Committee mulls privacy policy

A few months ago, Congress took up the matter of online privacy via consideration of three inter-related and arguably flawed proposals. Understanding the differences between the bills demanded a certain degree of technological sophistication. Understanding the consequences of a free-wheeling and largely self-regulating environment for online “living” does not.

Last week the Obama administration, in conjunction with the Federal Trade Commission and the Commerce Department, again took up the charge.

As it currently stands, the FTC has only limited authority to enforce Internet privacy laws. FTC chairman Jon Leibowitz and Cameron F. Kerry, general counsel for the Commerce Department, told a Senate commerce committee hearing that writing new laws and giving the FTC power to enforce them (through civil penalties) would promote Internet commerce by increasing American trust in online transactions.

While the FTC can monitor whether an Internet company has a privacy policy and whether said company abides by its own policy, the agency has no authority to sanction companies that run afoul of stated standards. Moreover, the FTC has little say in how companies operate when they have no written privacy rules.

As Kerry told the Senate committee, this yields a situation in which the FTC is essentially helpless to combat the excesses of Internet commerce. “Granting direct enforcement authority to the FTC would enable the commission to take action against outliers and bad actors even if their actions do not violate a published privacy policy,” he said. As we have seen repeatedly, toothless government agencies, tasked with monitoring self-regulated industry, are seldom good for American consumers.

Committee chairman Sen. John D. Rockefeller IV (D-WV) concurred. In prepared remarks, Rockefeller observed: “Sometimes industry self regulation efforts do not end up protecting consumers… In my experience, corporations are unlikely to regulate themselves out of profits.”

History certainly validates this position. Of course, the Internet is unlike any beast we have ever attempted to tame. The Internet is intrinsically international and as a consequence, readily compartmentalizes its more nefarious bits to inaccessible environs. Unfortunately, our conundrum deepens due to the fact that both friends and foes get a say in how things unfold.

As recently reported in the New York Times, both Sen. John F. Kerry (D-MD) and his brother, Cameron Kerry, said it was important for the United States to establish its own privacy standard and not let European regulators dictate the industry standard.

To this point, British Information Commissioner Christopher Graham, speaking before the London meeting of Infosecurity Europe 2012, warned against the introduction of mandatory data breach notification requirements for all companies. Graham argued that if mandatory disclosure was introduced, as proposed in new draft EU regulations currently under consideration, the Information Commissioner’s Office (ICO) would be “buried” under a deluge of breach notifications. Graham contends the ICO needs to be “selective to be effective.” He said the current system of voluntary breach disclosure works well because companies know they are less likely to be punished if they are open about breaches, rather than trying to cover them up.

As Graham told the technology industry publication SearchSecurity.co.uk, “They know that they will be dealt with more severely if they attempt to conceal a breach.” Back in the U.S., Republicans voiced a predictable dismissal of the issue.

Sen. Patrick J. Toomey (R-PA) said he does not believe there is a demonstrated need for new privacy laws. “It’s premature to begin discussing specific legislative fixes … when we don’t fully know whether the problem exists,” he said.

While one can respect a cautious, well-considered approach to any issue, this stance is difficult to defend. With every week seeming to reveal a new “accidental release” of customer records by a major online vendor, it is hard to imagine what additional proof Toomey and the tech experts in Europe might require.

Of course this is how regulatory battles progress. Industry cries “death knell” and policy makers hold on for dear life. Politics and technology rarely keep the same calendar. This time they should.