Last month the Internet Policy Task Force (a Commerce Department group drawing on expertise from the Patent and Trademark Office, the International Trade Administration, the National Institute of Standards and Technology, and the National Telecommunications and Information Administration) released a report on commercial data privacy. This complemented the release in the same month of a Federal Trade Commission report about online privacy.
Responding to the report, and to some of the specific questions the Task Force wants answers for, USACM submitted comments. A major theme of our comments is that Fair Information Practice Principles (FIPPs) are good (and should be broadly implemented), but they are insufficient in themselves for ensuring data privacy in an age of rapidly shifting practices and technological capabilities. We strongly encourage the use of three additional items to help strengthen online privacy protection.
A dataflow-based lexicon – The lexicon would help define flows of personal information and provide meaningful reference terms. This will assist in managing the variety of different purposes for which information could be used online, and it can be adapted to reflect changing technologies.
Enhanced privacy risk models – FIPPs do not adequately address norms and harms, which means that practices that are otherwise compliant with FIPPs could be contrary to what a ‘reasonable’ person would expect, or could cause harms. An enhanced privacy risk model would address context and harms, and would be able to adapt to changes in technology and to how those changes affect currently held assumptions about privacy.
Privacy Impact Assessments (PIA) – A practice followed by some government agencies, such impact assessments can help spread the use of enhanced privacy risk models.
Privacy and security don’t have to be an either/or proposition. By following practices like those suggested in USACM’s comment, both privacy and security can be attained.