A recent report issued by the US Department of Commerce recommends that the US Government consider a new online privacy framework, driven largely by advances in cloud computing and the security challenges with that new technology. The report suggests that the US should articulate core privacy principles to ensure basic consumer protections and that both government and commercial stakeholders work together to address privacy issues. While this is probably a good idea, I’m wondering — doesn’t this seem the slightest bit ironic these days that the US Government is giving out advice on keeping data private?
Admittedly, that’s a bit tongue-in-cheek. Seriously, though, privacy and security of customer data is a big deal, and it does deserve attention. In the EU, there is a general directive for data privacy and security which each individual country can amend to be more restrictive, if it deems that necessary. Because of this, most EU eCommerce vendors strive to meet the most restrictive country’s requirements. A similar arrangement in the US, where a Federal directive could be made more restrictive by individual states, would potentially create a nightmare scenario for eCommerce companies trying to keep up with all the various versions for every US state and territory. Let’s hope a less cumbersome path is chosen.
The report makes suggestions as to what the DOC would like the current administration to consider. There are four general areas of focus in the report:
- Revitalize the Fair Information Practice Principles (FIPPs)
- Encourage the development of voluntary, enforceable privacy codes of conduct
- Encourage global interoperability
- Ensure nationally consistent security breach notification rules
The first two points could make overall privacy and security practices a bit more consistent, which would be a good thing in my opinion. Ensuring global interoperability is really focused on making US privacy and security principles more compatible with other world standards. As mentioned in a previous post, Safe Harbor might be due for an overhaul. Lastly, making breach notification rules consistent across all US jurisdictions would greatly simplify current compliance requirements for eCommerce companies.
This is a good start for addressing privacy and security standards more holistically. There are obvious advantages to issuing guidelines that help eCommerce vendors compete globally more effectively and ease the burden of varying compliance requirements. Any new legislation that arises from this effort should be carefully examined for its impact on commerce. I can easily envision the creation of an entirely new authority within the DOC tasked with creating, administering and enforcing new data security and privacy laws. Exactly how such an authority would be funded should be on everyone’s radar. With all the chatter about eCommerce taxation, I’m cringing a bit thinking about the potential negative impact this would have on eCommerce vendors. And therein lies yet another potential irony: that a unified approach to data privacy and security designed to help expand eCommerce could have a negative overall effect on the eCommerce economy as we know it today.