Testimony and Statement for the Record of
Marc Rotenberg
Executive Director
Electronic Privacy Information Center
on
Consumer Privacy Protection Act of 2002
HR 4678
before the Subcommittee on Commerce, Trade
and Consumer Protection,
House Committee on Energy and Commerce
September 24, 2002
2322 Rayburn House Office Building
My name is Marc Rotenberg. I am the Executive Director of the Electronic Privacy Information Center in Washington. I am on the faculty of Georgetown University Law Center, where I have taught Information Privacy Law since 1990. I am co-author of a forthcoming casebook with Professor Daniel J. Solove on Information Privacy Law (Aspen Publishing). I have also recently been named chairman of the American Bar Association Committee on Privacy and Information Protection, though my comments today reflect only my views and not those of the ABA.
I appreciate the opportunity to testify before the Subcommittee today on HR 4678, the "Consumer Privacy Protection Act of 2002." I am well aware of the extensive work of the Subcommittee on privacy issues during this Congress. Therefore it is with some misgivings that I say to you today that this bill will have little support among consumer or privacy organizations, privacy experts, or the general public.1 In many respects it seems crafted to protect privacy violators from legal accountability. On almost every key provision it favors industry over the consumer, the invasion of privacy over the protection of privacy. While it is true that it is a sweeping measure in the sense that it applies to all data collection organizations, both off-line and on-line, the intent appears to be to insulate companies from any real accountability for what they might do with the personal information they acquire. Given the important tradition in the United States of safeguarding privacy as new technologies emerge, as well as the testimony provided by several witnesses on the need to protect privacy going forward, I can only hope that a better bill will be introduced in the future.
"Protection of Individual Privacy in Interstate Commerce" (Title I)
The substantive provisions of the measure are set out in Title I. Simply stated, they require a company to adopt a privacy policy that can say virtually anything and can be changed at any point in time to say anything else. Under Title I of the Act, if a company states that it takes sensitive personal information and puts it on the Internet for all to see, it will be in compliance with the Consumer Privacy Protection Act. A company can adopt a policy that states that it will zealously protect sensitive personal information, acquire customer data, then change its mind, and post it on the Internet. It too will be in compliance with the Consumer Privacy Protection Act.
There is an interesting section that attempts to limit the sale of personal data to third parties, but this provision is easy to defeat by simply offering the consumer a benefit, such as the service originally sought. A companion provision that seeks to limit "other information practices" is also almost meaningless because consumers will not have access to any relevant information to make an informed decision and even if they go to the effort of exercising this right, the company can exercise its right to "terminate its compliance with the limitation" on thirty days' notice. (This section might be called the "Now you see it, now you don't" privacy provision.)
The Act would create policies for policies -- a form of bureaucratic red tape for consumers -- without ever giving a consumer access to personal information held by the company. Does a company have inaccurate information about you? You'll never know. Does it discriminate against you because of confusion about names, incorrect addresses, or bad information provided by a third party? You'll have no idea. There is nothing in the bill that even attempts to hold companies responsible for the accuracy of their information on consumers.
The bill places enormous confidence in self-regulatory programs. It imposes only the most modest obligations on these consulting firms. The generous eight-year certification period for self-regulatory companies contrasts sharply with the thirty days' notice provided to consumers about material changes in privacy policies permitted under the Act. This deference to self-regulation is extraordinary, considering not only that Truste continued to approve Microsoft even as its Passport service was found to violate the FTC Act, as well as the clear experience in these last few years of abuse stemming from industry self-policing.
The Act noticeably creates no safeguards on disclosure of personally identifiable information to law enforcement agencies. In other words, individuals who provide information to businesses will have no protections against fishing expeditions by the police. Virtually every other privacy law in the United States sets out a Fourth Amendment standard to regulate police access to personal information held by third parties. The purpose is not to prevent law enforcement access or to frustrate criminal investigations, but rather to ensure that when police go to a private business in search of information about customers or clients they do so with something that approaches probable cause or reasonable suspicion that a crime has been committed. Under the "Consumer Privacy Protection Act" there will be no new safeguards established to protect consumers from searches that might otherwise be overly broad, intrusive or unlawful. Under this approach, video rental records will remain protected under a 1988 Act, but there will be no similar protection for new services offered over the Internet or the extensive record of purchases and interests collected and maintained by Amazon.
The Act forcefully creates no private right of action. This goes far beyond any reasonable concern about large damage awards. There are any number of alternative approaches that would preserve a private right of action. It is possible, for example, to allow individuals to go into small claims court and seek relief as they do currently and effectively under the Telephone Consumer Protection Act. Alternatively, the state attorneys general could be empowered to enforce rights created by the federal statute as others have proposed, or damage awards could be capped. The point is that there are many ways to make a private right of action work.
The absence of a private right of action is all the more problematic because as the bill is currently structured there are no procedural rights for consumers who file complaints at the FTC nor are there any formal means of reporting or appeal if the FTC fails to act on a complaint. What happens, for example, if a drug company discloses the names of Prozac users on the Internet, a complaint is filed, and the FTC chooses not to act? It is clear that the company's action violates the FTC Act as the FTC has already found, but if the Commission chooses, for whatever reason, not to pursue the complaint, that is the end of the matter. This grants the agency unprecedented discretionary authority.
Having constructed a bill that effectively provides no substantive rights for consumers, the Act preempts states that are seeking to provide greater protection to their citizens. It even preempts state common law which is an extraordinary step for the Congress. Has this Committee concluded that there should be no state remedies anywhere in the United States for breaches of privacy committed by an organization that collects personal information? That would be an extraordinary assault on both the common law and our federal form of government.
International Provisions
The purpose of Title III is apparently to raise questions about the enforcement of the Safe Harbor Arrangement and other international agreements that the United States has pursued to support the protection of privacy. As currently drafted, the section asks the Comptroller General to review these various arrangements to determine whether such laws, regulations or agreements "result in discriminatory treatment of United States entities."
Members of the Subcommittee should realize that the Safe Harbor Arrangement addresses concerns that European governments have raised about privacy protection for their own citizens. Safe Harbor came about to assist US businesses who had complained that it would be difficult to comply with privacy law in Europe. The concerns of European officials about US practices have been substantiated in the United States by both state attorneys general and the Federal Trade Commission. For example, European privacy officials raised concerns that the Microsoft Passport service violated European law, but it was ultimately the US Federal Trade Commission that found that Microsoft violated Section 5 of the FTC Act. Earlier, European officials asked the Doubleclick company to modify its Internet advertising practices to comply with European privacy laws, but it was US officials who ultimately clamped down on the company's plans for invasive profiling of Internet users.
Do we really want to be in the position of objecting to the efforts of foreign governments to safeguard the privacy rights of their own citizens when US officials have expressed similar concerns? This is not a wise or forward-looking policy.
I'd also like to bring to the attention of the Committee the important role that the United States has historically played in helping to enforce international standards for privacy protection. The Department of State, under both political parties, has supported the international human rights community by monitoring compliance with the International Covenant of Civil and Political Rights. The ICCPR includes a critical provision on unlawful surveillance and police practices that threaten political freedom all around the world.
As the web site of the Department of State currently notes:
The protection of fundamental human rights was a foundation stone in the establishment of the United States over 200 years ago. Since then, a central goal of U.S. foreign policy has been the promotion of respect for human rights, as embodied in the Universal Declaration of Human Rights. The United States understands that the existence of human rights helps secure the peace, deter aggression, promote the rule of law, combat crime and corruption, strengthen democracies, and prevent humanitarian crises.2
Section 1, paragraph f in the annual report prepared by the State Department addresses specifically "Arbitrary Interference With Privacy, Family, Home, Correspondence." For example in the 2002 report on China, the State Department notes that:
The Constitution states that the "freedom and privacy of correspondence of citizens are protected by law." Despite legal protections, authorities often do not respect the privacy of citizens in practice. Although the law requires warrants before law enforcement officials can search premises, this provision frequently has been ignored; moreover, the Public Security Bureau and the Procuratorate can issue search warrants on their own authority. Authorities monitor telephone conversations, facsimile transmissions, e-mail, and Internet communications. Authorities also open and censor domestic and international mail. The security services routinely monitor and enter the residences and offices of persons dealing with foreigners to gain access to computers, telephones, and fax machines. Government security organs monitor and sometimes restrict contact between foreigners and citizens. All major hotels have a sizable internal security presence.3
Now I agree that the United States should look more carefully at some of the current international agreements that impact privacy, but the commercial agreements such as Safe Harbor, which are intended to safeguard privacy and facilitate trade, are the wrong place to start. I would urge the Comptroller General to consider whether such proposals as the Council of Europe Cybercrime Convention would violate the privacy rights of American citizens that would otherwise be protected under US law and the US Constitution.4 That proposal, which some in the Administration continue to promote as if it were national law, even though it has never been introduced in the Congress let alone ratified by the United States, contains many provisions that deeply implicate American Constitutional values.5
It is the Cybercrime Convention, not the Safe Harbor arrangement, that poses a direct threat to the interests of the United States and American citizens. It is that proposal that should be given careful scrutiny by the Congress.
Conclusion
This has been a difficult year on the privacy front. The country faces new challenges after September 11. Even so, many of us have been heartened by the efforts of government officials to safeguard this essential American value. A secretive federal court has spoken out against the misuse of the Foreign Intelligence Surveillance Act. The House leadership has taken strong stands on such issues as Carnivore, TIPS, and video surveillance. The White House has indicated its reluctance to endorse a national identity card. The Federal Trade Commission has issued important orders on Microsoft, Eli Lilly, and proposed a new rule on telemarketing. The state attorneys general have acted to protect consumers against egregious practices that have led to the disclosure of medical records, financial information, and the misuse of student records.
Even the President's Critical Infrastructure Protection Board, charged with safeguarding the nation against future terrorist threats, said in the recent report on the National Strategy to Secure Cyberspace:
The nation's Strategy must be consistent with the core values of its open and democratic society. Accordingly, Americans must expect government and industry to respect their privacy and protect it from abuse. This respect for privacy is a source of our strength as a nation; accordingly, one of the most important reasons for ensuring the integrity, reliability, availability, and confidentiality of data in cyberspace is to protect the privacy and civil liberties of Americans when they use -- or when their personal information resides on -- cyber networks. To achieve this goal, the National Strategy incorporates privacy principles -- not just in one section of the Strategy, but in all facets. The overriding aim is to reach toward solutions that both enhance security and protect privacy and civil liberties.6
This was an extraordinary statement coming from an organization tasked with protecting the country from cyber warfare and future acts of terrorism. Still, they seemed to leave little doubt that the protection of privacy could not be sacrificed even as the country works to strengthen cybersecurity. Certainly, there could be a similar commitment to protect privacy in less critical circumstances.
Thank you for your attention. I would be pleased to answer your questions.
1 The bill appears to ignore the testimony of every public interest advocate appearing before the Subcommittee. My own testimony of June 21, 2001 advocated a system of rights similar to the Cable Communications Policy Act of 1984, one that includes notice, opt-in, access, and a private right of action. Ed Mierzwinski's testimony of April 3, 2002, on behalf of the US Public Interest Research Group, called for a law that incorporated a system of FIPs. Specifically, Mr. Mierzwinski's testimony called for collection limitations, comprehensive notice, opt-in, guarantees of accuracy and security, no preemption, and a private right of action. Frank Torres' testimony of April 3, 2001, on behalf of Consumers Union, broadly outlined current problems in HIPAA and the GLBA. Mr. Torres recommended comprehensive notice, full access and correction rights, and opt-in consent. More than thirty organizations across the political spectrum endorsed a set of principles at the beginning of this Congress on which to base federal privacy legislation:
1. The Fair Information Practices: the right to notice, consent, security, access, correction, use limitations, and redress when information is improperly used,
2. Independent enforcement and oversight,
3. Promotion of genuine Privacy Enhancing Technologies that limit the collection of personal information,
4. Legal restrictions on surveillance technologies such as those used for locational tracking, video surveillance, electronic profiling, and workplace monitoring, and
5. A solid foundation of federal privacy safeguards that permit the private sector and states to implement supplementary protections as needed.
Many good proposals from leading US academics were apparently also ignored. Professor Joel Reidenberg, testifying on March 8, 2001, said that the "United States is rapidly on the path to becoming the world's leading privacy rogue nation." Reidenberg recommended that the Congress promote the negotiation of a "General Agreement on Information Privacy." As for public opinion, polls consistently find strong support among Americans for privacy rights in law to protect their personal information from government and commercial entities. See EPIC, Public Opinion and Privacy (http://www.epic.org/privacy/survey/default.html)
2 Department of State, Human Rights, http://www.state.gov/g/drl/hr/ (last visited September 21, 2002)
3 Department of State, China (includes Hong Kong and Macau), http://www.state.gov/g/drl/rls/hrrpt/2001/eap/8289.htm
4 Council of Europe Committee of Ministers, 109th Sess, Convention on Cyber-Crime (adopted Nov 8, 2001), available online at http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185.
5 See, e.g., id. Arts. 2-11 (requiring member country statutory criminalization of offenses such as hacking, the production, sale or distribution of hacking tools, and child pornography, and an expansion of criminal liability for intellectual property violations. The treaty's intellectual property provisions significantly expand criminal liability for intellectual property violations and tilt copyright law away from the public interest: U.S. intellectual property law contains a delicate balance between the rights of intellectual property holders and the rights of the public through the First Amendment and the law of "fair use" of copyrighted materials, but the Cyber crime Convention criminalizes copyright infringement with no mention of fair use); id. Arts 16-22 (requiring participating nations to grant new powers of search and seizure to its law enforcement authorities, including the power to force an ISP to preserve a citizen's internet usage records or other data, and the power to monitor a citizen's online activities in real time--while including no provisions to protect citizens' privacy. In the United States, the treaty requires the U.S. to authorize the use of devices like Carnivore, the FBI's "Internet-tapping" surveillance system.); id. Arts 23-35 (requiring law enforcement in every participating country to assist police from other participating countries by cooperating with "mutual assistance requests" from police in other participating nations "to the widest extent possible." This obliges American law enforcement to cooperate with investigations of behavior that is illegal abroad but perfectly legal in the U.S.). The Administration has stated that "The Convention will help us and other countries fight criminals and terrorists who use computers to commit crimes..." Promoting Innovation and Competitiveness: President Bush's Technology Agenda, at http://www.whitehouse.gov/infocus/technology/tech3.html.