Last month, we looked at NIST’s efforts to develop a new Privacy Framework to supplement its widely used Cybersecurity Framework.  This month we review a couple of the Administration’s other data privacy initiatives, which reflect that further changes in data protection requirements are a virtual certainty and coming soon.

1. Federal Trade Commission:  On August 6, 2018, the Federal Trade Commission (FTC) requested comments and announced a series of public hearings on key consumer issues, including competition, privacy, artificial intelligence and predictive analytics.  Comments are due by February 18, 2019.  The seventh FTC hearing took place on November 13-14, 2018.

In addition to its own hearings, the FTC is participating in the Department of Commerce’s National Telecommunications and Information Administration (NTIA) initiative referenced below.  A copy of the FTC’s comments in that proceeding can be found here.

They indicate that the FTC views itself as the nation’s consumer protection and competition agency, due to its enforcement of the HIPAA Notification Rule, the Fair Credit Reporting Act, Gramm-Leach-Bliley and COPPA among other consumer protections relating to the E.U.–U.S. Privacy Shield, telemarketing, spam, etc.

2. NTIA Request for Comments:  On November 14, 2018, the NTIA published a Request for Information on a proposed approach to advancing consumer privacy while protecting prosperity and innovation.  The comment period closed on October 26 and NTIA has published all comments.  They include comments from the FTC and the European Commission, author of the EU General Data Protection Regulation (“GDPR”), and make for an interesting read.  To the extent that the NTIA notice does not go as far as GDPR, and it doesn’t, the European Commission recommends it go further.  Other notable issues raised by NTIA:

  • The NTIA is recommending an “outcomes-based” and “principles-based” approach to privacy rather than dictating specific practices,
  • Those principles include (i) transparency, (ii) control, (iii) reasonable minimization, (iv) security, (v) right of access and correction, (vi) risk management, and (vii) accountability.  The FTC is said to be the “appropriate federal agency to enforce consumer privacy” with certain exceptions like HIPAA.
  • While this list seems fairly comprehensive, the European Commission recommends the addition of principles addressing (i) lawful data processing for specific purposes, (ii) separate treatment of sensitive data, (iii) requirements for reporting of data breaches, (iv) enforceable legal remedies and deterrent sanctions, and (v) automated decision-making.
  • Let’s call the EU vision the “Son of GDPR”; it is not one we would bet against.

The relevance of these initiatives is that they will have a direct and material effect on data configuration and compliance separate from other U.S. requirements relating to data security and data breaches.  Forewarned would seem to be forearmed.

Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, events, and more. This post was published in the January 2019 Monthly Insights newsletter. To sign up for Monthly Insights, please click here.

Steve Britt is a Partner at Berenzweig Leonard and leads the firm’s Cybersecurity Law practice. Steve can be reached at [email protected]