By David Hoffman, Intel’s director of security policy and global privacy officerIntel is pleased that the U.S. Federal Trade Commission today has released its final privacy report, “Protecting Consumer Privacy in an Era of Rapid Change,” its follow-up report issued in December 2010. The Commission should be commended for their thorough analysis of the issues, thoughtful consideration of submitted comments, and for furthering the protection of consumer privacy.
We are particularly pleased that the Commission has recommended that Congress consider enacting comprehensive privacy legislation, a position we have advocated in our filings with the Commission and the Administration. The Commission wrote that it “is prepared to work with Congress and other stakeholders to craft such legislation.” Intel is ready to work with Congress and the Commission to make technology neutral and flexible baseline legislation a reality. Intel calls upon others to support the Commission’s efforts to pass a law to provide an environment where individuals can trust their use of technology.
Intel supports the principle in the FTC’s final report that encourages companies to incorporate privacy protection into their design processes. We agree that a Privacy by Design model should ensure that privacy is included as a foundational component of the product and service development process. As the report notes, incorporating privacy protections into the product development process is much preferable to requiring after-the-fact reviews.
The report carefully makes some particularly important revisions to its preliminary report. The FTC has now specifically recognized that privacy is highly contextual. Like the Administration’s recent privacy blueprint, it recognizes that privacy protection must be flexible and look to the expectations individuals have when they use technology within a specific context. The Commission calls out specific contexts where individuals have implicitly chosen to have their data collected and processed. The Commission’s inclusion of the need to process data for security purposes, as one of these contexts, is a welcome recognition of the increased need for improved cybersecurity.
The report also now recognizes data which can be reasonably linked to a specific consumer, computer, or device, requires privacy protection. However, the Commission also provided useful guidance on how an organization can avoid a determination that the data is “reasonably linked.” The elements for avoiding falling under the definition of “reasonably linked” are: (1) a company takes reasonable measures to de-identify data, (2) it publicly commits to maintain and use the data in a de-identified fashion and not attempt to re-identify the data, and (3) if using service providers or third parties, the company contractually prohibits those others from attempting to re-identify the data.
We are pleased that the FTC has recognized the importance of providing certainty to businesses and setting baseline standards of privacy protections for all businesses, a view that we at Intel have long held as essential to providing consumer trust in technology. If individuals are confident their privacy will be protected, they will be further encouraged to adopt new and innovative technologies and services. The resulting investment in new businesses can spark development of new technologies and drive economic growth. We look forward to continued discussion and future work with the Commission on these important issues.