ALEXANDRIA, Va. — There are at least five U.S. government efforts to regulate data and online privacy, according to a new U.S. government internet policy official, who said that some kind of privacy regulation appears likely.
Ari Schwartz, who left the Center for Democracy and Technology two months ago to become senior internet policy advisor at the Commerce Department's National Institute of Standards and Technology (NIST), told the Predictive Analytics World conference this week that stories like Facebook's never-ending privacy concerns are getting noticed both by consumers and government officials.
"We're starting to see a lot of these stories pile up, a lot more people are talking about these issues," Schwartz said. "Whether you believe privacy is a major concern ... it's important to realize it's not going away."
Schwartz cited five U.S. and three international efforts to regulate data and online privacy, along with other government and industry standards in various stages of development.
In the U.S., there are three congressional legislative initiatives under development. H.R. 5777, the Rush privacy best practices act, has been introduced. Also on the House side, Reps. Boucher and Stearns have released a discussion draft, and Sens. Pryor and Kerry are considering privacy legislation in the Senate. On the regulatory side, the FTC and Commerce Department are both preparing reports on data privacy and behavioral tracking.
If anything, the U.S. has "too many privacy laws," said Schwartz, citing a number of industry-specific and state laws. He sees the FTC as the likely eventual enforcer of any national law or regulation.
The EU has two initiatives, the Data Protection Directive and adequacy process, while the 30-year review of the OECD Privacy Guidelines is also leading to a reassessment of data privacy.
The Department of Homeland Security's Fair Information Practice Principles are "basically universally accepted" principles, said Schwartz, while the Ontario, Canada privacy commission has launched the Privacy by Design initiative.
On the industry front, Schwartz said the Web Analytics Association Code of Ethics released last month contains an important if unstated principle. "There's a difference between anonymity and aggregation," he said. It's not enough to strip out identity; "you have to aggregate it to some degree," he said.
Schwartz said Congress is also watching efforts by the Interactive Advertising Bureau and other groups to develop an industry-standard self-regulatory behavioral advertising program. "They've been talking about it for years," but it has yet to be fully implemented, he said.
Schwartz said missing from the data privacy debate is a lack of objective measures. "We must move from procedural standards to performance standards," he said. "...We need a lot more measurement in the privacy space."