From CQ Weekly, my first policy article as tech reporter:
The Federal Trade Commission wrapped up a multi-year review of consumer privacy issues last week, concluding that Congress should pass a bill to protect data online.
The agency’s call echoed a White House proposal last month, which outlined a Consumer Privacy Bill of Rights that President Obama wants Congress to enact.
The usual congressional inertia means that nothing is likely to happen anytime soon. But inaction in this field has an unusual consequence: It’s creating a vacuum, which is being filled by the European Union’s privacy policies, ensuring that they will become the global standard. That prospect does not sit well with U.S. companies.
The European Commission has moved swiftly to offer new rules that stand to reshape business on both sides of the Atlantic. The aim is to consolidate and strengthen the consumer privacy laws of each of the 27 EU member countries and tighten rules for the safe-harbor program that sets privacy requirements for American companies operating in Europe.
Françoise Le Bail, the European Commission’s director general for justice, said the new regulations would simplify privacy policies, require companies to disclose what they track and give consumers more control over their data. The EU’s proposals may also go a step further than America’s by requiring companies to seek permission before tracking users.
Although Le Bail praised the White House for including similar provisions in its proposal, she urged Congress to follow up with a law while making clear that Europe would proceed with its plans regardless.
“We want the protection that we are providing at the European level — and, again, that we are providing for everybody regardless of nationality — we want this level of protection to be continued,” Le Bail said at a congressional briefing last month.
What the European Commission decides will greatly affect global Web companies, including American firms that rely on collecting user data to target advertising, a business that some industry groups say could be undermined by the EU’s proposed disclosure requirements.
“All these companies are U.S. companies. Why are we letting the Europeans write the rules for how they are doing business?” asks Tim Lordan, executive director of the Internet Education Foundation, which advises the Congressional Internet Caucus Advisory Committee. Lordan’s group invited Le Bail to Capitol Hill. Absent congressional action, Lordan says, “the European data directive basically becomes your rule of the road.”
The White House privacy proposal was designed in part to deal with that concern by facilitating through the Commerce Department a voluntary industry code of conduct that would work with Europe’s rules.
Keep It Voluntary?
Internet companies have agreed to participate in the White House effort, saying it is a better way to address privacy issues than broader legislation. Historically, U.S. laws have tackled privacy issues by sector, as was the case with health information in the 1996 Health Insurance Portability and Accountability Act, That approach is favored by trade groups.
“If we demonstrate to the rest of the world that the multi-stakeholder process produces good, strong privacy protection, then I think our way of approaching the issue might have international legitimacy,” says Mark McCarthy, a spokesman for the Software and Information Industry Association.
Still, some members of Congress say a baseline privacy law is needed to codify the American approach to protecting the data of Internet and mobile-phone users.
“Most developed economies have law built on the standard that the European Union has established. But I believe we can and should set our own standard — something more flexible and more stakeholder-driven but just as capable of delivering strong privacy protections,” said Sen. John Kerry, chairman of the Commerce Subcommittee on Communications, Technology and the Internet. The Massachusetts Democrat has revived efforts to pass a consumer privacy bill cosponsored with Republican John McCain of Arizona.
Rep. Edward J. Markey, also a Massachusetts Democrat and the co-chairman of the Bipartisan Privacy Caucus, has bipartisan backing for a bill to strengthen privacy protections for children online.
But Republican Rep. Mary Bono Mack of California advised caution. “We’re still trying to figure out if and where legislation would be needed and, more importantly, we’re trying to make sure that there isn’t bad legislation that hurts the economy,” she said.
As chairwoman of a House Energy and Commerce subcommittee, she held a hearing in September on European privacy rules and one last week on the White House proposal.
“Part of the concern about privacy is driven by the EU and our companies needing to comply with the EU,” she said, adding, “Very rarely do my constituents write in about concerns of privacy.”