Following the rollout of the EU’s General Data Protection Regulation (GDPR) and a string of high-visibility privacy and data-breach scandals at U.S. companies (Equifax, Facebook, and Google, among others), federal regulators are finally getting serious about privacy.
The National Institute of Standards and Technology (NIST) is convening a series of workshops to develop a new Privacy Framework, which the agency envisions as a voluntary set of standards for assessing organizations’ privacy risks. This isn’t regulation and it won’t be mandatory, but it will create a benchmark against which companies’ data handling practices can be judged. And voluntary standards can become de facto mandates: if a company in the midst of a privacy PR disaster promises to do better by adhering to the NIST framework and then fails to do so, the FTC can hold it accountable under its “deceptive practices” authority (Section 5 of the FTC Act), because the broken promise is itself a misrepresentation to consumers.
Simultaneously, the National Telecommunications and Information Administration (NTIA) is developing an “approach” to consumer privacy on behalf of the Department of Commerce. That approach could eventually inform privacy rules made by federal agencies.
If you’re interested in all of this and want to weigh in during the policymaking process, now may be your best chance. Until November 9th, the NTIA is seeking public comment on a draft set of high-level goals and intended outcomes for the upcoming policy. You can write whatever you want, but effective public comments are brief, focused on a specific recommendation or point of clarification, and introduce relevant technical facts to make a cogent argument.
Below I’ve reproduced a comment I submitted in response to the NTIA’s request, arguing that the way the draft uses the term “personal information” is too narrow and that it must be defined more broadly than it has been in other U.S. data protection laws.