Government and industry in the United States have started getting serious about privacy.
With the effective date of the European Union's directive on data protection getting closer, other nations have been working against an Oct. 31 deadline to convince the EU that the confidentiality and integrity of personal information are at least "adequately" observed by both government and business. The possible penalty for noncompliance is a shut-off of personal information, particularly transactional data, flowing from EU countries.
And beyond the transfer of specific data to the United States, the EU is likely to want assurances that personal information collected, used and disseminated through the Internet is also protected, regardless of whether the site owner is specifically doing business in EU countries. EU citizens have access to U.S.-based Web sites, and if those Web sites do not pass scrutiny, then European data commissioners may decide to take legal action.
The EU has been working on its data-protection directive for most of this decade, and the United States has tried to ignore it. When they realized the issue would not go away, both government and industry lauded the privacy laws already on the books, such as the Privacy Act of 1974, the Fair Credit Reporting Act, the Right to Financial Privacy Act and the Video Rental Protection Act. Yet they haven't acknowledged that a sectorial approach, while ameliorating some of the worst problems, also illustrates how silly some fixes can be. Vice President Al Gore recently complained that video-rental records are better protected than medical records. What Gore implicitly recognized is that political circumstances -- in the case of the Video Rental Protection Act, the unauthorized disclosure of Supreme Court nominee Robert Bork's video-rental records -- frequently lead to bad laws. Protecting the privacy of video rental records while refusing to protect the privacy of medical records shows Europeans and others interested in a seamless scheme of privacy protection just how random and ill-considered our patchwork really is.
To its credit, the Clinton administration has recognized the problem and has been willing to take more action than previous administrations. However, budget constraints have led the administration to place emphasis on a potpourri of small, inexpensive fixes, and the solution supported by the administration has been self-regulation -- let industry develop practices that will be acceptable to the Europeans and provide the flimsiest gloss of government oversight to patrol industry actions.
Some of the most concentrated action has been at the Federal Trade Commission (FTC), where Commissioner Christine Varney, well-connected to the White House, championed efforts to coerce industry into providing better privacy protections, using the FTC's authority to police unfair business practices as a cudgel. It didn't hurt that stories about potential large-scale commercial dissemination of personal information, such as Lexis-Nexis' P-Trac program, were announced and then quickly withdrawn under a barrage of public criticism.
The FTC investigated children's Web sites, examining issues surrounding the collection of personal information from children, particularly without parental consent. The commission's report indicated that privacy protection at such sites was abysmal, and it recommended some kind of congressional action. Gore this summer supported the FTC's call for legislation in this area. But the administration is still unwilling to recommend government regulation when it comes to adults. It has been clear that the government is giving business the benefit of every doubt in developing a feasible self-regulatory solution. Varney, who left the commission to return to private practice, is spearheading the Online Privacy Alliance, an industry group pledged to cover aspects of fair information practices on its Web sites.
Recently the alliance has added a feature that would provide a logo displayed by members, a kind of seal of approval indicating that the site met certain standards. So far, the idea of standardized logos has not caught on; Truste, a group offering a similar service, has signed up fewer companies than it would like, although some clients are major players in the electronic marketplace.
Strict Adherence Needed
Missing from the industry approach is any strict adherence to the code of fair information practices. Instead, industry has taken to picking and choosing which of the code's practices it will adopt. Critics have noted that this approach boils down to nothing more than initial choice. In other words, customers are given the choice to protect their personal information entirely by not participating at the site, or they can waive any privacy protections beyond those offered by the site and participate in transactions or data collections. Typically, the sites do not detail the restrictions that will be put on the use of the personal information collected. There is no right to correct inaccurate information and no legal remedy for the misuse of personal information.
Recently, both government and industry officials have criticized the EU directive whenever they've had the chance. U.S. Secretary of Commerce William Daley told a House committee this summer that the EU directive was the single most important issue threatening the development of worldwide electronic commerce. "This could have an impact on millions of transactions," he said. "It could have an impact on the free flow of information." However, he said at the time that he was optimistic that the United States would meet the October deadline.
Bob Wientzen, CEO of the Direct Marketing Association, whose industry stands to be particularly hurt by the EU directive, told an Australian audience, "We think the directives are entirely unnecessary and could hurt European business badly. Europeans can't afford to restrict trade like this and many businesses are telling their own governments that they have gone too far on this issue."
Can self-regulation work? If industry and government are serious about meeting the EU concept of "adequate protection," the goal could be achieved by serious self-regulation in which policies are based on an objective application of fair information practices. Consumers must have a right to legitimate privacy protection beyond merely opting out of the process altogether. If industry can provide dispute-resolution mechanisms that really work and are viewed as fair and dispassionate, then self-regulation might work. The trouble is that such proposals rarely, if ever, live up to their rhetoric. One of the most cogent criticisms of the self-regulatory approach appears in a report by the Irish Law Reform Committee concerning the ability of the press to regulate itself on matters of privacy: "We cannot agree that the interested parties who would normally be defendants to a court action should instead be allowed to judge for themselves ... complainant's legitimate expectations of privacy, whether these have been infringed and whether there is a countervailing justification for infringement based on the public interest." Can the foxes guard the hen house? It seems unlikely, but the short-term resolution of the problem presented by the EU directive appears to be heading in that direction.
Harry Hammitt is editor/publisher of Access Reports, a newsletter published in Lynchburg, Va., covering open-government laws and information-policy issues.