Copyright 2000 Federal News Service, Inc.  
Federal News Service


May 18, 2000, Thursday

SECTION: PREPARED TESTIMONY

LENGTH: 3270 words

HEADLINE: PREPARED TESTIMONY OF JOEL R. REIDENBERG PROFESSOR OF LAW AND DIRECTOR OF THE GRADUATE PROGRAM FORDHAM UNIVERSITY SCHOOL OF LAW
 
BEFORE THE HOUSE COMMITTEE ON THE JUDICIARY SUBCOMMITTEE ON COURTS AND INTELLECTUAL PROPERTY
 
SUBJECT - PRIVACY AND ELECTRONIC COMMERCE

BODY:
Summary

In 1977, the U.S. Privacy Protection Study Commission reported to Congress that "neither law nor technology now gives an individual the tools to protect his legitimate interests in the records organizations keep about him." Sadly, more than twenty years later, the Commission's conclusion remains equally true today despite the rhetoric of self-regulation, technological mechanisms and sectoral rights. But, electronic communications make the stakes much higher for American citizens and the future of our democracy.

Data stalking and information trafficking are routine in the United States. Technologies of surveillance, data creep and commercial profiling create widespread abuse of American citizens' right to privacy in personal information. Existing legal rights do not come close to protecting citizens against offensive data practices.

Self-regulation and technical mechanisms are an inadequate substitute for legal rights. In a democracy, privacy is a basic political right that cannot be sold out in the marketplace. In the absence of legal standards, the history of the development and deployment of technical mechanisms does not demonstrate conformity to fair information practices. The failure to assure citizen privacy in America places the United States at odds with the rest of the world and jeopardizes US commercial interests in global data flows. My recommendations are:

1. Congress should grant U.S. citizens a right to information privacy by enacting the internationally acclaimed OECD Guidelines as a legal mandate with minimum statutory damages for violations.

2. Congress should establish a U.S. Privacy Commission to promote fair information practices in the United States, offer industry a mechanism to obtain assurances of compliance with statutory rights, and represent the interests of the United States at international policy-making bodies.

**************

Mr. Chairman and Members of the Committee,

I would like to thank you for the invitation to testify and to commend you for convening this oversight hearing on privacy and electronic communications. My name is Joel Reidenberg. I teach information technology law courses, including data privacy law, at Fordham University School of Law and also serve as the Director of the law school's Graduate Program. I appear today as a scholar on data privacy law and policy and do not represent the views of any organization with which I hold affiliations.

My testimony will focus on the lack of citizen privacy in America today and will offer recommendations for legislative action that draw on my research concerning online privacy issues.

In 1977, after three years of Congressionally mandated study, the U.S. Privacy Protection Study Commission reported back to Congress that "neither law nor technology now gives an individual the tools to protect his legitimate interests in the records organizations keep about him." Sadly, more than twenty years later, the Commission's conclusion remains equally true today despite the rhetoric of self-regulation, technological mechanisms and sectoral rights. Specifically, I would like to make four points:

1. Data stalking and information trafficking have become the norm in the United States.

2. Self-regulation and technical mechanisms are inadequate to protect the inherently political right of citizens to informational privacy.

3. Congress should enact the internationally acclaimed OECD Guidelines as a legal standard and provide minimum statutory damages for misuse of personal information.

4. Congress should create an independent Data Protection Commission that promotes fair information practices in the United States, offers industry a mechanism to obtain assurances of compliance with statutory obligations, and represents the interests of the United States at international privacy policy-making bodies.

Data Stalking and Information Trafficking in the United States

First, the state of Americans' data privacy is appalling. Data stalking and information trafficking have become the norm in the United States. Within the last eighteen months, Americans have been horrified to learn of Intel's plan to impose a hidden digital fingerprint for the users of every Pentium III chip, of Microsoft's equivalent to a digital social security number secretly emblazoned on files, of DoubleClick's surprise matching of off-line data with hidden collections of online data, and of RealNetwork's surveillance of music listeners. Despite these public scandals, even now, the current version of Microsoft's Internet Explorer (Version 5.0) comes equipped with default settings that facilitate hidden surveillance of users and the current version of Netscape Communicator (Version 4.72) reports back to Netscape every time a user reads Messenger email. In effect, the tendency in the United States is to develop technology that increases data collection and decreases the transparency to citizens of such monitoring.

As a result of increased computing and communications power, previously unimaginable profiles of citizens are now readily available on the Internet. For example, Venture Direct, a New York based company, sells a list of fat black women who are offered as targets for self-improvement products. Not to be outdone, Acxiom, a company unknown to the public at large, but holding dossiers on 160 million Americans boasted of its "new ethnic system .... identifying individuals who may speak their native language, but do not think in that manner." Unless I am missing something, Acxiom is essentially offering a list of ethnic Americans who "speak foreign," but "think white." Within weeks of my publicizing this outrageous example at the National Association of Attorneys General last September, Acxiom removed its full data catalog from the company's web. Now, the site merely offers "specialty lists" with a specific mention of the Hispanic market and declines to state clearly that those on the list can even learn of the existence of their profile.

These egregious practices in the business community are just a few examples that offend common decency and represent invidious stereotyping. While industry lobbyists like to say that such practices have not resulted in economic loss to individuals, this argument seriously misconstrues the harm to society from the loss of faith and confidence in the fairness of information practices. The very misuse of personal information is a harm to the individual citizen that calls for redress.

Existing legal rights in the United States simply do not respond to abusive data practices and the need for sanctions against the misuse of personal information. American law is sporadic, confused and wholly inadequate to protect citizens in the face of privacy-invasive technical advances and pervasive online commercial surveillance. The principal statutes protecting Americans' privacy in the context of electronic communications have simply not kept pace with private sector information processing developments. The Electronic Communications Privacy Act, the Telecommunications Act of 1996, the Cable Communications Policy Act of 1982, and the Video Privacy Protection Act each contain narrow data privacy provisions that do not cover the vast array of online activities. Indeed, Congress has granted drug abusers greater privacy protection than lawful users of the Internet. Even the recent lawsuits filed across the country in several of the more prominent data scandal cases are forced to rely on deceptive trade practice theories since basic privacy rights are not clearly established in either the common law or statute.

Inadequacy of Self-Regulation and Technological Mechanisms to Protect Privacy

As U.S. industry moved into the business of information trafficking, American public policy decisions continually deferred to industry self-regulation and technological mechanisms for fair information practices. The history of industry self-regulation and technological privacy, however, demonstrates that these mechanisms have not and will not provide effective protection for citizens. These non-regulatory solutions may have been promoted with the best intentions of industry and, most recently, of the Clinton Administration. But self-regulation and technical tools have proven to be little more than public relations and the avoidance of meaningful information privacy for citizens.

Privacy rights mark the boundary between totalitarian and democratic governance. Privacy is central to our freedom of association and our ability to define ourselves in society. These are basic political rights in a democracy and a fundamental American value. In contrast to the political nature of privacy, self-regulation assumes that all privacy values can and should be resolved by a marketplace. Democratic societies do not, however, typically sell off the political rights of citizens. Indeed, Article 1, Section 1 of the California state constitution was amended by referendum to include express protection for privacy and to apply that protection against business gathering and use of personal information.

Reliance on self-regulation is not an appropriate mechanism to achieve the protection of basic political rights. Self-regulation in the United States reduces privacy protection to an uncertain regime of notice and choice. As a set of privacy principles, this misses key elements of the package of universally recognized fair information practice principles such as data minimization, data access, and storage limitations. Self-regulation also enables data collectors to change the rules after the data has been collected from individuals. As a practical matter, most web privacy notices are nothing more than confusing nonsense for the average American citizen. Policies are often found only through obscure links buried at the bottom of a web page and are routinely made 'subject to change.' Once found, USA Today reports that a linguistic analysis of the policies of 10 major sites affected by data scandals shows that readers will not be able to understand the privacy statements without a college education and many could not be understood without a post-graduate education. In fact, privacy policies are practically impossible to draft at a reading level that most Americans can comprehend. Self-regulation, thus, denies the average American citizen an opportunity to make informed choices and reserves privacy for the nation's college educated citizens.

The seal programs are not a substitute for clear independent legal recourse. Seals, at best, offer an incomplete response to the misuse of personal information. Seal programs are inconsistent on the substantive privacy standards that web sites should apply to personal information. Programs such as Truste omit key fair information practice standards from the minimum requirements of certification such as mandatory access to stored personal information. With the rare exception of the ESRB, seal programs do not require as a condition for certification that damage remedies be granted to the victims of information misuse. Seal programs are also unlikely to cover the vast majority of web sites. The two major seal programs, BBBOnline and Truste, collectively certify a minuscule fraction of American web sites. Major sites such as Amazon.com do not even appear to participate.

Furthermore, seal programs narrowly restrict the scope of their certifications in ways that defy reasonable expectations of privacy. For example, Truste only certifies sites with respect to the information that "is used to identify, contact, or locate a person." Yet, Business Week reports that sixty-three percent of Internet users were uncomfortable with web sites tracking their movements even though the sites did not tie the surveillance data with a user's name or real world identity. Seal programs tend only to apply to the collection of data during specific, narrowly defined interactions such as those with web sites. As a result, major data scandals involving Truste licensees such as Intel, Microsoft and RealNetwork turned out to be outside the scope of Truste's certification.

Just as self-regulation and seal programs are flawed, the promise of technology does not work by itself either. In a society where the typical citizen cannot figure out how to program a VCR, how can we legitimately expect the American public to understand the privacy implications of dynamic HTML, web bugs, cookies and log files? The commercial models, however, are predicated on "personalization" and "customization" using these technologies.

Technologies are not policy neutral. Technical decisions make privacy rules and, more often than not, these rules are privacy invasive. For technology to provide effective privacy protection, three conditions must be met: (1) technology respecting fair information practices must exist; (2) these technologies must be deployed and (3) the implementation of these technologies must have a privacy protecting default configuration.

The marketplace alone does not rise to these three conditions. One of the most celebrated technologies, P3P, has been on the drawing board since 1996. Indeed, pressure from European legal requirements was instrumental in moving the standard forward and in affecting the substantive privacy provisions. But, the standard is still only a proposal. Even if the standard is finalized this year, P3P will be useless unless incorporated in web browsers and widely adopted by web sites. And, even if P3P is incorporated in web browsers and widely adopted by web sites, the default configurations may still be set as a privacy-invasive implementation. And even if the default configurations are set to afford maximum privacy protection, P3P offers no means to assure that the practices of web sites actually conform to stated standards. To paraphrase Justice Potter Stewart, "I do not know it when I cannot see it."

Average citizens are in no position to make judgments about the impact of these technologies on their privacy. Despite the widespread press reports about "cookies" technology and the routine deployment by web sites to track site visitors, only 40% of computer users had ever heard of a "cookie" and only 30% of computer users recognize that a cookie is used to track online habits.

In short, self-regulation and technology will not be adequate to assure the public's right to privacy.

Enactment of the OECD Guidelines and Minimum Statutory Damages for Misuse of Personal Information

Congress needs to enact comprehensive legal rights for data privacy. Americans deserve a baseline of data privacy protection and our democracy requires a framework of consistent fair information practices across different types of uses of personal information and processing arrangements. The United States does not need to reinvent the wheel. The O.E.C.D. Guidelines on data privacy were inspired by the United States and endorsed by the United States. These internationally acclaimed Guidelines offer a full set of standards that provide for citizen protection while receiving praise for their sensitivity to business concerns. Congress should enact these principles as a legal standard and provide for minimum statutory damages in the event of violations. With basic rights and statutory damages, citizens will be able to vindicate their privacy without the need for intrusive government oversight.

The existence of a legal baseline in the United States will provide the necessary incentive to stimulate the rapid development and deployment of privacy-protective technologies. With legal accountability, industry will be unable to continue the current practices of data stalking and information trafficking and will have to implement fairly any new technologies that affect citizen privacy.

In the international economy, these legal rights are essential. The United States stands alone among industrialized democracies with its existing haphazard and weak data privacy rules. Although privacy began as an American concept at the end of the 19th Century with Warren and Brandeis' famous law review article, the United States has lost its leadership role in defining privacy at the start of the 21st Century. In contrast, the European Union through Directive 95/46/EC requires each of its member states to harmonize data protection rights for citizens at a high level with a complete set of legal standards. Other countries around the world including Australia, Canada and emerging economies in Latin America are turning to the European model of data privacy for guidance rather than the U.S. industry-driven model. Indeed, the World Trade Organization treaty expressly authorizes our trading partners to restrict data flows in order to protect the privacy of their citizenry. In the absence of stronger legal protection in the United States, US industry is vulnerable to data flow restrictions. The conflict with the European Union over trans-Atlantic data flows is a clear example. Despite the U.S. Department of Commerce's assertions, the safe harbor negotiated with the European Union for data flows to US companies is far from certain to resolve the issue. Whether Europe accepts the deal remains to be seen and there are significant questions about the legality of the deal on both sides of the Atlantic. At the national level in Europe, data protection agencies have expressed substantial opposition to the safe harbor and they will still have considerable latitude in dealing with the United States. Ironically, should the safe harbor become policy, US companies would commit to treating European data in the United States with greater privacy than they would be required to afford the data of US citizens.

Establishment of a Data Protection Commission

Lastly, Congress needs to establish a Data Protection Commission. The implementation of privacy principles in the dynamic and complex online environment requires expertise, independent judgment and constant vigilance across disciplines and existing agency jurisdictional boundary lines. While the Federal Trade Commission and Peter Swire at the OMB have exercised important roles recently in promoting data privacy, their institutional missions are too narrow for this function. An independent commission offers critical guidance since citizens may undervalue the interests of industry and society at large to information flows and industry will undervalue citizens' privacy.

The roles I propose for the Data Protection Commission are:

(1) to promote fair information practices in the United States through constant advice and publicity on privacy issues to Congress, industry and the public;

(2) to offer industry a mechanism to obtain assurances of compliance with statutory rights. Since the interpretation of any enacted data privacy rights will be context specific and may not provide sufficient certainty for industry, the Data Protection Commission should have the authority to issue safe harbor guidance like SEC no-action letters. Such approval would mean that specific practices conform to the legal obligations for the fair treatment of personal information. This safe harbor function should also allow the Data Protection Commission to approve technical protocols, default settings and implementations for their conformity to legal obligations; and

(3) to represent the interests of the United States at international policy-making bodies. At present, the United States is irregularly represented at critical meetings where international privacy issues and policies are set that affect global data flows.



END

LOAD-DATE: May 19, 2000
