19 April 2012
President Obama and the Federal Trade Commission outline their vision for protecting consumer privacy. But how does this fit with European rules and what does this mean for research?
Many have made the mistake of thinking that the US lacks a comprehensive system of privacy rules. At a conference held by the European Commission and the US Administration in March, regulators raised awareness that both regions have clear privacy rules; there are just very different ways of expressing them and both regions’ rulebooks desperately need modernisation to fit the digital age.
Many research companies conducting cross-border research between the EU and the US will be familiar with the Safe Harbor system, which is currently under review. The European Commission will shortly issue a report on how to improve the credibility and reliability of the process, which could propose new audits, whilst the Federal Trade Commission (FTC) could extend the programme to non-profit organisations.
ESOMAR supported comments submitted by CASRO in 2011 on the first round of the FTC’s reflection, a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change”. See news item HERE. The final privacy report now contains concrete recommendations for businesses.
The original FTC strategy has now been narrowed in scope. It will not apply to businesses that collect and do not share non-sensitive data from fewer than 5,000 consumers a year. Data covered by the report has to be "reasonably linked" to consumers, computers, or devices but would not come into this category if a company takes reasonable measures to de-identify the data, commits to not re-identify it, and prohibits downstream recipients from re-identifying the data.
The FTC report also singles out “data brokers” who “often buy, compile, and sell highly personal information about consumers” without consumers’ knowledge. Whilst some say that the exact definition of a data broker should be clarified, the FTC recommends legislation to provide consumers with greater transparency, firstly through granting access to information held by data brokers. Secondly, it calls on data brokers who compile consumer data for marketing purposes to consider creating a centralised website where consumers can obtain information about their practices and their options for controlling data use.
The final report contains three key principles:
Privacy by Design: companies should build in consumers' privacy protections at every stage in developing their products, for example reasonable security for consumer data, limited data collection and retention, and reasonable procedures to promote data accuracy.
Simplified Choice for Businesses and Consumers: companies should give consumers the option to decide what information is shared about them, and with whom. This should include a Do-Not-Track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.
Greater Transparency: companies should disclose details about their collection and use of consumers' information, and provide individuals with access to the data collected about them.
At the EU-US conference, despite a joint statement expounding common goals from the heads of the regulatory authorities on both sides of the Atlantic, most EU panelists insisted on a binding set of laws, accompanied by individual rights, while most U.S. panelists affirmed that voluntary codes of conduct, combined with enforcement by the FTC, are preferred.
The main message from the conference appeared to be that the 27 EU national data protection agencies will need to generate more PR about enforcement actions, similar to the FTC’s recent efforts, if they want to be seen as global leaders for privacy protection. This could mean more resources devoted to name-and-shame actions if companies break the rules, but it is also a concern if fewer resources are devoted to advising companies on best-practice examples of how to comply with the rules.
For more details, contact: firstname.lastname@example.org