ALEXANDRIA, Va. — Momentum is growing to regulate data and online privacy, according to a new U.S. government internet policy official, who cited a number of domestic and international efforts that could lead to stronger controls on personal data.
Ari Schwartz, who left the Center for Democracy and Technology two months ago to become senior internet policy advisor at the Commerce Department's National Institute of Standards and Technology (NIST), told the Predictive Analytics World conference this week that stories like Facebook's never-ending privacy concerns are getting noticed both by consumers and government officials.
"We're starting to see a lot of these stories pile up, a lot more people are talking about these issues," Schwartz said. "Whether you believe privacy is a major concern ... it's important to realize it's not going away."
Among the regulatory and legislative efforts cited by Schwartz are three congressional initiatives: one bill that has been introduced, a draft bill that is being circulated, and a third initiative that hasn't advanced beyond the discussion phase.
H.R. 5777, the Rush privacy best practices act, was introduced by Rep. Bobby Rush in June. Also on the House side, Reps. Rick Boucher and Cliff Stearns have released a discussion draft, while Sens. Mark Pryor and John Kerry are considering privacy legislation in the Senate.
On the regulatory side, the FTC and Commerce Department are both preparing reports on data privacy and behavioral tracking, but the agencies may lack authority without congressional action.
If anything, the U.S. has "too many privacy laws," said Schwartz, citing a number of industry-specific and state laws. He said the FTC could be the eventual enforcer of any national law or regulation.
Internationally, the EU has its Data Protection Directive and adequacy process, while the 30-year review of the OECD Privacy Guidelines will include discussions on data privacy.
The Department of Homeland Security's Fair Information Practice Principles are based on concepts that are "basically universally accepted," said Schwartz, while the Ontario, Canada privacy commission has launched the Privacy by Design initiative.
On the industry front, Schwartz said the Web Analytics Association Code of Ethics released last month contains an important if unstated principle. "There's a difference between anonymity and aggregation," he said. It's not enough to strip out identity; "you have to aggregate it to some degree," he said.
Schwartz said Congress is also watching efforts by the Interactive Advertising Bureau and other groups to develop an industry-standard self-regulatory behavioral advertising program. "They've been talking about it for years," but it has yet to be fully implemented, he said.
Schwartz said missing from the data privacy debate is a lack of objective measures. "We must move from procedural standards to performance standards," he said. "...We need a lot more measurement in the privacy space."