* This article originally appeared in Law360 on September 27, 2018.
But the devil, as they say, will most definitely be in the details. Developing regulatory policy is necessarily an exercise in balancing values that are difficult to compare, and no regulatory scheme can be all things to all people. How easily, for example, must companies make it for consumers to dictate how their data is collected, used, stored and disclosed in order for those consumers to have a “meaningful” opportunity to express their privacy preferences? The administration has not answered this question, or many others like it, yet, but at some point it will have to do so. And it is how the Trump administration answers the questions it has posed that will ultimately define the precise nature — and success — of its regulatory initiative.
Focusing on Privacy “Outcomes” Rather Than Regulatory Prescriptions
As noted above, one of the pillars of the administration’s approach is a focus on key privacy “outcomes” rather than on mandating detailed privacy rules. The latter approach, the RFC notes, “can result in compliance checklists that stymie innovative privacy solutions” and “does not necessarily provide measurable privacy benefits.” The RFC contrasts this with its proposed “outcome-based approach,” which focuses on adopting privacy practices that are “reasonable and appropriate relative to context.”
The RFC further provides an initial set of desirable outcomes that are provided “to spur comments, discussion, and engagement on how best to achieve user-centric privacy outcomes in a manner that is both flexible and clear, not to propose the text of a legal standard.” This starter list of outcomes is as follows:
- Organizations should be transparent about how they collect, use, share, and store users’ personal information.
- Users should be able to exercise control over the personal information they provide to organizations.
- The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
- Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
- Users should be able to reasonably access and correct personal data they have provided.
- Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
- Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems.
A Risk-Based, Rather Than Prescriptive, Approach
A second major pillar of the administration’s approach is its call for balanced privacy, security and data minimization safeguards — i.e., “measures appropriate to the level of risk” that are “reasonable and appropriate to the context and risk of privacy harm.” Privacy regulation, in this view, should avoid “cumbersome red tape.” Although the proposed outcomes include elements of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), such as withdrawal of consent, access and correction, and controls on third parties, the administration thus appears to hope to stake out a regulatory alternative to those more prescriptive and bureaucratic regimes. Indeed, at a Brookings Institution event on Sept. 24, National Institute of Standards and Technology Director Walter Copan was explicitly critical of the GDPR and CCPA models as “unsustainable” and questioned whether they produce measurable improvements in privacy outcomes.
The RFC acknowledges that consumers benefit from “dynamic” uses of their information. In particular, the following key passages in the Federal Register notice capture the administration’s balancing philosophy for privacy regulation:
The Administration takes these [consumer privacy and security] concerns seriously and believes that users should be able to benefit from dynamic uses of their information, while still expecting organizations will appropriately minimize risks to users’ privacy. Risk-based flexibility is therefore at the heart of the approach the Administration is requesting comment on in this RFC. ***
Protecting both privacy and innovation requires balancing flexibility with the need for legal clarity and strong consumer protections. Being overly prescriptive can result in compliance checklists that stymie innovative privacy solutions. In addition, a prescriptive approach does not necessarily provide measurable privacy benefits. An outcome-based approach emphasizes flexibility. Consumer protection and legal clarity can be achieved through mechanisms that focus on managing risk and minimizing harm to individuals arising from the collection, storage, use, and sharing of their information.
Ambitious Goals and Devilish Details
The RFC makes clear the administration’s lofty ambitions, laying out a “non-exhaustive and non-prioritized” list of what the administration hopes to accomplish using its outcome-driven, risk-based approach. In addition to the outcome- and risk-based approach discussed above, which aims to provide legal clarity while maintaining flexibility, these goals include the following:
Promoting Regulatory Harmonization and Interoperability
The administration seeks to promote domestic and international regulatory harmonization and “interoperability.” The RFC decries the growing “patchwork of competing and contradictory baseline [privacy] laws.” At the same time, the RFC recognizes that governments approach consumer privacy differently.
The RFC seeks alternatives that could reduce impediments to data flows by fostering a more harmonious international regulatory landscape, and it proposes to draw on international norms from frameworks in which the United States participates, such as the APEC Cross-Border Privacy Rules System.
Adopting a Comprehensive Approach
While the RFC does not propose to modify existing sector-specific laws such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (for financial data), the Health Insurance Portability and Accountability Act (for health data) and the Children’s Online Privacy Protection Act (for children’s data), it does call for a comprehensive framework that would apply to all businesses in the U.S. not covered by such laws. The RFC thus appears to call for a level playing field for all Internet players, addressing differences between business models and technologies through the framework’s risk- and outcome-based approach rather than through separate rules for each. According to the RFC, this would allow similar data practices in a similar context to be treated the same, rather than through a fragmented regulatory approach.
Incentivizing Privacy Research
The RFC states that the “U.S. Government should encourage more research into, and development of, products and services that improve privacy protection.” This research, the RFC emphasizes, should focus on “privacy-by-design,” that is, “measures built into system architectures or product design to mitigate privacy risks, as well as usability features at the user-interface level.”
Empowering the FTC
The administration proposes to retain and enhance the authority of the Federal Trade Commission as the appropriate federal agency to enforce consumer privacy, except where sectoral laws place enforcement outside the FTC’s jurisdiction. As such, the RFC says that it is “important to take steps to ensure that the FTC has the necessary resources, clear statutory authority, and direction to enforce consumer privacy laws” in an appropriate manner.
Finally, the administration notes that any privacy framework should “ensure that the proverbial sticks used to incentivize strong consumer privacy outcomes are deployed in proportion to the scale and scope of the information an organization is handling.” In other words, the government should employ outcome-based approaches with respect to its privacy enforcement and compliance, such as drawing a distinction between data processors and controllers and not targeting enforcement efforts at small businesses that don’t handle much consumer data and that make “good-faith efforts to utilize privacy protections.”
Key Regulatory Questions
The administration’s goals are laudable. Given the recent and massive technological advances that have changed how information is both created and used, there is certainly a case to be made for taking a look at whether there are smarter ways to protect privacy in this digital age. And, in doing so, it’s hard to argue with seeking an approach that produces desirable privacy outcomes in a way that maximizes benefit while minimizing costs and that promotes regulatory harmony.
What it is not hard to argue about, however, are the specifics of how to achieve these laudable goals. People hold widely divergent views on data privacy: Some are untroubled by sharing their entire lives on social media, while others shy away from even shopping on the internet. Likewise, companies make many varied uses of customer data: Some need it solely to make sure their products are delivered to the right address, while others use it to customize the entire user experience. And this diversity is reflected in the myriad regulatory approaches that have arisen in this area — there is, after all, a reason that such approaches must be harmonized.
The administration’s focus on a flexible and context-specific approach could help to address these divergent views, and the RFC admirably recognizes that “there is considerable work to be done” for the administration to achieve its goals. But a full evaluation of the administration’s approach to privacy will only be possible when it starts to grapple with the difficult trade-offs that will accompany the application of its broad principles into specific regulatory choices. As the administration makes these choices, the answers to some key regulatory questions, including the following, will come into focus:
What are the relevant privacy risks?
While adopting a “risk-based” approach will hopefully serve to focus regulatory efforts where they are most needed, the RFC neither defines what privacy risks warrant regulation nor proposes a process to help develop this crucial parameter. Nor does the RFC refer to the FTC’s recently initiated series of hearings on competition and consumer protection in the 21st century, or to former Acting FTC Chairman Maureen Ohlhausen’s initiative to “better identify the qualitatively different types of injury to consumers and businesses from privacy and data security incidents.” It is difficult to see how the administration could conduct meaningful cost-benefit analysis, or succeed with an outcome-based model, without first engaging in a rigorous assessment of the privacy risks being regulated.
Is the administration committed to cost-benefit analysis for privacy regulation?
The administration has asked for comments on the consumer privacy RFC by Oct. 26, 2018. Given the salience of these issues, the administration’s proposals will surely elicit extensive public comment and lead to new policy initiatives and perspectives at the federal level.
As this process unfolds, it will be interesting to see how the administration’s initiative dovetails with the growing drumbeat for privacy legislation — exemplified by the Chamber of Commerce, Business Roundtable, and Internet Association recently endorsing comprehensive legislation and staking out what should, and should not, be in it — that is increasingly being heard at the other end of Pennsylvania Avenue. Significantly, every one of the six tech and telecom companies that testified before the Senate Commerce Committee at its Sept. 26 hearing on “Examining Safeguards for Consumer Data Privacy” supported comprehensive federal legislation.
The RFC also proceeds in parallel with the National Institute of Standards and Technology’s development of a privacy risk management framework, modeled on the NIST Cybersecurity Framework, which was announced on Sept. 4. It is likely that NIST will soon issue its own RFC to accompany the National Telecommunications and Information Administration’s (NTIA’s); the NIST privacy framework is intended to provide a guide to implementing a risk-based approach to privacy at the enterprise level. If it operates like the Cybersecurity Framework, it could have a significant impact on how organizations deal with privacy risk management.
The RFC explicitly recognizes these other initiatives, seeking comment on both the need for legislation and on what “executive action” could help implement the administration’s approach. Opening the door to legislation is probably a recognition that, with the growing number of state (e.g., the CCPA) and local privacy laws coming online, it is hard to visualize making progress on domestic — to say nothing of international — harmonization without more statutory support. Conversely, the limited executive actions the RFC suggests (e.g., federal procurement and convening Department of Commerce meetings) may signal the limits of what can be done in the absence of legislation.
Regardless of which direction the administration and Congress decide to take, the issuance of the RFC further underscores that the coming months will be a busy time for the many companies, trade associations, and privacy advocates who wish to influence the next paradigm for privacy regulation in America.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc. or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
This “cost-benefit” approach to regulation has traditionally been enforced on behalf of successive presidents by the Office of Management and Budget (OMB). OMB Circular A-4 provides guidance to federal agencies regarding the “Regulatory Analysis” required to justify new regulations as cost-effective. The Circular advises agencies to choose “performance standards” for new regulations that specify the desired “outcomes” rather than the specific means to achieve those ends. https://obamawhitehouse.archives.gov/omb/circulars_a004_a-4/.
Performance Standards Rather than Design Standards
Performance standards express requirements in terms of outcomes rather than specifying the means to those ends. They are generally superior to engineering or design standards because performance standards give the regulated parties the flexibility to achieve regulatory objectives in the most cost-effective way. In general, you should take into account both the cost savings to the regulated parties of the greater flexibility and the costs of assuring compliance through monitoring or some other means.
This guidance was issued to assist agencies in applying the cost-benefit requirements of Executive Order 12866, which remain in effect today. https://www.archives.gov/files/federal-register/executive-orders/pdf/12866.pdf. Specifically, the Order states that “[e]ach agency shall identify and assess alternative forms of regulation and shall, to the extent feasible, specify performance objectives, rather than specifying the behavior or manner of compliance that regulated entities must adopt.”
President Trump’s Executive Order 13771 on “Reducing Regulation and Controlling Regulatory Costs” confirms that Executive Order 12866 remains in effect. See https://www.whitehouse.gov/presidential-actions/presidential-executive-order-reducing-regulation-controlling-regulatory-costs/.