CDD Calls on NTIA to Broaden the Scope of the Proposed Approach to Consumer Privacy - Privacy Self-Management Will Not Do It

CDD submits comments to The National Telecommunications and Information Administration On “Developing the Administration’s Approach to Consumer Privacy (link is external)”

CDD argues that

• - Focus on “outcomes” is good but
• - Outcomes as defined by NTIA are too narrow and must include a broader discussion on privacy harms. They must include
  • + identification harms (risks of identity theft, re-identification and sensitive inferences),
  • + discrimination harms (inequities in the distribution of benefits and risks of exclusion), as well as
  • + exploitation harms (personal data as commodity and risks to the vulnerable).
• - Legislation must not only achieve a reduction in privacy harms but must also ensure that “privacy benefits are fairly allocated”. Policy remedies must consider and be effective in addressing the inequities in the distribution of privacy benefits and harms.
• - NTIA’s list of desired outcomes of transparency, control, reasonable minimization, security, access and corrections, risk management, and accountability is a restatement of all-too-familiar privacy self-management paradigm. Privacy self-management alone is not enough as a policy solution.
• - Privacy is not an individual, commodified good that can and should be traded for other goods.
• - Legislation should focus less on data and more on outputs of data processing. So, instead of narrowing the scope of legislation to “personal data”, legislation must focus in on inferences, decisions and other data uses.
• - A risk-management approach must define risks broadly. NTIA should develop methodologies to assess the human rights, social, economic and ethical impacts of the use of algorithms in modern data processing.