48600 Federal Register / Vol. 83, No. 187 / Wednesday, September 26, 2018 / Notices

Estimated Total Annual Burden outlines of the ecosystem that should be foreign countries, and some U.S. states, Hours: 150 hours. created to provide those protections. have articulated distinct visions for how Estimated Total Annual Cost to DATES: Comments must be received by to address privacy concerns, leading to Public: $0 in capital and reporting/ 11:59 p.m. Eastern Daylight Time on a nationally and globally fragmented recordkeeping costs. October 26, 2018. regulatory landscape. Such fragmentation naturally disincentivizes IV. ADDRESSES: Written comments identified by Docket No. 180821780– innovation by increasing the regulatory Comments are invited on: (a) Whether 8780–01 may be submitted by to costs for products that require scale. The the proposed collection of information [email protected]. Comments Administration hopes to articulate a is necessary for the proper performance submitted by email should be machine- renewed vision, one that reduces of the functions of the agency, including readable and should not be copy- fragmentation nationally and increases whether the information shall have protected. Written comments also may harmonization and practical utility; (b) the accuracy of the be submitted by mail to the National nationally and globally. Further, changes in the way personal agency’s estimate of the burden and Information information is used by organizations, (including hours and cost) of the Administration, U.S. Department of and how users interact with the proposed collection of information; (c) Commerce, 1401 Constitution Avenue products and services with which they ways to enhance the quality, utility, and NW, Room 4725, Attn: Privacy RFC, frequently engage, have increased the clarity of the information to be Washington, DC 20230. collected; and (d) ways to minimize the belief that users are losing control over FOR FURTHER INFORMATION CONTACT: burden of the collection of information their personal information. As seen in Travis Hall, Telecommunications Policy on respondents, including through the data collected by the National Analyst, Office of Policy Analysis and use of automated collection techniques Telecommunications and Information Development, National or other forms of information Administration (NTIA), at least a third Telecommunications and Information technology. of online households have been deterred Administration, U.S. Department of Comments submitted in response to from certain forms of online activity, Commerce, 1401 Constitution Avenue this notice will be summarized and/or such as financial transactions, due to NW, Room 4725, Washington, DC 1 included in the request for OMB privacy and security concerns. The 20230; telephone: 202–482–3522; email: approval of this information collection; Administration takes these concerns [email protected]. seriously and believes that users should they also will become a matter of public For media inquiries: Anne Veigle, record. be able to benefit from dynamic uses of Director, Office of Public Affairs, their information, while still expecting Dated: September 20, 2018. National Telecommunications and organizations will appropriately Sarah Brabson, Information Administration, U.S. minimize risks to users’ privacy. Risk- NOAA PRA Clearance Officer. Department of Commerce, 1401 based flexibility is therefore at the heart [FR Doc. 2018–20850 Filed 9–25–18; 8:45 am] Constitution Avenue NW, Room 4897, of the approach the Administration is BILLING CODE 3510–JE–P Washington, DC 20230; telephone: (202) requesting comment on in this RFC. We 482–7002; email: [email protected]. are mindful of the potential impact of a SUPPLEMENTARY INFORMATION: solution on small and mid-sized DEPARTMENT OF COMMERCE I. Background businesses, and we will be looking for solutions that support their continued National Telecommunications and The U.S. Department of Commerce ability to innovate and support Information Administration (Department) requests comment on economic growth. ways to advance consumer privacy The United States has a history of [Docket No. 180821780–8780–01] while protecting prosperity and providing strong protections for privacy innovation. Every day, individuals RIN 0660–XC043 dating back to 1789, with the drafting of interact with an array of products and our Bill of Rights, including the Fourth Developing the Administration’s services, many of which have become Amendment. The United States also has Approach to Consumer Privacy integral to their daily lives. Often, been a leader in developing privacy especially in the digital environment, norms, be it through the development of AGENCY: National Telecommunications these products and services depend on what ultimately became known as the and Information Administration, U.S. the collection, retention, and use of Fair Information Practice Principles Department of Commerce. personal data about their users. Users (FIPPs) in the 1970’s, or through the ACTION: Notice; request for public must therefore trust that organizations strongest privacy enforcement regime in comments. will respect their interests, understand the world. For users of products and what is happening with their personal services in several sectors (e.g., SUMMARY: On behalf of the U.S. data, and decide whether they are healthcare, education, financial Department of Commerce, the National comfortable with this exchange. Trust is services), specific laws cover how Telecommunications and Information at the core of the United States’ privacy organizations handle personal Administration (NTIA) is requesting policy formation. Through this Request information. Where no sector-specific comments on ways to advance for Comment (RFC), the Administration laws apply, the Federal Trade consumer privacy while protecting will determine the best path toward Commission (FTC) has the authority to prosperity and innovation. NTIA is protecting individual’s privacy while ensure that organizations are not seeking public comments on a proposed fostering innovation. deceiving consumers or operating approach to this task that lays out a set The time is ripe for this unfairly. In all respects, the United of user-centric privacy outcomes that Administration to provide the underpin the protections that should be leadership needed to ensure that the 1 NTIA Blog, ‘‘Most Americans Continue to Have produced by any Federal actions on United States remains at the forefront of Privacy and Security Concerns, NTIA Survey Finds’’ (Aug. 20, 2018), https://www.ntia.doc.gov/ consumer-privacy policy, and a set of enabling innovation with strong privacy blog/2018/most-americans-continue-have-privacy- high-level goals that describe the protections. A growing number of and-security-concerns-ntia-survey-finds.

VerDate Sep<11>2014 19:21 Sep 25, 2018 Jkt 244001 PO 00000 Frm 00016 Fmt 4703 Sfmt 4703 E:\FR\FM\26SEN1.SGM 26SEN1 daltland on DSKBBV9HB2PROD with NOTICES Federal Register / Vol. 83, No. 187 / Wednesday, September 26, 2018 / Notices 48601

States has successfully investigated and clarity, this principle is implemented by service, the privacy risks that the taken enforcement actions against mandating notice and choice. To date, product or service may be creating, organizations that violate these existing such mandates have resulted primarily other means of mitigating these privacy Federal laws. This RFC asks how best to in long, legal, regulator-focused privacy risks, the impact of access and strengthen the protections users policies and check boxes, which only correction on other organizational risks, currently enjoy; it does not propose help a very small number of users who and other relevant factors, in order to changing current sectoral federal laws.2 choose to read these policies and make determine the degree or manner in This RFC is the outcome of an binary choices. which access and correction could help interagency process led by the National The Administration is instead achieve a user-centric privacy outcome Economic Council (NEC) of the United proposing that discussion of consumer without creating needless costs. States. NTIA has worked in privacy in the United States refocus on 1. Transparency. Users should be able coordination with the International the outcomes of organizational to easily understand how an Trade Administration (ITA) to ensure practices, rather than on dictating what organization collects, stores, uses, and consistency with international policy those practices should be. The desired shares their personal information. objectives, and in parallel with the work outcome is a reasonably informed user, Transparency can be enabled through of the National Institute of Standards empowered to meaningfully express various means. Organizations should and Technology (NIST) in developing a privacy preferences, as well as products take into account how the average user voluntary risk-based Privacy Framework and services that are inherently interacts with a product or service, and as an enterprise risk management tool designed with appropriate privacy maximize the intuitiveness of how it for organizations. In developing this protections, particularly in business conveys information to users. In many RFC, the Department conducted contexts in which relying on user cases, lengthy notices describing a significant outreach to a diverse set of intervention may be insufficient to company’s privacy program at a individuals and organizations, manage privacy risks. Using a risk-based consumer’s initial point of interaction including a broad range of industries, approach, the collection, use, storage, with a product or service does not lead academics, and civil society and sharing of personal data should be to adequate understanding. organizations. These meetings helped to reasonable and appropriate to the Organizations should use approaches shape this Administration’s proposed contex. Similarly, user transparency, that move beyond this paradigm when general approach to privacy, described control, and access should be reasonable appropriate. below. and appropriate relative to context. This 2. Control. Users should be able to This approach is divided into two outcome underpins many of the exercise reasonable control over the parts: (1) A set of user-centric privacy principle-based approaches, including collection, use, storage, and disclosure outcomes that underpin the protections the FIPPs. The Administration is of the personal information they provide that should be produced by any Federal proposing that these outcomes be to organizations. However, which actions on consumer-privacy policy, operationalized through a risk- controls to offer, when to offer them, and (2) a set of high-level goals that management approach, one that affords and how they are offered should depend describe the outlines of the ecosystem organizations flexibility and innovation on context, taking into consideration that should be created to provide those in how to achieve these outcomes. factors such as a user’s expectations and protections. This Administration is Protecting both privacy and the sensitivity of the information. The approaching this subject with humility, innovation requires balancing flexibility controls available to users should be an understanding of the complexity of with the need for legal clarity and strong developed with intuitiveness of use, the issues at hand, and a commitment consumer protections. Being overly affordability, and accessibility in mind, and should be made available in ways to a transparent process. As such, this prescriptive can result in compliance checklists that stymie innovative that allow users to exercise informed RFC does not call for the creation of a privacy solutions. In addition, a decision-making. In addition, controls statutory standard. Rather, it is looking prescriptive approach does not used to withdraw the consent of, or to to commenters to respond with details necessarily provide measurable privacy limit activity previously permitted by, a as to how these privacy outcomes and benefits. An outcome-based approach consumer should be as readily goals can be achieved. These comments emphasizes flexibility, consumer accessible and usable as the controls will help to inform future protection, and legal clarity can be used to permit the activity. Administration policy, actions, and achieved through mechanisms that 3. Reasonable Minimization. Data engagement on consumer privacy.3 focus on managing risk and minimizing collection, storage length, use, and A. Privacy Outcomes harm to individuals arising from the sharing by organizations should be minimized in a manner and to an extent Principle-based approaches to collection, storage, use, and sharing of that is reasonable and appropriate to the privacy, particularly when written to be their information. The following outcomes are provided context and risk of privacy harm. Other operationalized, often encapsulate the to spur comments, discussion, and means of reducing the risk of privacy desired outcome and the means used to engagement on how best to achieve harm (e.g., additional security achieve this outcome. For example, the user-centric privacy outcomes in a safeguards or privacy enhancing consent of an informed user is the end- manner that is both flexible and clear, techniques) can help to reduce the need goal of most approaches to consumer not to propose the text of a legal for such minimization. privacy, but in order to create legal standard. They should be read as a set 4. Security. Organizations that collect, of inputs for building better privacy store, use, or share personal information 2 These sectoral laws include, but are not limited to, the Children’s Online Privacy and Protection protections into products and services. should employ security safeguards to Act, Gramm-Leach-Bliley Act, the Health Insurance For example, Access and Correction secure these data. Users should be able Portability and Accountability Act (HIPAA), and (item 5, below) is not an abstract to expect that their data are protected the Fair Credit Reporting Act. requirement. Rather, organizations from loss and unauthorized access, 3 This Request for Comment is focused solely on private collection, use, storage, and sharing of should consider the overall context in destruction, use, modification, and personal data. It does not address lawful which the product or service operates, disclosure. Further, organizations government access to such data. including the purpose of the product or should take reasonable security

VerDate Sep<11>2014 19:21 Sep 25, 2018 Jkt 244001 PO 00000 Frm 00017 Fmt 4703 Sfmt 4703 E:\FR\FM\26SEN1.SGM 26SEN1 daltland on DSKBBV9HB2PROD with NOTICES 48602 Federal Register / Vol. 83, No. 187 / Wednesday, September 26, 2018 / Notices

measures appropriate to the level of risk 1. Harmonize the regulatory making decisions about how to adopt associated with the improper loss of, or landscape. While the sectoral system various privacy practices. Outcome- improper access to, the collected provides strong, focused protections and based approaches also enable personal data; they should meet or should be maintained, there is a need to innovation in the methods used to ideally exceed current consensus best avoid duplicative and contradictory achieve privacy goals. Risk and practices, where available. privacy-related obligations placed on outcome-based approaches have been Organizations should secure personal organizations. We are actively successfully used in cybersecurity, and data at all stages, including collection, witnessing the production of a can be enforced in a way that balances computation, storage, and transfer of patchwork of competing and the needs of organizations to be agile in raw and processed data. contradictory baseline laws. This developing new products, services, and 5. Access and Correction. Users emerging patchwork harms the business models with the need to should have qualified access personal American economy and fails to improve provide privacy protections to their data that they have provided, and to privacy outcomes for individuals, who customers, while also ensuring clarity in rectify, complete, amend, or delete this may be unaware of what their privacy legal compliance. data. This access and ability to correct protections are, and who may not have 5. Interoperability. The growth and should be reasonable, given the context equal protections, depending on where advancement of the -enabled of the data flow, appropriate to the risk the user lives. Steps need to be taken to economy depends on personal of privacy harm, and should not ensure that the regulatory landscape for information moving seamlessly across interfere with an organization’s legal organizations that process personal data borders. However, the Administration obligations, or the ability of consumers in the United States remains flexible, recognizes that governments approach and third parties to exercise other rights strong, predictable, and harmonized. consumer privacy differently, creating provided by the Constitution, and U.S. 2. Legal clarity while maintaining the the need for mechanisms to bridge law, and regulation. flexibility to innovate. The ideal end- differences, while ensuring personal state would ensure that organizations data remains protected. The 6. Risk Management. Users should have clear rules that provide for legal Administration should therefore seek to expect organizations to take steps to clarity, while enabling flexibility that reduce the friction placed on data flows manage and/or mitigate the risk of allows for novel business models and by developing a regulatory landscape harmful uses or exposure of personal technologies, as well as the means to that is consistent with the international data. Risk management is the core of use a variety of methods to achieve norms and frameworks in which the this Administration’s approach, as it consumer-privacy outcomes. The United States participates, such as the provides the flexibility to encourage Administration understands that APEC Cross-Border Privacy Rules innovation in business models and balancing legal clarity, flexibility, and System. privacy tools, while focusing on consumer privacy requires compromise 6. Incentivize privacy research. The potential consumer harm and and creative thinking. It is in striking U.S. Government should encourage maximizing privacy outcomes. this balance, however, that the United more research into, and development of, 7. Accountability. Organizations States has been able to maintain products and services that improve should be accountable externally and international leadership in both privacy protections. These technologies within their own processes for the use innovation and privacy enforcement, and solutions will include measures of personal information collected, and any future action should strive to built into system architectures or maintained, and used in their systems. create a system that to the greatest product design to mitigate privacy risks, As described below in the High-Level extent possible maximizes each. as well as usability features at the user- Goals for Federal Action section, 3. Comprehensive application. Any interface level. These innovations external accountability should be action addressing consumer privacy require more research into structured to incentivize risk and should apply to all private sector understanding user preferences, outcome-based approaches within organizations that collect, store, use, or concerns, and difficulties, as well as an organizations that enable flexibility, share personal data in activities that are understanding of the impact on legal encourage privacy-by-design, and focus not covered by sectoral laws. The obligations of third parties and the on privacy outcomes. Organizations that differences between business models ability of third parties to exercise other control personal data should also take and technologies used should be rights provided by law. Privacy research steps to ensure that their third-party addressed through the application of a will inform the development of vendors and servicers are accountable risk and outcome-based approach, standards frameworks, models, for their use, storage, processing, and which would allow for similar data methodologies, tools, and products that sharing of that data. practices in similar context to be treated enhance privacy. 7. FTC enforcement: Given its history B. High-Level Goals for Federal Action the same rather than through a fragmented regulatory approach. of effectiveness, the FTC is the The Administration is also looking to 4. Employ a risk and outcome-based appropriate federal agency to enforce gather feedback on the following high- approach. Instead of creating a consumer privacy with certain level goals for Federal action. These compliance model that creates exceptions made for sectoral laws goals should be understood as setting cumbersome red tape—without outside the FTC’s jurisdiction, such as the broad outline for the direction that necessarily achieving measurable HIPAA. It is important to take steps to Federal action should take, in addition privacy protections—the approach to ensure that the FTC has the necessary to comments on the goals, we are also privacy regulations should be based on resources, clear statutory authority, and looking for comments with details as to risk modeling and focused on creating direction to enforce consumer privacy how these goals can be achieved. Below user-centric outcomes. Risk-based laws in a manner that balances the need is a non-exhaustive and non-prioritized approaches allow organizations the for strong consumer protections, legal list of the Administration’s priorities. flexibility to balance business needs, clarity for organizations, and the We understand that there is consumer expectations, legal flexibility to innovate. considerable work to be done to achieve obligations, and potential privacy 8. Scalability: The Administration these goals. harms, among other inputs, when should ensure that the proverbial sticks

VerDate Sep<11>2014 19:21 Sep 25, 2018 Jkt 244001 PO 00000 Frm 00018 Fmt 4703 Sfmt 4703 E:\FR\FM\26SEN1.SGM 26SEN1 daltland on DSKBBV9HB2PROD with NOTICES Federal Register / Vol. 83, No. 187 / Wednesday, September 26, 2018 / Notices 48603

used to incentivize strong consumer explore additional commercial data publicly accessible. Do not submit privacy outcomes are deployed in privacy-related issues? If so, what is the confidential business information or proportion to the scale and scope of the recommended focus and desired otherwise sensitive or protected information an organization is handling. outcomes? information. In general, small businesses that collect 3. What aspects of the Department’s Dated: September 21, 2018. little personal information and do not proposed approach to consumer David J. Redl, privacy, if any, are best achieved via maintain sensitive information about Assistant Secretary for Communications and their customers should not be the other means? Are there any Information, National Telecommunications primary targets of privacy-enforcement recommended statutory changes? and Information Administration. D. The Department understands that activity, so long as they make good-faith [FR Doc. 2018–20941 Filed 9–25–18; 8:45 am] some of the most important work in efforts to utilize privacy protections. BILLING CODE 3510–60–P Similarly, there should be a distinction establishing privacy protections lies between organizations that control within the definitions of key terms, and personal data and third-party vendors seeks comments on the defintions. In particular: COMMODITY FUTURES TRADING that merely process that personal data COMMISSION on behalf of other organizations. Just as 1. Do any terms used in this organizations should employ outcome- document require more precise Agency Information Collection based approaches when developing definitions? Activities Under OMB Review privacy protections for their customers, 2. Are there suggestions on how to the government should do the same better define these terms? AGENCY: Commodity Futures Trading with its approach to privacy 3. Are there other terms that would Commission. enforcement and compliance. benefit from more precise definitions? ACTION: Notice. 4. What should those definitions be? II. Request for Comment E. One of the high-level end-state SUMMARY: In compliance with the A. Through this RFC, the Department goals is for the FTC to continue as the Paperwork Reduction Act of 1995 is first seeking feedback on what it Federal consumer privacy enforcement (PRA), this notice announces that the believes are the core privacy outcomes agency, outside of sectoral exceptions Information Collection Request (ICR) that consumers can expect from beyond the FTC’s jurisdiction. In order abstracted below has been forwarded to organizations. to achieve the goals laid out in this RFC, the Office of Management and Budget 1. Are there other outcomes that would changes need to be made with (OMB) for review and comment. The should be included, or outcomes that regard to the FTC’s resources, processes, ICR describes the nature of the should be expanded upon as separate and/or statutory authority? information collection and its expected items? F. If all or some of the outcomes or costs and burden. 2. Are the descriptions clear? Beyond high-level goals described in this RFC DATES: Comments must be submitted on clarity, are there any issues raised by were replicated by other countries, do or before October 26, 2018. how any of the outcomes are described? you believe it would be easier for U.S. ADDRESSES: Comments regarding the 3. Are there any risks that accompany companies to provide goods and burden estimate or any other aspect of the list of outcomes, or the general services in those countries? the information collection, including approach taken in the list of outcomes? G. Are there other ways to achieve suggestions for reducing the burden, B. The Department is also seeking U.S. leadership that are not included in may be submitted directly to the Office feedback on the proposed high-level this RFC, or any outcomes or high-level of Information and Regulatory Affairs goals for an end-state for U.S. consumer- goals in this document that would be (OIRA) in OMB within 30 days of this privacy protections. detrimental to achieving the goal of notice’s publication by either of the 1. Are there other goals that should be achieving U.S. leadership? following methods. Please identify the included, or outcomes that should be Instructions for Commenters comments by ‘‘OMB Control No. 3038– expanded upon? 0069.’’ 2. Are the descriptions clear? Beyond This is a general solicitation of • By email addressed to: clarity, are there any issues raised by comments from the public. We invite [email protected] or how the issues are described? comments on the full range of questions • By mail addressed to: the Office of 3. Are there any risks that accompany presented by this RFC and on issues that Information and Regulatory Affairs, the list of goals, or the general approach are not specifically raised. Commenters Office of Management and Budget, taken by the Department? are encouraged to address any or all of Attention Desk Officer for the C. The Department is seeking the questions above. Comments that Commodity Futures Trading comments that describe what the next contain references to specific court Commission, 725 17th Street NW, steps and measures the Administration cases, studies, and/or research should Washington DC 20503. should take to effectuate the previously include copies of the referenced A copy of all comments submitted to discussed user-centric privacy materials along with the submitted OIRA should be sent to the Commodity outcomes, and to achieve an end-state in comments. Commenters should include Futures Trading Commission (the line with the high-level goals. In the name of the person or organization ‘‘Commission’’) by either of the particular: filing the comment, as well as a page following methods. The copies should 1. Are there any aspects of this number on each page of the refer to ‘‘OMB Control No. 3038–0069.’’ approach that could be implemented or submissions. All comments received are • By mail addressed to: Christopher enhanced through Executive action, for a part of the public record and will Kirkpatrick, Secretary of the example, through procurement? Are generally be posted on the NTIA Commission, Commodity Futures there any non-regulatory actions that website, www.ntia.doc.gov/ Trading Commission, Three Lafayette could be undertaken? If so, what actions privacyrfc2018, without change. All Centre, 1155 21st Street NW, should the Executive branch take? personal identifying information (for Washington, DC 20581; 2. Should the Department convene example, name or address) voluntarily • By Hand Delivery/Courier to the people and organizations to further submitted by the commenter may be same address; or

VerDate Sep<11>2014 19:21 Sep 25, 2018 Jkt 244001 PO 00000 Frm 00019 Fmt 4703 Sfmt 4703 E:\FR\FM\26SEN1.SGM 26SEN1 daltland on DSKBBV9HB2PROD with NOTICES