Page 1
INFORMATION PRIVACY AND THE MODERN GLOBAL FIRM: AN ARGUMENT IN FAVOR OF COMPREHENSIVE FEDERAL LEGISLATION
Philip Larson, 2E, GMUSL, [email protected]
I. INTRODUCTION
The commercial distribution of consumers’ personal information is rapidly
multiplying. While this information can be used to benefit consumers by providing them
with more choices and better services, it can also be misused in ways that invade
consumers’ privacy and destroy confidences. The adoption of two emerging technologies
– Service-Oriented Architectures (SOAs) and Business Process Management Suites
(BPM) – is breaking down organizational processes into individual tasks and other
manageable segments. These technologies have made it more common for an
organization’s business processes to consist of a network of decentralized services. To
stay competitive, organizations are outsourcing many services in these business processes
in order to benefit from cheap foreign labor markets. While this can help organizations
reduce costs, it is also putting consumers’ personal data in the hands of a growing number
of foreign commercial entities. Consumers are losing control of their personal data.
To address these privacy concerns the time has come for the United States to
enact comprehensive federal privacy legislation. Part II of this article describes how
SOA and BPM technology are enabling companies to outsource business processes and
thereby distribute consumers’ personal data to growing numbers of global service
providers. Part III argues that self-regulation has not provided sufficient protection for
consumers’ privacy. Part IV discusses the limitations of the existing “sectional”
approach to United States federal privacy law in addressing concerns over potential
abuses by third-party outsourcing service providers. Part V argues that Congress should
address these deficiencies by enacting comprehensive federal privacy legislation.
II. THE ADOPTION OF EMERGING TECHNOLOGIES AND INCREASED DEPENDENCE ON OUTSOURCING ARE MAGNIFYING DATA PRIVACY ISSUES.
The world is getting smaller. Organizations are adopting emerging technologies
that are making it easier to transact with service providers located anywhere in the world.
As a result, consumers’ personal information is increasingly being distributed to a wider
network of companies magnifying the risk of data privacy and security abuse.
A. Business Process Outsourcing (BPO) and Networks of Global Service Providers.
Outsourcing is the practice of shifting an organization’s operations to a third party
vendor.1 Business process outsourcing (BPO) is when an organization leverages third
party services to streamline a variety of processes from administrative support to
telemarketing and product development.2 The market for BPO is growing rapidly in
multiple industries.3 While there are many models of outsourcing, the two most common
are on-shoring (outsourcing to a vendor located domestically) and off-shoring
(outsourcing to a vendor in a different country).4 While India is the most preferred
destination for offshore BPO, outsourcing to China and Eastern Europe is expected to
continue growing.
1 Outsourcing, http://en.wikipedia.org/w/index.php?title=Outsourcing&oldid=61793844 (last visited July 3, 2006).
2 Business Process Outsourcing, http://en.wikipedia.org/w/index.php?title=Business_process_outsourcing&oldid=16941873 (last visited July 3, 2006).
3 On a global scale, IDC has estimated that the worldwide market for BPO will reach $641.2 billion by
2009, up from $382.5 billion in 2004. Romala Ravi, Brian Bingham & Lisa Rowan, Worldwide and U.S.
Business Process Outsourcing (BPO) 2005-2009 Forecast: Market Opportunities by Horizontal Business
Functions, Aug. 2005, at http://www.idc.com/getdoc.jsp?containerId=33815 (last visited July 3, 2006).
4 Modes of outsourcing, http://www.tutorial-reports.com/book/print/604 (last visited July 3, 2006).
Organizations have cited many drivers for this trend towards increased
outsourcing of business processes. Cost savings is the most frequently cited driver, with
some estimates arguing that outsourcing can cut costs by 25-30% and up to 50% when
off-shored.5 Outsourcing enables organizations to focus attention on their core
competencies without the distraction of having to manage non-core services.6 Moreover,
by using off-shore outsourcing vendors in different time zones, organizations benefit
from consistent, round-the-clock access to these services. In customer service processes,
this can reduce the difficulty of managing 24/7 customer support agreements. In product
development processes, this can reduce the time required to bring a new product to
market.7
However, while these benefits are driving adoption of BPO, certain risks have
slowed its adoption. Companies fear losing control over their operations and processes as
well as losing their expertise and industry knowledge to these third party service
providers.8 The relative financial instability of outsourcing vendors has also been a
concern. Moreover, as more third parties participate in an organization’s business
processes, concerns over data privacy and information security have increased.9
5 For example, a study by the University of California at Berkeley found that programming jobs paying
$60-80k in the United States go for as little as $8,952/year in China, $5,880 in India and $5,000 in Russia.
Lynn Ward, To Outsource or Not to Outsource?, E-CommerceTimes, June 17, 2003, at
http://www.ecommercetimes.com/perl/story/21700.html (last visited July 3, 2006).
6 Outsourcing, supra note 2.
7 Id.
8 Outsourcing, supra note 2.
B. Service-Oriented Architectures (SOAs) are Enabling Businesses to Leverage Services from Global Third-Party Service Providers.
Service-Oriented Architecture (SOA) projects are becoming more common across
a number of different industries.10 An SOA is a software architecture approach that
exposes an organization’s business components as reusable “services.”11 These services
are self-contained, reusable software components that can be invoked in a standard way
by other people and systems over the Internet.12
The scope of a service in an SOA can range from very narrow to quite broad. It
may be a simple, one-step task, such as updating an employee’s home address, or a more
complex task involving processing an invoice or approving a loan application. In the
travel industry, for instance, there are services that check hotel availability, book airline
tickets, make dinner reservations, etc. Each of these autonomous services might be
provided by separate vendors and combined by a single organization to create an overall
“vacation” process.
An SOA enables applications to easily pass data over the Internet to invoke
services from anywhere in the world. Therefore, in addition to enabling geographic
independence, an SOA makes it easier for an organization to outsource services in its
business processes to third parties.13 It is therefore understandable that the adoption of
SOA is gaining momentum, particularly in global organizations looking to outsource
aspects of their operations.14 While older applications typically reside in a single
geographic location, SOAs are enabling applications to become a composition of services
provided by multiple vendors located anywhere in the world. As long as the
performance, reliability and security of the services are sufficiently high, they can be
linked together as parts of these composite applications.15
9 Id.
10 Michael Barnes, Daniel Sholler & Paolo Malinverno, Benefits and Challenges of SOA in Business
Terms, Gartner Group, Sept. 6, 2005, at http://www.gartner.com/DisplayDocument?ref=g_search&id=485146 (last visited July 3, 2006).
11 Service Oriented Architecture, http://en.wikipedia.org/w/index.php?title=Service-Oriented_Architecture&oldid=17012698 (last visited July 3, 2006).
12 Id.
Naturally, use of an SOA creates data security and data privacy concerns.16 The
messages exchanged between these services often contain user credentials and other
personal information necessary to invoke the service.17 This personal information may
include names, addresses, Social Security numbers or even credit card and banking
information. As a result, an increasing amount of U.S. consumer data is being located in
offshore databases and repositories, making it more likely that the security or privacy of
the data will be compromised.18
13 David Chappell, Service-Oriented Architecture: What Next?, Apr. 4, 2004, at
http://web-services.gov/chappell4804.ppt (last visited July 3, 2006).
14 Id.
15 Bob Sutor, Open Standards vs. Open Source, at http://www.sutor.com/newsite/essays/e-OsVsOss.php
(last visited July 3, 2006).
16 Eric Pulier & Hugh Taylor, Security in a Loosely Coupled SOA Environment, June 13, 2006, at
http://www.aspnews.com/strategies/print.php/11296_3613041 (last visited July 3, 2006) (arguing that as
long as quality of service, including performance, reliability and security, is sufficient, it does not matter
where on the planet the service is provided).
17 Id.
C. Business Process Management (BPM) Software is Also Driving the Outsourcing of Services to Third-Party Service Providers.
Business Process Management (BPM) refers to software used to design, execute,
monitor and optimize an organization’s business processes.19 BPM is rapidly becoming
the preferred architecture for building agile composite applications by linking together
services exposed through an organization’s SOA.20 According to Gartner, adoption of
BPM is on the rise and will continue to grow at a “high rate” through the end of the
decade.21
BPM and SOA technologies therefore complement each other nicely. The more
business components a company exposes through its SOA, the more services BPM has
to orchestrate within the enterprise processes it manages. Using analytics capabilities,
BPM can also help benchmark and monitor the performance of the services executing in
the process to ensure they are aligned with performance goals.22 Therefore, BPM is
reducing the risk of outsourcing services to third parties by providing a standard
mechanism for evaluating vendor performance and service reliability. Moreover, BPM
makes it much easier for organizations to swap services in and out of their enterprise
processes, helping organizations become more agile and adapt quickly to changing
business needs. BPM reduces the cost for organizations to experiment with different
combinations of third party service providers, enabling them to identify the most efficient
combination for their business. BPM can then encapsulate these best practices and
ensure the processes execute consistently and optimally.23
18 Pulier, supra note 16.
19 Business Process Management, http://en.wikipedia.org/w/index.php?title=Business_Process_Management&oldid=61784948 (last visited July 3, 2006).
20 Id.
21 Gartner states that BPM new license revenue grew 17.3 percent from 2003 through 2004, amounting to
$603.4 million in 2004. Moreover, revenue grew across all 10 of the geographic regions and subsegments,
showing that there is a major, global market for this technology. Jim Sinur, Janelle Hill & Michael
Melenovsky, Market Share: Pure-Play BPM Software Worldwide 2004, Gartner Group, Nov. 22, 2005, at
http://www.gartner.com/DisplayDocument?ref=g_search&id=487272 (last visited July 3, 2006).
22 Id.
D. The Growing Adoption of BPM, SOA and BPO Creates Additional Concerns Over Data Privacy and Security.
Globalization has forced a “fundamental transformation from regional
economies to a single, integrated global economy.”24 With this transformation has come
increased awareness and concern over consumer privacy and security of personal data.
SOA and BPM are breaking down organizational processes into individual tasks
and other manageable segments, making it easier to swap new services in and out of end-
to-end business processes. To stay competitive, organizations are outsourcing many
services in their business processes in order to benefit from cheap foreign labor markets.
It is now much easier to collect, analyze and transmit consumer information
instantaneously to a wider network of affiliates, service providers and partners.
23 Id.
24 Alison Diana, Outsourcing by the Numbers, E-commerce Times, Nov. 12, 2003, at
http://www.ecommercetimes.com/story/32114.html (last visited July 3, 2006).
While this has increased the efficiency and agility of organizations, it has also
raised new data privacy concerns. Foreign companies and workers are gaining access to
some of the most private information about American consumers. This information
includes credit card numbers, Social Security numbers, and bank records as well as
medical data.25 There have already been examples of employees at foreign outsourcing
companies using this data to steal from and defraud American consumers.26 Reports have
been made of Indian gangs offering to pay employees at outsourced call centers for
Western consumers’ credit card and bank account information.27 With over 150,000
American tax returns prepared in India in 2004, many fear that exploitation of personal
data will only increase.28 The privacy and intellectual property laws in common
outsourcing destinations like India, China and Russia are not strict enough to protect
consumers.29
consumers.29 Additionally, since these processes can involve companies in many legal
25 Lou Dobbs, Is Nothing Private Anymore?, U.S. News & World Rep., May 17, 2004, available at
http://www.usnews.com/usnews/opinion/articles/040517/17dobbs.htm (last visited July 3, 2006)
(discussing the case of a disgruntled worker in Pakistan who threatened to post patient files on the Internet
if she was not given the back pay she was owed by her employer).
26 In April 2005, employees of a BPO company in Pune, India were arrested for the theft of $300,000 from
four Citibank customers. Citibank did not find out about the problem until it was notified of discrepancies
by its American customers. John Ribeiro, Indian Call Center Workers Charged with Citibank Fraud, April
7, 2005, at http://www.infoworld.com/article/05/04/07/HNcitibankfraud_1.html (last visited July 3, 2006).
27 Edmund Conway, Legal Challenge to Call Centres: Bank Union Claims Outsourcing to India Can
Contravene European Law, Daily Telegraph (London), Aug. 18, 2004, at 27.
28 Dobbs, supra note 33 (referencing comments from Sen. Liz Figueroa arguing in favor of privacy
legislation that would prevent “outsourcing without any protections for privacy”).
29 The U.S. placed India and China on its “priority watch list” of countries that do not provide adequate
protection to intellectual property. U.S. Department of State, China Has a High Rate of Intellectual
Property Infringement, Apr. 29, 2005, at http://usinfo.state.gov/usinfo/Archive/2005/Apr/29-580129.html
(last visited July 4, 2006). While there has been “some progress” in China’s efforts to enforce intellectual
property rights, the country still has “a long way to go.” Cassie Duong, Intellectual Property Rights
Protection Weak in China U.S. Says, June 7, 2006, at http://usinfo.state.gov/xarchives/display.html?
8
Page 9
jurisdictions, there is question as to who may exercise authority when there are privacy
issues.
III. SELF-REGULATION HAS NOT PROVIDED ADEQUATE PRIVACY PROTECTION FOR CONSUMERS.
The United States has traditionally promoted a market-based self-regulatory
approach towards protecting information privacy combined with targeted, sectional
legislation. In 1998, the Online Privacy Alliance (OPA) was formed to encourage
industry self-regulation of privacy.30 The OPA created privacy guidelines that encouraged
two modes of self-regulation: 1) the adoption of privacy policies and 2) the creation of
certification groups.31 This approach has not provided adequate protection against the
misuse of consumer data by foreign companies.
A. Privacy Policies Are Insufficient to Protect Consumers’ Personal Data.
Privacy policies articulate the manner in which a company collects, uses, and
protects data, and the choices they offer consumers to exercise rights in how their
personal information is used.32 With privacy policies, consumers may determine whether
and to what extent they wish to make information available to companies.33 While
American law does not require companies to post privacy policies, under Section 5 of the
p=washfile-english&y=2006&m=June&x=20060608164932cagnoud0.1814234 (last visited July 4, 2006).
FTC Act, the FTC has sued companies for failing to comply with their stated privacy
policies.34
30 Marcia Smith, Internet Privacy: Overview and Pending Legislation, CRS Report for Congress, July 6,
2004, at http://fpc.state.gov/documents/organization/35133.pdf (last visited July 5, 2006).
31 Id.
32 Esther Dyson, Privacy Protection: Time to Think and Act Locally and Globally, Apr. 1998, available at
http://www.firstmonday.org/issues/issue3_6/dyson/index.html (last visited July 5, 2006).
33 Id.
Nevertheless, the adoption of privacy policies has not provided adequate
protection to consumers. American law does not even require companies to post privacy
policies let alone ensure the policies are drafted in ways that actually protect consumers.
Moreover, having individual privacy policies for each website means users have to read
through thousands of statements in order to understand how each site they visit protects
their privacy. In many cases consumers have actually misinterpreted the meaning of
privacy policies and have been lulled into a false sense of confidence.35 It is an
unreasonable burden to require consumers to read all of these statements, particularly
when most of them state that the company may change its policy at any time. Privacy policies
therefore do not sufficiently protect consumers from the misuse of their personal data by
third party service providers.
34 15 U.S.C. § 45(a).
35 A June 2005 poll stated that 75% of respondents falsely believed that the presence of a privacy policy on
a web site meant the company could not sell customers' information to others. Joseph Turow, Lauren
Feldman, and Kimberly Meltzer, Open to Exploitation: American Shoppers Online and Offline, June 1,
2005, at
http://www.annenbergpublicpolicycenter.org/04_info_society/Turow_APPC_Report_WEB_FINAL.pdf
(last visited July 5, 2006). Similarly, a 2003 poll claimed 57% of respondents believed that if a company
had a privacy policy, they would not share information with other entities. Joseph Turow, Americans and
Online Privacy: The System is Broken, Annenberg Public Policy Center, June 2003, available at
http://www.annenbergpublicpolicycenter.org/04_info_society/2003_online_privacy_version_09.pdf (last
visited July 5, 2006).
B. Private Sector Certifications Fail to Adequately Protect the Privacy of Consumers’ Personal Information.
The Better Business Bureau (BBB), TRUSTe, and WebTrust have created “seals”
certifying various levels of privacy protection for participating websites.36 The seal may
only be displayed if the company abides by specific privacy principles. While advocates
of self-regulation suggest that these seal programs preclude the need for federal
legislation, these seal programs have not proven effective at protecting consumer privacy.
First, these seal programs do not carry the weight of law.37 Second, they tend to only
apply to data provided through an organization’s websites.38 Third, TRUSTe
and BBBOnline have been criticized for being mere corporate apologists rather than
defenders of privacy.39 Regarding TRUSTe, even people central to the establishment of
the seal program have been disappointed with it.40 Therefore, while these programs
combined with other forms of self-regulation are useful, the solution to protecting
consumer privacy is not complete without legislation bringing the weight of law behind
these transactions.
36 Smith, supra note 30.
37 Id.
38 Id.
39 Id.
40 Esther Dyson, who is credited with playing a central role in the establishment of the seal program, stated
that Truste's board "ended up being a little too corporate, and didn't have any moral courage." Paul Boutin,
Just How Trusty is Truste?, Wired News, Apr. 9, 2002, at
http://www.wired.com/news/exec/0,1370,51624,00.html (last visited July 6, 2006).
IV. THE UNITED STATES’ PATCHWORK OF FEDERAL PRIVACY LAW LEAVES TOO MANY PRIVACY GAPS.
In addition to self-regulation, a variety of federal laws and regulations regarding
data privacy have emerged. Unlike the broader European approach to privacy law, U.S.
privacy law has been more “sectional.”41 The United States’ patchwork of privacy
legislation regulates how certain types of entities may use information, including health
care organizations, financial institutions, and consumer reporting agencies.
Unfortunately, current federal privacy laws do not protect individuals in many contexts
when foreign companies misuse their personal information.
A. The Gramm-Leach-Bliley Act and Consumer Protection in Financial Institutions.
In 1999, the Gramm-Leach-Bliley Financial Modernization Act (“GLBA”) was
enacted in order to protect the privacy of consumer information held by “financial
institutions.”42 The two primary components of the GLBA that govern the collection,
disclosure and protection of consumers’ nonpublic personal information are the Financial
Privacy Rule and the Safeguards Rule.
The Financial Privacy Rule gives consumers more control over how and when
financial institutions share their personal information.43 First, financial institutions are
prohibited from disclosing their customers' account numbers to non-affiliated companies
when it comes to telemarketing, direct mail marketing or other marketing through e-
mail.44 Second, when a financial institution passes consumer information to a service
provider, that service provider may only use the information for limited purposes.45 If the
consumer had no right to opt-out, the service provider may not sell the information to
other organizations or use it for marketing.46 However, if the service provider receives
nonpublic personal information from a financial institution and the consumer chose not to
opt-out, the service provider may use the information for its own purposes or re-disclose
it to a third party.47
41 Fred H. Cate, The EU Data Protection Directive, Information Privacy, and the Public Interest, 80 IOWA
L. REV. 431, 438 (1995).
42 15 U.S.C. §§ 6801-09.
43 Id.
44 FTC, In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act, available at
http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm (last visited July 15, 2006).
The Safeguards Rule requires financial institutions to implement reasonable
safeguards to prevent misuse of clients’ nonpublic personal information.48 This rule
requires the company to develop, monitor and test its program to ensure the security of
its clients’ information. Moreover, this rule requires companies to select only
appropriate service providers and require them by contract to implement the safeguards.49
Therefore, while both the Financial Privacy Rule and the Safeguards Rule provide
some protection from misuse of consumer information by third party service providers,
the protection is limited to companies providing services to “financial institutions.”
As a result, the GLBA does not protect against abuse by offshore outsourcing vendors that
receive consumer information from other types of organizations and institutions.
B. Health Insurance Portability and Accountability Act
Enacted by Congress in 1996, the Health Insurance Portability and Accountability
Act (HIPAA) required the establishment of national standards for electronic health care
transactions.50 The HIPAA Privacy Rule, which took effect on April 14, 2003, applies to
health plans and any health care providers that transmit health information in electronic
form.51 In particular, the Privacy Rule protects all “individually identifiable health
information” held or transmitted by a “covered entity” or one of its business associates.52
In addition to requiring covered entities to take reasonable steps to protect the
confidentiality of communications with consumers of health care services, it also states
that a covered entity may not use or disclose protected health information unless the
individual authorizes it in writing.53
45 Id.
46 Id.
47 Id.
48 15 U.S.C. §§ 6801-09.
49 Id.
Therefore, similar to the Gramm-Leach Bliley Act, HIPAA provides some
protection against misuse of personal information by third party service providers
receiving health information from health care providers. However, HIPAA only applies
to “covered entities” which consist of those who pay for health care “in the normal course
of business.”54 This definition would not provide protection from misuse by many
offshore outsourcing vendors that receive information from other types of companies and
institutions.
C. Section 5 of the Federal Trade Commission Act.
Under the Federal Trade Commission Act (“FTCA”), the FTC is empowered to
(a) prevent unfair methods of competition, including unfair or deceptive acts in
commerce; (b) seek monetary redress for injured consumers; (c) prescribe trade
regulation rules defining practices that are unfair or deceptive; (d) conduct investigations
relating to organizations engaged in commerce; and (e) make reports and legislative
recommendations to Congress.55
50 HIPAA, http://en.wikipedia.org/w/index.php?title=HIPAA&oldid=31293402 (last visited July 15, 2006).
51 45 C.F.R. § 164.501.
52 Id.
53 Id.
54 42 U.S.C. § 1395x(s).
Section 5 of the FTCA prohibits “deceptive”
business practices.56 Deceptive practices are material representations or omissions that are
likely to mislead consumers acting reasonably under the circumstances.57 The FTC stated
in 1998 that using personal information in violation of a posted privacy policy constitutes
a “deceptive practice” and is actionable under the FTCA. Since 1998, the FTC has been
quite successful in bringing suits against companies that fail to comply with their stated
privacy policies.58
In addition to prohibiting deceptive practices, Section 5 also prohibits “unfair”
practices.59 Unfair practices are those that are likely to cause consumers substantial
injury that is neither reasonably avoidable by consumers nor offset by countervailing
benefits to consumers or competition.60 The FTC has used this authority to successfully
bring suits against companies whose practices, while not in direct violation of their stated
privacy policies, still threaten data security. For example, the FTC sued DSW for having
insufficient security measures to protect credit card and checking account information
and found that this constituted an “unfair” practice.61 BJ’s settled similar
charges for failing to encrypt information stored on its networks and failing to change
default user IDs and passwords, leading to the breach of thousands of credit and debit card
numbers.62 Most recently, the FTC levied a groundbreaking $15 million fine after finding
that ChoicePoint’s security measures violated Section 5 and resulted in a breach that led
to over 800 cases of identity theft.63
55 15 U.S.C. §§ 41-58.
56 15 U.S.C. § 45(a).
57 Cliffdale Associates, Inc., 103 F.T.C. 110 (1984).
58 Petco Animal Supplies, Inc. (FTC Docket No. C-4133) (Mar. 4, 2005); Tower Records (FTC Docket No.
C-4110) (May 28, 2004); Microsoft Corp. (FTC Docket No. C-4069) (Dec. 20, 2002); Eli Lilly & Co. (FTC
Docket No. C-4047) (May 8, 2002). Documents related to these enforcement actions are available at
http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html (last visited July 8, 2006).
59 15 U.S.C. § 45(n).
60 Id.
While the FTCA is different from GLBA and HIPAA in that it is not limited to
industry-specific institutions, the FTC has never used its Section 5 authority to bring suit
against a company that provided consumers’ personal information to a foreign affiliate
that then abused or misused the information. Therefore, the current application of the
FTCA does not provide adequate protection from offshore service providers that receive
consumers’ personal information from American companies in the context of enterprise
processes.
V. THE TIME HAS COME FOR COMPREHENSIVE FEDERAL PRIVACY LEGISLATION.
There is a growing risk to consumer privacy as businesses adopt emerging
technologies that create an increased dependence on outsourced services. The solution is
comprehensive federal privacy legislation. The general public, as well as a growing
consortium of private sector companies, supports national privacy legislation. Moreover,
comprehensive U.S. legislation could harmonize privacy requirements with those of the
EU, creating a model for the rest of the world.
61 Press Release, FTC, DSW Inc. Settles FTC Charges, Dec. 1, 2005, at
http://www.ftc.gov/opa/2005/12/dsw.htm (last visited July 7, 2006).
62 Press Release, FTC, BJ's Wholesale Club Settles FTC Charges, June 16, 2005, at
http://www.ftc.gov/opa/2005/06/bjswholesale.htm (last visited July 8, 2006).
63 Press Release, FTC, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil
Penalties, $5 Million for Consumer Redress, Jan. 26, 2006, at
http://www.ftc.gov/opa/2006/01/choicepoint.htm (last visited July 8, 2006).
A. The General Public Supports National Privacy Legislation
Opinion polls suggest that a majority of the American public would support
national privacy legislation. In a June 2001 Gallup poll two thirds of respondents were in
favor of new federal legislation that would protect online privacy.64 In April 2001, the
American Society of Newspaper Editors found that 51% of respondents were “very
concerned” and 30% were “somewhat concerned” that companies would violate their
personal privacy.65 In a 2002 Harris Poll, 63% of respondents considered current law
inadequate to protect their privacy and a majority of consumers stated they did not trust
businesses to handle their personal information properly.66
In particular, consumers have shown interest in legislation that would restrict a
company’s ability to provide their personal information to third parties. A 1991 Time-
CNN Poll stated that 93% of respondents believed companies should obtain permission
from the individual before selling personal information to a third party.67 A March 2000
Harris Poll found that 88% of users supported requiring a website to obtain consent
before sharing personal information with others.68
Therefore, the general public appears to support broad privacy legislation that
would give them greater control over how companies use their personal data.
64 Id.
65 Id.
66 Id.
67 Electronic Privacy Information Center (EPIC), Public Opinion on Privacy, at
http://www.epic.org/privacy/survey (last visited July 4, 2006).
68 Id.
B. There is Growing Support in the Private Sector for Comprehensive Federal Privacy Legislation.
The private sector traditionally has been opposed to broad federal privacy
legislation. Nevertheless, support for federal privacy legislation has been growing even
in the private sector, particularly among large, global firms. Recently, twelve companies
formed the Consumer Privacy Legislative Forum (“CPLF”), an advocacy group to lobby
for greater protection of private information.69 The CPLF includes both high tech
companies such as Microsoft, Google and eBay as well as companies that haven’t
traditionally had a large online presence such as Eastman Kodak Co., Eli Lilly and Co.
and Procter & Gamble Co. The broad range of industries represented by members of the
CPLF suggests that new data privacy issues are not unique to particular industries and that
sectional, targeted federal legislation is therefore inappropriate.
The group believes the “time has come” for “comprehensive harmonized federal
privacy legislation” to create a “uniform but flexible legal framework” for protecting
consumers’ personal data.70 While the CPLF has not yet recommended specific language
for the statute, the law would likely require businesses to provide notice to consumers
when collecting or using personal information and provide individuals control over how
the information is used.71
69 Consumer Privacy Legislative Forum, Statement of Support in Principle for Comprehensive Consumer
Privacy Legislation, June 20, 2006, at http://www.cdt.org/privacy/20060620cplstatement.pdf (last visited
July 15, 2006).
70 Id.
71 Id.
The members of the CPLF have given a number of reasons for their position in
favor of federal regulation. According to Nicole Wong, Google’s associate general
counsel, the “uneven patchwork” of state privacy laws in the United States has made it
difficult and expensive for companies to comply.72 Additionally, Microsoft supports
national legislation because it believes fear of identity theft and other abuses has chilled
commerce.73
Therefore, the current approach towards privacy law in the United States has
become burdensome on the private sector and a growing number of companies believe
the time has come for comprehensive, federal legislation.
C. Federal Privacy Legislation Would Harmonize U.S. Policy with International Laws.
As companies’ enterprise processes continue to invoke more and more services
from around the world to streamline operations and implement corporate strategy,
consumers’ personal data will pass between many countries with a variety of different
legal standards. Therefore, foreign privacy laws may apply to certain transactions. It is
important for the United States to take these foreign privacy laws into account in
developing its own privacy legislation in order to prevent conflicting obligations on
global businesses.
72 Kim Hart, Firms Seek Federal Privacy Rules, Washington Post, June 21, 2006, at
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/20/AR2006062001367.html (last visited
July 8, 2006).
73 Press Release, Microsoft Corporation, Microsoft Advocates Comprehensive Federal Privacy Legislation,
Nov. 3, 2005, at http://www.microsoft.com/presspass/press/2005/nov05/11-03DataPrivacyPR.mspx (last
visited July 8, 2006).
A comprehensive, harmonized federal approach to privacy legislation would be
more in line with most of the world than the United States’ existing patchwork approach.
The European Union Data Protection Directive, in effect since October 1998, created a
set of common rules for protecting personal data in the EU.74 The Directive requires
companies to ensure that data is collected only for specific purposes, is accurate and
current, and is discarded when no longer needed.75 The Directive creates certain
obligations on the “processors” of personal data defining the circumstances by which the
data may be transferred to a third party.76 Article 25 prohibits the transfer of personal
information regarding EU citizens to countries that lack “adequate” privacy laws.77
Therefore, since most countries do not have data privacy laws that satisfy the EU
standards, third party service providers are susceptible to legal challenges under the
Directive.78
The EU Privacy Directive has also dramatically influenced the adoption of
privacy law in non-EU countries. Argentina, Australia, Canada, Hong Kong, Hungary,
74 Press Release, European Union, EU Directive on Personal Data Protection Enters Into Effect, Oct. 23,
1998.
75 Id.
76 Id.
77 The EU determined that US privacy laws were inadequate in January 1999. However, the U.S.
Commerce Department negotiated a Safe Harbor agreement by which U.S. companies can exempt
themselves from the Directive. The Safe Harbor requires these companies to voluntarily adhere to a set of
privacy principles including notice, choice, onward transfer, security, data integrity, and access.
78 The EU sued Lloyds TSB stating that its outsourcing work to India put customers’ data at risk and
therefore violated the Directive. Jill Treanor, Union Claims Lloyds Outsourcing Breaches Data Laws,
Guardian (London), Aug. 18, 2004, at 26.
New Zealand and Switzerland have all adopted data protection laws that are substantively
very similar to the EU Directive. In May 2003, Japan enacted a broad privacy bill applying to any
business that uses personal information databases.79 Additionally, even officials in India
have stated that they believe the EU Privacy Directive is comprehensive and that Indian
legislation will be “more or less based on the EU model.”80
Given that a large part of the world appears to be following the EU model by
adopting broad privacy legislation, American legislation must not fall behind or create
conflicting requirements on global businesses. By adopting comprehensive federal
legislation, the U.S. can harmonize its privacy requirements with those of the EU and
thereby create a unified model for the rest of the world. This will reduce the number of
conflicting privacy regulations imposed on global businesses and will create appropriate
privacy incentives for the rising number of third party service providers gaining access to
consumers’ personal information.
D. The FTC Supports More Comprehensive Privacy Legislation.
In addition to the general public and a growing portion of the private sector, the
FTC is also in favor of broader federal privacy legislation. The FTC has recognized that
the protection of data privacy and security “is increasingly international in nature.”81
It has even noted that the globalization of the marketplace means “an increasing
79 Amy Worlton, Asia Opts for EU-Style Privacy, Privacy in Focus, June 2003, at
http://www.wrf.com/publication_newsletters.cfm?sp=title&year=2003&ID=10&publication_id=10468&keyword= (last visited July 8, 2006).
80 Privacy: India Drafting EU-Style Data Privacy Bill – Seeks to Attract Business from Europe, 104 Daily
Rep. for Executives A-18 (BNA) (May 30, 2003).
81 Prepared Statement of the FTC, Data Breaches and Identity Theft, June 16, 2005, at
http://www.consumer.gov/idtheft/pdf/ftc_06.16.05.pdf (last visited July 15, 2006).
amount of U.S. consumer information may be accessed illegally by third parties outside
the United States or located in offshore databases.”82
Given these structural changes, the FTC has recommended that Congress create a
broader, uniform privacy paradigm. For example, the FTC has recommended that
Congress extend the “Safeguards Rule” of the GLBA to companies that are not financial
institutions.83 Currently, the Safeguards Rule applies only to “customer information”
collected by “financial institutions” and therefore does not cover most data provided to
third party service providers.84 Therefore, while the GLBA restricts disclosure of a
consumer’s social security number and address by a financial institution, that same
information is often readily available for purchase on the Internet from a non-financial
institution.85
The FTC should also request that Congress extend its Section 5 authority to bring
suit against companies that provide consumers’ personal information to foreign affiliates
that do not have adequate security protections in place. This could simply be an
extension of the FTCA’s existing prohibition on “unfair” business practices. Providing
consumers’ personal information to third party providers that do not have adequate
security protections in place is “likely to cause consumers substantial injury that is
neither reasonably avoidable by consumers nor offset by countervailing benefits to
consumers or competition.” As such, the extension of the FTCA to cover this situation
would be entirely logical.
82 Id.
83 Id.
84 Id.
85 Id.
VI. CONCLUSION
The adoption of emerging technologies like SOA and BPM is helping to fuel
growth in business process outsourcing. This is creating a structural change in
organizations in which business processes are increasingly becoming a composition of
services provided by geographically dispersed affiliate and partner organizations.
Foreign companies and workers are gaining access to private personal information about
American consumers without adequate protections in place to prevent misuse. While the
use of privacy policies and private sector certifications has afforded some protection,
self-regulation itself is not adequate. Moreover, the United States’ patchwork of federal
privacy law applies only to specific areas like finance and healthcare, leaving too many
gaps.
The time has come for comprehensive privacy legislation. The general public and
a growing number of companies in the private sector have recognized this need.
Comprehensive legislation would help the U.S. harmonize its privacy policies with the
international community, protecting global companies from the threat of conflicting
legislation. Moreover, the FTC has acknowledged that broader legislation extending the
FTCA would enable it to more effectively protect the privacy interests of consumers
against misuse and abuse by third party service providers.