Digital Policy Roundup

District Court Upholds FTC Data Security Authority

On April 7, U.S. District Judge Esther Salas in New Jersey upheld the Federal Trade Commission’s authority to bring cases against firms for failure to observe reasonable security practices. The FTC has brought over 30 data security cases in the last decade, but the hotel chain Wyndham World challenged that authority in court in 2012 after the FTC brought a case against them. The judge refused to “carve out a data-security exception to the FTC’s authority” to protect consumers, saying Wyndham’s position would “bring us into unchartered territory.” The judge, however, also said her ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” The ruling was silent on the merits of the underlying complaint, and Wyndham said it continued to believe that the FTC lacked authority to bring the case.

European Court Rejects Data Retention Mandate

The European Court of Justice (ECJ) ruled today that the 2006 EU directive requiring telecom operators to retain data for two years in invalid. The directive, which was passed as an anti-terrorism measure after the July 7, 2005 London subway and bus terrorist bombings, obliged telecom firms to keep data for two years about customer locations, calls texts and emails. The operators were not obliged to keep the contents of these communications. However, the ECJ still ruled that the directive contravened the EU’s Charter of Fundamental Rights and therefore recommended that the directive be overturned. The directive has been controversial since it was passed and some member states such as Germany have not passed legislation implementing it. The ECJ heard the case in response to complaints from civil society groups about telephone data retention laws in Ireland and Austria. Those laws can now be challenged. Member of the European Parliament and General Data Protection Regulation Rapporteur, Jens Albrecht, welcomed the ruling.

House Committee Ponders Preservation and Reuse of Copyrighted Works

Last week, the House Judiciary Subcommittee on Courts, IP and the Internet held a hearingon Preservation and Reuse of Copyrighted Works. The hearing spanned a wide range of topics, and Committee Chairman Goodlatte (R-VA) expressed interest in several key issues, including digitization in cases of deterioration of works caused by age and decay; the notion that Copyright Act is outdated in the digital age; how to best allow public access to works that may have been abandoned; and technological platforms to connect users and copyright owners. However, there was no uniform view from the six witnesses testifying, nor were there consensus positions demonstrated by committee members. In all, the hearing provided another significant input into the Committee’s ongoing copyright review process. For more information about the hearing and witness testimony, check out the Cmte site.

Recommended Read: The Global War for Internet Governance

Professor Laura DeNardis discussed her book: “The Global War for Internet Governance” at the New America Foundation on April 3. DeNardis book is timely, especially given the Commerce Department’s March 14 decision to privatize the Internet Domain Name Function. She stated that this decision was, in fact, a “big deal.” Brazilian Embassy Minister Counselor Benoni Belli said that as a result of the decision, the atmosphere surrounding the April 23-24 Internet Governance “Netmundial” conference in Sao Paulo is much better. Briefly, the management of the Internet’s root zone file will be transferred from ICANN and Verisign to a multistakeholder body as early as 2015 when the ICANN/Versign contracts with the Department of Commerce lapse. There are conditions though, chiefly that whatever model emerges supports and enhances the multistakeholder approach. DeNardis supports “multistakeholderism,” although she cautioned that the multistakeholder approach is not the answer to every Internet Governance challenge.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Digital Policy Roundup

SIIA Weights in with White House on “Big Data and Privacy”

On Monday, SIIA submitted comments in response to the White House’s request for information on how the government can best protect citizens’ privacy in the age of “big data” analytics. SIIA’s overarching recommendation for policymakers is to proceed cautiously when considering new data policies, as these are likely to steer the future of data-driven innovation and the scope of what is possible for American innovation for decades to come. Policies that seek to curb the use of data could stifle this nascent technological and economic revolution before it can truly take hold. Additional inputs for the ongoing Obama Administration big data review process include full day workshops at UC Berkely on April 1st, and NYU on March 17th. The Administration is expected to release the outcome of the 90 day review on April 17th.

Student Data Privacy Legislative Update

Student data privacy bills are pending in a majority of state legislatures, though few have reached the finish line. Most notably, SB 167 was defeated in Georgia, a significantly modified version of NY S6007 was included in the NY State Budget signed into law yesterday, and discussions are ongoing regarding CA SB 1177. SIIA continues to emphasize the need to limit restrictions to “personally identifiable” information, the challenges to schools of parent opt-in/out policies, the important use of meta-data to drive product algorithms, and that one-size requirements on service providers will not work if they fail to address school primary governance in areas such as breach notification, data deletion, and access and correction. Meanwhile, U.S. Senator Markey (MA) indicates continued work toward introducing a bill to amend the Federal Family Educational Rights and Privacy Act (FERPA). SIIA members interested in student privacy should contact SIIA’s Mark Schneiderman.

New School Technology Funding Advances

State and federal initiatives are advancing around technology access, infrastructure and related educator supports. The 2014-2015 New York State Budget signed into law yesterday will authorize up to $2 billion from state bonds to fund school broadband infrastructure and student devices, pending voter approval, with funding distributed on a needs-base formula over the next few years to schools with a state approved technology plan. Equity in technology access was among the SIIA recommendations in testimony 18 months ago to Governor Cuomo’s education reform commission. At the federal level, the FCC issued a second NPRM for the E-rate, calling for comments on their proposed rules, including to prioritize new funding for internal connections including school Wi-Fi, eliminate or phase out voice support, and potentially provide funding eligibility to caching servers and network filtering software. Finally, President Obama’s 2015 Education Budget proposal includes $200-$500 million for a new ConnectEDucators program, which would provide competitive grants for teacher and principal professional development in the improvement of curriculum and instruction through technology.
[Read more...]

Governments can harness the power of data to advance national goals while protecting privacy

SIIA submitted comments yesterday  in response to the White House’s request for information on how the government can best protect citizens’ privacy in the age of big data analysis. We concur with the goals of President’s Obama’s Big Data Initiative to harness the power of data to advance national goals such as economic growth, education, health, and clean energy; use competitions and challenges; and foster regional innovation. Technologists, privacy advocates and policymakers can work together to foster the societal, governmental and business opportunities provided by data-driven innovation, while also meeting the challenge of protecting privacy.

SIIA’s overarching recommendation for policymakers is to proceed cautiously when considering new data policies, as these are likely to steer the future of data-driven innovation and the scope of what is possible for American innovation for decades to come. Policies that seek to curb the use of data could stifle this nascent technological and economic revolution before it can truly take hold. SIIA therefore urges you to avoid support for broad policies that will dramatically curb data collection and analysis.

Other key points contained in SIIA’s big data comments include:

• The vast majority of big data is not personal or sensitive data, and the vast majority of new insights generated from big data analysis do not rely on personal information.

• Uninhibited cross-border, or cross-jurisdictional, data flows is perhaps the single greatest need for innovative U.S. companies to continue growing around the world.

• Big Data policies need to promote technology neutrality and avoid technology mandates, recognizing there is no one-size-fits-all approach.

• It is necessary to think creatively about any new policy regime governing privacy in the “era of big data,” one which increases risk assessment and appropriate data uses by entities—this review should also consider how existing laws have in many ways continued to function effectively and provide a significant degree of protection.

• Governments should continue to embrace open data policies and public-private partnerships that maximize access to critical public data.

Read our full comments, and our 2013 white paper explaining how this innovation presents tremendous economic and social value, capable of transforming the way we work, communicate, learn and live our lives.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPolicy.

Digital Policy Roundup

NTIA Relinquishing Hold Over Management of the Internet

Friday, the NTIA announced its intent to end its oversight role of the Internet Corporation for Assigned Names and Numbers (ICANN). Come September 2015, NTIA’s current contract with ICANN is set to expire. Transitioning to global stewardship, ICANN needs to develop a new governance model. The NTIA has made clear that the openness of the Internet must be maintained stating, “NTIA will not accept a proposal that replaces the NTIA role with a government-led or an inter-governmental organization solution.”

EU Parliament Approves Proposed Data Privacy Regulation

The European Parliament’s Wednesday vote, resulted in overwhelming support for theproposed European General Data Protection Regulation. In a press release the European Commission stated that for the proposed regulation to become law, it “has to be adopted by the Council of Ministers using the ‘ordinary legislative procedure.’” Members of the European Parliament (MEPs) also backed a resolution calling for suspension of the Safe Harbor deal. For a more detailed look at the implications take a look at this article.

Georgia Student Privacy Act, A Barrier to Student Learning

Legislation in Georgia is receiving much debate, centered largely on its primary task of pulling the state back off of the Common Core State Standards (CCSS). But also included in the controversial bill is Part II, the so-called “Student Right to Privacy Act.” The bill creates barriers and disincentives to local school systems to enhance their use of modern technologies and data systems for educational innovation and improvement, just at a time when the state is making continued investments in technology infrastructure and digital learning access. The bill will have a chilling effect.

In short, SIIA is concerned that SB167, while well-intentioned, is overly inclusive and restrictive. Transparency is critical, but one-size-fits-all requirements will detrimentally limit innovation, appropriate local school decisions, and appropriate educational services that benefit Georgia students. For service providers, there are significant risks and costs that may discourage doing business in Georgia. For more information, read SIIA’s Digital Discourse Blog.

The European Commission Should Consider Licensing Models as a Critical Element in the EU Review of Copyright Rules

In early March, SIIA filed comments with the European Commission’s Directorate General for the Internal Market regarding the public consultation on the review of the EU copyright rules. Licensing is a critical way for both the software industry and traditional publishers to deliver high quality and increasingly varied content. SIIA is working to ensure that the Commission makes licensing models a central component of the review. SIIA looks forward to working with the Commission and interested stakeholders on the many important and complex issues surrounding the review, and to promote the software and information industries in Europe and the United States.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Digital Policy Roundup

DOC Discussions on Copyright Policy in the Digital Economy

The Department of Commerce (DOC) Internet Policy Task Force (Task Force) recently announced that it will hold a series of multistakeholder discussions around key issues of copyright policy in the digital economy. The panels and discussions will be a follow-up to the Task Force’s 2013 Green Paper on Copyright Policy, Creativity, and Innovation in the Digital Economy that identified several key copyright topics worthy of more discussion. The first meeting, scheduled for March 20, will focus on what, if anything, needs to be changed about the current “notice and takedown” rules under the Digital Millennium Copyright Act – this topic is also expected to be the subject of a House Judiciary hearing next week.

DOC follow-up meetings on additional topics are expected to be held by the Task Force every six weeks, covering issues such as the relevance and scope of the first sale doctrine in the digital environment, issues around large-scale online infringement, how the government can facilitate the further development of a robust online licensing environment and the legal framework for the creation of remixes. The Task Force’s goal is to produce “an agreed outcome by the end of 2014,” which could mean recommendations for change in the law, or to leave it alone.

Administration Launches Privacy Workshop for “Big Data” Study

On Monday, the Office of Science and Technology Policy (OSTP) formally announced that it will be hosting a series of public events to hear from technologists, business leaders, civil society, and the academic community to advance the “Big Data” study called for by President Obama in January. The first event is a public workshop organized by the Massachusetts Institute of Technology (MIT), entitled “Big Data Privacy: Advancing the State of the Art in Technology and Practice,” held on March 3. This event will be followed by workshops at New York University on March 17, and Cal. Berkley. The President’s report on Privacy and Big Data is expected on April 17.

SIIA White Paper on Geographical Market Segmentation

Late last week SIIA released a white paper detailing the uses and benefits of geographical market segmentation and geolocation tools. Market segmentation – a strategy that divides a broad target market into subsets of customers with different characteristics – is a ubiquitous global business practice, which takes a variety of forms: geographical, behavioral, demographic, and psychographic. Market segmentation in general and geographical market segmentation in particular provide consumers with many advantages, including access to otherwise unavailable goods and services at a fair price.

The use of geolocation technology combined with a policy of conditioning access based on location – commonly referred to as ‘geoblocking’ – is the means thorough which different geographical markets for digital products are segmented. Some policy makers seem to think that this technique is intrinsically suspect and should be stringently restricted. Attempts to ban or restrict geolocation tools might be aimed at geographical market segmentation for digital goods, but they would make it impossible for websites and others to use this common technique for a variety of socially valuable purposes. For more info take a look at this blog.

Busy Week for Student Data Privacy, including SIIA and USDoED Best Practices

SIIA this week announced “Industry Best Practices to Safeguard Student Information Privacy and Data Security and Advance the Effective Use of Technology in Education.” These best practices build on a strong framework of existing laws and practices, which were further clarified today when the U.S. Department of Education Issued guidance, “Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices.” The Department of Education with Privacy Technical Assistance Center (PTAC) will be hosting a webinar on March 13 to review the guidance and solicit input.

SIIA commended the guidance for affirming the vital role of technology in education, clarifying the effective safeguards in current law, and providing an important roadmap for continued safeguarding. These best practices come at a time when many states are considering related legislative restrictions, some of which raise concerns of unintended restricting the important use of technology and student information to improve learning. Many of these issues were discussed yesterday at Common Sense Media’s school privacy Summit in Washington, DC, attended by SIIA and featuring Secretary Duncan, U.S. Senator Markey (MA), FTC Commissioner Brill and SIIA members McGraw-Hill Education and Amplify. The Summit followed a recent radio talk show discussion between SIIA’s Mark Schneiderman and CSM’s CEO Jim Steyer.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Digital Policy Roundup

White House Holds Patent Event
With Congress in recess this week, the Administration will pick up the torch on patent reform, holding a White House event on Thursday to highlight the progress on the Administration’s patent policy agenda. The event marks the one-year anniversary of the President’s call to action to combat the problem of “patent trolls” and abusive patent litigation, and will feature keynote addresses by senior administration officials, including PTO Deputy Director Michelle Lee, on the status of the reform agenda announced on June 4, 2013 and other efforts underway.

FTC Mobile Tracking Conference this Week
On Thursday, the Federal Trade Commission (FTC) will hold a conference on Mobile Device Tracking to explore the ways that “businesses have begun tracking consumers’ movements throughout and around retail stores and other attractions using technologies that identify signals emitted by their mobile devices.” The event will explore a key area of concern for the FTC: company use of technologies to reveal information about consumers, particularly where this tracking is invisible to consumers and occurs with no consumer interaction.

Administration Publishes Cyber Framework
Last week was the one year mark for the President Obama’s executive order (EO) on Cybersecurity, and as directed by the EO, the National Institute for Standards and Technology (NIST) officially unveiled the Cybersecurity Framework. SIIA and many of our members provided input into the development of the Framework, and we commended NIST for working expeditiously to produce a Cybersecurity Framework that leverages industry-led standards, and creates effective and flexible best practices for companies. It is a critical cybersecurity priority for SIIA is to preserve IT innovation and technology neutrality, and we are confident that this Framework will help achieve those goals. We look forward to continue collaborating with NIST as they identify gaps and evolve the framework, and with the Department of Homeland Security as they work to implement this.

Privacy-Facial Rec. Discussions Begin
Also last week, the Department of Commerce National Telecommunications and Information Administration (NTIA) held the first meeting of their privacy multistakeholder discussions on the Commercial Use of Facial Recognition Technology. Similar to the first NTIA initiative on Mobile Transparency, the goal of these talks is to produce a voluntary but enforceable code of conduct to guide businesses in their use of the technology. SIIA was a leading stakeholder in the effort to develop the mobile code of conduct, and we are looking forward to engage in these important discussions. The next meeting will take place on Feb. 25th, and SIIA will provide an update for members after that meeting to report on the progress and next steps for these important discussions.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Digital Policy Roundup

Data Security Takes Center Stage on Hill
As anticipated coming into 2014, data security is the hot topic in the House and Senate. Earlier this week, the Senate Banking Committee held a hearing focused on “Safeguarding Consumers’ Financial Data”, while the Senate Judiciary Committee held a more broad hearing on “Privacy in the Digital Age: Preventing Data Breaches and Combating Cybercrime”. And today the House Commerce Committee held a hearing: Protecting Consumer Information: Can Data Breaches Be Prevented?

While much of the discussions are focused specifically on credit card security, there is a considerable focus on the need for legislation to establish data security requirements for companies and to create a federal standard for breach notification. The lead legislation in the Senate is Chairman Leahy’s Data Privacy and Security Act, and in the House, Commerce Subcommittee Chairman Lee Terry today reiterated the need to avoid legislation that creates technical standards and cumbersome mandates. He is still expected to introduce targeted data breach notification legislation.

Meanwhile, FTC Chairwoman Edith Ramirez was a key witness in two of this week’s hearings, and she expressed the FTC’s support for legislation that establishes data security guidelines and requested the following increases in authority for the Commission: (1) grants civil penalty authority, expands rulemaking authority (APA) and expands jurisdiction to cover non-profits.

SIIA Applauds Progress on School High-Speed Connectivity
This week President Obama and FCC Commissioner Wheeler announced first steps to increase broadband to the nation’s neediest schools, per the President’s ConnectEd proposal. The FCC announced that “the agency will invest an additional $2 billion over the next two years…Funding for new investments in high-speed Internet will come from reprioritizing existing E-Rate funds to focus on high-capacity Internet connectivity, increasing efficiency, and modernizing management of the E-Rate program.” While SIIA views this as a step in the right direction, SIIA’s statement reflects disappointment that there is no significant new funding on the table at this time. SIIA Continues to support increasing total E-Rate funds. SIIA expects the FCC to issue a proposed rule soon to advance these program changes in time for the next funding window in the Fall 2014. The President’s announcements focused on the teacher PD priority around digital learning and philanthropic contributions from several high-tech companies including SIIA member Apple.

SIIA Comments on Virginia Student Data Proposal
Last week, SIIA offered public comment on VA legislation setting requirements on student data “in the cloud.” Specifically, VA SB 599 (and its companion HB 1114) would require that “No cloud computing service provider shall use cloud computing services for any secondary purpose that benefits the service provider or a third party, including online behavioral advertising, creating or correcting an individual household profile, the sale of student data for any commercial purpose, or any other similar for-profit activity.” In our testimony, SIIA outlined the current legal and business protections that companies use, and we expressed serious concerns that the bill would inappropriately inhibit core educational functions for VA students. Based on concern from SIIA and others, Senate and House committees voted to refer the bill to a joint study commission that will meet in the Fall. Meanwhile, related bills have been introduced in KY (SB 89), MD (HB 607), MS (SB 2737) and WV (HB 4279).

A Step Forward for Surveillance Transparency
Last week, the U.S. Department of Justice (DOJ) announced that it would allow companies to publicly report more details about the government’s demands for user data under national security authorities. SIIA issued a statement applauding this as significant improvement over current law, but that it still falls short of the recommendations provided by the President’s Review Group and the Privacy and Civil Liberties Oversight Board (PCLOB). It also falls short of broadly supportive legislative proposals, , providing less detailed reports on the number of requests and continuing to prohibit companies from specifying what provision of law authorized the order (for example, Section 702 or 703 of FISA). In response to the increased transparency, several leading technology companies were quick to disclose new data about government surveillance orders, but also continuing to support for additional reforms to surveillance programs and transparency.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.