Trans Atlantic Consumer Dialogue: Privacy on Opposite Sides of the Pond
Privacy loomed large as a discussion topic at the 13th Annual Meeting of the Trans Atlantic Consumer Dialogue (TACD), an event held in Washington, D.C. last week that brought together consumer advocacy organizations and regulatory agency heavyweights from both sides of the Atlantic for some in-depth policy discussions. The TACD’s annual meeting helps foster alliances between TACD member organizations (EFF is counted among them) working in the U.S. and the EU. While the overarching group tackles such broad-ranging issues as food policy and financial services, TACD’s Information Society division has been especially concerned with protecting Americans’ and Europeans’ privacy rights in the digital era.
At an overlapping event, the Consumer Federation of America (CFA) hosted a privacy roundtable to bring consumer groups together with representatives from major tech companies and online advertising associations for a frank discussion about emerging issues in online privacy. Both forums yielded some fascinating questions and debate. Here are some of the key takeaways.
Will a Privacy Bill of Rights Move Forward in the U.S.?
Much discussion revolved around the proposed “Consumer Privacy Bill of Rights,” a policy blueprint floated by the Whitehouse this past February that seeks to establish new safeguards to protect consumer data in the digital realm. As a TACD resolution on consumer privacy points out, this issue doesn’t affect Americans alone: “In the absence of legislation, the U.S. cannot offer the EU any assurance that there will be adequate protection for the personal data stored or used by U.S. companies,” TACD noted.
In an age where it’s commonplace for third-party data brokers to buy and sell individuals’ personal information without their knowledge or consent, sound policy is sorely needed. While the Whitehouse proposal could go farther on calling for limiting data collection, it nonetheless contains solid recommendations on transparency, accountability and security and would represent an important step in the right direction. (EFF, meanwhile, has devised its own Privacy Bill of Rights recommendations for mobile users and social network users.)
Unfortunately, questions arose during the TACD meeting about whether the proposal could indeed be expected to move forward as legislation anytime soon, particularly in an election year.
Commissioner Julie Brill, who serves on the FTC, endorsed the idea of converting the Whitehouse blueprint into law during one of the conference plenary sessions. “Such rapid advances in technology and marketing have led us … to conclude we’re facing potentially serious gaps in consumer privacy protection,” she noted.
But in a closed session that followed, representatives of other U.S. government agencies faced tough questions from advocates who voiced concerns that attempts to craft strong policy around consumer privacy would be waylaid and substituted with a multi-stakeholder process that has been launched concurrently to hash out industry best practices on consumer privacy.
Pressed as to whether the Whitehouse policy framework had actually been committed to draft legislative language, agency representatives acknowledged that the administration had not yet taken this step. While they offered assurances that a push for legislation is still on track, they also acknowledged that the effort likely is not going to be realized this election year.
The upshot is that the multi-stakeholder process is on the front burner while the legislative effort simmers in the background. This effort aims to facilitate collaboration with industry and other partners to pin down a code for best practices, and the FTC will be endowed with enforcement powers to hold companies accountable under the voluntary standard that is created.
Speaking of political campaigns: Investigative news outlet ProPublica put some pressure on Yahoo, Microsoft, and President Barack Obama’s reelection campaign this week with an article detailing how the companies are providing user data to political campaigns to facilitate sophisticated online voter targeting.
When Machines Decide
A number of fascinating conversations emerged from the CFA privacy dialogue, a forum held the following day that brought together representatives from industry, government, advocacy organizations and universities. One of the most intriguing (and perhaps chilling) was a presentation delivered by a representative from a prominent tech company who cheerfully described a world in which an "Internet of Things" could assist with decision-making --without any human intervention.
The Internet of Things may be thought of as “intimately networked” devices, people and computers “all talking to each other,” the company representative explained. While at present there are roughly 2 billion “things” (hint: most are smartphones) connected to the Internet, corporate researchers predict that the world will be swamped with a whopping 50 billion Internet-connected things by 2020.
As envisioned, these “things” will be wide-ranging in nature. They might include infrared sensors on doorways to tally the number of people entering a room, for example, or devices tasked with monitoring and controlling the power grid, or mitigating traffic congestion. It could even be a device worn by a patient to monitor blood pressure, equipped to automatically send the data back to a medical care provider. The long-term idea is to use vast amounts of collected data -- sent along largely invisible networks -- to enable these devices to recognize patterns over time and make decisions accordingly.
This scenario obviously raises a slew of thorny questions, but the discussion at the CFA dialogue centered on the privacy implications. Some wondered how consumers could be guaranteed agency in an intensely networked world. Others noted that it would be crucial to require adequate disclosure on who is obtaining the data that is being generated, and for what purposes it is being used. TACD, meanwhile, has also issued a resolution on the Internet of Things, which provides a useful way to think about this future scenario:
“The IoT will reveal much more about consumers’ habits, from the books they read and the medications they take to the types of transportation they use. Implementation of privacy by design will be important for the enforcement of consumer and privacy rights. In addition, the data protection principles (data collection limitations; lawful and fair collection; proportionality; finality; accuracy; transparency; right of access and rectification; confidentiality and security of processing) should be respected and implemented in the technology.”
TACD Recommendations on Consumer Privacy Rights
TACD has also issued a much broader resolution offering a set of detailed recommendations on consumer privacy in general. In it, member organizations urge the U.S. and EU governments to do the following (paraphrased and not a comprehensive list):
- The U.S. should seek Congressional enactment of the proposed Consumer Privacy Bill of Rights.
- The U.S. should ratify the Council of Europe Convention 108. This widely recognized convention supports user privacy rights, and has been adopted by 43 countries.
- The E.U. should implement a strong new privacy law, and EU member countries should engage in effective enforcement.
- Both the E.U. and the U.S. should promote “privacy-by-design.”
- Both the E.U. and the U.S. should encourage the development of global guidelines for online advertising.
- E.U. and U.S. regulatory authorities should work together and verify that consumers’ privacy rights are adequately protected under the U.S.-EU Safe Harbor Privacy Principles.