I spoke recently on a panel concerning privacy policy sponsored by the Joint Center for Economic and Political Studies. My remarks are excerpted below.
The Internet economy is sparking tremendous innovation. During the past fifteen years, networked information technologies – personal computers, mobile phones, wireless connections and other devices – have been transforming our social, political and economic landscape. A decade ago, going online meant accessing the Internet on a computer in your home. Today, “going online” includes smartphones, portable games, and interactive TVs, with numerous companies developing global computing platforms in the “cloud.”
The Internet is also an essential platform for economic growth, both domestically and globally. Almost any transaction you can think of is being conducted online – from consumers purchasing books, movies and clothes; to consumers accessing educational resources; to searching for and applying for job opportunities.
As powerful and exciting as these developments are, they also highlight privacy concerns. Mobile devices in particular are transforming how people access the Internet and how they communicate. Studies from the Pew Center consistently show that African Americans are among the most active users of mobile devices to connect to the Internet. Mobile has become much more central to people’s lives and more personal to them. People bring their address books with them in their devices. They personalize them much more than a home connection that may be shared by many in the household. And mobile users are reachable anywhere they are, whenever they want to connect. No longer do people call or connect with a location – a home or office. They connect directly with the mobile device of a person wherever they are.
To harness the full power of the Internet age, we need to establish norms and ground rules that promote innovative uses of information while respecting consumers’ legitimate privacy interests.
As we go about establishing these privacy guidelines, we also need to be careful to avoid creating an overly complicated regulatory environment.
The United States has a range of data privacy laws that apply to individual sectors of the economy, such as health care, consumer credit, and personal finance. But these laws may not offer protection to some of the data uses associated with consumers’ activities in the Internet economy. An overarching set of privacy principles on which consumers and businesses can rely could create a stronger foundation for consumer trust in the Internet by providing this broadly applicable framework.
Verizon believes it is time to consider how we establish a privacy policy framework that covers all players in the online space creating a “level playing field” that will spur competition and innovation and provide consumers with more certainly and reduced confusion about accountability. We believe the Kerry-McCain legislation offers a good starting point for discussing such a framework.
The legislation would set forth baseline consumer data privacy protections that are enforceable at law and are based on a comprehensive set of Fair Information Practice Principles or FIPPs. Comprehensive FIPPs, a collection of agreed-upon principles for the handling of consumer information, would provide clear privacy protections for personal data in commercial contexts that are not covered by existing Federal privacy laws.
The bill also provides a single expert agency – the FTC - with the authority to enforce any baseline protections. The agency would not pursue its work with traditional rulemaking but instead would use the consumer enforcement and investigation tools that have proven to be an effective model to both protect consumers and allow for the growth of innovation.
The legislation also creates a framework that provides incentives for the development of codes of conduct as well as continued innovation around privacy protections. It authorizes the use of safe harbors for companies that implement codes of conduct that are consistent with the baseline protections. This approach is designed to be flexible, to keep its requirements well-tailored, and to provide a basis for greater interoperability with other countries’ privacy laws.
The use of baseline principles, safe harbors and investigative enforcement procedures would establish an approach that is broad and flexible enough to allow consumer privacy protection and business practices to adapt as new technologies and services emerge. This type of flexible but accountable approach will help motivate firms to produce an industry code of conduct as a way to construe and clarify the statutory scheme. Thus, a baseline privacy framework and incentives for industry to develop codes of conduct can go hand-in-hand.
A baseline law holds the promise of making our consumer data privacy framework more interoperable with international frameworks. FIPPs is a common language used by many governments worldwide, so use of similar terminology will enhance opportunities for agreement and practical approaches to data policy. Establishing baseline commercial data privacy principles will contribute to the further harmonization of the global ecommerce market, especially for the countries aligned with the work around privacy in the European Union, the OECD, and APEC. Improving global interoperability could benefit companies by removing the barriers to seamless cross-border services that compliance with differing privacy regimes can impose.
This process would allow stakeholders to develop codes of conduct that address privacy issues in emerging technologies and business practices, without the need for additional legislation. In this framework, appropriate incentives, such as a safe harbor, will spur business to develop and adopt effective codes of conduct. Compliance with an approved code of conduct could be deemed compliance with the statutory FIPPs.
We think it is time to consider the adoption of a legislative privacy framework. The legislative framework we adopt should not add duplicative or overly burdensome regulatory requirements to businesses that are already adhering to the principles in baseline consumer data privacy legislation. Legislation should be technology-neutral, so that it allows firms flexibility in deciding how to comply with its requirements and encourages business models that are consistent with baseline principles but use personal data in ways that we have not yet contemplated but could add new value for consumers. And, domestic privacy legislation should provide a basis for greater transnational cooperation on consumer privacy enforcement issues, as well as more streamlined cross-border data flows and reduced compliance burdens.
With the right policy framework, we believe it is possible to create an environment that gives consumers more certainty, choices and protection while at the same time encouraging innovation and new value for consumers, hallmarks of the mobile services industry.