  On one hand, the issue should be ripe for consideration.  By that, I mean there should be sufficient definition in the relevant technologies, markets, and consumer privacy interests to allow for a meaningful discussion.  On the other hand, we do not want to wade into an area that has already been addressed through existing self-regulatory efforts, absent broad consensus that we should do so.

The second consideration is simply that we have to “walk” before we can “run.”  That is, the issue needs to be relatively discrete, perhaps limited to addressing one or two elements of the Consumer Privacy Bill of Rights as it applies to a particular industry sector.  We think this kind of limited initial approach is necessary, because substance is only half of what stakeholders will be trying to figure out. 

We are also building a process, which presents its own set of challenges.  Before the stakeholders can discuss any matters of substance, they will need to agree on how they will work together.  I am hopeful that NTIA and stakeholders can work together quickly and respectfully in an initial meeting to set the rules of the road that will allow them to tackle substantive issues.

The privacy blueprint sets forth three guiding principles for the privacy multistakeholder process:  open participation, transparency, and consensus as a basis for stakeholders’ decisions.  Let me comment on each of them.

First is participation.  One key benefit of multistakeholder processes is that they can provide a vehicle to engage all interested parties.  Such parties can include industry, civil society, government, technical and academic experts and even the general public.  Contrast this approach with more traditional telecommunications regulatory processes which, by their very construct, have a more limited set of stakeholders and are often designed to limit direct participation, or at least make it difficult for others to participate.  Top-down regulatory models too often can fall prey to rigid procedures, bureaucracy, capture by incumbents and stalemate.

Consumer privacy exemplifies how Internet policy draws the interest of a large range of stakeholders.  The Internet is a diverse, multi-layered system that thrives only through the cooperation of many different parties.  A routine online interaction—using a smartphone to view a Web page that displays behaviorally targeted advertising, for example—raises privacy issues that could be sliced in multiple ways.  To stick with this example for a moment, consider that the network operator, the browser vendor, the advertising networks, and the website a consumer actually visits all may be able to collect data about the consumer.  Addressing policy issues in this space requires engaging these different parties, including consumers or groups that represent consumers.  This is essential when markets and technology are changing as rapidly as they are and given the individual nature of privacy interests.  Moreover, by encouraging the participation of all interested parties, multistakeholder processes encourage broader and more creative problem solving.  

Our second guiding principle in the privacy multistakeholder process is transparency.  Given the broad range of interests in consumer data privacy, it is important for anyone who has an interest in the privacy multistakeholder process, whether or not they participate, to understand the basis for decisions made within the group.  The proposals that are under discussion and participants’ arguments for or against such proposals will be useful to gaining this understanding.  It will be crucial for relevant information to be made available and accessible in a timely fashion.  We fully recognize, however, that stakeholders will not conduct all of their deliberations in public.  We expect that companies and consumer groups will want to hold discussions on their own to develop common perspectives.  What stakeholders will need to work out is how to integrate these private discussions into a process that allows everyone a chance to work from common proposals and understand the public rationales that stakeholders offer to support their positions.

The third and final issue I want to address is how to reach and maintain consensus in a multistakeholder process.  Of course, we need a shared understanding of consensus as it can be defined in many ways.  A voting model presents some obvious difficulties in the consumer privacy arena.  Consumer groups and privacy advocates are particularly concerned about this possibility because it gives an advantage to stakeholders that have the resources to outnumber them.  This model creates the risk that entire categories of stakeholders will always be on the losing side.  

Just as unworkable is the idea that consensus means unanimity.  This approach leads to the possibility of one participant holding up agreement during the process.  Citing this possibility, several commenters have warned that the perfect should not be the enemy of the good.  Between these two extremes, there is a broad middle ground.  We are reviewing comments with an eye toward not only the standard that should govern consensus but also how dissent should be handled.  Commenters provided many thoughtful discussions of these issues, and they will inform how we frame initial discussions with stakeholders.  But it will be up to the stakeholders, not NTIA, to decide how to define consensus. 

Let me conclude with a few brief thoughts about how the privacy multistakeholder process intersects with global privacy discussions.  Consumer privacy is an increasingly important trade issue.  Companies that do business globally face a complex set of privacy challenges, and complying with disparate privacy laws across the world imposes significant costs on U.S. enterprises.  Moreover, these laws are in flux, as many of our trading partners in Europe, Asia, and Latin America are developing or revising their privacy frameworks.  Though the United States shares many privacy values with other countries, we expect that differences will remain between our consumer data privacy framework and those of our international partners.  As a result, the privacy blueprint recommends creating greater interoperability with other privacy frameworks, rather than seeking uniformity or full harmonization.  This interoperability is based on mutual recognition of common privacy values, shared efforts to develop internationally recognized codes of conduct, and enforcement cooperation.

We at NTIA are working closely with our counterparts in the Department and throughout the Executive Branch to pursue greater interoperability.  An important activity for NTIA over the next year will be to promote the privacy multistakeholder approach internationally.  We expect that a diverse array of stakeholders will participate in the processes we will convene and welcome those stakeholders who have a practical perspective on global privacy compliance challenges.  Finally, we will continue to coordinate with our U.S. Government counterparts to keep a close watch on legal developments in Europe and other regions and to participate in privacy discussions in forums such as the Organization for Economic Cooperation and Development and the Asia-Pacific Economic Cooperation.

None of this will happen without the private sector’s energy and commitment.  The Administration has provided a blueprint, and NTIA will convene stakeholders, but the expertise necessary to create these codes of conduct lies in the private sector.  NTIA is eager to begin convening stakeholders to protect consumers, provide businesses with greater certainty, and allow continuing innovations that benefit our economy.  I am hopeful that you will join us in this effort. 

Thank you.  I look forward to your questions.