“Reflections on the White House Privacy Office” Peter P. Swire U.S. Chief Counselor for Privacy, 1999-2001 OSU College of Law, 2001- present CFP, March 8, 2001
Mar 27, 2015
“Reflections on the White House Privacy Office”
Peter P. SwireU.S. Chief Counselor for Privacy, 1999-
2001OSU College of Law, 2001-present
CFP, March 8, 2001
Overview
Clinton Administration Privacy Actions What Privacy Institutions Should the U.S.
Have? The New Administration
– Medical Privacy Rules
I. Clinton Administration Privacy Actions Privacy hot buttons before I entered
government in 2/99:– Clipper– CALEA– Know Your Customer
People, and even governments, learn
Actions since early 1999
Brief & favorable descriptions Q&A afterward on these
Medical Privacy Rule
HIPAA in 1996 Support for legislation through 8/99 Proposed rule 10/99 52,000 comments by 2/00 Final rule 12/00 Executive Order 12/00: limits on using
health oversight record for law enforcement
Financial Privacy
Clinton speech 5/99 House bill with half that 6/99 Significant Administration push for privacy Gramm-Leach-Bliley 11/99 Administration proposal for more, 4/00
Federal Government Privacy
6/99 OMB memorandum to post clear privacy policies on agency sites
6/00 OMB memorandum presumption against cookies on federal sites & reports to OMB on privacy in the budget process
12/00 OMB memorandum on agency data sharing, including push for privacy impact assessments
Federal CIO Council privacy committee
Some other privacy actions
Crypto policy change 9/99 Genetic Discrimination E.O. 2/00 NAS study now underway on authentication
and privacy– CFP next year?
Bankruptcy and privacy study 1/01: public records and privacy issue
Other privacy actions
Safe Harbor (low number of companies because it is so strict?)
Network Advertising Code 6/00 SSN bill proposed 6/00, and fought Gregg
bill Wiretapping bill summer 2000, with higher
standards for trap-and-trace and email wiretaps
How to find these documents?
Agency web sites change & not well archived Presidential privacy web archive up this week www.privacy2000.org Technology Policy Group of the Ohio
Supercomputer Center send documents you want to add to
II. The Privacy Office in the U.S. Chief Counselor for Privacy,
– U.S. Office of Management and Budget– Executive Office of the President– Old Executive Office Building
4 functions:– Government data handling– Clearance– Enforcement/Ombudsman– Bully Pulpit
Government Data Handling
Big advantage if in OMB “Management”
– Office of Information & Technology Policy “Budget” Can’t do in an independent agency Major issue in U.S. privacy debates
Clearance
Testimony, legislative proposals cleared in OMB
Less formal statements also cleared Examples:
– FIDNet– Money laundering– New hire data base
Can’t do as well in independent agency
Enforcement/Ombudsman
Can’t do in OMB HHS and financial agencies FTC for consumer protection Web seals & CPAs (expand scale)? Private rights of action?
Bully pulpit Cons:
– Fishbowl in White House therefore cautious about statements
– Can’t comment on individual products or companies Pro:
– Big impact if President or Cabinet speak– Any White House official can raise the issue’s
visibility & help on the Hill Independent agency has more flexibility
The New Administration
Bush and Clinton statements similar No privacy official named yet My guess is that they won’t until have some
privacy blowups
Medical Privacy Rule
Why now?– HIPAA “administrative simplification” rule last
summer– Protocols for electronic record sharing– Need to build in privacy & security at the same
time– Delay means, at best, privacy will be a retrofit
in medical systems
Fair Information Practices
Notice Opt in consent for nonmedical purposes Strong access protections Security rule HHS enforcement (need more) Employee protections
Marketing provision
BAD name -- “communications with existing customers”
Doctor or insurer can communicate with own customer
If does so on behalf of 3d party, must say so and say who is paying, and opt out
Information to 3d party only as agent of the doctor, such as mail shop– 3d party can’t use for its own purposes
What next?
Public comments by March 30 to HHS Decision by April 15 whether to cancel Best choice: let rules go into effect & make
specific changes as needed If not: huge homework for new Administration
(it took us 70 people for a year) If not: strong likelihood the rule will never issue
More information
www.osu.edu/units/law/swire.htm www.healthprivacy.org
Conclusion
Substantial privacy activity past two years New Administration has made encouraging
statements but we need to watch their actions
Will need organized U.S. ways to handle privacy issues over time