Administration Seeks Input on Data Privacy, Cyber Legislative Proposals Proliferate and NIST Releases Draft Security Guidance with Cloud and Mobile Implications

Administration Seeks Input on Data Privacy

As a follow-up to the release of the White House Privacy Report, the DOC National Telecommunications and Information Administration (NTIA) has formally requested comment on what issues should be addressed through the privacy multi-stakeholder process, as well as procedures to foster the development of these codes. Comments are due by March 26th.

Consistent with indications from Administration officials, the Federal Register Notice explains that while the NTIA plans to facilitate the development of enforceable codes of conduct that implement the full Consumer Privacy bill of Rights proposed in the Report, as a start to the process “NTIA seeks to conduct a privacy multi-stakeholder process focused on a definable area where consumers and businesses will receive the greatest benefit in a reasonable timeframe.”

The list of potential topics supplied by NTIA includes: mobile apps and associated issues, cloud computing services, accountability mechanisms, online services directed towards children and teens, trusted identity systems such as NSTIC, and data collection from various technologies.

Cyber Legislative Proposals Proliferate

Following the release last week of a new cybersecurity legislative proposal, the Secure IT Act, offered by Sens. John McCain (R-AZ), Kay Bailey Hutchison (R-TX) and several other Republicans, Reps. Mary Bono Mack (R-CA) and Marsha Blackburn (R-TN) announced Monday their intention to introduce companion legislation. Sponsors have offered the legislation, which would not give the Homeland Security Department the power to require critical computer systems to meet certain security standards, as an alternative to the Cybersecurity Act (S. 2105), introduced last month by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME). Both bills propose to enhance cybersecurity information sharing, reform FISMA, increase cybersecurity R&D and enhance cybercrime enforcement.

And at a time when cybersecurity is becoming an increasingly partisan issue, House E&C Subcommittee Chair Greg Walden (R-OR), in conjunction with the upcoming hearing on Wednesday, announced the formation of a bipartisan Communications and Technology Cybersecurity Working Group, which will include Reps. Lee Terry (R-NE), Anna Eshoo (D-CA), Doris Matsui (D-CA), Bob Latta (R-OH), Michael Doyle (D-PA) and Adam Kinzinger (R-IL).

NIST Security Guidance with Implications on Cloud and Mobile

Last Wednesday, NIST released a draft revision to the Federal Guidelines on Security and Privacy Controls for Federal Information Systems and Organizations. Known as SP 800-53, the revision results from a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations, seeking to address “insider threats, supply chain risk, mobile and cloud computing technologies, and other cyber security issues.” In announcing the document, NIST highlighted that “in most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as ‘cloud’ or ‘mobile computing’ controls or placed in one section of the catalog. Rather, the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches.”

Indian Gov. Adopts New Localization Procurement Rule

India has recently approved a new procurement rule that imposes a preference for domestically manufactured electronic products. Specifically, the rule creates a 30% domestic content requirement on an ill-defined range of electronic products and services. Not only does the rule explicitly target laptops and computers, but it could also extend to any software, application or electronic content that the Indian government might deem to be covered. SIIA is working with other leading trade associations to urge the U.S. government to engage strongly with the government of India to roll back this protectionist policy.


Learn more about key policy developments affecting the software and digital content communities with Digital Policy Roundup.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy.

Privacy: Administration Releases Long-Awaited Privacy Report, Highlights DNT Agreement

Last Thursday, the Obama Administration released its long-awaited Privacy Whitepaper proposing a framework for consumer privacy in the digital age. The whitepaper both calls for a “Privacy Bill of Rights” and announces the Administration’s intention to lead multi-stakeholder processes to implement general principles for particular sectors or contexts.

In conjunction with the release of the Report, the Administration cited an agreement by members of the Digital Advertising Alliance (DAA) to comply when consumers choose to opt out of tracking as an “example of the value of industry leadership as a critical part of privacy protection going forward.” In response to this report, SIIA issued a statement of support for the goal to adopt voluntary, industry-specific privacy guidelines while cautioning that one-size-fits-all privacy laws or regulations would inhibit innovation, without establishing the most effective privacy protection for the public.

Cloud Computing: US-China Seminar

The U.S. Department of Commerce and the Chinese Ministry of Industry and Information Technology (MIIT) will co-host a Cloud Computing Seminar under the auspices of the Joint Commission on Commerce and Trade (JCCT) Information Industry Working Group (IIWG) on April 19 in Beijing, China. The seminar presents U.S. and Chinese industry and government leaders with the opportunity to discuss trends and challenges in cloud computing in each country, including the government’s role in cloud computing promotion, business models and technologies, data privacy and cross-border data flows, and the regulatory environment for cloud computing services.

This event is being coordinated by USITO, SIIA’s partner organization in China, so please follow up with SIIA for more information.

ACTA: EU Puts Agreement on Hold

Following the mass protests against ACTA in Europe, several EU member states, including Poland, Latvia and the Czech Republic, withdrew their intent to ratify ACTA or delayed the decision in their national parliaments. Last week, pursuant to a request by the European Trade Commissioner, the EC put the ACTA ratification process on hold and referred the treaty to the European Court of Justice to determine if it is compatible with EU law.





Reply to Chertoff: Do Not Let the Perfect be the Enemy of the Good on Privacy and the Cloud

In his recent op-ed (Cloud computing and the looming global privacy battle, February 9, 2012), Michael Chertoff properly worries about privacy in the cloud. But he’s wrong to think that all problems are equally important or that they all must be solved at once.

We shouldn’t wait for harmonized privacy regimes before making progress on cross-border data flows. The priority going forward should be a system of clear and simple procedures that allow global companies to comply with substantively different privacy regimes. In the absence of simple compliance procedures, millions of dollars will be spent on unnecessary bureaucratic paper shuffling instead of on productive investments that can generate economic growth and jobs. Eliminating this waste must be a priority, especially given the worldwide economic challenges.

One way forward is through international agreements that put streamlined compliance procedures in place. To accomplish this, countries have to be willing to approve data transfers across borders when companies demonstrate that they are in compliance with local rules. Mechanisms adopted by the Asia-Pacific Economic Cooperation (APEC) group move in this direction. Proposals tabled in the Trans-Pacific Partnership trade discussions also contain this key idea. And the European Union’s proposed data protection regulation provides that compliance can be based on contracts, binding corporate rules or codes of conduct approved by a single EU member state regulator.

Deep integration of privacy regimes is a worthy but distant goal. Fostering interoperability and cross-border data flows is an urgent, immediate need. We shouldn’t let the perfect be the enemy of the good.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology.

Facebook, Cyber Security and Small Businesses Dominate the Hill

Headlining the day, the FTC announced that Facebook agreed to settle the Commission’s charges that it deceived consumers. The proposed settlement requires Facebook to take several steps to enhance its privacy practices, including the terms under which it provides notice to consumers and obtains consent for information sharing, and it would require the company to undergo privacy audits over the next two decades. Rather than underscoring the need for broad privacy legislation, the settlement is further confirmation that the FTC’s long-standing authority over unfair or deceptive trade practices is sufficient for providing thorough enforcement in the privacy arena.

Keeping the cybersecurity train moving forward in the House, and consistent with the House Cybersecurity Task Force goal to address cyber on an individual basis within the committees of jurisdiction, there are two cyber developments scheduled for this week. First, Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) will unveil new bipartisan cybersecurity legislation on Wednesday to provide the government “the authority to share classified cyber threat information on potential attacks with approved American companies.”

And on Thursday, the House Small Business Committee will hold a cyber hearing on protecting small businesses, where Phyllis Schneck, Vice President for McAfee, Inc., will be testifying on behalf of SIIA. The hearing will also include testimony from Task Force leader Rep. Mac Thornberry (R-TX), highlighting the recent recommendations of the House Task Force.



Clock Winds Down on 2011, Cyber and Privacy Gear Up for Action in 2012

With Congress in recess for the holiday, and the “Super Committee” officially resigned to stalemate, it’s unclear how the last month of 2011 will play out in Washington. However, last week saw significant developments for the advancement of cybersecurity legislation. Notably, in a letter to Minority Leader Mitch McConnell (R-KY), Majority Leader Harry Reid (D-NV) indicated that the Senate will consider the issue in early 2012. At about the same time, the Ranking Members of six key Senate committees of jurisdiction on cybersecurity sent a joint letter to the President expressing their desire to move forward on several key cybersecurity issues, and highlighting those that are not quite ready. The one thing that’s for sure is that early 2012 will see a flurry of cyber discussions.

Similarly, indications last week are that privacy issues will also heat up in early 2012. While a firm date has still not been given for the official release of the Commerce Department report on privacy, it’s expected the Report will be released the week of Nov. 28th. Importantly, while the Report will continue to support a legislative Consumer Privacy Bill of Rights, officials have expressed the goal to begin moving forward with a multi-stakeholder process to craft privacy codes of conduct as early as January.

On Monday, the U.S. Department of Commerce released the results of the 22nd US-China Joint Commission on Commerce and Trade (JCCT) meeting between U.S. and Chinese government officials, where Chinese officials made a number of commitments to address issues between the two countries. Most significantly for SIIA members, the summary indicates that China will take steps to address the use of unauthorized copies of software by government agencies and state-owned enterprises. China pledged to complete this software legalization process by 2012 for Chinese provincial entities and by 2013 for municipal and county-level governments.

And in other IP news, House Judiciary Chairman Lamar Smith (R-TX) has announced his plan to mark up the Stop Online Piracy Act (SOPA), H.R. 3261, on Dec. 15th. However, following the lengthy and sometimes contentious hearing that took place last Wednesday, it is quite possible the date will slip while Committee members deliberate several key provisions of the bill.



While Europe Presents Roadblock for Cloud, NIST Presents Roadmap

Yesterday, EU Justice Commissioner Viviane Reding, Vice-President of the European Commission, and the German Federal Minister for Consumer Protection, Ilse Aigner, released a statement calling for a robust data protection framework. In the statement, the two stated explicitly that “companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a ‘cloud.’”

As the EC continues working to revise the 1995 Data Protection Directive, with a deadline to produce a proposal by the end of Jan. 2012, this is a very strong statement highlighting the potential challenges for U.S. businesses, and the cloud computing industry, in working effectively in Europe under these new regulations. However, the statement does still leave some flexibility for demonstrating compliance through codes of conduct, binding corporate rules, contracts or safe harbor arrangements.

Meanwhile, in the U.S. there seems to be increasing recognition that the clock has all but run out on privacy legislation for 2011, and we continue to wait for the release of the DOC report on data privacy reflecting the Administration’s position on the issue broadly. It obviously gets tiring to keep typing that it’s expected to be released “any day now,” but, it’s reportedly finalized and expected to be released… any day now.

On the Hill, indications after the House Energy and Commerce Committee Republican member meeting last week are that Chairman Upton (R-MI) and Subcommittee Chair Bono Mack (R-CA) are still moving forward with intentions of advancing the SAFE Data Act before the end of the year. But again, indications are that time and opportunities have all but run out for passage of data security legislation in 2011.

Also last week, the National Institute of Standards and Technology (NIST) released its much anticipated U.S. Government Cloud Computing Technology Roadmap, a series of three volumes that combine to provide guidance for agencies around cloud computing, to shorten the adoption cycle, enable near-term cost savings and increase the ability to quickly create and deploy safe and secure cloud solutions. The Roadmap is part of a very aggressive strategy by the Administration to implement its “cloud-first” policy, and to develop standards and definitions in key areas such as security, interoperability, portability and eventually procurement. The Roadmap is open for public comment until Dec. 2. SIIA has been highly engaged with NIST’s efforts around cloud computing, and we are reviewing the Roadmap and planning to comment.



In the midst of Hill privacy buzz, Obama Administration and EU are moving forward

Despite Capitol Hill continuing to dominate news headlines regarding data privacy, the work and policy proposals pending from the Obama Administration and the European Commission are more significant at this time.

Here in the U.S., both the Federal Trade Commission and the Dept. of Commerce are readying to release their long-awaited reports on Commercial Data Privacy, seeking to conclude parallel processes launched in late 2010. The Commerce Report will echo the Administration’s call for legislation to provide for baseline privacy regulation, and propose a framework for establishing voluntary codes of conduct to be developed through a multi-stakeholder process, specifying how these basic principles should be implemented for a specific industry sector. A promise to abide by a code would be enforceable by the FTC.

On the other side of the Atlantic, the EU is working on revising the EU Data Protection Directive, with proposed revisions expected to be released in the first quarter of 2012. Key issues under consideration include the so-called “right to be forgotten,” “privacy by design” and an accountability framework.

The accountability framework is the way in which the EC is proposing to relax restrictions on cross-border data flows. Instead of further attempts to clarify what an “adequate” legal framework for privacy might be, the proposed EU directive would look to representations by companies regarding their privacy practices. This might create substantial efficiencies compared to negotiating separate arrangements with data protection authorities. The U.S. Government is actively talking with EU Commission and national officials to move this accountability framework from concept to practical implementation.

Meanwhile, there is not a consistent understanding of what would be required for implementation of the mandatory opt-in consent for cookies. This is already part of the EU ePrivacy Directive, but it has not been implemented by most EU countries.

For a more detailed report on US and EU privacy, visit the recent SIIA policy update.

