Testimony of Marc Rotenberg: Privacy in the Commercial World
Testimony and Statement for the Record of
Electronic Privacy Information Center, Executive Director
Georgetown University Law Center, Adjunct Professor
Privacy in the Commercial World
Subcommittee on Commerce, Trade, and Consumer Protection
Committee on Energy and Commerce
U.S. House of Representatives
March 1, 2001
2322 Rayburn House Office Building
In the spirit of this hearing, I will make several general comments about the development of privacy law in the commercial world and the role of technology. First, the protection of privacy in law is a central contribution of the US legal system. This is true not only with respect to the Fourth Amendment that limits searches by the state, but also for the private right of action that came to be known as the "American tort" and the general framework for the protection of personal information - the "Fair Information Practices" - which were first articulated in the United States.
Second, the basic structure of information privacy law is to place responsibilities on organizations that collect personal data and to give rights to individuals that give up their data. This is sensible for many reasons, including the fact that it is the entity in possession of the data that controls its subsequent use. Information privacy law also promotes transparency by making data practices more open to scrutiny and encourages the development of innovative technical approaches.
Third, privacy laws, particularly in the United States, are widespread and have invariably come about in response to new technologies and new commercial practices. From the telephone, to the computer database, to cable television, electronic mail, video tape rentals, and the Internet, the American tradition is to establish a right of privacy in law to enable the development of new commercial services.
Fourth, privacy protection by means of self-regulation is a very recent development and there is little evidence so far to show that it is an effective means to protect privacy. "Notice and choice" is a very different approach than Fair Information Practices established in law. There are also specific reasons with respect to the Internet why market-based approaches may be problematic, including the fact that many of the key technical standards that affect online privacy are determined outside of the marketplace.
Fifth, technology has a role to play in protecting privacy but in pursuing technical solutions, it is critical to understand whether the technique limits or facilitates the collection of personal data. In my view, genuine Privacy Enhancing Technologies limit or eliminate the collection of personally identifiable information.
Sixth, there is no doubt that the First Amendment and the right of privacy do at times collide. But those cases are the exception and not the rule. This is clearly not a zero-sum relationship. There are many countries with little regard for personal privacy or freedom of expression. The success of the US legal system is to preserve both interests, to safeguard free expression and to protect individual privacy.
Seventh, on the issue of preemption, it is important to note that federal privacy law has by tradition operated as a baseline and allowed the states to regulate upward if they wish. Recognizing that there may be competing interstate commerce claims, it is nonetheless important to understand why Congress has generally deferred to stronger state safeguards where they arise.
Finally, it is significant in the legislative realm when there is broad-based public support to take action. The debate that we are having today is not simply academic; there are real policy choices and there are policy consequences that flow from inaction, as well as action, in the effort to safeguard privacy in America.
I appreciate the opportunity to appear before the Committee today to discuss privacy issues. My name is Marc Rotenberg. I am Executive Director of the Electronic Privacy Information Center in Washington, and I have taught the Law of Information Privacy at Georgetown since 1990. As both an advocate and academic, I have participated in many of the leading privacy debates in this country. In the spirit of this hearing, I will focus my comments on several general observations about privacy law. I'd like to emphasize at the start that this is an enormously interesting and important topic and I appreciate the decision of the Committee to begin with a discussion at a high level.
1. The Protection of Privacy in Law is Central to the American Legal Tradition
The protection of privacy in law is one of the great contributions of the American legal system. When the framers of the Bill of Rights set out in the Fourth Amendment a legal procedure that placed a judge between the authority of the state and the rights of the citizen, they established a structure that today distinguishes democratic governments from dictatorships. It is without question a burden to the police that they may not freely seize evidence, intercept phone calls, or detain individuals without probable cause, but this is a burden that every Constitutional democracy accepts as a fundamental requirement to safeguard the rights of its citizens.
But it is not just with respect to government that our country has established rights of privacy in law; we have done so also with respect to actions among private individuals, the practices of business, the use of new technology, and the collection and use of personal information for commercial purposes. When Brandeis and Warren first set out the right of privacy in the famous 1890 law review article it came to be known as the "American tort." The privacy tort became the basis for privacy claims that were recognized in state courts, state legislatures, and eventually Congress.
Our tradition of protecting privacy rights in law has carried forward with each new technology, from the telephone to computers, cable television, electronic mail, and video tape rentals. Our privacy laws, like all laws, are imperfect. But they reflect at their core a belief that we have the ability, through our government and our legal institutions, to control the technologies that we create, to ensure that we can obtain the benefits of new technology and preserve important political values.
So, when privacy and consumer advocates testify in support of restrictions on government surveillance, safeguards for financial records, and protections for consumers in electronic commerce, it is with full regard and understanding of the American legal tradition. The burden of justifying the self-regulatory approach falls squarely on its supporters. The first lesson of US law is that the presumption favors legal safeguards.
I make this point at the outset because there is a tendency in the policy debates about privacy to ask the question whether to "regulate" or what is the "appropriate role" of government. The better starting point is with the recognition that in the United States we have long understood that privacy is a right protected in law.
2. Privacy Law Allocates Rights and Responsibilities and Ensures Fairness and Transparency in the Collection and Use of Personal Information
Next we should consider what we mean when we discuss privacy laws. Some believe that privacy laws are simply a restriction on the right to speak freely. There is an aspect of privacy protection that may, in some circumstances, limit the disclosure of certain types of personal information obtained in the context of certain relations. But to view privacy law as only a restriction on publication is to misunderstand the structure, history and purpose of privacy laws in the United States.
Typically, privacy laws set out a range of rights and responsibilities for the collection and use of personal information. The Fair Credit Reporting Act, for example, does not simply limit the disclosure of information contained in a credit report, it also places on the credit reporting agency an obligation to ensure that the information is correct and timely, and it provides the subject of the credit report the opportunity to inspect the record and correct it if necessary. These responsibilities help ensure that information collected is used for its intended purposes and that determinations, such as whether a person qualifies for a car loan or can obtain a home mortgage, are based on accurate information.
The rights and responsibilities that provide the basis of privacy laws have come to be known as "Fair Information Practices." Although the specific elements that make up Fair Information Practices may vary somewhat, what is significant is the high degree of commonality of these principles, across subject matter, technologies, and jurisdictions. In many respects this is not surprising. The goal is simply to fairly allocate the responsibilities to safeguard personal information.
Not only have Fair Information Practices played a significant role in framing privacy laws in the United States, these basic principles have also contributed to the development of privacy laws around the world and even to the development of important international guidelines for privacy protection. The most well known of these international guidelines are the Organization for Economic Co-operation and Development's Recommendations Concerning and Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data ("OECD Guidelines"). Fair Information Practices also provided the basis for the recently concluded Safe Harbor arrangement between the United States and Europe.
3. Privacy Laws Respond to New Technologies
It is critical to understand that the recent history of privacy law in the United States is largely a story of efforts by Congress to pass laws to safeguard privacy as new technologies emerge. There is, for example, the Federal Wiretap Act of 1968, the Act that limits the monitoring of private communications. There is also the Privacy Act of 1974 that established a legal framework for the records collected by the federal government and addressed the specific concern of Big Brother monitoring by means of automated databases. There are the privacy subscriber provisions of the Cable Act of 1984 (cable television), the Video Privacy Protection Act (video rental records), the Electronic Communications Privacy Act of 1998 (electronic mail), the Polygraph Protection Act of 1988 (lie detectors), the Telephone Consumer Protection Act of 1991 (auto-dialers and junk faxes), and the Children's Online Privacy Protection Act of 1999 (children's data obtained by companies operating on the Internet). In addition, many laws at the state level are designed to further limit the monitoring of private activities in the United States.
Privacy laws have come about in response to challenges posed by new technologies. But the aim is rarely to limit the technology or to stifle a new business; it is instead to ensure that the data collection is fair, transparent, and subject to law. This approach builds consumer confidence, establishes a stable business environment, and allows for the benefits of new technology while safeguarding key interests.
4. Privacy Protection by Self-regulation is a Recent Development
Until about 1996, if one were asked to describe the US approach to privacy protection for personal information, one would likely have said there is "omnibus" protection with respect to records held by the federal government and "sectoral" protection concerning the private sector. The point is that the Privacy Act of 1974 covered all federal agencies, while regulation in the private sector had been done on a more piecemeal basis. The contrast with the European approach was also understood: Europe had adopted an "omnibus" approach for private sector records, based in part on the need to harmonize national law as part of the establishment of the European Union. In the United States there was little discussion of privacy protection through "self-regulation." There were a few efforts by trade groups to establish privacy practices, most notably the Mail Preference Service of the Direct Marketing Association, but these efforts typically came about as a means to hold off legislation.
Beginning in 1996 an effort began to develop a more comprehensive self-regulatory approach to privacy protection. Companies posted policies, privacy seals were announced, new organizations were established to review privacy practices, and the FTC said it would take action against firms that failed to follow their privacy policies. This was done for several reasons, including growing public concern about the loss of privacy, fear that legislation restricting certain business practices might be adopted, and recognition that the European Union might limit the transfer of personal information about European consumers to American firms unless steps were taken to establish stronger privacy safeguards.
It may be too soon to say whether this new "self-regulatory" approach will over time effectively protect the privacy of American consumers. The FTC last year concluded that while progress had been made, legislation was nonetheless required. But there are several recent developments that deserve further consideration by the Committee if there is going to be a meaningful evaluation of self-regulation. Here are five issues that I believe call into question the effectiveness of self-regulation:
- The redefinition of privacy. There has been a sharp departure from the bundle of rights associated with Fair Information Practices to a narrow characterization of privacy as simply "notice and choice" that is at odds with the tradition of privacy law in the US. Privacy notices appear to operate more like disclaimers or warning labels than any actual assurance of protection.
- The development of intrusive new marketing practices. Profiling, tracking, and monitoring of American consumers have become far more widespread as a result of the self-regulatory approach to privacy. It is not clear yet what the impact will be on educational or employment opportunities, but there is always the risk, in the absence of legislation, that once permanent dossiers on Americans are created they will be used for purposes completely unrelated to the original collection.
- The ability of the FTC to operate as an effective privacy agency. The FTC appears to lack the statutory authority, the resources, and the reporting requirements that are required to operate effectively on privacy issues. There are too many complaints, too little adjudication, and too little oversight.
- The ability to respond to new technologies. In the next few years we are going to see the development of new technologies that both hold great promise for innovation and technical achievement as well as significant risk to personal privacy. The use of genetic information, for example, poses new challenges that may be addressed more effectively through privacy legislation than the "notice and choice" approach.
- Growing public concern about the loss of privacy. At least one measure of success for a policy approach must be public support. There is little evidence to indicate that the public favors the self-regulatory approach to privacy protection.
While I remain very skeptical about self-regulation to protect privacy, I want to emphasize that establishing a right of privacy in law does not necessarily require extensive regulation. There are many privacy laws of only a few pages that are extraordinarily effective. The subscriber privacy provision in the Cable Act of 1984, for example, is one of the most effective privacy laws in the US. It provides a very good model going forward for emerging privacy issues in the commercial world.
5. Genuine Privacy Enhancing Technologies (PETs) Limit or Eliminate the Collection of Personally Identifiable Information
My fifth point is that technology does have a role to play in privacy protection, but it is critical to think carefully about the collection and use of personal information in evaluating various technical methods. To say simply "there must be technological solutions to technological problems" really does not tell us anything. Some technologies clearly exacerbate the loss of privacy, others may help restore privacy.
Over the last several years I have become particularly interested in the development of Privacy Enhancing Technologies (PETs). I have presented papers at international conferences and worked closely with several of the leading technical innovators in the world. I believe that there are methods that enable commerce and communication and that respect privacy. In my view, the goal is to promote genuine Privacy Enhancing Technologies that limit or eliminate the collection of personally identifiable information. Anonymity, for example, is critical to the future of privacy.
Of all the various approaches to online privacy, P3P may be the most problematic. It is the one privacy standard that provides no inherent privacy protection. It can as easily be used to extract data from consumers as it could be used to limit the collection of data. And I think this is fairly well understood by the industry groups that favor P3P. They do not believe that this standard will pose any significant obstacles to their plans for collecting and using personal information.
A better approach would seek to both enable commerce and to limit the collection of personal information. We have many examples of this in the physical world, from the metro card to movie tickets to the cash in our wallets. Privacy technologies should not hinder commerce but they should also not force consumers to trade privacy to participate in commerce.
6. Free Expression and Privacy Protection are Complementary Values
On the question of privacy and freedom of expression, this is clearly not a zero-sum relationship. This can be shown by the fact that there are many countries today with little regard for personal privacy or freedom of expression. The success of the US legal system is to preserve both interests, to safeguard free expression and to protect individual privacy.
There are also a series of cases that make clear that privacy and the First Amendment are complementary interests. In McIntyre v. Ohio, for example, the Supreme Court struck down an ordinance that required the publisher of a handbill to place her actual name on the pamphlet. In so doing, the Court recognized that the freedom to express one's views includes also the right to withhold one's identity. There are many other examples in American law where we safeguard privacy to promote free expression and freedom of association. It's worth noting, for example, that the freedom to vote as one wishes in a democratic society is safeguarded by the privacy of the voting booth.
There are tough cases where the First Amendment and privacy interests collide. The Supreme Court, for example, must determine this term whether the press may publish the contents of a private telephone call obtained by means of an unlawful wiretap. EPIC, my own organization, dedicated to both the protection of privacy and the promotion of free speech, struggled with the question on which side we would file an amicus. In the end, we decided it was too difficult a case. But recognizing that there are, in some instances, difficult cases does not mean as a general matter that it is not possible to protect privacy and to promote free expression.
7. Federal Privacy Legislation Typically Does Not Preempt State Law
The issue of federal preemption is arising increasingly in discussions about privacy protection. It is important to understand that as a general matter, federal privacy law operates as a baseline and does not preempt stronger state statutes. This is clear from laws such as the Video Privacy Protection Act of 1988 and the subscriber privacy provision in the Cable Act of 1984. This approach was reaffirmed recently in the privacy provisions of the Financial Modernization Act of 2000 and the HIPAA regulations.
There are important reasons in our form of government to continue to allow the states to operate as "laboratories of democracy." Congress may fail to act or it may act in such a way that reduces or limits the protections that a state might otherwise choose to provide for its citizens. States may also innovate and explore different approaches to common problems. California, for example, has recently passed legislation to address emerging privacy concerns and Maryland is now looking at new legislation that would provide important new protections.
8. Public Support for Privacy Protection is a Significant Consideration in the Legislative Process
In understanding the protection of privacy in America it is critical to keep in mind the central role that the Congress and the state legislatures have played in safeguarding privacy. In some instances, it has been the courts that have established rights of privacy, but more often it has been the legislature that has set out by means of statute the rights and responsibilities associated with the use of personal information in the commercial realm.
My belief is that there is today widespread public support to establish Fair Information Practices for the collection and use of personal information in the commercial sector. There is a strong American tradition to protect privacy in law, many legislative precedents, and broad-based public support. The question is whether Congress will accept the challenge and act to safeguard this right, described by Justice Brandeis "as the most comprehensive of all rights and the one most cherished by a free people."
I appreciate the opportunity to appear before the Committee today and will be pleased to answer your questions.