Privacy Advisor

National Research Council Report Discusses Possible Future of Privacy Regulation in the U.S.

September 1, 2007

Jacqueline Klosek, CIPP

The prestigious National Research Council (NRC) recently issued a comprehensive report on privacy and technology in the digital age. In addition to providing a very thoughtful and detailed overview of privacy, the report outlines the need for a national privacy commissioner or standing privacy commission to provide ongoing and periodic assessments of privacy developments. Exceeding 450 pages, the report, "Engaging Privacy and Information Technology in a Digital Age," examines the past present and future of privacy in great detail. It also provides recommendations on the future of privacy regulation. While its value as a tool for prognosticating the near-term future of privacy remains questionable, it is a thought-provoking read for individuals interested in privacy issues.

History of the Report
The NRC, a body organized by the National Academy of Sciences (NAS) in 1916 to advise the federal government, assembled a committee of 16 people with a fairly broad range of expertise, including senior individuals with backgrounds in information technology; business; government; consumer protection; liability; economics; and privacy law and policy. From 2002 to 2003, the committee held five meetings to explore a wide range of different viewpoints. For example, briefings and/or other input were obtained from government officials at all levels, authorities on international law and practice relating to policy, social scientists and philosophers concerned with personal data collection, experts on privacy-enhancing technologies, business representatives concerned with the gathering and uses of personal data, consumer advocates, and researchers who use personal data.

Findings and Recommendations
An overriding theme present in the findings was that privacy is ever-evolving and highly contextual. The researchers contended that one's view of privacy and interpretation of its value and importance will often vary, depending upon the circumstances, including the situation and relationships at hand, the intentions of the parties involved, and other contextual factors. Despite the contextual factors impacting privacy, the report's authors still found that the loss of privacy can, and often does, result in significant harm to individuals and groups. Ultimately, the report concluded that privacy is an important value that should be protected.

Select Recommendations
The report placed a lot of attention on the role of the government in the privacy equation. As a result, many of the recommendations were focused on the government:

  • Governments at various levels should establish formal mechanisms for the institutional advocacy of privacy within government. The report made the case for the establishment of a national privacy commissioner or standing privacy commission to provide guidance on privacy developments. While this is a viable approach in many other countries that have implemented national privacy commissioners with broad oversight, it is questionable whether this well-founded approach has enough support in the U.S.  
  • The U.S. government should undertake a broad systematic review of national privacy laws and regulations. Privacy advocates have long criticized the U.S. for having a piecemeal approach to privacy. For some time now, many individuals have contended the sectoral-based approach to privacy should be replaced with a system that is much more comprehensive. Back in the late 1990s, when the main European privacy directive was coming into force, there seemed to be a fair amount of momentum toward enacting a comprehensive privacy law in the U.S. However, since then, privacy has taken a large step back, and it seems there are many reasons to be skeptical about the passage of a comprehensive privacy law in the United States any time soon.
  • Government policy makers should respect the spirit of privacy-related laws. The report's authors observed that various governmental bodies have important roles to play in protecting individual privacy rights. However, they concluded that the existing legal and regulatory framework surrounding privacy is still a patchwork that lacks consistency. As a result, the authors suggested that policymakers pursue a less decentralized and more integrated approach to privacy policy and regulation.
  • Congress should pay special attention to, and provide special oversight over, the government's use of private sector organizations to obtain personal information about individuals. During the past few years, increased governmental demands for data from the private sector have raised major concerns among privacy advocates.  The authors recognized this and suggested that Congress begin to focus more closely on these issues.
  • Governments at all levels should take action to establish the availability of appropriate individual recourse for recognized violations of privacy. In the report, the experts observed that the availability of individual recourse for recognized violations of privacy is an essential element of public policy regarding privacy. They contended that the lack of sufficient recourse is a weakness of the present U.S. system.

The report also contained a number of recommendations that are applicable to the private sector:  

  • The FTC principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations. The principles of fair information practice for the protection of personal information, first enunciated back in a 1973 report of the U.S. Department of Health, Education and Welfare, are, according to the committee, still of great relevance today. The report suggests that private sector enterprises should abide by such fair information principles.
  • Organizations with self-regulatory privacy policies should take both technical and administrative measures to ensure their enforcement. In addition, organizations should routinely test whether their stated privacy policies are being fully implemented; produce privacy impact assessments when they are appropriate; strengthen their privacy policy by establishing a mechanism for recourse if an individual or a group believes they have been treated in a manner inconsistent with an organization's stated policy; and establish an institutional advocate for privacy. While acknowledging that companies operating in the privacy sector can develop and implement self-regulatory regimes for protecting personal data, the authors also expressed concern that self-regulation is limited as a method for ensuring privacy. At the same time, however, they did acknowledge that self-regulation does provide some level of protection that might not otherwise be available to the public.
  • Where policy decisions require that individuals shoulder the burden of protecting their own privacy, law and regulation should support that goal. In order to enhance privacy, individual, organizational and public policy actors have roles to play. Individuals can take a number of steps to enhance the privacy of their personal data as well as to become better informed about the extent to which their privacy has been compromised, although the effectiveness of these measures is bound to be limited.


Likely Impact of the Report
The report is comprehensive, but it has been subject to a fair amount of criticism. For one, it contains so many recommendations, which waters down the report's value. Instead, the report's authors may have been better-advised to focus on a smaller number of critical issues. In addition, there are real questions about the practical value of many of the recommendations. This may be due in part to the fact that many of the report's authors were academics. Arguably, it would have been more advantageous to have more practitioners and privacy advocates on board. Finally, and, perhaps most significantly, there seems to be very little political will for movement on these issues at this time. Indeed, all indications suggest that the present administration is of the view that privacy should take a backseat to expansive information collection efforts that are even tangentially connected to the ongoing War on Terror. At the same time, while there has been a fair amount of attention on discrete aspects of privacy and data security, in particular, the legislative response to data security breaches, there has not been a lot of serious focus on efforts to enact a comprehensive federal practice law. In sum, although the report is an interesting read, there is little reason to hope that it will actually lead to significant changes in privacy regulation.

Jacqueline Klosek is Senior Counsel with Goodwin Procter LLP, where she specializes in privacy and intellectual property. She is the author of many publications concerning privacy law, including the re-cently published War on Privacy (Praeger, 2006). She may be reached for comment at: jklosek@goodwinprocter.com This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .


A Free Executive Summary of the Report on Engaging Privacy and Information Technology in a Digital Age is available at: www.nap.edu/catalog/11896.html. Information about obtaining the full report is also available on the Web site of the NAP at www.nap.edu.