In recently released comments, network operators and other telecom players expressed general support for federal data privacy regulation — especially if the alternative is a patchwork of state or even local guidelines.
The U.S. Department of Commerce’s National Telecommunications and Information Administration asked for public comment in September on a high-level framework for consumer data privacy, as part of a number of federal efforts to modernize U.S. data privacy policy. NTIA released the comments it received last week.
In one comment, the Federal Trade Commission staff neatly summed up the double-edge sword of personal data collection and use by tech and telecom companies, particularly as more everyday devices are connected.
“Today, companies often provide digital services and content powered by (or in exchange for) consumer data. News headlines draw attention to remarkable innovation—in mobile apps, mobile payment systems, connected devices, automated cars, etc.—that both stems from and necessitates the collection, use, and disclosure of consumer data. At the same time, however, news headlines highlight potentially problematic privacy practices: a dating app’s disclosure of HIV status to software vendors, a tracking firm’s inadvertent exposure of the real-time geolocation data of 200 million people, or an IoT firm’s decision to track sex toy use without users’ consent. These twin trends—data-driven innovation and increasing data privacy concerns—have raised important questions about the ability of the existing legal landscape to protect consumers’ privacy interests.”
Below are some excerpts from telecom and tech companies’ comments on the proposal by NTIA on the development of a national framework for consumer data handling, privacy, security and the extent to which consumers will be able to edit or correct existing data.
–Arm: The microprocessor company said in its comment that in addition to its work in semiconductors, that it is “also increasingly providing services that manage the devices Arm microprocessors end up in, as well as services that collect, organize, transport, maintain, and make sense of the exponentially increasing amount of data coming from the growth in the number and use of devices connected to the internet.”
Arm said as privacy frameworks are developed based on current technologies, that regulators keep in mind how radically artificial intelligence and machine learning may change the use of data.
“The advancement and more widespread utilization of AI/ML is likely to change the way companies and individuals think about using data. In a fully developed AI world we will be hoping for AI machines to be able to interrogate data, and come up with useful results, in ways we may not have yet thought of or predicted. This may mean that some of our current data protection concepts may need rethinking and reframing, particularly if they could impede significant benefits to society or individuals. These could include looking at elements like detailed explicit consent, use of anonymized data, length of time data can be retained etc. At the same time AI may well introduce its own challenges, around unfair bias, transparency of decision-making, and other related issues. A new data protection system designed today must be open to the future challenge from AI.”
Arm also said that federal guidance on privacy should “give more direction and considerations for third-party vendors and service providers to take into account with respect to the role they play in this process. Supply chains in this area are varied and complex. Third party vendors often handle, process, store, and analyze personal data, but with less or unclear direction on what is expected of them. While it is difficult or impossible to provide a one size fits all approach, providing security guidance and risk management options for third party vendors to consider would clarify the responsibilities of those entities in the data protection process.”
–AT&T said in its comment that it was generally supportive of both the federal government playing a role in data privacy regulation and the goals of establishing a federal privacy law that: harmonizes the regulatory landscape; maintains flexibility to innovate; applies comprehensively on a technology-neutral basis; is risk-based; and is enforced by the Federal Trade Commission.”
“In a connected world, where individuals use multiple devices and services from different providers, the most effective way to protect consumers is through one set of rules which apply to the collection and use of consumer data,” AT&T said. It went on to add that while some individual data privacy regulations that have been established for specific sectors (such as healthcare) may endure, federal adoption of a comprehensive privacy law would make Communications Act provisions on privacy — which apply to traditional telecom services — unnecessary, calling those regulations “dated” and saying that they “fail to reflect the convergence that has taken place in the communications sector.”
AT&T also added that “to the extent that other sector-specific regulations are retained, they should be carefully targeted at the uses of personal data that are unique to the pertinent sector. For example, it may be appropriate for health care institutions to apply special protections to a certain category of protected health information, but they should also be subject to the same rules governing collection and use of other personal data that apply to edge providers, communications companies, equipment manufacturers, retailers, and others.”
AT&T said that federal legislation on privacy should preempt state privacy laws and “provide consumers one set of consistent privacy protections, choices and controls.” The network operator also recommened the express recognition that “certain types of data collection and use may be subject to the consumer’s implied consent, accompanied by proper notice,” and that the access and ability to correct data should be “reasonable.”
“In assessing reasonableness of any right to access or correction, the administration should consider the costs, risks and benefits of any such requirements,” AT&T said, adding that the Trump administration “should assess the actual benefit that access to data brings to consumers, the cybersecurity and fraud risks that any obligations might create, and the operational and compliance costs to businesses.”
AT&T also called for a role for voluntary efforts and best practice codes in any federal privacy law, as safe harbors that enable companies to adapt in rapidly changing conditions.
-Cable provider Charter Communications emphasized the importance of consumer control in its comment, saying that “consumer empowerment must be the cornerstone of any policy or framework that protects consumer online privacy, and the framework must establish uniform online privacy protections for all Americans, no matter where they go on the internet or how they interact with online services.”
Charter went on to express skepticism about the use of “context” to justify the use of consumer data and said that should only apply in “clear and limited” scenarios. “To the extent that NTIA includes the context concept in its privacy framework, considerable effort needs to be undertaken to clarify exactly what context means (and doesn’t mean) to ensure consumers are empowered to control their personal online data.”
–CTIA said that “consumer trust is key for the continued growth of the mobile ecosystem” and said that trust is a strong incentive for companies to “develop robust privacy programs and practices.” The group emphasized the need for national harmony in privacy policy, rather than a patchwork approach.
“The United States has reached a turning point on privacy as other countries turn to prescriptive regulation and state and local governments threaten to fragment the U.S. digital market,” CTIA said, citing the European Union’s General Data Protection Regulation and forced data localization requirements in a number of countries. “Domestically, consumers and companies are seeing fragmentation as various agencies weigh in on privacy,” the organization continued. “Domestic fragmentation is compounded as some state governments increasingly regulate privacy, which is particularly problematic in light of the global and interstate nature of the Internet ecosystem. There is a risk of even further fragmentation in the United States, as local governments join states in attempts to regulate privacy. With fifty states and over 30,000 localities, the specter of balkanization is increasingly worrisome.”
CTIA called flexibility in a national policy another critical component, and said tht it supports reasonable consumer control of their personal data — however, it added that “NTIA should be cautious when making recommendations or determinations on access and correction rights. This is an area for risk management and flexibility. … All users, for example, may not need access to or the right to amend data in many circumstances, particularly where data is not being used in access decisions like employment or credit. Organizations, especially small organizations, will have different abilities to allow consumers to access and correct data. Access and correction rights also raise security considerations. Requiring companies to provide access, especially along with correction rights, will present challenges for companies, including those related to authentication of users and the burden to appropriately verify the accuracy of ‘corrected’ information being provided.”
–Verizon said that it has supported a federal data regulation policy since 2011, adding that it supports “strong, comprehensive privacy legislation, which should be simple to understand and should be targeted to users’ needs and today’s digital reality.”
Verizon emphasized the need for a federal policy as opposed to a state-by-state approach. “In today’s Internet economy it is impractical for state borders to serve as differentiators as to how products and services are offered. The Internet does not recognize state boundaries, and consumers should not have their privacy protections depend on their state,” the company said.
The operator also commented that in terms of flexibility, one important component would be “not dictating that all personal information should be treated the same. There must be built-in flexibility to tailor protections based on the sensitivity of the information” and a risk-based approach.
The carrier also said that “while privacy policies describing companies’ privacy practices are valuable, additional mechanisms, such as privacy dashboards and ‘just in time’ notices can serve to well-inform customers and enable them to understand the practices being described and the choices they have at a more relevant time.”
When it comes to security, Verizon noted, there is no comprehensive federal policy as to when consumers must be notified about data breaches and suggested that a national policy on data collection should address this, although a separate policy on data breach notification may be necessary.
The carrier also said that promoting international cross-border data flows is “critical.”
“As noted by NTIA, a regulatory landscape in the United States that is consistent with the international norms and frameworks developed in the multilateral forums in which the United States participates, will help in reducing barriers to seamless data flows,” Verizon said. “The privacy outcomes and high-level goals outlined in the [request for comment] generally align with many of the privacy principles developed by the Organization for Economic Cooperation and Development and the Asia-Pacific Economic Cooperation forum. Federal legislation that implements these outcomes and goals will further enhance Administration efforts both within international organizations, as well as through engagements with international stakeholders, to develop mechanisms to further enhance the free-flow of data.”