NIST Begins Developing a Voluntary Online Privacy Framework

NIST Begins Developing a Voluntary Online Privacy Framework
Friday, November 2, 2018

The Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced in early September intention to create a Privacy Framework.  This Privacy Framework would provide voluntary guidelines that assist organizations in managing privacy risks.  The NIST announcement recognized that the Privacy Framework is timely because disruptive technologies, such as artificial intelligence and the internet of things, not only enhance convenience, growth, and productivity, but also require more complex networking environments and massive amounts of data.

Building on the success of the NIST Cybersecurity Framework, the Privacy Framework is meant to be a transparent, enterprise-level tool that helps organizations prioritize resources and strategies in order to create flexible, risk-based privacy solutions.  Deliberations between industry, civil society groups, academic institutions, federal, state, and local government entities, standard-setting organizations, and others kicked off with a workshop in Austin, Texas on October 16th, which set the stage by examining how organizations currently manage privacy risks, identifying where the challenges lie, and determining how the Privacy Framework can help organizations meet such challenges.

Shortly thereafter, on October 29, 2018, NIST Senior Privacy Policy Advisor Naomi Lefkovitz discussed the future of the Privacy Framework with a group convened by the American Bar Association’s Section of Science & Technology Law’s E-Privacy Committee.  During the discussion, Ms. Lefkovitz emphasized why a Privacy Framework is needed in addition to NIST’s existing, cyber-related frameworks.  Although good cybersecurity practices can help manage privacy risks by protecting people’s information, privacy risks also can arise from organizations’ authorized collection, storage, use, and sharing of information to meet their mission or business objectives.  If not effectively managed and communicated, privacy risks can have both individual and industry-wide consequences (such as failure to achieve societal acceptance of an otherwise useful technology due to lack of trust in the marketplace).

Ms. Lefkovitz stressed the benefits of the NIST Privacy Framework as it is currently imagined, including:

  • Risk-Based, Outcome-Based Approach: The NIST Privacy Framework incorporates a risk-based model that encourages self-evaluation by organizations. Specifically, the Framework is meant to enable organizations to determine what programs and protocols are appropriate for the organization based on the type, nature, and quantity of data collected.  In addition, because the model is framed around outcomes, rather than as a set of prescriptive requirements or a “check-the-box” exercise, the Privacy Framework will be more effective because it will be more tailored to the organization’s extent and scope of data collection, storage, use, and sharing
  • Avoids the Pitfalls of the GDPR: Ms. Lefkovitz noted that the Privacy Framework sidesteps some of what she believes to be major pitfalls of the GDPR.  For example, Ms. Lefkovitz believes that the GDPR inappropriately buckets activities and roles into separate categories (specifically, “processors” and “controllers”).  Ms. Lefkovitz explained that such distinctions are not pragmatic in the age of disruptive technologies, which often blurs the roles played by various data stakeholders. Unlike the GDPR, the Privacy Framework does not bucket activities or roles, but instead asks organizations to think through the type of data they collect and use, the risks involved with the data, and how to mitigate those risks through organizational controls.
  • May Reduce Compliance Burdens: The Privacy Framework emphasizes predictability, manageability, and disassociability in a way that allows businesses of all sizes and scales to adopt relevant and appropriate controls for their data practices.  Although this reduces some of the burden of scaling a risk management program for a smaller organization, Ms. Lefkovitz acknowledged that the model still requires a baseline level of risk management expertise in an organization to build and manage a program.

As an initial step, NIST is considering how it should structure the Framework in order to achieve its proposed minimum attributes, which include being consensus-driven, adaptable, non-prescriptive, and compatible with other privacy approaches.  Ms. Lefkovitz explained that the Framework may be structured around the information life cycle, objectives (such as compliance with applicable laws, or with the NIST privacy engineering objectives of predictability, manageability, and disassociability), principles such as the fair information practices principles (FIPPs), or a combination of sources.  In addition, NIST has asked stakeholders to consider whether certain, broadly applicable privacy practices should be included (such as de-identification, enabling user preferences, and providing users with a reliable understanding of how their information is being collected, stored, used, and shared).

NIST plans to use the input provided at the October 16th workshop to draft an annotated outline of the Privacy Framework, and is scheduled to host a Q&A-based webinar on the Framework on November 29th.  At the same time, the Department of Commerce’s National Telecommunications and Information Administration has put out a request for comment regarding its proposed federal consumer privacy framework that is meant to protect innovation.  Comments are due November 9, 2018.

© 2024 Covington & Burling LLP

Current Legal Analysis

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 3 Grant Square #141 Hinsdale, IL 60521  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC