02 October 2018

The Trump Administration’s Approach to Data Privacy, and Next Steps

* This article originally appeared in Law360 on September 27, 2018.

On Sept. 25, 2018, the Trump administration proposed an approach and initiated a process to modernize U.S. data privacy policy.  The administration’s approach is “risk-based” rather than rule-based, and, as such, signals a willingness to move away from a privacy model of mandated notice and choice that has “resulted primarily in long, legal, regulator-focused privacy policies and check boxes.” Rather, the administration is proposing that U.S. privacy policy “refocus” on achieving desirable privacy “outcomes,” such as ensuring that users are “reasonably informed” and can “meaningfully express” their privacy preferences, while providing organizations with the flexibility to continuing innovating with cutting-edge business models and technologies.

This ambitious proposal, which is embodied in a request for comments announced in a press release issued by the U.S. Department of Commerce’s National Telecommunications and Information Administration, was issued on the eve of the first of a series of Senate Commerce Committee hearings on the possibility of privacy legislation and in the midst of a series of privacy policy principles and frameworks developed by various trade associations. It plants a Trump administration flag in this developing debate and has the potential to remake the U.S. approach to privacy and achieve the administration’s expressed goal of regaining U.S. leadership in the field. Successfully implemented, the administration’s approach could reverse the trend toward “prescriptive” privacy regulation embodied in recent enactments like the EU General Data Protection Regulation and the California Consumer Privacy Act of 2018 and potentially spur greater domestic and even global regulatory harmony around a flexible and risk-based approach.

But the devil, as they say, will most definitely be in the details. Developing regulatory policy is necessarily an exercise in balancing values that are difficult to compare, and no regulatory scheme can be all things to all people. How easily, for example, must companies make it for consumers to dictate how their data is collected, used, stored and disclosed in order for those consumers to have a “meaningful” opportunity to express their privacy preferences? The administration has not answered this question, or many others like it, yet, but at some point it will have to do so. And it is how the Trump administration answers the questions it has posed that will ultimately define the precise nature — and success — of its regulatory initiative.

Focusing on Privacy “Outcomes” Rather Than Regulatory Prescriptions

As noted above, one of the pillars of the administration’s approach is a focus on key privacy “outcomes,” rather than mandating detailed privacy rules. The latter approach, the RFC notes, “can result in compliance checklists that stymie innovative privacy solutions” and “does not necessarily provide measureable privacy benefits.” The RFC contrasts this with its proposed “outcome-based approach” that focuses on adopting privacy practices that are “reasonable and appropriate relative to context.”

The RFC further provides an initial set of desirable outcomes that are provided “to spur comments, discussion, and engagement on how best to achieve user-centric privacy outcomes in a manner that is both flexible and clear, not to propose the text of a legal standard.” This starter list of outcomes is as follows:

  • Organizations should be transparent about how they collect, use, share, and store users’ personal information.
  • Users should be able to exercise control over the personal information they provide to organizations.
  • The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
  • Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
  • Users should be able to reasonably access and correct personal data they have provided.
  • Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
  • Organizations should be accountable for the use of personal data that has been collected, maintained or used by its systems.

A Risk-Based, Rather Than Prescriptive, Approach

A second major pillar of the administration’s approach is its calls for balanced privacy, security and data minimization safeguards — i.e., “measures appropriate to the level of risk” that are “reasonable and appropriate to the context and risk of privacy harm.” Privacy regulation should avoid “cumbersome red tape.” Although the proposed outcomes include elements of the GDPR and CCPA, such as withdrawal of consent, access and correction, and controls on third parties, it would thus appear the administration hopes to stake out a regulatory alternative to those more prescriptive and bureaucratic regimes. Indeed, at a Brookings Institution event on Sep. 24, National Institute of Standards and Technology Director Walter Copan was explicitly critical of the GDPR and CCPA models as “unsustainable” and questioned whether they produce measurable improvements in privacy outcomes.

The RFC describes the administration’s approach as follows:

Risk management is the core of this Administration’s approach, as it provides the flexibility to encourage innovation in business models and privacy tools, while focusing on potential consumer harm and maximizing privacy outcomes. *** Risk-based approaches allow organizations the flexibility to balance business needs, consumer expectations, legal obligations, and potential privacy harms, among other inputs, when making decisions about how to adopt various privacy practices.

The proposal acknowledges that consumers benefit from “dynamic” uses of their information. In particular, the following key passages in the Federal Register notice capture the administration’s balancing philosophy for privacy regulation:

The Administration takes these [consumer privacy and security] concerns seriously and believes that users should be able to benefit from dynamic uses of their information, while still expecting organizations will appropriately minimize risks to users’ privacy. Risk-based flexibility is therefore at the heart of the approach the Administration is requesting comment on in this RFC. ***

Protecting both privacy and innovation requires balancing flexibility with the need for legal clarity and strong consumer protections. Being overly prescriptive can result in compliance checklists that stymie innovative privacy solutions. In addition, a prescriptive approach does not necessarily provide measurable privacy benefits. An outcome-based approach emphasizes flexibility, consumer protection, and legal clarity can be achieved through mechanisms that focus on managing risk and minimizing harm to individuals arising from the collection, storage, use, and sharing of their information.

Ambitious Goals and Devilish Details

The RFC makes clear the administration’s lofty ambitions, laying out a “non-exhaustive and non-prioritized” list of what the administration hopes to accomplish using its outcome-driven, risk-based approach. In addition to adopting the outcome and risk-based approach that provides legal clarity while maintaining flexibility discussed above, these goals include the following:

Promoting Regulatory Harmonization and Interoperability

The administration seeks to promote domestic and international regulatory harmonization and “interoperability.” The RFC decries the growing “patchwork of competing and contradictory baseline [privacy] laws.” The Federal Register notice states the following:

A growing number of foreign countries, and some U.S. states, have articulated distinct visions for how to address privacy concerns, leading to a nationally and globally fragmented regulatory landscape. Such fragmentation naturally disincentivizes innovation by increasing the regulatory costs for products that require scale. The Administration hopes to articulate a renewed vision, one that reduces fragmentation nationally and increases harmonization and interoperability nationally and globally.

However, the RFC recognizes that governments approach consumer privacy differently.

The RFC is looking for alternatives that could reduce the impediments to data flows by developing a more harmonious international regulatory landscape. The RFC proposes to draw on international norms from frameworks in which the United States participates, such as the APEC Cross-Border Privacy Rules System.

Adopting a Comprehensive Approach

While the RFC does not propose to modify existing sector-specific laws like Gramm-Leach-Bliley and the Fair Credit Reporting Act (for financial data), the Health Insurance Portability and Accountability Act (for health data) and the Children’s Online Privacy Protection Act (for children’s data), it does call for a comprehensive framework that would apply to all businesses in the U.S. not covered by such laws. Thus, the RFC would appear to call for a level playing field for all Internet players, for example, by addressing differences between business models and technologies through the framework’s risk- and outcome-based approach. According to the RFC, this would allow for similar data practices in a similar context to be treated the same rather than through a fragmented regulatory approach.

Incentivizing Privacy Research

The RFC states that the “U.S. Government should encourage more research into, and development of, products and services that improve privacy protection.” This research, the RFC emphasizes, should focus on “privacy-by-design,” that is, “measures built into system architectures or product design to mitigate privacy risks, as well as usability features at the user-interface level.”

Empowering the FTC

The administration proposes to retain and enhance the authority of the Federal Trade Commission as the appropriate federal agency to enforce consumer privacy other than with respect to the sectoral laws outside the FTC’s jurisdiction. As such, the RFC says that it is “important to take steps to ensure that the FTC has the necessary resources, clear statutory authority, and direction to enforce consumer privacy laws” in an appropriate manner.

Scalability

Finally, the administration notes that any privacy framework should “ensure that the proverbial sticks used to incentivize strong consumer privacy outcomes are deployed in proportion to the scale and scope of the information an organization is handling.” In other words, the government should employ outcome-based approaches with respect to its privacy enforcement and compliance, such as drawing a distinction between data processors and controllers and not targeting enforcement efforts at small businesses that don’t handle much consumer data and that make “good-faith efforts to utilize privacy protections.”

Key Regulatory Questions

The administration’s goals are laudable. Given the recent and massive technological advances that have changed how information is both created and used, there is certainly a case to be made for taking a look at whether there are smarter ways to protect privacy in this digital age. And, in doing so, it’s hard to argue with seeking an approach that produces desirable privacy outcomes in a way that maximizes benefit while minimizing costs and that promotes regulatory harmony.

What it is not hard to argue about, however, are the specifics of how to achieve these laudable goals. People hold widely divergent views on data privacy: Some are nonplussed about sharing their entire lives on social media, while others shy away from even shopping on the internet. Likewise, companies make many varied uses of customer data: Some need it solely to make sure their products are delivered to the right address, while others use it customize the entire user experience. And this diversity is reflected in the myriad regulatory approaches that have arisen in this area — there is, after all, a reason that such approaches must be harmonized.

The administration’s focus on a flexible and context-specific approach could help to address these divergent views, and the RFC admirably recognizes that “there is considerable work to be done” for the administration to achieve its goals. But a full evaluation of the administration’s approach to privacy will only be possible when it starts to grapple with the difficult trade-offs that will accompany the application of its broad principles into specific regulatory choices. As the administration makes these choices, the answers to some key regulatory questions, including the following, will come into focus:

What are the relevant privacy risks?

While adopting a “risk-based” approach will hopefully serve to focus regulatory efforts where they are most needed, the RFC neither defines what privacy risks warrant regulation, nor does it propose a process to help develop this crucial parameter. The RFC does not refer either to the FTC’s recently initiated series of hearings on competition and consumer protection in the 21st century, or to former Acting FTC Chairman Maureen Ohlhausen’s initiative to “better identify the qualitatively different types of injury to consumers and businesses from privacy and data security incidents.” It is difficult to see how the administration could conduct meaningful cost-benefit analysis and succeed with an outcome-based model without engaging in a rigorous qualitative assessment of the privacy risks being regulated.

Who is in charge of privacy policy? 

The administration proposal would strengthen the role of the FTC for enforcement, but does not propose any particular federal coordinator for privacy policy. Given that the FTC is an independent agency, it is hard to see how it is effectively positioned to play the lead policymaking role, or coordinate the approaches of cabinet departments and agencies that are also involved in privacy, data protection and cybersecurity regulation (e.g., U.S. Departments of Treasury, Justice, Commerce, Health and Human Services, Office of Management and Budget, etc.).

Is the administration committed to cost-benefit analysis for privacy regulation? 

While the RFC refers frequently to “appropriate” or “reasonable” regulation, and the need to “compromise” and “balance” flexibility, innovation and consumer protection,” there is no explicit reference to the type of cost-benefit analysis the administration generally applies to new regulations. Thus, while the RFC clearly frames its concepts in the classic vocabulary of cost-benefit analysis and regulatory review as prescribed in a succession of presidential executive orders from Reagan to Trump (including, notably, Clinton and Obama), there is no express commitment to subject prospective privacy policy-making to the regulatory review executive orders administered by OMB.[1] It thus remains to be seen exactly how the administration proposed to achieve the careful, context-specific balancing of interests its proposal contemplates.

What’s Next?

The administration has asked for comments on the consumer privacy RFC by Oct. 26, 2018. Given the salience of these issues, the administration’s proposals will surely elicit extensive public comment and lead to new policy initiatives and perspectives at the federal level.

As these revisions occur, it will be interesting to see how the administration’s initiative dovetails with the growing drumbeat for privacy legislation — exemplified by the Chamber of Commerce, Business Roundtable, and Internet Association recently endorsing comprehensive legislation and staking out what should, and should not, be in it — that is increasingly being heard at the other end of Pennsylvania Avenue. Significantly, every one of the six tech and telecom companies that testified before the Senate Commerce Committee at its Sept. 26 hearing on “Examining Safeguards for Consumer Data Privacy” supported comprehensive federal legislation.

The RFC also occurs in parallel to the National Institute of Standards and Technology development of a privacy risk management framework, modeled on the NIST Cybersecurity Framework, which was announced on Sept. 4. It is likely that NIST will soon issue its own RFC to accompany the NTIA’s, with the NIST privacy framework is intended to provide a guide to implementing a risk-based approach to privacy at the enterprise level. If it operates like the Cybersecurity Framework, it could have a significant impact on how organizations deal with privacy risk management.

The RFC explicitly recognizes these other initiatives, seeking comment on both the need for legislation and what “executive action” could help implement the administration’s approach. The former door opening is probably a recognition of the fact that, with the growing number of state (i.e., the CCPA) and local privacy laws coming online, it is hard to visualize making progress on domestic — to say nothing of international — harmonization without more statutory support. Conversely, limited actions the RFC suggests (i.e., federal procurement and convening Department of Commerce meetings) may signal the limits of what can be done in the absence of legislation.

Regardless of which direction the administration and Congress decide to take, the issuance of the RFC just further underscores that the coming months will be a busy time for the many companies, trade associations, and privacy advocates who wish to influence the next paradigm for privacy regulation in America.


The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc. or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] This “cost-benefit” approach to regulation has traditionally been enforced on behalf of the various presidents by the Office of Management and Budget (OMB). OMB Circular A-4 provides guidance to federal agencies regarding the “Regulatory Analysis” required to justify new regulations as cost-effective. The Circular advises agencies to choose “performance standards” for new regulations that specify the desired “outcomes” rather than the specific means to achieve those ends. https://obamawhitehouse.archives.gov/omb/circulars_a004_a-4/.

Performance Standards Rather than Design Standards

Performance standards express requirements in terms of outcomes rather than specifying the means to those ends. They are generally superior to engineering or design standards because performance standards give the regulated parties the flexibility to achieve regulatory objectives in the most cost-effective way. In general, you should take into account both the cost savings to the regulated parties of the greater flexibility and the costs of assuring compliance through monitoring or some other means.

This guidance was issued to assist agencies in applying the cost-benefit requirements of Executive Order 12866, that remain in effect today. https://www.archives.gov/files/federal-register/executive-orders/pdf/12866.pdf. Specifically, the Order states that “[e]ach agency shall identify and assess alternative forms of regulation and shall, to the extent feasible, specify performance objectives, rather than specifying the behavior or manner of compliance that regulated entities must adopt. The principal cost-benefit analytics provisions of the Order are set forth here:

… (3) Each agency shall identify and assess available alternatives to direct regulation, including providing economic incentives to encourage the desired behavior, such as user fees or marketable permits, or providing information upon which choices can be made by the public. (4) In setting regulatory priorities, each agency shall consider, to the extent reasonable, the degree and nature of the risks posed by various substances or activities within its jurisdiction. (5) When an agency determines that a regulation is the best available method of achieving the regulatory objective, it shall design its regulations in the most cost-effective manner to achieve the regulatory objective. In doing so, each agency shall consider incentives for innovation, consistency, predictability, the costs of enforcement and compliance (to the government, regulated entities, and the public), flexibility, distributive impacts, and equity. (6) Each agency shall assess both the costs and the benefits of the intended regulation and, recognizing that some costs and benefits are difficult to quantify, propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. (7) Each agency shall base its decisions on the best reasonably obtainable scientific, technical, economic, and other information concerning the need for, and consequences of, the intended regulation. (8) Each agency shall identify and assess alternative forms of regulation and shall, to the extent feasible, specify performance objectives, rather than specifying the behavior or manner of compliance that regulated entities must adopt. … [emphases added]

President Trump’s Executive Order on “Reducing Regulations and Controlling Regulatory Costs” confirms that Executive Order 12866 remains in effect. See https://www.whitehouse.gov/presidential-actions/presidential-executive-order-reducing-regulation-controlling-regulatory-costs/.

EmailShare
XSLT Plugin by BMI Calculator