The White House's release of long-awaited online and offline privacy legislation drew a crowd of commenters, from the Hill to the Internet to civil society representatives, and the reception was definitely on the chilly side from most quarters.
The bill is billed as putting some legislative teeth into the Administration's privacy bill of rights, but some saw it more like gumming at the issue.
"Three years ago, President Obama promised that his administration would deliver a 'Privacy Bill of Rights' to protect American consumers. The bill released today is a serious setback for privacy," said Jeff Chester, executive director of the Center for Digital Democracy, who has been critical of the administration efforts to come up with voluntary privacy codes of conduct without the buttress of legislation. "Instead of effective rights that Americans can rely on to protect themselves and their families from the onslaught of online and offline data gathering, the administration proposal perversely reduces the power of the Federal Trade Commission to protect the public. It fails to give the FTC, the country’s key privacy regulator, 'rule-making' authority to craft reasonable safeguards, and actually empowers the companies that now harvest our mobile, social, location, financial, and health data, leaving them little to fear from regulators."
“While this proposal from the White House focuses attention on the need for strengthening the privacy rights of Americans, it falls far short of what is needed to ensure consumers and families are squarely in control of their personal data,” said Sen. Ed Markey (D-Mass.) “Instead of codes of conduct developed by industries that have historically been opposed to strong privacy measures, we need uniform and legally-enforceable rules that companies must abide by and consumers can rely upon. We didn’t celebrate a great victory yesterday in the fight to protect the Internet for American consumers just to turn around and enable their online information to be easy prey for digital bandits seeking to pilfer Americans’ personal information."
Markey also said he would be introducing legislation to "require accountability and transparency for data brokers who are collecting and selling personal and sensitive information about consumers."
“I am concerned that this proposal includes a provision that could preempt strong state laws that already are protecting the privacy rights of consumers," said Markey. "The White House is proposing preempting state laws that overlap with the privacy protections. It would also make it easier to administer a code-of-conduct safe harbor without those laws in place."
Democratic Reps. Jan Schakowsky (D-Ill.) and House Energy & Commerce Committee ranking member Frank Pallone (D-N.J.) agreed that having industry-created codes of conduct—the Federal Trade Commission would have to approve them—are problematic.
"The draft encourages a self-regulatory system that could allow companies to design the privacy policies the FTC would enforce. Based on that model, all current practices related to data collection, use, and sharing – even flawed practices – would be allowed to continue," they said. "The FTC’s already limited authority to prevent the unfair acts or practices regarding privacy would be further weakened."
They also shared Markey's concern about preemption. They had other problems, but praised the removal of a provision that would have weakened FCC authority over privacy. "We were pleased to see that the Administration took our suggestion and removed the provision, found in an earlier draft, which would have moved telecommunications carriers and cable companies from the privacy regime regulated and enforced by the Federal Communications Commission to a self-regulatory system within the Federal Trade Commission’s (FTC) purview," they said. "But much more work remains."
“Many of the principles found in the Administration’s draft proposal are quite sensible as best practices, but the danger here is that they could soon be converted into a heavy-handed, bureaucratized regulatory regime for America’s highly innovative, data-driven economy," said Adam Thierer, senior research fellow at the Mercatus Center at George Mason University.
"No matter how well-intentioned this proposal may be, it is vital to recognize that restrictions on data collection could negatively impact innovation, consumer choice, and the competitiveness of America’s digital economy," he said.
"The Administration has repeatedly failed to demonstrate that privacy legislation is needed to address concrete harms or that such legislation would improve consumer welfare," said Thomas Lenard, president of the Technology Policy Institute. "The discussion draft unfortunately reflects the traditional focus on limiting data collection and use. This is in direct contradiction to recent reports from the White House and the President’s Council of Advisors on Science and Technology, which indicate such approaches are increasingly irrelevant and harmful in a big data world. If language similar to the discussion draft is eventually adopted by Congress, it is likely to harm innovation and ultimately make consumers worse off."
“The bill envisions a process where industry will dominate in developing codes of conduct,” said John M. Simpson, Consumer Watchdog’s privacy project director. “The bill is full of loopholes and gives consumers no meaningful control of their data.”
The Consumer Electronics Association joined the chorus of concern.
“We appreciate the Obama Administration’s effort to address important consumer privacy and security, but its proposal could hurt American innovation and choke off potentially useful services and products," said CEA president Gary Shapiro. "If enacted, the proposal's broad definitions, expanded bureaucratic authorities and steep penalties could burden the tech economy with uncertainty and stifle the development of the Internet of Things (IoT), which holds promise for novel new services and products, consumer safety and security, and job creation."
Daniel Castro, VP of the Information Technology and Innovation Foundation, slammed the legislative proposal.
“Today’s legislative proposal to enact a set of strict, top-down data privacy rules for the private sector would be a huge step backwards for consumers and businesses," Castro said. "Rather than continue to refine the flexible, sector-specific rules that have allowed the United States to dominate the Internet economy for the past decade, the President and his allies have decided to take a page out of the European playbook best known for stifling innovation and productivity."
But not everybody was finding problems around every clause.
“The Obama Administration is committed to protecting consumer privacy while also giving U.S. businesses the flexibility they need to grow and innovate," said Lawrence Strickling, head of NTIA. "With this discussion draft the White House released today, we want to advance President Obama’s framework for protecting consumer privacy by bringing all parties to the table to further discuss how we effectively apply privacy protections in the digital age.”
NTIA has been working on individual voluntary codes of conduct related to the privacy bill of rights, but they did not have the backing of legislation
"This bill contains significant improvements over a deeply problematic draft we were able to see a week ago," said Laura Moy, senior policy counsel, for New America's Open Technology Institute, "but it still has a number of critical shortcomings and has a long way to go before we can say that it would improve consumer privacy protections. We don't understand why the White House waited until last week to engage with privacy advocates on this bill, but we are encouraged by the fact that it has tried to improve the bill in that time, and we look forward to working with the Administration to continuing to improve the bill."
Microsoft was OK with the bill as a welcome conversation starter. "In an era of more personal computing, the proposed framework for privacy legislation unveiled by the White House today is a welcome development that we hope will kick-start a much-needed conversation about how to protect people’s personal information," said Microsoft chief privacy officer Brendon Lynch.
"Fostering innovation while protecting consumer privacy is at the heart of what we do every day at Microsoft. We understand that people will only use technology they trust. That’s why we work hard to build privacy protections into our products and policies. And it’s why we’ve thrown our support behind better privacy laws. For example, since 2005 we’ve called for the adoption of comprehensive federal privacy legislation. And in 2012, we joined the industry and privacy advocates to support the Consumer Privacy Bill of Rights."