
[From RRE --Declan]
Date: Fri, 3 Oct 1997 14:18:57 -0400
From: Marc Rotenberg <rotenberg@epic.org>
Subject: EPIC Speech in Brussels
[...]
-------
"Data Protection in the United States: A Rising Tide?"
Marc Rotenberg, Electronic Privacy Information Center, Washington, DC
17 September 1997, 19th International Conference on Data Protection, Brussels, Belgium
Thank you, Mr. Chairman, ladies and gentlemen. I am grateful for the opportunity to be with you this morning.
I will speak today on behalf of consumers and users of the Internet in the United States. There are few issues of greater concern to us than the protection of privacy. You can read about this in our newspapers and our magazines. Privacy stories routinely appear on the front pages of national magazines and in the daily newspapers. In just the past few weeks stories about privacy have appeared in Time Magazine, the Washington Post and USA Today. So extensive is our discussion of privacy concerns that we even export the news of our problems. I found a story from the New York Times about the use of the Internet to collect detailed personal information on the front page of the International Herald Tribune that I purchased yesterday morning here in Brussels.
We believe that strong measures must be taken to protect personal privacy. You can see this in our responses to public polls. We have consistently expressed concern about the loss of privacy, and we have consistently shown support for new legislation to protect privacy.
We know that law is often an imperfect solution, but we are also firm believers in the rule of law. You will recognize this if you trace the development of privacy law in the United States over the twentieth century. You can see this if you understand that our country has always shown great regard for the right of privacy and expressed widespread concern when privacy was at risk.
So, when I say to you today that privacy is a great concern in the United States and that we need to do much more to protect it, I do so with the newspaper stories piled high, the polling numbers unambiguous, and with a respect for history that makes clear that few rights in American life are more greatly valued than the right to protect private life.
I will speak now to the three central issues that need to be addressed to build a bridge between the United States and Europe so that we can enter the information society together with mutual standards that protect the privacy rights of our citizens. The first issue concerns current attitudes of consumers in the United States and the current policies of government. The second concerns the shortcomings of self-regulation. My final point is two recommendations for how we should proceed.
First, it is clear that consumers and users of the Internet favor the passage of law to protect personal privacy. Professor Westin found this year that 58% of the American public want government to pass law to protect privacy now. And 24% said that government should formally recommend privacy standards. Only 15% favored letting groups develop voluntary privacy standards and government taking action only if real problems arise.
Professor Westin's results are consistent with other surveys of attitudes toward privacy in the United States. A 1991 poll conducted by Time Magazine found that 93% of the U.S. public felt that companies that sell personal information to others should be required to obtain explicit permission. And the most comprehensive poll of Internet users ever undertaken found that users of the Internet in the United States, on a 1 to 5 scale, said that the Internet needs new laws to protect privacy at a level of 3.8.
Public support for privacy legislation is clear.
Second, it is also clear that some political leaders favor the adoption of privacy law. While it is true that the White House has expressed the opinion that privacy legislation is unnecessary at this time, members of Congress are of a different opinion. Bills have been introduced in the House and the Senate that address a wide range of privacy issues. One bill would limit the disclosure of Social Security Numbers. Another bill would prohibit Internet Service Providers from disclosing customer information without consent. A third bill restricts the ability of direct marketers to sell information about young children. Several bills have been introduced to address public concern about unsolicited commercial email. Many other bills are also under consideration.
It is also clear that the United States is fully capable of enacting privacy laws to address public concern, particularly when new technologies threaten personal freedoms. In fact, we have passed several laws in a little over a decade that specifically target new technologies. Privacy protections for cable subscriber records were enacted in 1984. Electronic mail was covered in 1986. Video rental records gained protection in 1988. Even junk faxes and auto-dialers became subject to privacy legislation in 1991.
So, we must observe at this point that the view of some that the United States does not support passage of privacy legislation is not supported by the majority of people of the United States, many of our elected officials, or our recent history.
Much has been said in the last few months in support of self-regulation. Self-regulation has been offered as a privacy solution, a way to steer a course between government control and free market chaos. It is critical to look closely at the case for self-regulation.
First, it should be said that the current argument for self-regulation is based on a preference and not a principle. While much has been said about the "common philosophy" of the Administration's policy toward the Internet, it is quite clear, some would say painfully clear, that the Administration is prepared to regulate if the interest at stake is copyright or cryptography./1/
Second, self-regulation as an argument against privacy protection is hardly new in the United States. The direct marketing industry has argued for more than twenty years that it did not need privacy regulation. The result is that today Americans receive a flood of junkmail, more junkmail per capita than any other country in the world. Millions of Americans sign up for the Mail Preference Service to escape this onslaught, but there is no assurance that the privacy of these people will be protected. Professor Reidenberg and Professor Schwartz have shown in their study of data protection in the United States that the Mail Preference Service is ignored by about half the members of the Direct Marketing Association./2/
Self-regulation has also failed repeatedly in the last few years as trade groups and individual companies have been unwilling to uphold their own principles and their own contractual agreements. In 1991 the Direct Marketing Association failed to take action against the Lotus Marketplace product even though it plainly violated the industry's own guideline on the need to offer an effective opt-out. Similarly, the DMA failed to take any action against Metromail after the company turned a mailing list into a look-up service in violation of another DMA edict. Companies also appear unable to police themselves. America Online entered into a deal with a telemarketing firm even after it assured customers in its service agreement that it would not disclose telephone numbers to others. There are many other similar cases.
Consumer groups challenged these practices, and eventually changes were made. But this is hardly proof, as some proponents have claimed, that the self-regulatory approach is working.
The advocates for self-regulation have also redefined privacy in a way that is ultimately harmful to the interests of consumers. Instead of focusing on the obligations of the organizations that collect personal information to safeguard the information and use it only for appropriate purposes, the self-regulatory environment has produced numerous proposals that all share the common goal of extracting as much information from the individual as the individual can be coerced to give up by means of contract. A typical negotiation in an environment produced by P3 or OPS requires consumers to satisfy the information disclosure requirements of the business as a condition of gaining access to services.
As my colleague Professor Agre has observed, these relationships easily become asymmetric, with the organization having the greater power to control what information about itself is released while simultaneously obscuring the nature and scope of the information it has obtained about individuals.
Of course, one remains "free" to withhold consent and to therefore be denied admission to a web site, service from a web-based company, and many other opportunities in the Information Society regardless of whether a fair justification for the data collection is provided.
Simply stated, self-regulation elevates the principles of notice and consent to stratospheric heights and ignores virtually all other principles of privacy and data protection. It is, to borrow from the British philosopher Jeremy Bentham, "contracts on stilts."
This has been made clear by virtually all of the proposals in the United States that focus on obtaining consent. The most ironic of these was one recommendation earnestly made by a government official on this issue of children's privacy who proposed in place of legislative safeguards the use of biometric identifiers to ensure that a parent's consent to make use of a child's data for marketing purposes had in fact been obtained.
Self-regulation has also given rise to the emphasis on a multiplicity of privacy preferences. But whether individuals actually have such diverse privacy preferences, particularly in routine commercial transactions or in data gathering activity, remains to be seen. As Professor Agre notes, "particular importance should be paid to uniformity of protocols across different industries and applications, so that consumers are not overwhelmed by a pointless diversity of interfaces and contracts."/3/
He suggests that it will be particularly important to look at a broad range of criteria, "including ease of understanding, adequacy of notification, compliance with standards, contractual fairness and enforceability, appropriate choice of defaults, efficiency relative to the potential benefits, and integration with other means of privacy protection."
Self-regulation has a further problem: it provides a very limited view of the problems surrounding privacy protection. It focuses on the microeconomic relationship between buyer and seller and ignores the larger social questions of architecture and design. Should highway systems be designed with anonymous toll payment? Which technologies could facilitate commerce and protect privacy? What stand should governments take on the use of cryptography? Self-regulation provides no answers to these questions; it provides no mechanisms to find solutions.
Self-regulation has failed to work even in areas where public and industry support is overwhelming. The Center for Media Education found that, more than a year after the release of a widely publicized report on children's privacy, companies were continuing to collect personally identifiable information from children at their web sites without disclosing how the information will be used or who will have access to it, and without obtaining parental consent. As the CME concluded, "it is clear that industry self-regulation does not provide adequate protection for children's privacy."
It has been proposed that the Federal Trade Commission could enforce a self-regulatory privacy regime by prosecuting deceptive trade practices. But the FTC's ability to actually enforce privacy protection in this manner is highly suspect. First, the legal authority of the FTC under section 5 of the Federal Trade Commission Act typically requires a showing of "actual harm" to consumers. As those who have studied privacy law in the United States know, this will be a difficult test to satisfy. But even if this problem is overcome, one could well ask why the FTC, if it had such legal authority, pursued only one privacy case after two years of intense privacy investigation. And in the single case that the FTC investigated, the Commission issued an opinion only after the company had discontinued the challenged practice. There was no actual judgment against the firm or any sanction imposed. Finally, what expectation can there be that the FTC will pursue any privacy actions in the near future when the Commissioner responsible for privacy matters has now left the Commission? One can look to the Federal Trade Commission for the enforcement of privacy safeguards on the Internet, but you will see only an empty chair.
Finally, there is a significant legal objection to self-regulation as a means to protect consumer privacy in the United States: such an arrangement could be impermissible under anti-trust law. It is, as one commentator has noted, a violation of competition law for businesses in the same market to combine to set the terms of competition and then to enforce those terms on their competitors. Establishing industry-wide privacy standards could have exactly this consequence. Some commentators have suggested that it may be possible for such agreements to survive anti-trust scrutiny if the codes are sensibly designed and do not discourage competition. But drafting such a policy may not be so simple.
What happens, for example, if industry adopts a code based on an opt-out procedure and an innovative company, recognizing the need for a higher privacy standard, prefers to offer an opt-in procedure instead? If the industry association discourages the company from offering the higher standard, consumers would be harmed and an anti-trust action could result. Indeed, there is already anecdotal evidence that the marketing industry has engaged in just such practices. (Note that in this example a regulatory framework that established opt-out in law could still permit the innovative company to offer the opt-in procedure.)
What we realize now is that self-regulation provides neither the assurance of a legal right nor the innovation and competitive benefit of the marketplace. It is simply an answer to the question: how do we regulate without the government? This is not a path to privacy protection; it is not even privacy policy.
THE FUTURE
It seems to me surprising that we are unable today to resolve the privacy differences between Europe and the United States particularly as they concern the Internet. Both regions share a high regard for privacy and a long privacy tradition. Both regions seem eager for greater privacy safeguards. We know also that there is a convergence in the development of privacy standards around the globe./4/
But even more obviously, the Internet offers the ideal environment to establish uniform standards to protect personal privacy. This is clear to anyone who recognizes that the platform is consistent around the globe, that the protocols are consistent, and the customs surrounding commercial transactions off-line are surprisingly consistent: money buys products and services, the disclosure of one's address is necessary to receive delivery of goods, and the release of personal financial information may be necessary when credit is sought.
For the vast majority of transactions on the Internet, simple, predictable, uniform rules offer enormous benefits to consumers and businesses. It is clear what the goal is.
We must find a way forward. The Commission would have ample justification at this point if it decided to restrict certain data flows to the United States because of the absence of appropriate privacy safeguards. How can this point be disputed? Consumers in the United States know that we lack adequate privacy protection.
I think it is time to end what Colin Bennett has called "American Exceptionalism." There is little support in our public attitudes, law, or history for this stance. The United States should move quickly to establish a privacy agency, and then proceed to explore the application of the OECD Privacy Guidelines to the private sector. This useful framework provides a strong foundation for the development of technical means to protect privacy and the development of new privacy standards and legal safeguards. It is already found today in several US privacy laws and in the practices of many US companies.
I also propose today that the United States, Europe, and Asia join together to develop an international convention on privacy protection based on the OECD Guidelines. A simple framework of general goals combined with a consultative process that brings together a wide array of countries could help ensure that privacy standards are extended to all corners of the globe.
Only when we have established privacy standards and guidelines as strong as security standards and guidelines will users of advanced networked services have the trust and confidence to participate fully in the Information Society.
It is also my hope that in the process of working together toward a common goal that some of the current differences between the United States and Europe will diminish. There is too much at stake for consumers, and citizens, and users of the Internet to risk a clash of privacy rules.
We share a common interest in the protection of privacy. Let us go forward together and establish the policies that will launch the information economies of the next era while preserving the personal freedoms we cherish today.
I thank you for your attention.
NOTES
/1/ Framework for Electronic Commerce (1997).
/2/ Paul M. Schwartz and Joel R. Reidenberg, Data Privacy Law (New York: Michie, 1996).
/3/ Philip E. Agre and Marc Rotenberg, eds., Technology and Privacy: The New Landscape (Cambridge and London: MIT Press, 1997).
/4/ Colin J. Bennett, Regulating Privacy (Ithaca: Cornell Press, 1992).