A draft Commerce Department report being reviewed by the White House that recommends the creation of a privacy policy office and passage of legislation that establishes "a baseline privacy framework" was leaked yesterday and is proliferating as we speak (or write). In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals. The department plans to seek formal comment on the questions in a separate Federal Register notice.

The 54-page draft document, entitled "Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age," is the work of Commerce’s Internet Policy Task Force. The Task Force held more than six months of consultations, issued a notice of inquiry in April 2010, and held a symposium in May. The document is expected to be released in the coming weeks. The Task Force is a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology.

Recently, the Obama administration created a federal interagency panel to work on privacy and Internet policy. It is chaired by Commerce General Counsel Cameron Kerry and Assistant Attorney General Christopher Schroeder.

The report seeks to demonstrate that a compelling need exists "to provide additional guidance to businesses, to establish a baseline privacy framework to afford protection for consumers, and to clarify the U.S. approach to privacy to our trading partners – all without compromising the current framework’s ability to accommodate new technologies."

However, several industry groups, like broadband industry providers, have staunchly opposed any legislation, recommending in its stead that online privacy protections be pursued through self-regulation, industry standards, and best practices.

The Commerce's report said that baseline legislation should be "built on an expanded set of Fair Information Practice Principles (FIPPs). Widespread adoption of comprehensive FIPPs is essential to achieving the goals we have set for the Dynamic Privacy Policy Framework. Widespread adoption of FIPPs would protect privacy interests in data that currently receive little or no statutory privacy protection. Also, given the flexibility inherent in the individual principles, a FIPPs baseline would help ensure consumer privacy protection as new technologies emerge. Finally, the FIPPs-based framework that we envision would allow companies to direct resources to the principles that matter most for protecting privacy in a particular technological, business, or social context. Legislation would authoritatively establish a FIPPs-based framework, but action by industry, civil society, the Executive Branch, and enforcement agencies can also help this framework take hold." It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.

As for other congressional action, the report said that lawmakers "should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways. The law should track the effective protections that have emerged from state security breach notification laws and permit enforcement by state authorities." And while it called for "baseline" privacy legislation, the report said that such a measure "should not preempt the strong sectoral laws that already provide important protections to Americans, but rather should act in concert with these protections."

In addition, the document said that "[a]ny federal law or regulation should seek to balance the desire to create uniformity and predictability across state jurisdictions with the desire to permit states the freedom to protect consumers and to regulate new concerns that arise from emerging technologies when federal law lags behind privacy issues created by a rapidly changing technological environment." Among the questions posed is whether state attorneys general should be given the authority to enforce national legislation.

The report also called on the Obama administration to "review the Electronic Communications Privacy Act (ECPA), paying particular attention to assuring strong privacy protection in cloud computing and location-based services. The goal of this effort should be to ensure that, as technology and market conditions change, the ECPA continues to provide a fair balance between individuals' expectations of privacy and the legitimate needs of law enforcement to gather the information it needs to keep us safe."

Regarding the privacy policy office (PPO), the Task Force has suggested that it could either be housed within Commerce or in the Executive Office of the President. The office would not have enforcement authority. As both a convener of diverse stakeholders and a center of Executive Branch privacy policy expertise, the PPO would work with the FTC in leading efforts to develop voluntary but enforceable codes of conduct. Voluntary principles developed through this process would be enforceable by the Federal Trade Commission and would serve as a safe harbor for companies facing complaints about their privacy practices.

We will certainly report on more developments with respect to this topic, as these leaks turn into babbling brooks and streams of information.