Legal think tank suggests third-party “accountability agent” could certify and  jump start U.S. privacy rules

A trio of privacy lawyers has an idea for jump-starting a uniform privacy framework in the United States without waiting for Congress to act — form a nonprofit certification organization for creating and enforcing model privacy policies.  The idea appears to be similar in part to the work of the Information Trust Exchange Governing Association (ITEGA), publisher of this email blog.

The “Concept Proposal” is outlined by attorneys Markus Heyder, Sam Groga and Matthew Starr in an eight-page white paper published to the web on Sept. 26 without fanfare.  The three practice law at the Washington, D.C., office of Hunton Andrews Kurth LLP in what it calls its “Centre for Information Policy Leadership,” a corporate-member think tank.

“There is a lot of interest among our member companies,” Heyder told Privacy Beat this week. “We want to see if there is enough interest among federal government stakeholders and member companies to build a working group and develop this code.”

The nonprofit third-party organization would manage certifications “enabling enforcement or regulatory bodies with otherwise-limited investigative and enforcement resources to leverage certifying bodies’ review and monitoring of organizations’ compliance with the code.”  They term the third-party certifier an “accountability agent.”

Currently only California, Maine and Nevada have digital data-privacy laws in place, they say, and the European Union’s General Data Protection Regulation (GDPR) still lacks many implementing codes or certification requirements. The National Conference of State Legislatures tracks privacy proposals.

The lawyers  suggest a “multistate privacy interoperability code of conduct or certification” as a way small businesses coil more easily comply with diverse state privacy requirements. Emergence of and compliance with such a code could increase accountability, privacy protection and consumer trust, they write.

Noncompliance could ultimately be legislatively defined as an unfair or deceptive business practice and thus prosecuted by the U.S. Federal Trade Commission, they say.  They also suggest that fast development of such an interstate code could “mitigate the slow pace at which the GDPR codes and certifications are being developed” and serve as a model for them.