Subcommittee on Commerce, Trade, and Consumer Protection
September 24, 2002
09:00 AM
2322 Rayburn House Office Building
My name is Marc Rotenberg. I am the Executive Director of the Electronic
Privacy Information Center in Washington. I am on the faculty of Georgetown
University Law Center, where I have taught Information Privacy Law since 1990. I
am co-author of a forthcoming casebook with Professor Daniel J. Solove on Information
Privacy Law (Aspen Publishing). I have also recently been named chairman of
the American Bar Association Committee on Privacy and Information Protection,
though my comments today reflect only my views and not those of the ABA.
I appreciate the opportunity to testify before the Subcommittee today on
HR 4678, the "Consumer Privacy Protection Act of 2002." I am well aware of
the extensive work of the Subcommittee on privacy issues during this Congress.
Therefore it is with some misgivings that I say to you today that this bill will
have little support among consumer or privacy organizations, privacy experts, or
the general public.[1]
In many respects it seems crafted to protect privacy violators from legal
accountability. On almost every key provision it favors industry over the
consumer, the invasion of privacy over the protection of privacy. While it is
true that it is a sweeping measure in the sense that it applies to all data
collection organizations, both off-line and on-line, the intent appears to be to
insulate companies from any real accountability for what they might do with the
personal information they acquire. Given the important tradition in the United
States of safeguarding privacy as new technologies emerge, as well as the
testimony provided by several witnesses on the need to protect privacy going
forward, I can only hope that a better bill will be introduced in the future.
"Protection of Individual Privacy in Interstate Commerce"
(Title I)
The substantive provisions of the measure are set out in Title I. Simply
stated they require a company to adopt a privacy policy that can say virtually
anything and can be changed at any point in time to say anything else. Under
Title I of the Act, if a company states that it takes sensitive personal
information and puts it on the Internet for all to see, it will be in compliance
with the Consumer Privacy Protection Act. A company can adopt a policy that
states that it will zealously protect sensitive personal information, acquire
customer data, then change its mind, and post it on the Internet. It too will be
in compliance with the Consumer Privacy Protection Act.
There is an interesting section that attempts to limit the sale of
personal data to third parties, but this provision is easy to defeat by simply
offering the consumer a benefit, such as the service originally sought. A
companion provision that seeks to limit "other information practices" is
also almost meaningless because consumers will not have access to any relevant
information to make an informed decision and even if they go to the effort of
exercising this right, the company can exercise its right to "terminate its
compliance with the limitation" on thirty days notice. (This section might be
called the "Now you see it, now you don't" privacy provision.)
The Act would create policies for policies -- a form of bureaucratic red
tape for consumers -- without ever giving a consumer access to personal
information held by the company. Does a company have inaccurate information
about you? You'll never know. Does it discriminate against you because of
confusion about names, incorrect addresses, or bad information provided by a
third party? You'll have no idea. There is nothing in the bill that even
attempts to hold companies responsible for the accuracy of their information on
consumers.
The bill places enormous confidence in self-regulatory programs. It
imposes only the most modest obligations on these consulting firms. The generous
eight-year certification period for self-regulatory companies contrasts sharply
with the thirty days notice provided to consumers about material changes in
privacy policies permitted under the Act. This deference to self-regulation is
extraordinary, considering not only that Truste continued to approve Microsoft
even as its Passport service was found to violate the FTC Act, but also the
clear experience in these last few years of abuse stemming from industry
self-policing.
The Act noticeably creates no safeguards on disclosure of personally
identifiable information to law enforcement agencies. In other words,
individuals who provide information to businesses will have no protections
against fishing expeditions by the police. Virtually every other privacy law in
the United States sets out a Fourth Amendment standard to regulate police access
to personal information held by third parties. The purpose is not to prevent law
enforcement access or to frustrate criminal investigations, but rather to ensure
that when police go to a private business in search of information about
customers or clients they do so with something that approaches probable cause or
reasonable suspicion that a crime has been committed. Under the "Consumer
Privacy Protection Act" there will be no new safeguards established to protect
consumers from searches that might otherwise be overly broad, intrusive or
unlawful. Under this approach, video rental records will remain protected under
a 1988 Act, but there will be no similar protection for new services offered
over the Internet or the extensive record of purchases and interests collected
and maintained by Amazon.
The Act forcefully creates no private right of action. This goes far
beyond any reasonable concern about large damage awards. There are any number of
alternative approaches that would preserve a private right of action. It is
possible, for example, to allow individuals to go into small claims court and seek
relief as they do currently and effectively under the Telephone Consumer
Protection Act. Alternatively, the state attorneys general could be empowered to
enforce rights created by the federal statute as others have proposed, or damage
awards could be capped. The point is that there are many ways to make a private
right of action work.
The absence of a private right of action is all the more problematic
because as the bill is currently structured there are no procedural rights for
consumers who file complaints at the FTC nor are there any formal means of
reporting or appeal if the FTC fails to act on a complaint. What happens, for
example, if a drug company discloses the names of Prozac users on the Internet,
a complaint is filed, and the FTC chooses not to act? It is clear that the
company's action violates the FTC Act as the FTC has already found, but if the
Commission chooses, for whatever reason, not to pursue the complaint, that is
the end of the matter. This grants the agency unprecedented discretionary
authority.
Having constructed a bill that effectively provides no substantive rights
for consumers, the Act preempts states that are seeking to provide greater
protection to their citizens. It even preempts state common law which is an
extraordinary step for the Congress. Has this Committee concluded that there
should be no state remedies anywhere in the United States for breaches of
privacy committed by an organization that collects personal information? That
would be an extraordinary assault on both the common law and our federal form of
government.
International Provisions
The purpose of Title III is apparently to raise questions about the
enforcement of the Safe Harbor Arrangement and other international agreements
that the United States has pursued to support the protection of privacy. As
currently drafted, the section asks the Comptroller General to review these
various arrangements to determine whether such laws, regulations or agreements
"result in discriminatory treatment of United States entities."
Members of the Subcommittee should realize that the Safe Harbor
Arrangement addresses concerns that European governments have raised about
privacy protection for their own citizens. Safe Harbor came about to assist
US businesses who had complained that it would be difficult to comply with
privacy law in Europe. The concerns of European officials about US practices
have been substantiated in the United States by both state attorneys general and
the Federal Trade Commission. For example, European privacy officials raised
concerns that the Microsoft Passport service violated European law, but it was
ultimately the US Federal Trade Commission that found that Microsoft violated
Section 5 of the FTC Act. Earlier, European officials asked the Doubleclick
company to modify its Internet advertising practices to comply with European
privacy laws, but it was US officials who ultimately clamped down on the
company's plans for invasive profiling of Internet users.
Do we really want to be in the position of objecting to the efforts of
foreign governments to safeguard the privacy rights of their own citizens when
US officials have expressed similar concerns? This is not a wise or
forward-looking policy.
I'd also like to bring to the attention of the Committee the important
role that the United States has historically played in helping to enforce
international standards for privacy protection. The Department of State, under
both political parties, has supported the international human rights community
by monitoring compliance with the International Covenant of Civil and Political
Rights. The ICCPR includes a critical provision on unlawful surveillance and
police practices that threaten political freedom all around the world.
As the web site of the Department of State currently notes:
The protection of fundamental human rights was a
foundation stone in the establishment of the United States over 200 years ago.
Since then, a central goal of U.S. foreign policy has been the promotion of
respect for human rights, as embodied in the Universal Declaration of Human
Rights. The United States understands that the existence of human rights helps
secure the peace, deter aggression, promote the rule of law, combat crime and
corruption, strengthen democracies, and prevent humanitarian crises.[2]
Section 1, paragraph f in the annual report prepared by the State
Department addresses specifically "Arbitrary Interference With Privacy,
Family, Home, Correspondence." For example in the 2002 report on China, the
State Department notes that:
The Constitution states that the "freedom and
privacy of correspondence of citizens are protected by law." Despite legal
protections, authorities often do not respect the privacy of citizens in
practice. Although the law requires warrants before law enforcement officials
can search premises, this provision frequently has been ignored; moreover, the
Public Security Bureau and the Procuratorate can issue search warrants on their
own authority. Authorities monitor telephone conversations, facsimile
transmissions, e-mail, and Internet communications. Authorities also open and
censor domestic and international mail. The security services routinely monitor
and enter the residences and offices of persons dealing with foreigners to gain
access to computers, telephones, and fax machines. Government security organs
monitor and sometimes restrict contact between foreigners and citizens. All
major hotels have a sizable internal security presence.[3]
Now I agree that the United States should look more carefully at some of
the current international agreements that impact privacy, but the commercial
agreements such as Safe Harbor, which are intended to safeguard privacy and
facilitate trade, are the wrong place to start. I would urge the Comptroller
General to consider whether such proposals as the Council of Europe Cybercrime
Convention would violate the privacy rights of American citizens that would
otherwise be protected under US law and the US Constitution.[4]
That proposal, which some in the Administration continue to promote as if
it were national law, even though it has never been introduced in the Congress
let alone ratified by the United States, contains many provisions that deeply
implicate American Constitutional values.[5]
It is the Cybercrime Convention, not the Safe Harbor arrangement, that
poses a direct threat to the interests of the United States and American
citizens. It is that proposal that should be given careful scrutiny by the
Congress.
Conclusion
This has been a difficult year on the privacy front. The country faces
new challenges after September 11. Even so, many of us have been heartened by
the efforts of government officials to safeguard this essential American value.
A secretive federal court has spoken out against the misuse of the Foreign
Intelligence Surveillance Act. The House leadership has taken strong stands on
such issues as Carnivore, TIPS, and video surveillance. The White House has
indicated its reluctance to endorse a national identity card. The Federal Trade
Commission has issued important orders on Microsoft, Eli Lilly, and proposed a
new rule on telemarketing. The state attorneys general have acted to protect
consumers against egregious practices that have led to the disclosure of medical
records, financial information, and the misuse of student records.
Even the President's Critical Infrastructure Protection Board, charged
with safeguarding the nation against future terrorist threats said in the recent
report on the National Strategy to Secure Cyberspace:
The nation's Strategy must be consistent with the
core values of its open and democratic society. Accordingly, Americans must
expect government and industry to respect their privacy and protect it from
abuse. This respect for privacy is a source of our strength as a nation;
accordingly, one of the most important reasons for ensuring the integrity,
reliability, availability, and confidentiality of data in cyberspace is to
protect the privacy and civil liberties of Americans when they use -- or when
their personal information resides on -- cyber networks. To achieve this goal,
the National Strategy incorporates privacy principles -- not just in one section
of the Strategy, but in all facets. The overriding aim is to reach toward
solutions that both enhance security and protect privacy and civil liberties.[6]
This was an extraordinary statement coming from an organization tasked
with protecting the country from cyber warfare and future acts of terrorism.
Still, they seemed to leave little doubt that the protection of privacy could
not be sacrificed even as the country works to strengthen cybersecurity.
Certainly, there could be a similar commitment to protect privacy in less
critical circumstances.
Thank you for your attention. I would be pleased to answer your
questions.
[1]
The bill appears to ignore the testimony of every public interest
advocate appearing before the Subcommittee. My own testimony of June 21, 2001 advocated a system of rights
similar to the Cable Communications Policy Act of 1984, one that includes
notice, opt-in, access, and a private right of action. Ed Mierzwinski's testimony of April 3, 2002, on behalf of the US
Public Interest Research Group, called for a law that incorporated a system
of FIPs. Specifically, Mr. Mierzwinski's testimony called for collection limitations, comprehensive
notice, opt-in, guarantees of accuracy and security, no preemption, and a
private right of action. Frank Torres' testimony of April 3, 2001, on behalf
of Consumers Union, broadly outlined current problems in HIPAA and the GLBA.
Mr. Torres recommended comprehensive notice, full access and
correction rights, and opt-in consent. More than thirty organizations across
the political spectrum endorsed a set of principles at the beginning of this
Congress on which to base federal privacy legislation:
1. The Fair Information Practices: the right to notice,
consent, security, access, correction, use limitations, and redress when
information is improperly used,
2. Independent enforcement and oversight,
3. Promotion of genuine Privacy Enhancing Technologies
that limit the collection of personal information,
4. Legal restrictions on surveillance technologies such
as those used for locational tracking, video surveillance, electronic
profiling, and workplace monitoring, and
5. A solid foundation of federal privacy safeguards
that permit the private sector and states to implement supplementary
protections as needed.
Many good proposals from leading US academics were apparently also
ignored. Professor Joel Reidenberg, testifying on March 8, 2001, said that
the "United States is rapidly on the path to becoming the world's
leading privacy rogue nation." Reidenberg
recommended that the Congress promote the negotiation of a "General
Agreement on Information Privacy." As for public opinion, polls
consistently find strong support among Americans for privacy rights in law
to protect their personal information from government and commercial
entities. See EPIC, "Public Opinion and Privacy" (http://www.epic.org/privacy/survey/default.html)
[2]
Department of State, "Human Rights," http://www.state.gov/g/drl/hr/
(last visited September 21, 2002)
[3]
Department of State, "China (includes Hong Kong and Macau),"
http://www.state.gov/g/drl/rls/hrrpt/2001/eap/8289.htm
[4]
Council of Europe Committee of Ministers, 109th Sess, Convention on
Cyber-Crime (adopted Nov 8, 2001), available online at http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185.
[5]
See, e.g., id. Arts. 2-11 (requiring member country statutory
criminalization of offenses such as hacking, the production, sale or
distribution of hacking tools, and child pornography, and an expansion of
criminal liability for intellectual property violations. The treaty's intellectual property provisions significantly expand
criminal liability for intellectual property violations and tilt copyright
law away from the public interest: U.S.
intellectual property law contains a delicate balance between the rights of
intellectual property holders and the rights of the public through the First
Amendment and the law of "fair use" of copyrighted materials, but
the Cybercrime Convention criminalizes copyright infringement with no
mention of fair use); id. Arts 16-22 (requiring participating nations to
grant new powers of search and seizure to its law enforcement authorities,
including the power to force an ISP to preserve a citizen's internet usage
records or other data, and the power to monitor a citizen's online
activities in real time--while including no provisions to protect citizens'
privacy. In the United States,
the treaty requires the U.S. to authorize the use of devices like Carnivore,
the FBI's "Internet-tapping" surveillance system.); id. Arts 23-35 (requiring law enforcement in every participating
country to assist police from other participating countries by cooperating
with "mutual assistance requests" from police in other
participating nations "to the widest extent possible." This obliges American law enforcement to cooperate with
investigations of behavior that is illegal abroad but perfectly legal in the
U.S.). The Administration has stated that "The Convention will
help us and other countries fight criminals and terrorists who use computers
to commit crimes..." Promoting Innovation and Competitiveness: President
Bush's Technology Agenda, at http://www.whitehouse.gov/infocus/technology/tech3.html.
[6]
p. 43 (emphasis added).