Elon University

Breakout Panel Session – Privacy Regulation in the US: Bottom-Up Versus Top-Down Approaches

Brief session description:

Monday, July 24, 2017 – This panel took place during the afternoon session of IGF-USA 2017 at the Center for Strategic and International Studies in Washington, D.C. Read the print story and see video highlights on this page. You can view the full, archived video of this plenary panel session here.

This session was aimed at addressing ways to deal with the issues surrounding public privacy online in an age in which many governments are using the Internet for surveillance and many Internet-driven corporations’ business models are based upon the monitoring of individuals’ private information and actions online and sales of that data. Among the questions the panelists were asked to consider are: How should the US deal with the issue of regulating privacy? Should we be focusing on government regulation or should we explore bottom-up solutions such as self-certification?

Details of the session:

The session was moderated by Shuli Hallak, executive director of the New York chapter of the Internet Society. Panelists included:

  • Naomi Lefkovitz, senior privacy policy advisor in the Information Technology Lab at the National Institute of Standards and Technology (NIST) for the US Department of Commerce, a leader of the privacy engineering program, which focuses on integrating privacy risk management processes and technical solutions
  • Michelle De Mooy, director of the Privacy & Data Project at the Center for Democracy & Technology, advocating for data privacy rights and protections in legislation and regulation
  • Kara Sutton, senior manager of the US Chamber of Commerce Center for Global Regulatory Cooperation; she oversees international high-tech and digital policy work, with an emphasis on global data privacy
  • Caroline Greer, who leads European Public Policy for Cloudflare, covering a wide range of policy and regulatory issues related to Cloudflare’s mission of helping build a better Internet
  • Craig Spiezle, founder and managing partner of AgeLight LLC, a recognized authority on trust and the convergence of privacy and security, promoting ethical privacy practices, end-to-end security and the importance of moving from a compliance mindset to stewardship; serves as chairman emeritus of the Online Trust Alliance

Privacy regulation in the U.S. must be driven by consumer choice, transparency and inclusivity, while navigating a complex landscape of government policy, an uprising of grassroots movements, and a continually evolving and widely varied definition of the concept in itself, according to panelists. They also discussed the merits and concerns about current approaches, including the EU’s General Data Protection Regulation.

The massive amounts of ultra-sensitive data continually collected from users are intended to provide consumers and businesses with information, and are contingent on mutual trust. Security frameworks are challenged to protect users from harms ranging from embarrassment to identity theft, while also sharing data.

“What we try to do is create a frame of analysis for privacy in systems,” said Naomi Lefkovitz, senior privacy policy advisor in the Information Technology Lab at the National Institute of Standards and Technology at the U.S. Department of Commerce. “We need to avoid creating problems for individuals, essentially when our systems are processing for information.”

The “rigid-rules” based approach threatens to become a checklist for security screening, while a risk-management approach finds errors and then adapts to provide protection. Both frameworks require set principles, such as how to give consumers notice and how to address consumer choice.

“You have to give people choices about things that you can meaningfully make choices about,” said Shuli Hallak, executive director of the Internet Society, New York chapter. “If you’ve built an infrastructure that already created privacy risks, then there’s nothing for them to consent to at that point other than to use the system or not.”

The protection of Internet users’ choice to surrender certain elements of privacy in exchange for goods and services is made difficult by increasing technological innovation. The Internet can no longer be thought of as a screen—online data are everywhere.

“Your apartment building — who owns that data?” asked Craig Spiezle, founder and chairman emeritus of the Online Trust Alliance. “It all comes down to user control. … It’d be a horrible situation that you’d have to give an iris scan, your fingerprint to get into your apartment.”

The ability to turn off features that track data is critical to the preservation of privacy, but what happens when it results in a notification every time you try to search your own emails? According to Kara Sutton, senior manager of the U.S. Chamber of Commerce Center for Global Regulatory Cooperation, too much disclosure by a company to the consumer can translate into a concern for the consumer.

Of security notifications, Sutton said, “At some point it can be too much, where the consumer doesn’t pay attention to it the same way anymore.”

The General Data Protection Regulation (GDPR) is a top-down approach due for implementation within the E.U. in May 2018. Caroline Greer, leader of European Public Policy for Cloudflare, provided a European perspective. The general concepts, which emphasize transparency and business accountability, allow room for a code of conduct, certifications and seals.

The benefits discussed include the provision of a blueprint for businesses, a concrete movement of progress and the promise of equal impact.

“One of the things that I think is the most interesting out of the European approach is the fact that Europeans start with humans, people,” said Michelle De Mooy, director of the privacy and data project at the Center for Democracy and Technology. “The human being is the first part of accessing something. Here in the United States, it’s much more about the technology as a solution and a remedy.”

“At the end of the day,” Greer added, “this is a new piece of legislation and we’re all grappling with it to a certain extent.”

In the U.S., widely varying state legislatures make it difficult to make progress on privacy regulation. As a result, consumers are taking the matter into their own hands.

“I don’t disparage self-regulation,” De Mooy said. “I know that it’s not the best and more effective tool … but these are the tools that we have to use. Creating tools that are the most reflective and inclusive are the way to go.”

Spiezle highlighted California’s recent increase in consumer interest at the legislative level. The distribution of personal data to third-party vendors seems to be a big motivator.

“You’re already paying for the service with your credit card. I don’t believe you should be paying in perpetuity with your personal data,” he said. “They’ve essentially set the bar for the nation.”

A change is necessary in privacy regulation, especially as the term continues to evolve, whether it comes via a bottom-up or a top-down approach. As of today, consumers should stay vigilant in understanding how data exchange works and how they have control over their personal data.

“If you think of it less in terms of ‘this is my data, this is your data’ and more about how accessing it is providing those benefits and harms, I think you’ll get to a better result,” Lefkovitz said.

– By Deirdre Kronschnabel

The multimedia reporting team for Imagining the Internet at IGF-USA 2017 included the following Elon University School of Communications students, staff and faculty:

Janna Anderson, Bryan Baker, Camille Behnke, Liam Collins, Diego Pineda Davila, Colin Donohue, Maya Eaglin, Christina Elias, Meagan Gitelman, Alex Hager, Tommy Kopetskie, Deirdre Kronschnabel, Jared Mayerson, Emmanuel Morgan, Grace Morris, Jackie Pascale, Mariah Posey, Alexandra Roat, Ginna Royalty, Alexandra Schonfeld, Jamie Snover, Erik Webb, Brooke Wivagg