Commerce Dept. suggests new privacy regulations

New 88-page report suggests, but stops short of formally endorsing, new laws regulating data collection, data breaches, and cloud computing privacy.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
2 min read

The Commerce Department today edged toward endorsing new federal laws regulating companies' data collection practices and requiring that customers be notified of data breaches.

In an 88-page report (PDF), the department also suggested rewriting a 1986 privacy law to address "privacy protection in cloud computing and location-based services," but didn't offer any details. That broad approach is backed by tech companies including Google, Microsoft, AT&T, and eBay, but is likely to be opposed by the Justice Department.

All of these ideas have been advanced before, of course: California's data breach notification law took effect more than seven years ago, and a pair of House of Representatives committees approved similar legislation back in 2006. No fewer than 46 states, plus the District of Columbia and Puerto Rico, have followed California's lead.

The Federal Trade Commission released its own 122-page report on these topics only two weeks ago--it, too, served up a generally similar set of recommendations, including that consumers should have "reasonable access to the data that companies maintain about them."

Officially, today's Commerce Department report is the public product of a task force that Secretary Gary Locke convened in April. Unofficially, it marks a turf battle with the FTC over which agency will emerge as a leader on this topic, especially at a time when privacy concerns on Capitol Hill are growing after flaps this year involving Facebook, personal data collection, and behavioral advertising.

"The Department of Commerce is uniquely positioned," the report argues, "to provide continued leadership and to work with others inside and outside government to consider a new framework."

It also appears to mark a change from a historically laissez-faire approach. Ever since the days of the Clinton administration, executive branch agencies have generally not pushed for new regulations targeting private companies.

Now at least one executive branch agency--today's report is carefully couched as suggestions that "the administration should review" certain areas, meaning other agencies may have different ideas--is veering in a different direction. (The department stresses that its "green paper does not express a commitment to specific policy proposals.")

"Industry self-regulation has largely failed," said Sen. Jay Rockefeller (D-WV), chairman of the Senate Commerce Committee. "And I hope that the Department of Commerce in its final report will reach the conclusion that legislation is necessary to protect consumers."

The Center for Democracy and Technology's Justin Brookman said in a statement that today's report "lays out a creative and flexible approach," which should be followed by Congress enacting "a baseline consumer privacy law."

Another recommendation from the Department of Commerce: creating a new privacy bureaucracy inside the agency. A Privacy Policy Office "would continue the work of the department's Internet Policy Task Force by acting as both a convener of diverse stakeholders and a center of administration commercial data privacy policy expertise."