Recently, both the Federal Trade Commission and the Department of Commerce suggested a need for a better regulatory structure to protect the privacy of Internet users, calling on Congress to address perceived gaps in current privacy legislation. These reports, however, arise in the context of a political shift, as a result of the mid-term elections. What are the prospects for significant reform in privacy protection, in light of those political changes?

In December 2010, the FTC staff issued a "preliminary" report, aimed at providing a "broad privacy framework to guide policymakers, including Congress and industry." See Preliminary FTC Staff Report, Protecting Consumer Privacy In An Era Of Rapid Change: A Proposed Framework for Businesses And Policymakers (Dec. 2010). The report called for a wholesale "re-examination" of the nation’s approach to privacy protection.

The FTC noted that privacy issues have become "larger, more complex," and often "incomprehensible to consumers." While many companies offer disclosure of their practices, fewer "actually offer consumers the ability to control these practices." As a result, the FTC suggested, "consumers face a substantial burden in reading and understanding privacy policies and exercising the limited choices offered [.]" Further, the FTC emphasized the "nearly ubiquitous" collection of consumer data, and that data collectors "share the data with multiple entities," due to "economic incentives [that] drive the collection and use of more and more information about consumers." The FTC expressed concern with the increasing erosion of anonymity on the Internet.

The FTC suggested that industry self-regulatory efforts had "fallen short" and recommended a Do Not Track program, modeled on, but technically different from, the FTC’s existing "Do Not Call" protective system for unwanted tele-marketing. The FTC also called for efforts to "simplify" consumer choices. The FTC suggested that companies should provide "reasonable access" to the consumer data they maintain, with access to be "proportionate to the sensitivity of the data and the nature of its use." The FTC pointed to the need for "affirmative express consent" before companies use consumer data "in a materially different manner than claimed when the data was collected."

Shortly after the FTC released its 2010 report, the Department of Commerce issued its own report on Internet privacy issues. See Department of Commerce, Internet Policy Task Force, Commercial Data Privacy In The Internet Economy: A Dynamic Policy Framework (Dec. 2010). The DOC report suggested that a "new approach may well be necessary," in view of the increasingly "vital role" of the Internet in "daily life." The report cited a need for "[f]oundational principles" to "strengthen commercial data privacy." The report recommended "broad adoption" of "Fair Information Practice Principles," to "help close gaps in current policy, provide greater transparency, and increase certainty for business." The report also recommended creation of a "privacy office," within the DOC, to work with other agencies (including the FTC), to "convene multi-stakeholder discussions," and to "lead an international outreach" for development of commercial data privacy policies.

Both the FTC and DOC called for comments on their proposals, which the agencies are in the process of gathering. To date, the FTC has received more than 200 comments on its proposals. Industry groups asked for, and were granted, additional time to comment on the FTC report. Further reports will likely follow, later this year. But will these reports spark actual legislative change? Several hurdles must be overcome for any significant change to occur.

Historically, the Congress has favored a sectoral, rather than a comprehensive, approach to privacy protection. Thus, as opposed to the European Union, which adopted a broad set of information privacy principles more than a decade ago, Congress has acted episodically, in response to specific perceived concerns, such as protection of children (the Children’s Online Privacy Protection Act), health information (the Health Insurance Portability and Accountability Act) and financial privacy (the Gramm-Leach-Bliley Act). Even where Congress has acted, moreover, agency implementation has often required substantial time and effort. FTC implementation of the "do not call" rule, for example, required almost a decade to complete. Thus, in the U.S. system, efforts at privacy regulation generally require sustained attention, or clear focus, or both, to succeed.

A question of legislative priorities immediately arises. Both the FTC and DOC appear to recognize that major changes in privacy policy (such as the creation of a "do not track" system by the FTC, or a new privacy-protection division within DOC), will require legislation. But Congress may have bigger (or at least other) legislative priorities. Rep. Fred Uton (R-Mich.), the incoming Chair of the House Committee on Energy and Commerce (which has primary House oversight authority on matters related to the Internet) has placed repeal and replacement of the Obama administration’s health care system at the top of his agenda.

In the arena of Internet regulation, moreover, Congress may focus more on fighting "net neutrality" rules than it does on privacy. Opponents of the net neutrality system developed by the Federal Communications Commission ("FCC"), have labeled the regulations "socialist," and vowed to rescind them. Conservatives expressed particular concern that the agency proceeded without a specific legislative mandate for the system (and in the face of at least one adverse court ruling). Again, Rep. Upton has indicated that the House Commerce Committee will hold hearings, early in 2011, "on the harm regulation of the Internet [by the FCC] will cause to investment, innovation and jobs[.]" Rep. Upton suggested that "[t]he FCC’s hostile actions toward innovation, investment and job creation cannot be allowed to stand." Already, Marsha Blackburn (R-Tenn.) has introduced a bill (supported by at least 60 members in the House) that would strip the FCC of authority to issue "any regulations regarding the Internet or IP-enabled services." Thus, it appears that net neutrality will become a significant legislative priority in this congressional session.

Senators Rockefeller (D-W. Va.) and Kerry (D-Mass) have both indicated that they may sponsor online privacy legislation in 2011. Sen. Rockefeller serves as Chair of the Senate Committee on Commerce, Science and Transportation (the equivalent of the House committee chaired by Rep. Upton), and has indicated that he plans to hold committee hearings on the issue (as he did in 2010). Yet, Senator Rockefeller is also a major proponent of net neutrality regulation, and may face a significant political challenge in defending that system in Congress (distracting attention and resources from the online privacy issue). Conservative conspiracy theorists have ratcheted up their rhetoric against Sen. Rockefeller, claiming that his regulatory efforts are meant to "take control over the Internet," through such mechanisms as net neutrality, control of "smart grid" technology, and even a military takeover. Critics also chide Sen Rockefeller for his public question (at a Senate hearing, in the context of Internet security concerns): "would it have been better if we had never invented the Internet?"

Sen. Rockefeller, representing the economically depressed state of West Virginia also may be expected to focus the Senate Commerce Committee on job creation and the economy. As Sen. Rockefeller noted, at the beginning of the new year: "Right now, nearly 1 in 10 West Virginians are looking for work, and job creation and economic security are our top priorities. As we begin a new Congress, every action we take must be measured against its impact on working families and their prosperity." His statement of "key priorities" for the Senate Commerce Committee, moreover, began with "a focus on jobs, economic security and growth," followed by "homeland security," and "consumer protection" (including "privacy on the Internet") at the bottom of the list. In response to the President’s State of the Union address, Sen. Rockefeller noted: "I am glad that the White House is putting a renewed focus on manufacturing and innovation as a way of revitalizing American businesses and creating jobs." Noting the President’s call to reexamine the regulatory system and its effects on the economy, Sen. Rockefeller stated: "We must give our core industries here at home, and across the nation, a more efficient regulatory system. The president wants that, and I think we should do it. I think we need to give them greater predictability."

Legislative activity in the area of Internet privacy butts up against a conservative movement against government regulation in general, and "job-killing" regulation in particular. A preliminary "backgrounder" memorandum for the incoming House Commerce Committee members, for example, referred to the FCC’s actions on net neutrality as an "abuse of power and process," and criticized the agency as "slow, inefficient, and less than transparent." Conversely, Rep. Upton, speaking of the prospect of congressional action to authorize additional public auctions of broadband spectrum, approved of the system as a means to "not only promote broadband, but jumpstart the economy, create jobs, and generate significant revenue for American taxpayers." Rep. Upton, moreover, represents Michigan, a state hard-hit by the recession, and an area hoping to rebound, at least in part, on the strength of a new boom in technology companies and innovation.

Rep. Upton faced a bruising fight for the Chair of the House Commerce Committee. Conservative commentators, including Glenn Beck and Rush Limbaugh, together with Tea Party adherents, accused Rep. Upton of being too "moderate." Limbaugh complained that Rep. Upton had once co-sponsored a bill to ban the incandescent light bulb (a measure aimed at promoting "green" technology). Limbaugh called this approach "nannyism" and "statism." In the end, Rep. Upton won the Chair position, claiming that he would stand "shoulder to shoulder" with the conservative leadership of the House, to "repeal Obamacare, fight rampant job-killing regulations, cut spending and help put folks back to work." In his press release after election to the Chair position, Rep. Upton announced his priorities: "[W]e will focus on jobs. We will focus on the economy. . . . Where we find burdensome regulations that hamper our economy, we will repeal them."

Rep. Rick Boucher (D-Va.), former Chair of the House Commerce Committee’s Subcommittee on the Internet, offered a "discussion" draft of an online privacy bill in 2010. In response, the President of the Interactive Advertising Bureau (which represents Internet advertisers and networks) claimed that the Boucher bill would "imprison the Internet economy" and "erode the burgeoning field of e-commerce, harm ad-supported news and entertainment media, and destroy tens of thousands of small businesses[.]" Rep. Boucher was defeated in his bid for re-election to the House. Rep. Cliff Stearns (R-Fla.), who worked with Rep. Boucher on the online privacy bill, was re-elected, and announced plans to sponsor another online privacy bill in 2011. Rep. Stearns sought to chair the House Commerce Committee in the new Congress, but was defeated by his fellow Republicans.

Rep. Joe Barton (R-Tex.), the former minority leader of the House Commerce Committee, sought to stay on, as Chair, under a special waiver of a Republican term limits rule. Rep. Barton had previously supported online privacy regulation under the auspices of the FTC, and suggested that, if elected Chair, he would "put Internet privacy policies in the crosshairs." The Republican majority chose not to permit Rep. Barton to serve as Chair of the House Commerce Committee. He will remain on the committee, but will not control its agenda. Meanwhile, the recent "backgrounder" memorandum for the committee referenced the idea that the "FTC is seeking expanded regulatory authorities that were rejected by Republicans (and Congress as a whole) last year," and noted that "[m]any industries are concerned with the direction of the FTC’s regulatory priorities."

One area where legislative action in the Internet arena may achieve some results actually would decrease privacy protection. The Justice Department, together with the International Association of Chiefs of Police, supported the creation of a "uniform data retention mandate," for Internet Service Providers ("ISPs") at least. The measure would require ISPs to store Internet protocol address information concerning users, for at least two years. The law enforcement justification for the measure is to facilitate investigations of Internet child pornography and other crimes, which may be frustrated by lack of data.

The Bush Justice Department supported a similar measure, and Rep. Lamar Smith (R-Tex.) previously introduced a bill to implement the minimum data retention requirement. Rep. Smith became Chair of the House Judiciary Committee after the 2010 mid-term elections, and promptly conducted an initial hearing on the data retention proposal. At the hearing, an ISP industry representative expressed concern about the burdens of building databases to store such records. Rep. F. James Sensenbrenner (R-Wisc.), Chair of the Judiciary Subcommittee on Crime, Terrorism, and Homeland Security, observed at the hearing that Congress would use a "carrot and stick" to ensure that law enforcement needs are met. Rep. Sensenbrenner told the industry representative: "Try to bring your industry together to deal with this problem on a largely voluntary basis. If you aren’t a good rabbit and don’t start eating the carrot, we’re all going to be throwing the stick at you." In a separate statement, Rep. Sensenbrenner indicated: "I think there’s a desire on the part of both the administration and Congress to legislate in this area."

Significantly (in the other direction), the Obama administration recently suggested the creation of a "universal Internet identification," to help improve Internet security. The system, to be facilitated by the Commerce Department, would be implemented on a voluntary basis. Conservative commentators, however, suggested that the proposal could be the start of increased regulation of the Internet, leading to a "chokehold" on anonymity and (as a result) free speech. Ironically, the Center for Democracy and Technology joined in the view that a government-created Internet identity system "wouldn’t be trusted." Conservative critics, moreover, pointed to the Wikileaks controversy, and noted that "a government [that] cannot protect [its] own classified documents" cannot be trusted to create an online central database of Internet users. More moderate commentators suggested that the proposal was a "solution in search of a problem," in that the free market, through self-regulation and innovation, could create a nearly-identical system.

Congressional politics on privacy thus reflects the generally schizophrenic state of American attitudes toward privacy and government intervention. Historically, Americans have greatly valued their privacy, and worried about the consequences of technology as a means to invade the personal sanctum. The famous 1890 Warren & Brandeis article on "The Right To Privacy," in the Harvard Law Review, responded to then-recent "inventions and business methods," including instant photography and the telephone, which "threaten[ed] to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’" Yet, today, we have created a culture where 24/7, instant access communication and information gathering are the norm. Ubiquitous use of social media, moreover, has encouraged sharing (perhaps over-sharing) of personal information, and the convenience of online shopping is a universal fact of life. For regulators and legislators, the question becomes: can we (and should we) attempt to shape these cultural and technological developments through government processes? Political answers to that question range across the spectrum of national interests: concern for individual liberties, concern for jobs and the economy, and concern for national security and public order. The answers also depend on views toward the role of government itself: last resort when self-regulation and the market do not work, facilitator and coordinator of national policy, or essential bulwark against invasion of personal freedoms. Conflicts in these views readily appear in nearly every debate about American privacy policy. Those debates, no doubt, will continue over the next few years.

Steven C. Bennett is a partner in the New York City offices of Jones Day, and Chair of the Firm’s Ediscovery Committee. He teaches Electronic Discovery at New York Law School and Conflicts of Law at Hofstra Law School. The views expressed are solely those of the author, and should not be attributed to the author’s firm, or its clients.