Rulemaking in the Privacy and Cybersecurity Landscape

2019-06-24 - 3 minutes read

Back in 2012, when both Cameron Kerry and Daniel Weitzner were framing the 2012 White House Consumer Privacy Bill of Rights, their proposal did not include rulemaking authority for the Federal Trade Commission (FTC). In a recent Brookings article, Kerry and Weitzner note that at the time they purposely left out rulemaking in their proposed bill due to its political feasibility and a focus on articulating clear rights while also allowing flexibility and innovation with broad principles. The bill demonstrated the authors’ “view that traditional notice-and-comment rulemaking is a cumbersome tool for an issue that shifts rapidly with changes in technology, uses of data, and the innumerable variations in the context in which that data is shared.” As a result, the proposal consisted of codes of conduct that the FTC could legally enforce instead of rulemaking.

The Federal Trade Commission. Image by Eric Drost and licensed under CC BY 2.0.

Now, the privacy and cybersecurity landscape has changed, with a new desire for privacy legislation and rulemaking. While the authors note this change and do see an important role for rulemaking in federal privacy law, their previous caution about becoming overly reliant on rulemaking authority is still relevant.

Elaborating, Kerry and Weitzner discuss a series of “principles on how to approach the delegation of legislative authority through rulemaking in privacy law” in their article. Included in this discussion is their preference for developing rules through case-by-case enforcement.

The article also shares a list of areas where rulemaking could be particularly helpful, such as defining procedures for individual access to personal information that are acceptably secure and privacy-protective, as well as clarifying the technical issues related to data portability.

On the other hand, the authors are sure to point out that there are risks to both the privacy of individuals and commercial interests if we become over-dependent on rulemaking authority. Rulemaking is more partisan than enforcement and rulemaking disputes may favor industry over consumer voices. In light of this, Kerry and Weitzner also discuss using codes of conduct as a partial alternative to traditional rulemaking. For more details, check out the full article via the button below.

Near the end of their article, Kerry and Weitzner “suggest that the role of rulemaking be focused and concrete and that Congress include incentives for more iterative, adaptive, and nimble policymaking”

Read the full article below…