Fulbright Briefing
Pamela Jones Harbour, Susan Linda Ross, Erika Brown Lee and Travis J. Mock
January 3, 2011
On December 1, 2010, the Federal Trade Commission ("FTC") released its preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers."[1] The FTC report argues that the FTC's current privacy models (the so-called "notice-and-choice" and "harm-based" approaches) insufficiently address evolving privacy issues. The staff faulted the notice-and-choice model because complex and rapidly-changing uses of consumer data often complicate meaningful consumer consent. The staff found that the "harm-based" approach neglects the reputational and psychological harms from violations of privacy. The FTC report suggests a new framework, built around three core concepts:
- Privacy by Design;[2]
- simplification of consumer choice; and
- greater transparency.
In conjunction with its eight recommendations, the FTC staff provided over 60 questions to elicit public comment. Among its specific proposals, the FTC report suggests industry development of a "Do Not Track" feature to allow consumers to prevent the tracking of their internet activities. As part of its transparency analysis, the FTC report also attempts to address the consumer challenge of third-party, non-consumer-facing users of consumer data by requiring collectors of consumer data to disclose any entity with whom that data is subsequently shared. Although the FTC report explores many specific legislative and regulatory mechanisms, it also advocates flexibility by recommending that a company's privacy obligations be proportionate to the amount and sensitivity of consumer data that company collects. The FTC is seeking comments until January 31, 2011.
On December 16, 2010, the Department of Commerce ("Commerce") Internet Policy Task Force released a privacy green paper, "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework."[3] The Commerce report makes 10 recommendations and includes more than 40 corresponding questions and prompts for discussion. The Commerce report focuses on reducing barriers to business development and innovation and recommends minimal regulation using voluntary, enforceable privacy codes that would be created by industry. As part of this approach, Commerce advocates a privacy framework based on revitalized Fair Information Practice Principles ("FIPPs"). Commerce staff suggests that FIPPs would provide a baseline of privacy protection that would engender consumer trust while maximizing flexibility for business development and innovation. In the absence of analysis of specific regulations, the Commerce report discusses issues such as the importance of global interoperability among diverse international privacy frameworks, including the creation of "safe harbors." The Commerce report also calls for the creation of a Privacy Policy Office within Commerce that would liaise with businesses and other government offices regarding privacy issues. Commerce is seeking comments until January 28, 2011.
Much of the commentary on the FTC and Commerce reports has focused on the substantial differences between them. Instead of representing mutually exclusive approaches, however, these two reports approach privacy from unique, but complementary, directions. The FTC advocates moving beyond the FIPPs model advocated by Commerce. The APEC Data Privacy Pathfinder project—which the Commerce Report specifically discusses—offers that way forward.
The Asia-Pacific Economic Cooperation ("APEC") is a collective of 21 Pacific Rim countries, termed "Member Economies," promoting economic cooperation in the region. In 2004, the APEC Member Economies endorsed the APEC Privacy Framework, which provides nine high-level principles regarding the collection, use, and handling of personally identifiable information ("PII").[4] The APEC approach recognizes that although each country or Member Economy may enact its own privacy requirements, commerce typically is international, if not global. The APEC approach respects individual privacy requirements while permitting businesses to continue operating efficiently.
The APEC framework has several characteristics that make it a useful tool for both the FTC and Commerce approaches to privacy. First, the APEC framework's use of high-level principles is consistent with the Commerce report's proposed use of FIPPs. These high-level principles provide a measure of predictability for businesses and instill trust in consumers. At the same time, the principles allow the maximum room for development and innovation.
Second, the APEC framework embodies both Commerce's admonition of respect for existing sectoral privacy regimes and the FTC's request for comment on the applicability of its suggested approach to companies covered by Gramm-Leach-Bliley and HIPAA. The APEC Privacy Framework was designed not to interfere with more comprehensive privacy programs already in place for certain businesses.
Third, the APEC framework embraces Privacy by Design, which is a focus of the FTC report. Privacy by Design requires companies to incorporate substantive privacy protections into every aspect of their internal business. This includes incorporating privacy protections into product design and planning for the protection of consumer data for the lifetime of a product.
Fourth, the APEC framework provides a model of international harmonization. Both FTC and Commerce recognize that consumer data crosses national boundaries. Therefore, global interoperability is a crucial part of a meaningful privacy framework. The APEC framework also provides an example of how to provide clarity and predictability for multi-national businesses.
Using the APEC Privacy Framework as a guide, the FTC and Commerce proposals can be merged to create a comprehensive yet dynamic privacy program capable of evolving to meet the changing privacy challenges to come.
This article was prepared by Pamela Jones Harbour (pharbour@fulbright.com, 202 662 4505 or 212 318 3324), Sue Ross (sross@fulbright.com or 212 318 3280), Erika Brown Lee (ebrownlee@fulbright.com or 202 662 0398), and Travis J. Mock (tmock@fulbright.com or 212 318 3281) from Fulbright's Privacy, Competition, and Data Protection Practice Group.
[1] The FTC report is available at http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.
[2] Privacy by Design is an approach advocated by Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario, Canada. More information is available at http://www.privacybydesign.ca/.
[3] The Commerce report is available at http://www.commerce.gov/sites/default/files/documents/2010/december/iptf-privacy-green-paper.pdf.
[4] The FTC report observes that the distinction between PII and non-PII is increasingly irrelevant, due to the emerging practice of combining pieces of non-PII to identify individual consumers.