The United States, Privacy, and Data Protection Peter P. Swire Dutch Embassy Presentation January 19, 2001.


“The United States, Privacy, and Data Protection”

Peter P. Swire

Dutch Embassy Presentation

January 19, 2001

Overview

The Inevitability of Societal Decisions on Privacy

Clinton Administration Actions

A Look Ahead

E-mail attachment as the new metaphor

From mainframe to the e-mail attachment

1970s and mainframes
– Worry about large, centralized databases
– Fair Credit Reporting Act, 1970
– Privacy Act of 1974
– First European data protection laws

Changes to the 1990’s

Everyone has a mainframe -- laptop or desktop

Transfers are free, instantaneous, & global

Usually change symbolized by the web

Better image is the e-mail attachment
– Anyone to anyone
– Can attach anything to an e-mail
– The lived experience of almost all users

Inevitability of Societal Decisions about Privacy

The lack of a status quo

Examples:
– State public records
– Medical records
– Financial records
– Internet records

The Lack of a Status Quo

Old reality:
– Relatively few databases
– Relatively few rules -- by law or industry

New reality:
– Far more databases, with more detail
– If few rules, then vastly greater data flows
– If try to retain pre-existing privacy balance, then will have many more rules

Public Records

Old reality (e.g., 20 years ago)
– Legal openness, state open government laws
– Practical obscurity -- cost and bother of going to the courthouse for paper records

New reality:
– Legal openness, except drivers’ records
– Practical openness, far more intensive use
– Bankruptcy and privacy study

Medical Records

What has changed:
– Mostly paper to mostly electronic
– Records held by large providers and plans, and used for many management purposes

Societal response:
– HHS medical privacy regulations

Financial Records

What has changed:
– Level of detail -- from credit history to transactional history
– Industry convergence

Societal response
– FCRA
– Financial Modernization law 1999
– Clinton Administration pushed for more

Internet Privacy

Old reality?
– None.

“Inevitability of societal decisions”
– Web sites
– Online profiling
– GUIDs
– Etc. -- IPv6, links to offline, and so on

What are “Societal Decisions”?

Technology -- engineers in the company or standards organizations

Markets -- company decisions and contracts with business partners

Self-regulation

Governmental rules

Transborder rules -- Safe Harbor

Conclusion on “societal decisions”

No status quo: can’t return to few databases and few rules

Number and velocity of privacy issues increasing rapidly

E-mail attachments: solutions must be robust in a world of anyone-to-anyone transfers

II. Clinton Administration Privacy Policy

Support self-regulation generally
– Applaud self-regulatory efforts

Sensitive categories deserve legal protection
– Medical & Genetic
– Financial & ID Theft
– Children’s Online

Government should lead by example

Internet Privacy

Quantity of policies
– 15% to 66% to 88% from 1998 to 2000

Quality of policies
– Seek fair information practices

Major legislative push this year

Safe Harbor

Now approved by E.U.

Self-regulation as a core achievement

Lawful basis for trans-Atlantic data flows

Streamlined registration

Up for review in summer, 2001

Financial services not yet addressed

Medical Records Privacy

HIPAA 1996 called for legislation by 8/99

President announced proposed regs 10/99

Over 53,000 submissions of comments

Final rules announced December, 2000

Take effect early 2003

Genetic Discrimination

February 8 Executive Order
– Prohibits federal agencies from using genetic information in hiring or promotion

Call for legislation
– Daschle/Slaughter bills
– Extend protections to private sector
– Apply to purchase of health insurance

Children’s Online Privacy

Children’s Online Privacy Protection Act of 1998

FTC rules took effect 4/2000

Key is “verifiable parental consent”

Financial Privacy

Financial Modernization Act
– Notice for 3d parties and affiliates
– Opt out choice for 3d parties only
– Significant enforcement provisions

Federal Databases

Privacy Act in place since 1974

Now, all agencies have privacy policies at their major web sites

Summer 2000 -- presumption against the use of “cookies” at federal web sites

Other OMB actions

III. Looking Ahead

Bipartisan interest in privacy protections

Republican focus especially on misuse in the government sector

Democrats more likely to favor regulation of the private sector

Growing realization, though, that data flows between the sectors

The Bush Administration

Campaign statements similar to Clinton Administration approach:
– Focus on sensitive medical and financial
– Encourage self-regulation
– But, comments by Bush himself suggested more activist

Which U.S. Institutions will Lead?

OMB -- traditional role for government databases

Larry Lindsay -- possible policy lead

FTC -- independent agency has called for Internet legislation

Hard to imagine a new federal privacy agency in medium term

Conclusion

U.S. has taken significant legal steps toward protecting most sensitive information

Ongoing debate of whether to expand to the Internet, or even off-line

Unclear what institutions would regulate in the area

Likely significant change within 5-10 years
