FPF Senior Fellow Peter Swire: FTC Deserves Praise for Its De-Identification “Safe Harbor”

FPF Senior Fellow Peter Swire: FTC Deserves Praise for Its De-Identification “Safe Harbor”

Surprisingly to most observers, one of the biggest effects of the new FTC report will be in the area of de-identified data.  The FTC’s new approach, highlighted by them as the top issue of interest to techies, provides a major incentive for companies to improve their data processes.

The earlier report would have applied to “consumer data that can be reasonably linked to a specific consumer, computer, or other device.”  The debate has been about what it means to be “reasonably linked.”  Consumer groups have correctly focused on the risks to consumers — new technology can link a vast range of data to individual consumers. Industry has correctly focused on the problems that come with an over-broad definition of “reasonably linked,” which could extend privacy rules to an almost unlimited range of data processing.

I believe the FTC has found a Goldilocks solution for the problem of de-identified data.  The FTC provides what amounts to a safe harbor where: “(1) a given data set is not reasonably identifiable; (2) the company publicly commits not to re-identify it, and (3) the company requires any downstream users of the data to keep it in de-identified form.”

The FTC approach provides a major incentive for companies to comply with the de-identification safe harbor.  For data in the safe harbor, all of the other privacy requirements do not apply.  That reduces the scope and cost of compliance.

The FTC approach correctly recognizes that a promise not to re-identify data is key.  Once a company makes that promise, it is subject to enforcement for a deceptive practice under Section 5 of the FTC Act.  The company thus will have a strong reason to control its internal processes, to make sure that data that should be de-identified stays de-identified.

Similarly, the requirement of promises from the downstream users keeps data protected against the main risks.  Data that can be potentially re-identified stays within a protected bubble – the companies promise not to re-identify, on pain of Section 5 enforcement.

I have long believed that technical controls are not enough to protect consumers against possible re-identification, as shown in a 2009 report by the Center for Democracy and Technology and my December talk on de-identified data.  The best path is to have reasonably strong technical protections, supplemented by the sorts of enforceable promises that the FTC report supports.

In short, companies now will have an important incentive to comply with the de-identification safe harbor, so that their other databases won’t have to comply with privacy requirements.  The result will be better data practices for the information that could otherwise cause the most risk to consumers.

Going forward, defining the scope of this “safe harbor” could be a good candidate for a multi-stakeholder process facilitated by the U.S. Department of Commerce.  The Administration is asking for public comments on “substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct.”  By defining the meaning of “reasonably identifiable” in concrete settings, companies will have a stronger incentive to put effective de-identification measures into place.

Please see slides and videos for a recap of FPF’s December 5, 2011 event “Personal Information: The Benefits and Risks of De-Identified Data.”

Leave a Reply


Privacy Calendar

Apr
22
Tue
10:00 am Privacy Principles in the Era of Massive Data @ Georgetown Law Center
Privacy Principles in the Era of… @ Georgetown Law Center
Apr 22 @ 10:00 am – 12:00 pm
Experts from the public and private sectors will join public policy experts from the Georgetown University McCourt School of Public Policy and privacy law experts [...]
Apr
24
Thu
all-day 6th Biannual International Surveillance & Society Conference
6th Biannual International Surve…
Apr 24 – Apr 25 all-day
The 6th Biannual International Surveillance & Society conference hosted by the University of Barcelona and supported by the Surveillance Studies Network is currently calling for [...]
12:00 pm Data Privacy in Education: Ensuring Student Security while Encouraging Innovation in K-12 Education @ Rayburn House Office Building, Room B-354
Data Privacy in Education: Ensur… @ Rayburn House Office Building, Room B-354
Apr 24 @ 12:00 pm – 1:00 pm
The Congressional E-Learning Caucus in cooperation with Into and the National Coalition for Technology in Education and Training presents a luncheon to discuss “Data Privacy [...]
Apr
29
Tue
all-day IAPP Europe Data Protection Intensive 2014
IAPP Europe Data Protection Inte…
Apr 29 – May 1 all-day
The IAPP Europe Data Protection Intensive features timely programming centred on the top issues impacting the European data protection community, with a focus on addressing [...]
Apr
30
Wed
5:30 pm InSecurity: Race, Surveillance and Privacy in the Digital Age @ New America Foundation
InSecurity: Race, Surveillance a… @ New America Foundation
Apr 30 @ 5:30 pm – 7:30 pm
Now more than ever, digital tools sit at a precarious tipping point, and many question whether they will be used to address pre-existing disparities, [...]
May
7
Wed
all-day IAPP Canada Privacy Symposium 2014
IAPP Canada Privacy Symposium 2014
May 7 – May 9 all-day
The IAPP Canada Privacy Symposium is the leading conference for education, debate and discussion of issues that matter most to Canadian privacy and data protection [...]
Jun
5
Thu
all-day Privacy Law Scholars Conference (7th Annual) @ The George Washington School of Law
Privacy Law Scholars Conference … @ The George Washington School of Law
Jun 5 – Jun 6 all-day
  UC Berkeley School of Law and The George Washington University Law School will be holding the seventh annual Privacy Law Scholars Conference (PLSC) on [...]
Jun
8
Sun
all-day Computers, Freedom, and Privacy 2014 Conference @ Airlie Center
Computers, Freedom, and Privacy … @ Airlie Center
Jun 8 – Jun 10 all-day
Mark your calendars! The 2014 Computers, Freedom, and Privacy Conference will be held June 8-10 at the Airlie Center in Warrenton, Virginia. The Airlie Center [...]

View Calendar