Data privacy is having a renaissance, spurred by how far it has eroded under the overbearing gaze of large corporations and data brokers.
Last September, President Trump ordered the National Institute of Standards and Technology (NIST) to establish privacy standards for American consumers. Following the landmark enactment of the European Union's GDPR, the passage of California's state privacy legislation (CCPA) and a series of high-profile consumer privacy breaches and violations, data privacy could sit on the backburner no longer.
The privacy framework is set for an October release, and — if it follows the path of the Cybersecurity Framework — could provide industrywide understanding and best practices for businesses handling consumer data.
But as effective as the frameworks can be, they are ultimately voluntary. With a patchwork of state data privacy regulations emerging, federal legislators are also beginning to question what they should do.
A new framework
In November, NIST issued a request for information (RFI), asking organizations with a stake in the matter to weigh in on how they manage privacy risk and what a framework should entail.
Information technology companies delivered, with big names such as Apple, Google, Microsoft, IBM and Salesforce, and industry associations such as ITIF and the Internet Association, turning in comments.
Last month, the Commerce Department arm provided a working outline of the feedback it received. Key takeaways indicated respondents do not share a consistent understanding of privacy risk management. The majority, however, did support a risk- and outcome-based, voluntary and nonprescriptive approach to privacy that can be adaptable across organizations, technologies, sectors and use cases.
Forming the framework is a very iterative process, and the agency will be transparent with the public and seek regular input from stakeholders, Naomi Lefkovitz, senior privacy policy advisor and lead for the privacy framework, said in an interview with CIO Dive. NIST will hold a second workshop in May to discuss the outline and work toward the draft framework.
Businesses and executives need to chime in to ensure the framework aligns well with industry processes, integrating and addressing their concerns early on instead of tacking them on at the end, Lefkovitz said. If it follows the cyber framework, the privacy document is likely to look very different in its final form than it does now.
Many organizations referenced NIST's Cybersecurity Framework in their comments. The cyber framework has been widely commended for helping establish security best practices and creating a common language and understanding among businesses, in the U.S. and even in some foreign countries.
The cyber framework, which was also kicked off by an executive order, recently celebrated its five-year anniversary. The most recent iteration came out last April, and relative to its first version has a much broader impact — a testament to the living and evolving role these frameworks are supposed to hold.
NIST is aiming for the privacy framework to be similarly supportive for organizations and government bodies as well as agnostic to law and regulation, Lefkovitz said. Organizations should be able to use it as an underlying tool to help demonstrate compliance.
One of the cybersecurity framework's most successful factors was creating a common and accessible language for businesses to use, an accomplishment NIST is looking to replicate in the privacy domain.
Some respondents to the RFI called for NIST to define concepts such as personal data, privacy risk or what constitutes harm. But with some definitions already in place under existing laws and regulations, others cautioned the agency against setting semantic boundaries.
Calls for federal legislation prevail
Many stakeholders who responded to the RFI reiterated the need for federal privacy legislation.
Many organizations and experts are worried about an emerging patchwork of privacy legislation they must contend with at the state and international level. House and Senate committees held hearings in February with industry and consumer stakeholders to discuss the merits of federal legislation.
Politicians are in a difficult situation. Pro-business interests fear the stifling effect of regulation on innovation and commerce, and pro-consumer interests fear exploitation of personal data by large corporations serving their own interests.
Congress could promulgate regulations that affect businesses that rely on data to market their services, but such regulations could also harm consumers who rely heavily on marketing to find relevant products and services, according to Dan Goldstein, president of Page 1 Solutions, LLC, in an interview with CIO Dive.
It's concerning for businesses that they could be operating in a world that is too restricted by different hurdles across the states, Goldstein said. Data privacy crosses party lines to an extent, though there is still the business versus consumer interest, and it is important for federal legislators to come together and preempt state laws.
Some experts, such as Goldstein, view GDPR as too restrictive on businesses; while CCPA is slightly better in his view, it was still passed in a rush and could have unintended consequences for states. Many Silicon Valley companies have also urged Congress to push back on state mandates.