Would a federal privacy agency be useful in addressing or even resolving some of the current privacy conflicts? I think so.
Privacy agencies began in Europe, and every European Union member state now has one as do most other industrialized nations. Each state in Germany has its own privacy agency, and provincial agencies can also be found in Australia, Canada and elsewhere. Some privacy offices also manage freedom of information functions. Clearly, much of the world finds value in having an office devoted to privacy.
I have long been a supporter of a privacy agency in the United States. When I worked for a subcommittee at the U.S. House, I drafted several bills to establish a nonregulatory privacy agency. I emphasize the non regulatory aspect of the proposals because most people from the business community insisted that they opposed a privacy agency because they opposed more regulations. No matter how many times I explained that the agency did not have regulatory powers, it was hard to shake people from their anti-regulatory mantra.
I have a somewhat new conception of a privacy agency today. I still do not see any need for any regulatory powers. The principal role of a privacy agency is to help solve problems. Consumers want better representation of privacy in government and business. Self-regulation has not succeeded because there is no focused external pressure making it more than a group of companies agreeing among themselves to do as little as possible to address privacy. I think that self-regulation has the potential to be balanced, effective and reasonable if someone represented consumers in the process.
Businesses also need someone who can help to mediate and resolve the conflicts over consumer demands. At least some in the business community are willing to do more to satisfy consumers, but no one speaks with authority. Privacy advocates are happy to criticize, but they find it hard to say something nice about a compromise without being attacked by purists. A privacy agency could help raise self-regulation out of its least-common-denominator mode without going to an extreme.
On the international level, the EU wants some office in the federal government to play in the international privacy sandbox. It has been so hard to reach agreement with the EU because the United States is unwilling to discuss a privacy agency. Many of the procedural and enforcement problems that have tied up the safe harbor negotiations could be resolved if the United States had a privacy agency.
So now that we all agree on the value of a privacy agency, how do we proceed? Hear me out.
The central role of a privacy agency would be to encourage the adoption of fair information practices. I see fair information practices as the central element to addressing privacy problems.
We will never reach agreement in the United States on a mandatory code of fair information practices. That is the European omnibus approach. We can and should, however, agree on fair information practices as a goal. Let’s enact a basic code of fair information practices as a national objective, with the privacy agency being an instrument of voluntary persuasion. My proposal does not include any legal requirements, causes of action or enforceable rights.
My U.S. privacy agency has no regulatory powers, but it has a mission to encourage greater use of fair information practices by everyone. Companies or industries could voluntarily bring their policies or self-regulatory codes to the privacy agency for review. Although approval by the privacy agency will not be required, the review process will add enough tension to make self-regulation more balanced. It might even reduce some pressures for legislation if self-regulation can be demonstrated to be useful and not self-serving.
Internationally, the formal adoption of fair information practices as a legislative goal would be welcome. And a U.S. privacy agency would create considerable goodwill in Europe and elsewhere.
One more element would make this privacy agency functional and useful. The agency must have some degree of independence from the administration to be able to criticize activities in the executive branch.
I believe that the United States will eventually have a privacy agency. I just don’t know when it will happen.