TR Daily NTIA Solicits Comment on Proposed Consumer Data Privacy Framework
Tuesday, September 25, 2018

NTIA Solicits Comment on Proposed Consumer Data Privacy Framework

The National Telecommunications Information Administration solicited comment today “on ways to advance consumer privacy while protecting prosperity and innovation.”

The request for comment (RFC) is designed to help the agency assess “a proposed approach to consumer data privacy designed to provide high levels of protection for individuals, while giving organizations legal clarity and the flexibility to innovate,” a news release on the RFC said.

“The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected, and integrated into our daily lives,” NTIA Administrator David J. Redl said in the news release. “The Trump Administration is beginning this conversation to solicit ideas on a path for adapting privacy to today’s data-driven world.”

“NTIA’s request for comment proposes an approach with two parts: privacy outcomes for users and high-level goals for federal action to achieve them,” Mr. Redl noted in a telephone briefing for reporters. “We’re proposing outcomes because we want the focus of the conversation to be on producing better results for consumers, not mandates about internal company processes or what needs to be included in a legal policy.”

“Our next steps will be determined by what we hear from the commenters, and we hope we get a broad range of comments” from parties, Mr. Redl added. ““We’re truly looking for guidance from all different quarters, and we’ll decide what to do based on that feedback.”

Asked whether NTIA might recommend legislation, he noted that a number of stakeholders have called for such action and said the agency wants to see what parties say first.

“This RFC is the outcome of an interagency process led by the National Economic Council (NEC) of the United States. NTIA has worked in coordination with the International Trade Administration (ITA) to ensure consistency with international policy objectives, and in parallel with the work of the National Institute of Standards and Technology (NIST) in developing a voluntary risk-based Privacy Framework as an enterprise risk management tool for organizations,” the RFC noted.

“The Trump Administration’s proposed approach focuses on the desired outcomes of organizational practices, rather than dictating what those practices should be,” the news release said. “With the goal of building better privacy protections, NTIA is seeking comment on the following outcomes: 1. Organizations should be transparent about how they collect, use, share, and store users’ personal information. 2. Users should be able to exercise control over the personal information they provide to organizations. 3. The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks. 4. Organizations should employ security safeguards to protect the data that they collect, store, use, or share. 5. Users should be able to reasonably access and correct personal data they have provided. 6. Organizations should take steps to manage the risk of disclosure or harmful uses of personal data. [and] 7. Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems.”

The news release noted that “NTIA also is seeking comment on several high-level goals identified in the Request for Comments setting the broad outline of the direction that the Trump Administration should take to achieve U.S. consumer privacy protections.”

The goals are (1) harmonizing “the regulatory landscape”; (2) providing “[l]legal clarity while maintaining the flexibility to regulate”; (3) comprehensively applying any actions; (4) employing “a risk and outcome-based approach”; (5) ensuring interoperability in the cross-border flow of data; (6) encouraging privacy research; (7) ensuring the Federal Trade Commission has the tools to enforce consumer privacy; and (8) ensuring scalability.

On the last issue, the RFC said, “The Administration should ensure that the proverbial sticks used to incentivize strong consumer privacy outcomes are deployed in proportion to the scale and scope of the information an organization is handling. In general, small businesses that collect little personal information and do not maintain sensitive information about their customers should not be the primary targets of privacy-enforcement activity, so long as they make good-faith efforts to utilize privacy protections. Similarly, there should be a distinction between organizations that control personal data and third-party vendors that merely process that personal data on behalf of other organizations. Just as organizations should employ outcome-based approaches when developing privacy protections for their customers, the government should do the same with its approach to privacy enforcement and compliance.”

The RFC asked whether the administration should consider other outcomes or goals, whether descriptions are clear, and whether there are “any risks that accompany the list[s]” of outcomes and goals.

It also asked whether any aspects of the proposed approach could be achieved through executive actions, including procurement, or non-regulatory steps and whether the department should “convene people and organizations to further explore additional commercial data privacy-related issues?”

Comments are due Oct. 26 in docket no. 180821780-8780-01.

Industry entities welcomed the RFC.

“USTelecom appreciates this effort by NTIA to advance the privacy conversation,” said Jonathan Spalter, president and chief executive officer of the U.S. Telecom Association. “Our members understand the success of any digital business depends on consumer trust. Several members of Congress have also introduced – or plan to introduce – privacy legislation. Taken together, we hope these initiatives will lay the groundwork for a single, national framework with strong consumer protections and flexibility for a competitive and innovative marketplace. What we need most is clear and consistent privacy rules that apply equally to all companies that interact with consumers through the internet.”

“Data and human ingenuity are the lifeblood of today’s most beloved, useful, and in-demand innovations, and protecting that data is critical for individuals, companies and governments alike. As times change and innovation progresses, the rule of law protecting consumers must evolve as well. We commend NTIA for taking a deliberative and thoughtful approach to advancing a national privacy framework that both protects our privacy as users and our ability to continue to be the world leaders in innovation,” said Dean Garfield, president and CEO of the Information Technology Industry Council. “This is a positive step toward modernizing our laws, so they better align with user expectations and enable the technology driving our future. The issues at play have broad societal implications and so we look forward to working with all key stakeholders and providing input on how we can achieve these goals together.”

“CCIA welcomes the Department of Commerce’s engagement, through NTIA and NIST, with the ongoing conversation about privacy and data protection,” said Ed Black, president and CEO of the Computer & Communications Industry Association. “Our companies are willing to engage in a real thoughtful discussion on privacy and are glad to see NTIA and NIST taking the lead to organize that in a way that includes input from all stakeholders.”- Paul Kirby, [email protected]


Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More