Obama Administration Continues Push for National Privacy Governance
March 25, 2015 | Author: Matthew D. Lawless
Law Firm: Taft Stettinius & Hollister LLP - Cincinnati Office
Privacy has been a hot political topic over the last couple of months. President Obama proposed, among other things, that Congress enact the following:
- Personal Data Notification and Protection Act, which would nationalize consumer privacy standards and breach notification obligations.
- Consumer Privacy Bill of Rights, which would give Internet users certain rights to control their data.
These initiatives signal the administration’s belief that there should be a national solution for what we all know is already a national problem: cyber attacks. But expanding the federal government’s role in these areas, as the media has reported here and elsewhere, raises some concerns.
The Personal Data Notification and Protection Act and Consumer Privacy Bill of Rights
The proposed PDNPA and CPBR would overrule - lawyers use the word “preempt” - state law. In theory, this seems like a good idea: if the law is uniform, it will be easier to comply with, and it will cost less to do so. And the administration’s draft Consumer Privacy Bill of Rights - released today - looks promising inasmuch as it incorporates the “fair information practices” of transparency, participation, purpose specifications and use limitations, data minimization, data quality and integrity, security, and accountability and auditing. If done right, these national laws could be a benefit to consumers and companies looking for well thought-out and straightforward rules.
Right now, the state of affairs is manageable. Every state, save three, has a data privacy law governing the disclosure of personal information. These laws are not uniform. They apply to different types of information. They require different notice periods to consumers. And some require notice to state attorneys general or consumer credit reporting agencies, while others do not.
It therefore remains to be seen whether federalization of the legal landscape will be better than the current regime (or will happen at all).
Cyber Threat Intelligence Integration Center
The CTIIC, like the federalization of consumer privacy protection laws, also seems like a good idea in theory. It makes sense to have a single agency analyze cyber threats and coordinate strategy to counter those threats, rather than separate agencies with separate information silos. A single agency can build an institutional memory and respond to attack trends in ways that separate entities realistically cannot - presumably with more speed and coordination. One concern, however, is that this agency will increase the government’s ability to conduct domestic surveillance. But the force of this concern will, as with President Obama’s proposed federal privacy laws, largely depend on the actual execution of the plan - how the agency will operate in practice. The relatively small team of 50 CTIIC employees will likely be too busy analyzing and responding to cyber attacks to do much else any time soon.