Privacy's Preemptive StrikeBy Jeffrey Rothfeder
Hewlett-Packard Co., eBay inc. and Microsoft Corp. have a vested interest in seeing online commerce prosper. Their growth strategies are directly linked to making money from Internet sales and transactions. Hence, these high-tech leaders' worst nightmare is that the failure to protect digital privacy will frighten off Web consumers and lead to federal regulations that will stymie the free-form, lucrative evolution of the Web.
Motivated by that sentiment, these and other companies formed a consortium of a dozen corporations earlier this year, dubbed the Consumer Privacy Legislative Forum. Its primary goal is to produce a model federal privacy law that will be acceptable to U.S. businesses and that can outflank the many recent attempts in Congress to pass data-protection bills, all of which have so far fallen flat. The group has just started to sculpt a proposal that will likely call for these baseline standards:
"We are trying to create a minimum level of expectation about privacy that will ensure basic consumer trust," says Scott Taylor, chief privacy officer at H-P. "Once you establish that baseline, it depends on the company to go above the bar or not."
The CPL Forum is a significant milestone in that it is the first pro-privacy corporate consortium. It has endorsed the concept of federal privacy legislation, which U.S. companies have strongly resisted, claiming instead that voluntary self-policing is adequate. But the CPL Forum's approach raises suspicions about whether its efforts will be entirely for the good.
Privacy advocates are concerned that CPL Forum legislation will simply codify lowest-common-denominator privacy protections. They fear it could preempt tougher state rules already in place, as well as proposed federal legislation for strict data-protection systems in every large company, such as the Personal Data Privacy and Security Act sponsored by Senators Arlen Specter and Pat Leahy. Moreover, CPL Forum members demur on the question of whether companies should be penalized for data-protection failures and privacy intrusions. Most of the proposed federal laws provide for explicit fines, and even jail terms, for such violations.
Compromising personal data or failing to provide necessary protections," says Senator Leahy. "This creates an incentive for companies to protect personal information." H-P's Taylor, a CPL Forum leader, isn't convinced. "Certainly companies need to be held accountable, but penalties are not necessarily the right answer," Taylor says. "I'm not prepared to comment on penalties."
Be sure to read the main story: