FPF Senior Fellow Peter Swire: FTC Deserves Praise for Its De-Identification “Safe Harbor”

FPF Senior Fellow Peter Swire: FTC Deserves Praise for Its De-Identification “Safe Harbor”

Surprisingly to most observers, one of the biggest effects of the new FTC report will be in the area of de-identified data.  The FTC’s new approach, highlighted by them as the top issue of interest to techies, provides a major incentive for companies to improve their data processes.

The earlier report would have applied to “consumer data that can be reasonably linked to a specific consumer, computer, or other device.”  The debate has been about what it means to be “reasonably linked.”  Consumer groups have correctly focused on the risks to consumers — new technology can link a vast range of data to individual consumers. Industry has correctly focused on the problems that come with an over-broad definition of “reasonably linked,” which could extend privacy rules to an almost unlimited range of data processing.

I believe the FTC has found a Goldilocks solution for the problem of de-identified data.  The FTC provides what amounts to a safe harbor where: “(1) a given data set is not reasonably identifiable; (2) the company publicly commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in de-identified form.”

The FTC approach provides a major incentive for companies to comply with the de-identification safe harbor.  For data in the safe harbor, all of the other privacy requirements do not apply.  That reduces the scope and cost of compliance.

The FTC approach correctly recognizes that a promise not to re-identify data is key.  Once a company makes that promise, it is subject to enforcement for a deceptive practice under Section 5 of the FTC Act.  The company thus will have a strong reason to control its internal processes, to make sure that data that should be de-identified stays de-identified.

Similarly, the requirement of promises from the downstream users keeps data protected against the main risks.  Data that can be potentially re-identified stays within a protected bubble – the companies promise not to re-identify, on pain of Section 5 enforcement.

I have long believed that technical controls are not enough to protect consumers against possible re-identification, as shown in a 2009 report by the Center for Democracy and Technology and my December talk on de-identified data.  The best path is to have reasonably strong technical protections, supplemented by the sorts of enforceable promises that the FTC report supports.

In short, companies now will have an important incentive to comply with the de-identification safe harbor, so that their other databases won’t have to comply with privacy requirements.  The result will be better data practices for the information that could otherwise cause the most risk to consumers.

Going forward, defining the scope of this “safe harbor” could be a good candidate for a multi-stakeholder process facilitated by the U.S. Department of Commerce.  The Administration is asking for public comments on “substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct.”  By defining the meaning of “reasonably identifiable” in concrete settings, companies will have a stronger incentive to put effective de-identification measures into place.

Please see slides and videos for a recap of FPF’s December 5, 2011 event “Personal Information: The Benefits and Risks of De-Identified Data.”

Leave a Reply


Privacy Calendar

Oct
24
Fri
9:00 am Web Privacy & Transparency Confe... @ Princeton University
Web Privacy & Transparency Confe... @ Princeton University
Oct 24 @ 9:00 am – 4:00 pm
On Friday, October 24, 2014, the Center for Information Technology Policy (CITP) at Princeton University is hosting a public conference on Web Privacy and Transparency. It will explore the quickly emerging area of computer science research that[...]
Oct
29
Wed
4:00 pm Big Data and Privacy: Navigating... @ Schulze Hall
Big Data and Privacy: Navigating... @ Schulze Hall
Oct 29 @ 4:00 pm – 7:00 pm
The rapid emergence of “big data” has created many benefits and risks for businesses today. As data is collected, stored, analyzed, and deployed for various business purposes, it is particularly important to develop responsible data[...]
Oct
30
Thu
9:00 am The Privacy Act @40: A Celebrati... @ Georgetown Law
The Privacy Act @40: A Celebrati... @ Georgetown Law
Oct 30 @ 9:00 am – 5:30 pm
The Privacy Act @40 A Celebration and Appraisal on the 40th Anniversary of the Privacy Act and the 1974 Amendments to the Freedom of Information Act October 30, 2014 Agenda 9 – 9:15 a.m. Welcome[...]
Nov
7
Fri
all-day George Washington Law Review 201... @ George Washington University Law School
George Washington Law Review 201... @ George Washington University Law School
Nov 7 – Nov 8 all-day
Save the date for the GW Law Review‘s Annual Symposium, The FTC at 100: Centennial Commemorations and Proposals for Progress, which will be held on Saturday, November 8, 2014, in Washington, DC. This year’s symposium, hosted in[...]
Nov
11
Tue
10:15 am You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
You Are Here: GPS Location Track... @ Mauna Lani Bay Hotel & Bungalows
Nov 11 @ 10:15 am
EFF Staff Attorney Hanni Fakhoury will present twice at the Oregon Criminal Defense Lawyers Association’s Annual Sunny Climate Seminar. He will give a presentation on government location tracking issues and then participate in a panel[...]
Nov
12
Wed
all-day PCLOB Public Meeting on “Definin... @ Washington Marriott Hotel
PCLOB Public Meeting on “Definin... @ Washington Marriott Hotel
Nov 12 all-day
The Privacy and Civil Liberties Oversight Board will conduct a public meeting with industry representatives, academics, technologists, government personnel, and members of the advocacy community, on the topic: “Defining Privacy.”   While the Board will[...]
Nov
20
Thu
all-day W3C Workshop on Privacy and User... @ Berlin, Germany
W3C Workshop on Privacy and User... @ Berlin, Germany
Nov 20 – Nov 21 all-day
The Workshop on User Centric App Controls intents to further the discussion among stakeholders of the mobile web platform, including researchers, developers and service providers. This workshop serves to investigate strategies toward better privacy protection[...]

View Calendar