Trade Law Daily is a Warren News publication.
NIST Touts Upcoming Expansion of Privacy Framework, Gets Initial Stakeholder Praise

The National Institute of Standards and Technology is already expanding beyond the recently released “Version 1.0” of its privacy framework, including plans to create a “guide to help small and medium-sized businesses build in privacy” using the document, said Director Walter Copan at a Wednesday Center for Strategic and International Studies event. The framework, released last month, provides a set of privacy protection practices for companies and other entities to use, along with related risk management strategies. The framework can provide a guide for federal and state lawmakers as they aim to enact privacy standards, though NIST has been careful to stress its document is meant to be entirely voluntary, officials said.

The framework “is not a checklist of requirements,” Copan said. “It allows organizations to prioritize and design the most effective privacy solutions for their business environment.” It’s “designed to be agnostic to any particular law or regulation,” he said. “But it can help organizations create the building blocks for the privacy outcomes they want, so they can meet their privacy obligations to their customers, boards or regulators.” He repeatedly referenced NIST’s widely adopted cybersecurity framework (see 1402130026), noting it and the new privacy guidelines both aim to “foster communications within and between organizations.”

NIST “will be reaching out” to small and medium-sized businesses “over the next few months” to “better understand how the privacy framework can help enhance their operations,” Copan said. The agency wants “to know what lessons we can learn, and what our next steps should be to ensure that this framework continues to evolve to meet the needs of stakeholders.” NIST is “considering supporting materials we can develop with stakeholders to provide further clarity on how to use” the framework, he said. The agency also aims for framework users to utilize its Privacy Engineering Collaboration Space to “discover, share, discuss and improve upon open source tools, solutions and processes that support privacy engineering and risk management.”

The framework’s introduction comes at a significant “inflection point” between privacy and technology that will allow companies to “make better decisions” about the privacy impacts of their products before consumers are even able to use them, said NIST Senior Privacy Policy Adviser Naomi Lefkovitz. It can be a model for “shifting the conversation” on risk management and provides the “building blocks” for future policymaking.

Center for Democracy and Technology interim co-CEO Chris Calabrese and executives from IBM and Microsoft gave the framework glowing reviews during the CSIS event, though all emphasized the continued need for a long-sought federal privacy law. It’s “a really useful tool for coming to a common understanding” on privacy practices and risk management, but “it’s not a substitute” for “a legislative approach or a regulatory approach,” Calabrese said. He later said it won’t be able to handle every specialized privacy matter, noting it’s “not best equipped to handle” facial recognition issues. That would be “asking too much of the framework,” Calabrese said.

The framework is an “excellent first document” that Microsoft plans to actively participate in expanding, said Corporate Standards Group General Manager Jason Matusow. There’s “still room to grow,” including the addition of further “in-depth guidance.” IBM also “strongly supports” the framework, said Vice President-Ethics and Policy Michael Cronin. It’s “easy to apply” at a company of any size and can be used globally because it’s designed to interact in a range of regulatory environments. He noted it can “work well together” with the EU general data protection regulation because they’re both based on the same “underpinning” philosophy of accountability.

Privacy legislation is unlikely to pass Congress this year, but “in the next couple of years we have a real opportunity” to enact a bipartisan law, Calabrese said. The NIST framework will help set up the “latticework” of privacy concepts that will help build privacy regulation over the coming decades, though the point of legislation will always be about setting a floor for bad actors to meet. The House Consumer Protection Subcommittee circulated its draft privacy bill last month, drawing significant feedback (see 2001240063). House Oversight Committee leaders are drafting facial recognition legislation (see 2001150035).

IBM supports federal privacy legislation and the framework can help “inform” the approach U.S. lawmakers take, Cronin said. Such a bill is “necessary at this point in time” given the adoption of privacy standards in California and other states. It’s important for any federal bill to take a “balanced” approach between protecting consumers’ privacy and ensuring the tech sector’s ability to continue innovating, he said. Risk-based legislation could work “hand in hand” with the ethical guidelines NIST set out in its framework.