Strickling Suggests ‘U.N. Model’ for Defining Consensus in Privacy Discussions
NTIA has no interest in pushing a particular view of privacy rules for the private sector in the multistakeholder meetings it plans to convene around the Obama administration’s Consumer Privacy Bill of Rights (CD April 4 p4), NTIA Administrator Lawrence Strickling told a Hudson Institute gathering Wednesday. NTIA will have to “resist the impulse” to lead the discussion, even at the prompting of participants, he said: “People are going to be looking for those handholds” -- what the government thinks should happen.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The agency is focused on getting stakeholders to decide what will constitute “consensus” for applying the White House’s “Privacy and Innovation Blueprint” to particular business contexts, Strickling said. Strickling twice called the government proposal “the least regulatory approach” possible.
"I personally don’t like” the idea of a voting model for establishing consensus in the discussion groups, because that’s just a matter of “how many can show up and vote” for one side or another, Strickling said. But he’s also not keen on requiring unanimity from all parties, which could give one or two groups a “veto” over the process, he said: A better idea is a “U.N. model” where “if nobody is objecting too hard, then you have consensus.” The discussions must have open participation, because every online transaction probably includes three or four parties in addition to the consumer, and they will have to be involved, Strickling said. Some businesses told NTIA in comments they're afraid the agency is requiring all discussions to be public, he said, but “of course we're not saying that” parties can’t have closed-door discussions: NTIA simply wants to ensure “the output of the process has the full confidence” of all.
NTIA isn’t a regulatory agency and so was careful to write up the proposed baseline privacy rules so as to “avoid making them read like regulations,” Strickling said. They come from “a set of values that have stood the test of time and frankly are shared in most countries in the world,” and aren’t intended to define all practices and cover “every contingency,” he said. Though NTIA wants Congress to enact a law based on the principles, legislation wouldn’t have to be “complicated,” perhaps just a 10-15 page bill, he said.
If the discussions result in “strong and flexible” codes of conduct, it will be a “powerful example” to U.S. trading partners who are also eyeing Europe’s ongoing proceedings on privacy regulation, Strickling said. He specifically mentioned Singapore as one country considering various privacy approaches: The U.S. is “quite anxious” to talk to such countries.
NTIA and stakeholders will set the “rules of the road” at the first meeting, Strickling said: The eventual substance of codes is “only half” of the work. Many comments to NTIA boiled down to “we have to be able to walk before we can run,” meaning the agency should not try to impose rules on every sector right off the bat, he said: “I'm quite worried about doing that at the outset."
One area where NTIA is mulling whether to scrap existing sector-specific privacy rules is telecom, Strickling said. Phone companies are competing with a broader group of rivals now who aren’t subject to rules such as for customer proprietary network information, he said: NTIA suggests “replacing that FCC model with the regime that we provide” for baseline rules. Other sector-specific rules for health and financial information should remain, he said.
The agency has been careful not to “plow ground that’s already been well-plowed,” such as weighing in on do-not-track practices that industry and the World Wide Web Consortium have been developing, Strickling said: NTIA would just be “an additional oar in the water.” A “good topic to consider as the first one out the door” in discussions is transparency in mobile applications, he said, but cautioned that the approach taken on mobile apps won’t dictate how future topics will be approached.
TechFreedom President Berin Szoka asked Strickling from the audience to provide evidence of “generalized harm” that justifies the NTIA wading into territory traditionally overseen by the FTC. Surveys cited by NTIA don’t answer “what consumers would choose in the real world if given a tradeoff” between stronger privacy rules and the services made possible by broad data collection, Szoka said: The agency implies “there’s some cliff we're about to fall from” without regulation.
The surveys show that lack of enforceable codes of conduct “could lead to something happening fundamentally to the trust consumers have on the Internet,” just as content owners may not release works online if they can’t be effectively protected from piracy, Strickling said. (See related report in this issue.) And unless “everybody is playing from at least a basic playbook,” legitimate companies won’t know “they aren’t being hurt in the marketplace” by unscrupulous competitors, he said.
Trying to devise privacy rules that mesh better with the EU’s more regulatory stance could backfire, suggested Dan Brenner, a telco lawyer for Hogan Lovells. “We've had a decade or more in which the Europeans have looked askance” at U.S. privacy practices, he said from the audience, admitting he was being “contrarian.” As cloud computing becomes big business, isn’t there an argument that companies will store consumer data in countries that “give them the least amount of hassle” with privacy rules? he asked. But EU nations, for example, won’t let companies get access to that consumer data in the first place without acceding to privacy rules, Strickling said. Hudson’s Harold Furchtgott-Roth, a former FCC commissioner, said that’s easier said than done, because a given company may not know where a third-party provider is storing data.
Strickling dismissed the possibility that stakeholders could refuse to adopt enforceable rules after coming to consensus: “It would suggest to me that something went wrong in the actual process itself.” Industry participants won’t “capture” their own prerogatives over those of consumer groups and then enshrine them in law, because every step will require consensus, he said: If the process gets “railroaded” by business groups, for example, then consumer groups will “decamp from the process” and it will be a failure.
Strickling also rejected a comparison of the failed Stop Online Piracy Act (SOPA) to the forthcoming privacy discussions. Georgetown University Prof. Mike Nelson, a former IBM Internet director, said there are privacy implications in fighting online piracy and that the administration’s push for “SOPA two” could conflict with NTIA’s baseline proposal. The administration isn’t pushing for antipiracy legislation again this year, Strickling said. Rather it’s convening stakeholders to reach agreement on antipiracy measures, such as overcoming privacy hurdles to identify bad actors who register domain names for malicious purposes, he said. That was the problem with SOPA, he added -- one set of interested parties didn’t feel represented equally from the start.