Internet firms will be fined for breaching users’ online privacy, as part of a White House drive to regulate personal data collection. The ‘consumer privacy bill of rights’ was launched on 23 February. However, the Obama Administration has no plans to regulate social media content.
America’s global influence makes it the natural starting point for changing how the internet operates. However, those rules can only work effectively in Europe with the European Commission’s backing, as it steers data protection policy for all 27 EU member states.
“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” President Obama stated.
The plan follows on from a year of talks between White House officials and internet companies, including Google, facebook and twitter. These talks will now turn to implementation, with the US Department of Commerce taking the lead. Seven basic rights are set out:
• individual control by consumers over what personal data companies collect from them and how they use it (with companies giving them “clear and simple” choices for consent);
• transparency about privacy and security practices, including clear descriptions of data, the reasons for collection, time limits on storage, and arrangements for sharing data with third parties;
• respect for context i.e. that companies use or disclose data in the way that was originally agreed with the consumer unless otherwise required by law;
• secure and responsible handling of personal data with companies maintaining reasonable safeguards against loss, tampering and improper disclosure;
• access and accuracy with consumers having the right to correct personal data and request either its deletion or limitations on its use;
• focused collection of data by companies (only as much as is needed according to the ‘respect for context’ principle), including securely disposing of personal data or removing anything that identifies the individual once it is no longer needed; and
• accountability of companies to enforcement authorities and consumers, and employees to companies (via staff training and regular evaluation), and obliging third party recipients to adhere to the bill’s principles.
The White House says that legislation is ultimately needed but progress will be slowed down by a hostile Congress and the presidential race. The charter’s voluntary nature also suits internet companies, which have lobbied for self-regulation. In its defence, the Administration points out that firms will face heavy penalties from the Federal Trade Commission for breaking the code. Google has also agreed to introduce ‘do not track’ buttons, which were resisted by the industry and advertisers.
However, tracking will still be allowed for market research, product development and law enforcement. The American Civil Liberties Union wants customers to have the option to stop all tracking.
The European Commission, meanwhile, plans to update the 1995 Data Protection Directive with new laws scheduled for 2014. Reforms could result in fewer notification requirements for companies but an urgent duty to report serious data breaches within 24 hours. The Commission also wants to give people “a right to be forgotten” i.e. the ability to delete data when there is good reason for retaining it.
Restricting freedom of expression (e.g. via social media) is forbidden by the US Constitution’s First Amendment, with limited exceptions. Theft can be prosecuted, as shown in the Wikileaks case, but the Administration cannot legally stop that information from being published. US Ambassador to the EU William Kennard has also pointed out that the Administration can restrain freedom of speech where there is the threat of “imminent violence”.
The Department of Homeland Security initially claimed that it only monitored social media to gather information on terrorism or natural disasters. However, a 2011 internal manual (released through a freedom of information query) allows analysts to monitor what users are saying about the department and its policies.