Fights lie ahead for package of Internet privacy and data-security laws proposed by Obama

12 January 2015. By Mike Swift.

President Barack Obama on Monday proposed what could be landmark Internet privacy and data breach laws during the first visit by a US president to the Federal Trade Commission in more than 80 years.

“We pioneered the Internet, but we also pioneered the Bill of Rights, and a sense that each of us as individuals [has] a sphere of privacy around us that should not be breached, whether by our government [or] by commercial interests,” Obama said in a 2,500-word speech that sounded consumer protection themes throughout.

Obama’s speech at the FTC marked the first visit to the agency by a president since Franklin Delano Roosevelt in 1937, and the president’s proposals could boost the profile of a 100-year-old agency that has emerged in recent years as the nation’s de facto cop on the beat for the Internet.

Although the privacy proposals marked the first real progress for online privacy rules since the Obama administration nearly three years ago released its consumer privacy “bill of rights”, neither privacy advocates nor the Internet industry were prepared to celebrate.

Indeed, with the proposals to be fleshed out in coming weeks, for both sides there is already a sense of needing to play defense.

Privacy advocates fear that strong existing state rules on data breaches in California and other states could be pre-empted by a weaker federal standard that would block consumers from suing companies under state laws for failing to provide adequate security to prevent a data breach, as is being done in the ongoing litigation against Target in Minnesota.

“The state pre-emption is a very serious sticking point. That is a big deal,” said Pam Dixon, executive director of the World Privacy Forum.

The Internet industry, meanwhile, wants to preserve its ability to use data for new software products that had not yet been created when data was first collected. It wants to avoid new rules that would require companies to get permission from consumers to collect data for a specific use. Large companies such as Apple and Facebook issued cautious and qualified statements of support for the president’s ideas.

“When you look at a lot of digital innovation, so much of the innovation comes from using the data for a purpose other than what it was created [for],” such as using sewer data to track water pollution, said Daniel Castro, senior analyst for the Information Technology & Innovation Foundation, which issued a statement calling the president’s plan “a wrong and outdated approach”.

Of course, the fact that Obama’s political party is now the minority in both houses of Congress means that the prospects for any of the bills are hardly robust.

“I like what he said about (privacy and data security) being a bipartisan issue, because it is,” said Terrell McSweeny, a Democrat who is one of the five FTC commissioners, said following the president’s speech. “I have my fingers crossed,” she said when asked about its chances for passing Congress.

Obama proposed three key digital privacy and security initiatives:

– Data Breaches: Obama said he will propose a “Personal Data Notification & Protection Act” that would establish a uniform 30-day notification period in which companies that suffer a data breach would have to alert consumers whose data was exposed. The federal standard would replace the current patchwork of 47 state laws that have different breach rules in multiple states. “If we’re going to be connected, we’ve got to be protected,” the president said.

– Consumer Privacy: Obama said within 45 days he will send legislation to Congress for a “Consumer Privacy Bill of Rights,” which would be based on an Internet privacy “framework” proposed in 2012 by the administration. Among those digital rights, the president said, is that “consumers have the right to decide what personal data companies collect from them and how companies use that data.”

– A “Student Digital Privacy Act.” That bill, modeled on a law passed by California last year would prohibit companies from using data gathered on students in schools to be sold or used to target commercial advertising. “We’re saying that data collected on students in the classroom should only be used for educational purposes — to teach our children, not to market to our children,” Obama said.

The student privacy proposal appeared to have the most support, though Castro said he’s also concerned that the law would forestall the chance to use data for noneducational uses that would help students, such as detecting students who are emotionally depressed.

Privacy advocates are likely to push for legislation that will go even further with the privacy bill of rights, such as a recommendation made by the FTC last spring to give consumers a centralized online portal where they can see information being collected by data brokers, and can opt out of having personal data collected and sold by the industry.

“We are extremely interested to see something about a national data-broker opt-out,”Dixon said. “If it’s not included in the legislation, it will be missing some extremely important protections.”

Obama did not say what prompted the White House to act, although he did mention “the hack of Sony” Pictures, an act that US officials have said was backed by the government of North Korea over the film, “The Interview,” as one reminder of the “enormous vulnerabilities” created by the Internet to go along with its “enormous opportunities.”

The White House was rumored to be working on an Internet privacy bill more than a year ago, but no plan emerged. Last May, the White House released two reports on the intersection of so-called “Big Data” and privacy, calling on Congress to pass data breach notification legislation and update an electronic privacy law to ensure greater protections for digital content.

With Europe also looking to modernize its data protection rules, the administration has another reason to act.

US Internet companies want to protect their ability to transfer data about users between data centers in the US and Europe, and European officials have said prospects for the continuation of a trans-Atlantic “safe harbor” agreement would be improved if
the US had a federal privacy law, as Europe does. The preservation of those data-transfer agreements is of vital interest to US companies.

Unless the president’s privacy “bill of rights” includes provisions such as a data-broker opt-out, it may not get strong support — even from privacy advocates. Privacy advocates are also concerned that the data breach bill might omit a private right of action for consumers injured by a data breach, a right not available in 17 states.

“If a federal (privacy) bill added something new to the question that wasn’t already covered today, that would be something we could get behind,” said Justin Brookman, director of consumer privacy for the Center for Democracy and Technology.

Otherwise, he said, privacy advocates fear the White House proposals “would be a step backward; they would make the situation worse.”

-Additional reporting by Claude Marx