At this week's International Association of Privacy Professionals (IAPP) Global Privacy Summit, the FTC and the White House made several important announcements.
FTC Commissioner Julie Brill stated that the FTC privacy priorities are mobile, the so-called "Internet of Things," data security, and data brokers.
Commissioner Brill announced that the FTC should be issuing a report soon related to its study of the practices of nine data brokers. In addition, she indicated that the Consumer Privacy Bill of Rights needs to be more focused on the collection of Big Data and she wants to work with the White House to make any necessary changes to it.
Commissioner Brill also stated that she expects that the FTC will issue a report from its recent workshop on the Internet of Things. When asked whether the FTC has jurisdiction over the Internet of Things she stated that the question is not whether the FTC has jurisdiction but how the FTC will exercise that jurisdiction. We should expect that the report will focus on how to give consumers notice of the collection of their personal information through the Internet of Things. Commissioner Brill stated that was her biggest concern since many of the products in the Internet of Things have no interface mechanism with consumers.
Echoing the statements of the Attorney General and the FTC over the past week, Commissioner Brill again emphasized the need for federal data breach legislation. What is she looking for in new federal legislation? First, she emphasized the trigger for notification must be robust enough to protect consumers. Second, she stated that any preemption of state laws should not strip state AGs of the ability to enforce a new federal data breach law.
Commissioner Brill also stated that there is a need for a federal data security law. Because of the inherent difficulties for businesses to comply with multiple state data security laws, she believes that an argument for a preemption clause in a data security law is much more "salient."
After the announcement of 15 settlements related to companies fraudulently claiming that they complied with the EU safe harbor, Commissioner Brill indicated that similar enforcements will continue. Commissioner Brill expects that future enforcements may include not only companies that fraudulently claim to be covered by the safe harbor but also companies that do not comply with the safe harbor regulations.
Yesterday, the White House gave a preview of the ninety day study on Big Data due on April 17. Combined with the statements of Commissioner Brill that the Consumer Privacy Bill of Rights needs to be more focused on Big Data, it appears that the White House may be setting the stage to update the Consumer Privacy Bill of Rights.
At the conference, the White House also shed some light on the new Cybersecurity Framework. According to White House representatives, the White House hopes that the new Cybersecurity Framework will be used on a much broader basis - not just by critical infrastructure. The Framework is intended to apply also to vendors of critical infrastructure and government. The White House said this Framework may be "best practices" for the critical infrastructure at this time, but the White House hopes for it to grow into "common practices" for even non-critical infrastructure companies. If one of the several data security bills which places the responsibility of creating data security regulations on the FTC passes Congress, the White House's Cybersecurity Framework may be the basis of new regulations.