Reflections on the White House Privacy Office Peter P. Swire U.S. Chief Counselor for Privacy, 1999- 2001 OSU College of Law, 2001-present CFP, March 8,

“Reflections on the White House Privacy Office”

Peter P. SwireU.S. Chief Counselor for Privacy, 1999-

2001OSU College of Law, 2001-present

CFP, March 8, 2001

Overview

Clinton Administration Privacy Actions What Privacy Institutions Should the U.S.

Have? The New Administration

– Medical Privacy Rules

I. Clinton Administration Privacy Actions Privacy hot buttons before I entered

government in 2/99:– Clipper– CALEA– Know Your Customer

People, and even governments, learn

Actions since early 1999

Brief & favorable descriptions Q&A afterward on these

Medical Privacy Rule

HIPAA in 1996 Support for legislation through 8/99 Proposed rule 10/99 52,000 comments by 2/00 Final rule 12/00 Executive Order 12/00: limits on using

health oversight record for law enforcement

Financial Privacy

Clinton speech 5/99 House bill with half that 6/99 Significant Administration push for privacy Gramm-Leach-Bliley 11/99 Administration proposal for more, 4/00

Federal Government Privacy

6/99 OMB memorandum to post clear privacy policies on agency sites

6/00 OMB memorandum presumption against cookies on federal sites & reports to OMB on privacy in the budget process

12/00 OMB memorandum on agency data sharing, including push for privacy impact assessments

Federal CIO Council privacy committee

Some other privacy actions

Crypto policy change 9/99 Genetic Discrimination E.O. 2/00 NAS study now underway on authentication

and privacy– CFP next year?

Bankruptcy and privacy study 1/01: public records and privacy issue

Other privacy actions

Safe Harbor (low number of companies because it is so strict?)

Network Advertising Code 6/00 SSN bill proposed 6/00, and fought Gregg

bill Wiretapping bill summer 2000, with higher

standards for trap-and-trace and email wiretaps

How to find these documents?

Agency web sites change & not well archived Presidential privacy web archive up this week www.privacy2000.org Technology Policy Group of the Ohio

Supercomputer Center send documents you want to add to

[email protected]

II. The Privacy Office in the U.S. Chief Counselor for Privacy,

– U.S. Office of Management and Budget– Executive Office of the President– Old Executive Office Building

4 functions:– Government data handling– Clearance– Enforcement/Ombudsman– Bully Pulpit

Government Data Handling

Big advantage if in OMB “Management”

– Office of Information & Technology Policy “Budget” Can’t do in an independent agency Major issue in U.S. privacy debates

Clearance

Testimony, legislative proposals cleared in OMB

Less formal statements also cleared Examples:

– FIDNet– Money laundering– New hire data base

Can’t do as well in independent agency

Enforcement/Ombudsman

Can’t do in OMB HHS and financial agencies FTC for consumer protection Web seals & CPAs (expand scale)? Private rights of action?

Bully pulpit Cons:

– Fishbowl in White House therefore cautious about statements

– Can’t comment on individual products or companies Pro:

– Big impact if President or Cabinet speak– Any White House official can raise the issue’s

visibility & help on the Hill Independent agency has more flexibility

The New Administration

Bush and Clinton statements similar No privacy official named yet My guess is that they won’t until have some

privacy blowups

Medical Privacy Rule

Why now?– HIPAA “administrative simplification” rule last

summer– Protocols for electronic record sharing– Need to build in privacy & security at the same

time– Delay means, at best, privacy will be a retrofit

in medical systems

Fair Information Practices

Notice Opt in consent for nonmedical purposes Strong access protections Security rule HHS enforcement (need more) Employee protections

Marketing provision

BAD name -- “communications with existing customers”

Doctor or insurer can communicate with own customer

If does so on behalf of 3d party, must say so and say who is paying, and opt out

Information to 3d party only as agent of the doctor, such as mail shop– 3d party can’t use for its own purposes

What next?

Public comments by March 30 to HHS Decision by April 15 whether to cancel Best choice: let rules go into effect & make

specific changes as needed If not: huge homework for new Administration

(it took us 70 people for a year) If not: strong likelihood the rule will never issue

More information

www.osu.edu/units/law/swire.htm www.healthprivacy.org

Conclusion

Substantial privacy activity past two years New Administration has made encouraging

statements but we need to watch their actions

Will need organized U.S. ways to handle privacy issues over time