[Page: S11777]---
Mr. LEAHY. Mr. President, I rise today, as Chairman of the Senate Democratic Privacy Task Force, to speak about the privacy rights of all American citizens and the failure of this Congress to address the important issues threatening these fundamental rights of the American people.
When he announced the creation of the Democratic Privacy Task Force earlier this year, the Senate Democratic Leader, Senator TOM DASCHLE, said, ``The issue of privacy touches virtually every American, often in extremely personal ways. Whether it is bank records or medical files or Internet activities, Americans have a right to expect that personal matters will be kept private.'' Yet, our laws have not kept pace with sweeping technological changes, putting at risk some of our most sensitive, private matters, which may be stored in computer databases that are available for sale to the highest bidder. As Senator DASCHLE stated, ``That is wrong, it's dangerous, and it has to stop.''
In leading the Democratic Privacy Task Force, I took this charge to heart and determined that an important first step in formulating workable and effective privacy safeguards was to make sure we understood the scope of the problem, both domestically and internationally, the status of industry self-regulatory efforts and the need for legislative solutions. At the announcement of the Privacy Task Force, I noted that we would focus on Internet, financial and medical records privacy, explaining that, ``It is important to come to grips with the erosion of our privacy rights before it becomes too late to get them back. We need to consider a variety of solutions, including technological one, and we need to look at the appropriate roles for private as well as public policy answers.''
To this end, the Senate Democratic Privacy Task Force sponsored several member meetings and briefings on administrative steps underway in the Clinton-Gore Administration to protect people's privacy, industry self-regulatory efforts, and other specific privacy issues. These meetings included a discussion with White House privacy experts Peter Swire, Chief Counselor for Privacy at the Office of Management and Budget, and Sally Katzen, Counselor to the Director at the Office of Management and Budget, on the status of multilateral negotiations on implementation of the EU Privacy Directive and the effects on U.S. business. At another meeting, officials from OMB and the Department of Treasury described financial privacy issues. Yet another meeting provided a public forum for industry executives representing various seal programs to describe the successes and pitfalls of internet privacy self-regulatory activities. These task force meetings focused on relevant and pressing issues affecting consumer privacy in this country, prompting many Democratic members to look at legislative solutions.
Democrats have worked to enhance consumer privacy protections through the introduction of several legislative proposals--some with bipartisan support-- regarding medical, financial, and online privacy and identity theft. Democratic Senators who have sponsored privacy legislation this Congress include, Senators BOXER, BREAUX, BRYAN, BYRD, CLELAND, DASCHLE, DORGAN, DODD, DURBIN, EDWARDS, FEINSTEIN, FEINGOLD, HARKIN, HOLLINGS, INOUYE, JOHNSON, KENNEDY, KERRY, KOHL, LAUTENBERG, MIKULSKI, MURRAY, ROBB, ROCKEFELLER, SARBANES, SCHUMER, TORRICELLI, and WELLSTONE.
Despite the best efforts of Democratic Senators to heed the public call for greater privacy protection and to bring privacy issues to the forefront of our legislative agenda, the Republican majority has failed to bring all sides and stakeholders together to craft workable and effective safeguards in any of the areas where privacy rights are most at risk, namely, for internet activities, medical records or financial information.
During this Congress, for example, instead of focusing on ways to enhance privacy safeguards, the largest number of hearings (thirteen) and innumerable briefings held by the Senate Judiciary Committee or its subcommittees were directed at dissecting the manner in which the Department of Justice handled the investigation and prosecution of certain cases involving national security-related information and campaign financing. In the eyes of some members, the convictions obtained were proof of success, and in the eyes of others they were not. In our next Congress, it is my hope that we will not be distracted by such partisan pursuits, but that our time will be better spent on crafting privacy legislation that will make a real difference in the lives of every American. This is no easy task and will require both hard work and the commitment of member and staff time, but the next Congress should not shy away from this important issue, as has this one.
The right to privacy is a personal and fundamental right protected by the Constitution of the United States. The digitalization of information and the explosion in the growth of computing and electronic networking offer tremendous potential benefits to the way Americans live, work, conduct commerce, and interact with their government. Yet, new technologies, new communications media, and new business services created with the best of intentions and highest of expectations challenge our ability to keep our lives to ourselves, and to live, work and think without having personal information about us collected and disseminated without our knowledge or consent. Indeed, personal information has become a valuable and widely traded commodity by both government and private sector entities, which may used the information for purposes entirely unrelated to its initial collection. Moreover, this information may be stolen, sold or mishandled and find its way into the wrong hands with the push of a button or click of a mouse.
The American people are becoming more aware of this problem and are growing increasingly concerned with expanding encroachments on their personal privacy. American consumers are demanding better privacy protection and simply avoiding those markets perceived to pose the most risk to privacy interests.
New technologies bring with them new opportunities, both for the businesses that develop and market them, and for consumers. It does not do anyone any good for consumers to hesitate to use any particular technology because they have concerns over privacy.
[Page: S11778]
help bolster consumer confidence by putting in place the appropriate legislative privacy safeguards. Let me outline some of the areas in which I have introduced privacy legislation and will continue to work for constructive solutions.
While many emerging technologies challenge privacy protection, the greatest modern threat may be found online. Concerns over the privacy of online interaction easily dominate both the media and the public. The American public has a number of concerns when they go online. They worry whether their privacy will be protected, whether a damaging computer virus will attack their computer, whether a computer hacker will steal their personal information, adopt their identity and wreak havoc with their credit, whether their kids will meet a sexual predator and whether government or private sector entities are surreptitiously monitoring their online activities and communications.
Unfortunately, these concerns are merited, and will continue to increase as online technology evolves. As the recent popularity of peer-to-peer sharing software, used in the Napster service, demonstrates, the way in which people use the personal computer is changing. Increasingly, personal information, such as diaries, finances, and schedules, will not be stored on hard drives, but instead on Internet-based files. Combined with the reality that a substantial amount of our information is being carried over the ``Wireless Web,'' access to our personal information--by private and by public snoopers--is also growing exponentially.
I proposed S. 854, the Electronic Rights for the 21st Century Act or the E-Rights bill, to address these concerns. This legislation would have modified the blanket exception in current law allowing electronic communications service providers to disclose a record or other information pertaining to a subscriber to any non-governmental entity for any purpose or use. Due to this exemption, ISPs and OSPs may sell their subscriber lists or track the online movements of their subscribers and sell that information--all without the subscribers' knowledge or consent. The E-RIGHTS Act would have cut back on this exemption by requiring ISPs to give subscribers an opportunity to prohibit disclosure of their personal information and enumerating the situation in which the information may be used or disclosed without subscriber approval. Serious consideration of this proposal would have provided a constructive basis for discussion of online privacy, a discussion that has been postponed until the next Congress.
Enhanced privacy protection for confidential information held by bankrupt firms is necessary. Internet users are often promised basic privacy protection, only to have their expectations disappointed and their personal information put up for sale or disseminated in ways to which they never consented. Sadly, expectations and assumptions are not always safe online. For example, Toysmart.com, an online toy store, recently filed for bankruptcy and its databases and customer lists were put up for sale as part of the liquidation of the firm's assets. This personal customer information was put on the auction block even though Toysmart.com's privacy statement promised that ``[w]hen you register with toysmart.com, you can rest assured that your information will never be shared with a third party.''
The Toysmart.com situation exemplifies the need for our privacy laws to recognize the dangers online services pose and to keep pace with the Internet's increased usage and ever evolving technology. I introduced, along with Senators TORRICELLI, KOHL and DURBIN, S. 2758, ``The Privacy Policy Enforcement in Bankruptcy Act of 2000'' specifically to address the problems created by Toysmart.com. Currently, the customer databases of failed Internet firms can be sold during bankruptcy, even in violation of the firm's stated privacy policy. This is unacceptable. The Act would prohibit the sale of personally identifiable information held by a failed business if the sale or disclosure of the personal information would violate the privacy policy of the debtor in effect when the personal information was collected, providing at least a modicum of protection for privacy rights online. It was my hope that the majority would support this legislation and effect swift passage so that we could at least make some progress in the protection of important privacy rights. Unfortunately the majority has chosen to ignore this legislation, along with other numerous privacy initiatives, with the consequence that is has gone nowhere.
Enhanced privacy protection from unreasonable government searches and surveillance is another area that requires attention. Internet users are concerned about whether their privacy rights are threatened by prodding surveillance technology, as demonstrated by the public outcry over the ``Carnivore'' program. Carnivore is used by the Federal Bureau of Investigation to monitor the Internet activity of suspected criminals and is completely undetectable as it intercepts the suspect's email, web, and chat-room activity. Fortunately, the ``Carnivore'' program is capable of filtering protected or unnecessary information from that which should be intercepted. Nevertheless, concerns persist over the capabilities represented by this electronic surveillance technology and its potential invasiveness.
The E-RIGHTS Act, S. 854, which I introduced in April, 1999, contains a number of provisions designed to update our fourth amendment rights in the face of technological advances and new surveillance technologies. This legislation enhances privacy protections in several areas by strengthening procedures for law enforcement access to private information stored on Internet networks, location information for cellular telephones, decryption assistance for encrypted intercepted communications and stored data, communications occurring over conference calls when the target of a wiretap order has dropped off the call, and information obtained under pen register and trap and trace orders. Once again, no action was taken on this legislation despite my continued efforts to urge the Judiciary Committee to take it up.
Just as the widespread dissemination of personal information through online services deserves Congressional attention, the rapid expansion of the financial services industry requires affirmative action to protect private, financial information. In November 1999, President Clinton signed into law the landmark Financial Modernization Act of 1999, which updated our financial laws and opened up the financial services industry to become more competitive, both at home and abroad. I supported this legislation because I believed it would benefit businesses and consumers. It makes it easier for banking, securities, and insurance firms to consolidate their services, cut expenses and offer more products at a lower cost to all. But it also raises new concerns about our financial privacy.
In the financial services industry, conglomerates are offering a wide variety of services, each of which requires a customer to provide financial, medical or other personal information. And nothing in the law prevents subsidiaries within the conglomerate from sharing this information for uses other than the use the customer thought he or she was providing it for. In fact, under current Federal law, a financial institution can sell, share, or publish savings account balances, certificates of deposit maturity dates and balances, stock and mutual fund purchases and sales, life insurance payouts and health insurance claims.
As President Clinton recently warned: ``Although consumers put a great value on privacy of their financial records, our laws have not caught up to technological developments that make it possible and potentially profitable for companies to share financial data in new ways. Consumers who undergo physical exams to obtain insurance, for example, should not have to fear the information will be used to lower their credit card limits or deny them mortgages.'' I strongly agree.
Senators BOXER, BRYAN, DURBIN, FEINGOLD, HARKIN, MIKULSKI and ROBB, and I introduced the Financial Information Privacy and Security Act of 1999, S. 1924, to give this Congress the historic opportunity to provide for the privacy of every American's personal financial information in the wake of
[Page: S11779]
In addition, the bill would have provided individuals the civil right of action to enforce their financial privacy rights and to recover punitive damages, reasonable attorneys fees, and other litigation costs. Privacy rights must be enforceable in a court of law to be truly effective.
I also joined with Senators SARBANES, BRYAN, DODD, DURBIN, EDWARDS, FEINSTEIN, HARKIN, KERRY and ROBB to introduce the Financial Information Privacy Protection Act of 2000, S. 2513. This bill was the Clinton Administration's proposal to give consumers real control over the use and disclosure of their financial and health-related information held by financial institutions.
I had hoped that these efforts would be just the beginning of this Congress's efforts to address the many financial privacy issues raised by ultra competitive marketplaces in the information age. It is clear that Congress needs to update our privacy laws in the evolving financial services industry to protect the personal, confidential financial information of all American citizens.
Unfortunately, our Republican colleagues on the Senate Banking Committee did not feel the same way. This important financial privacy protection never saw the Senate floor, leaving confidential financial information disturbingly vulnerable.
Just as troubling as the rejection of financial information protections is this Congress' failure to establish safeguards for the privacy of medical records. Undoubtably, maintaining the confidentiality of medical records is of the utmost importance. Medical records contain the most intimate, sensitive information about a person. For the past three Congresses, I have introduced comprehensive medical privacy legislation. In March 1999, I introduced S. 573, the Medical Information Privacy and Security Act, with Senators KENNEDY, DASCHLE, DORGAN, INOUYE, JOHNSON, KERRY and WELLSTONE, to establish the first comprehensive federal medical privacy law. This bill would close the existing gaps in federal privacy laws to ensure the protection of personally identifiable health information. Sadly, this legislation has gone nowhere, like all medical privacy legislation this Congress.
In fact, Congress gave itself three years to establish medical records privacy legislation, but by the August 21, 1999 deadline, comprehensive medical records privacy rules did not exist. Instead the Department of Health and Human Services, as directed by Congress, drafted its own version. These placeholder privacy rules are better than no rules at all, but in the long run, Congress--not a federal agency--should set the basic standards on medical privacy, so that different administrations do not keep reducing the protections. I had hoped that the administrative rule-making process may finally prod Congress into action on a full-fledged policy, but as this Congress nears its conclusion, my optimism is waning.
Even this past summer, when the Senate had an opportunity to protect the privacy of genetic information, it failed to do so. Senator DASCHLE introduced an amendment, which I supported, to the FY 2001 Labor HHS Appropriations bill that would have protected private genetic information from insurance companies and employers using such information to discriminate against individuals or raise insurance premiums. The Senate failed to adopt the amendment and failed, once again, to protect essential privacy rights.
Congress has spent too long defining the problem instead of fixing it. We have not moved tangibly toward solutions in the six years since I convened the first hearings on technology and medical records in 1993. Since then a number of bills have been introduced--by myself and others--but we have been unable to get the attention of the majority to move this legislation.
In 1996 we tried to include medical privacy protections in the Health Insurance Portability and Accountability Act of 1996, HIPAA. Majority Leader Bob Dole at the time agreed with us that ``a compromise of privacy'' that sends information about health and treatment to a national data bank, without a person's approval, would be something that none of us would accept. What we settled for in 1996 was a provision requiring Congress to enact medical privacy legislation by August 21 of 1999. If the deadline was not met, which it was not, the Administration then would be required to issue regulations by February 21, 2000, to protect the privacy of electronic records, but not paper-based medical records. This is the current, pitiful state of medical records privacy protection and it is clearly unacceptable.
The inexcusable failure to provide comprehensive medical records privacy for three-years and the obstruction of the Financial Information Privacy Act of 1999 are just two examples of this Congress' failure to affirmatively and aggressively protect the fundamental privacy rights of American citizens.
I regret that this Republican-led Congress has not chosen to act on even one of the multiple legislative proposals protecting consumer privacy during the 106th Congress. It is my hope that we put partisan politics aside in the 107th Congress and take a hard look at how we can and should protect the fundamental right of privacy in the 21st Century. As each day passes, new financial services, new online services, and new medical data bases are taking shape and institutional practices employing these new technologies are taking root. Unless we decide that privacy is worth protecting--and soon--the erosion of our privacy rights will become irreversible.
END