Privacy Legislation: The 107th Congress

Three years ago at the start of the 105th Congress, most of the privacy-interested community believed that the "stars were in alignment" for Congress to enact important information privacy legislation. "Enactment expectations" were based on:

Record high survey results showing that almost 90% of the American public is concerned about privacy
Frequent press stories chronicling privacy problems or decrying the lack of privacy protections
Aggressive federal regulatory action led by the Federal Trade Commission (FTC)
Unprecedented significant privacy activity in the states
New technological initiatives (such as Internet identification software)
New business arrangements (such as the CitiCorp/Travelers merger) which were perceived by the public as privacy-threatening
Significant pressure from the European community for the U.S. to strengthen its privacy laws.

Despite all this, privacy legislation, with rare exception, did not happen.

Privacy Talk; Will There be Action?

With the start of the 106th Congress, the "stars" are still in alignment. The question, however, is whether the 106th Congress will follow the pattern of recent congresses — lots of hearings, introductions and talk, but no privacy action. Several important factors suggest that the 106th Congress may be different. Three key information privacy issue clusters have matured to the point where both Republican and Democratic members and staff predict legislative enactments.

First, medical record privacy has attracted intense congressional scrutiny for the last several years. Congress has given itself until August 19 to legislate or process defaults to the Department of Health and Human Services (HHS). Congress is expected to extend that deadline but take at least some substantive action prior to adjournment of the 106th in October 2000.

Second, the Congress shows every sign of wanting to legislate on Internet privacy. Internet privacy has such a high profile that many believe it will prove irresistible. The issue has already attracted several important Republican adherents.

Third, financial record privacy activity is off to an early start in the 106th and may well be at the point where Congress feels compelled to act. The recent intense and indeed unprecedented public reaction to the federal bank regulatory agencies' proposed "Know Your Customer" rules is seen by many to virtually guarantee that the Congress will take some action on financial record privacy.

Another factor suggesting that the 106th Congress may be different is the reemergence of "Big Brother" fears. From 1974-1976, Congress enacted the Privacy Act, added privacy protections to the Freedom of Information Act and created the Privacy Protection Study Commission to allay concerns over government intrusion. Once again, the public, the media and members of Congress seem increasingly uncomfortable about the federal government's use of numeric identifiers for health care payment purposes; use of Social Security Numbers (SSNs) and databases to track down deadbeat dads or identify illegal aliens; and, of course, about the now notorious "Know Your Customer" rules.

Likelihood of Privacy Enactments in the 106th

Finally, Congressional privacy enactments are frequently preceded by the private sector's development of self-regulatory codes. Ironically, these codes are often developed, at least in part, to deflect legislation. However, they often provide a legislative template for congressional action. They give members of the Congress a comfort level that by incorporating self-regulatory standards into federal law, they are not disrupting the business practices of at least the industry leaders. And, enactment of federal legislation covers the "outliers" that have failed to subscribe to industry-initiated standards. When Congress enacted comprehensive reforms of the Fair Credit Reporting Act (FCRA) in 1996, it was merely codifying better privacy and business practices which the industry had introduced and implemented over the previous five years.

Even taking these differences into account, no seasoned Washington observer would be surprised if the 106th adjourns without any significant privacy enactments. These same observers, however, would also not be surprised if the 106th Congress proves to be the Congress in which significant and comprehensive privacy law is, in fact, enacted.

It seems increasingly likely that the 106th Congress will tackle financial record privacy. At present, financial information, when held by consumer reporting agencies and credit bureaus, is closely regulated under the FCRA (not to mention state credit reporting acts in almost two dozen states). So-called "first party" financial record information, however, is not subject to comprehensive federal privacy regulations. First party information refers to information about a financial institution's experience with its own customers. The theory justifying the privacy regulation of third party information (i.e., information held by consumer reporting agencies) but not first party information is that this information is as much the bank's record of its transactions with a consumer as it is the consumer's own information. Accordingly, it is argued that banks should be able to use this information (and, if they so choose, disclose this information) without statutory or regulatory restrictions. As a practical matter, however, banks have been careful with this information, particularly as it relates to their relationship with depository customers. In addition to the banks' pro-privacy custom and usage, there are some state statutory and regulatory restrictions and common law theories that work to restrict the disclosure of first party information. Most recently, the federal bank regulatory agencies have pressured banks to be sure that their policies restrict disclosure of first party information. Reform advocates argue that even if it was once true that the first party/third party distinction made sense, that distinction has lost its force since banks are increasingly part of much larger, affiliated corporate families which include brokerage houses and insurance companies.
Further, critics of the current regime argue that the first party/third party distinction is irrelevant to the question of how sensitive the information is and how much of a privacy threat its disclosure and/or misuse represents. Already, the 106th Congress has begun what promises to be a heated debate over privacy regulation of first party information.

The House Banking Committee got off to a fast start by including information privacy provisions in its financial modernization legislation. The Senate Banking Committee, by contrast, did not include privacy language in its financial modernization bill, S. 576, the "Financial Regulatory Relief and Economic Efficiency Act of 1999." Chairman Jim Leach's (R-IA) "Financial Services Act of 1999" (H.R. 10) was approved on March 11. During the markup, the Committee signed off on a privacy amendment offered by Chairman Leach and Rep. Bruce Vento (D-MN) after a heated debate over a far more controversial first party proposal offered by Rep. Jay Inslee (D-WA). The Inslee amendment would have prohibited the sharing of financial and medical information among affiliated banks, insurance companies and securities firms if customers chose to opt out. Industry representatives opposed this requirement because of the cost to administer an opt-out program and the ban on cross-marketing.

The compromise Leach/Vento amendment requires depository institutions to disclose their privacy policies to customers. The privacy policies must address the institutions' policies on disclosing customer information to third parties for marketing purposes and must include Fair Credit Reporting Act (FCRA) disclosures describing customers' rights to choose not to allow affiliate sharing of information. The amendment also restricts dissemination of medical information. In particular, it prohibits insurance companies from sharing medical information with affiliated banks, except under certain circumstances. In addition, the amendment requires federal banking agencies to conduct a study to determine whether existing laws which regulate affiliate sharing of customer information provide adequate privacy protections. Finally, the amendment incorporates Chairman Leach's "Financial Information Privacy Act of 1999," introduced as H.R. 30 on January 6. The provisions of the bill prohibit the act of obtaining customer information from a financial institution under false pretenses — that is, 1) by knowingly making a false, fictitious or fraudulent statement to a customer or an employee or agent of a financial institution or 2) using false or stolen identification with the intent to deceive the individual into providing the customer information. Under this proposal, it would also be illegal to ask another individual to obtain customer information under false pretenses.

The Financial Information Privacy Act of 1999

The first party debate has also raged in the Senate. On January 19, Ranking Senate Banking Committee Member Paul Sarbanes (D-MD) introduced S. 187, the "Financial Information Privacy Act of 1999." S. 187 would require each of the federal banking agencies, and the Securities and Exchange Commission, to issue rules to protect the privacy of "first party" information. This includes, but is not limited to, personally identifiable information pertaining to deposit and trust accounts, certificates of deposit, securities holdings and insurance policies.

The rules must establish the following system for protecting confidential customer information:

Financial institutions must provide notice to consumers identifying the information to be shared/disclosed; the circumstances under which information will be shared/disclosed; with/to whom the information will be shared/disclosed; and for what purposes the information could be shared/disclosed
Affiliates may not share the information if the consumer has opted out
Non-affiliates may not share the information unless the consumer has opted in
Customers must be provided access to their customer information in order to review it for accuracy and to correct inaccurate information
Financial institutions must require that entities from which they obtain confidential customer information follow similar privacy protection procedures.

Financial institutions would not be prohibited from sharing/disclosing confidential customer information in the following situations:

If the information is essential to processing a customer-authorized financial transaction
To a governmental, regulatory or self-regulatory authority for an authorized purpose
To a court of competent jurisdiction
To a consumer reporting agency for inclusion in a consumer report that is released for a § 604 permissible purpose
When the information is not personally identifiable.

The Act would not amend or alter FCRA. However, as introduced, the bill could be interpreted as making credit header information subject to privacy regulations. Credit header information would not fall under any of the exemptions, including the exemption for financial institutions providing confidential customer information to consumer reporting agencies, because credit header information is not a consumer report.

So far, all eleven Senate Banking Committee Republicans oppose Sarbanes' first party bill and all nine Democrats support the bill. Democrats are optimistic that before the 106th adjourns, they will pick up two Republican votes — at least on the affiliate sharing part of Sarbanes' bill.

Other Financial Privacy Bills

Rep. Ron Paul (R-TX) introduced the "FinCen Public Accountability Act" (H.R. 517) on February 3. Under this Act, consumers would be able to check data about themselves (i.e., suspicious activity reports) included in the database jointly run by the IRS and the Treasury Department's Financial Crimes Enforcement Network (FinCen).

Rep. Lynn Rivers (D-MI) introduced H.R. 649, the "Real Estate Transaction Privacy Promotion Act," on February 9. H.R. 649 would prohibit lenders from requiring borrowers to agree to provide lenders with unlimited access to their tax records unless certain conditions are met.

It is expected that longtime privacy leader Rep. Ed Markey (D-MA) will also introduce financial privacy legislation in the 106th.

"Know Your Customer"

Last December, bank regulatory agencies published for comment proposed "Know Your Customer" rules requiring banks to track customers' routine activities and report inconsistencies to authorities in an effort to identify suspicious transactions. The banking regulatory agencies got more comment than perhaps they bargained for. On March 5, by an 88-0 vote, the Senate added a provision to the education bill prohibiting the bank regulatory agencies from adopting Know Your Customer rules. Meanwhile, the agencies were flooded with an unprecedented number of comments, the vast majority of which were sent via email, rejecting the proposal. After 3 months of debate, bank officials dropped the rule.

In late January, FTC Chairman Pitofsky stated that he may recommend that Congress enact online privacy legislation if it becomes clear that industry self-regulation is unsuccessful. The FTC will make its decision based upon the results of this year's Internet "sweep" conducted in March. Their annual public workshop on consumer protection in the global electronic marketplace will be held June 8-9. In the meantime, Congress is gearing up to address online privacy concerns with several bills already introduced. House Commerce Committee Chairman Tom Bliley (R-VA) has expressed his support for bills that incorporate self-regulatory efforts to protect online privacy. Senate Judiciary Committee Chairman Orrin Hatch (R-UT) stated that e-commerce issues are a priority and that online privacy will be among those addressed in the 106th. Senate Commerce Communications Subcommittee Chairman Conrad Burns (R-MT) has become the de facto leader in the Senate on online privacy issues. On January 29, Sen. Burns outlined his Subcommittee's twelve legislative priorities for 1999. The priorities, dubbed the "Digital Dozen," include online privacy protection and encryption legislation, digital signature and spamming legislation.

Bill Summaries

While Sen. Burns has not formally introduced his own "Online Privacy Protection Act of 1999," his staff is circulating a draft version of the bill. The draft has been criticized for being:

Too broad— It would require website operators and online services to obtain consent as a prerequisite for any collection, use or disclosure of personal information.
Vague and contradictory— Despite its broad consent requirement, the bill attempts to carve out certain situations in which consent is not required. The exceptions listed are vague and inconsistent.
Giving the FTC too much discretion— The bill gives the FTC the authority to promulgate regulations to implement the Act, including regulations on notice, consent, access, confidentiality and security procedures, and safe harbors. The FTC would also have enforcement authority under the Act.

Rep. Bruce Vento introduced H.R. 313, his "Consumer Internet Privacy Protection Act of 1999," on January 6. (During the 105th, this bill was numbered H.R. 98.) H.R. 313 regulates interactive computer services' use of personally identifiable information. In particular, interactive computer services would be required to obtain a consumer's prior written consent before disclosing personally identifiable information to third parties.

Rep. Ed Markey is expected to introduce his Privacy Bill of Rights legislation shortly.

The 105th Congress enacted the Children’s Online Privacy Protection Act which restricts the online collection of information about children under age thirteen. In this Congress, we are likely to see a push to protect children’s privacy beyond the online world. Rep. Bob Franks (R-NJ) has already introduced the "Children’s Privacy Protection and Parental Empowerment Act of 1999" (H.R. 369). The bill would require list brokers — persons who sell mailing lists, computerized or telephone reference services, or databases — to obtain parental consent before selling personal information about children under the age of sixteen. List brokers would also be required to respond to requests from parents to identify the sources of personal information about their children; to disclose what information is being disclosed about children; to disclose the identity of recipients of the information; and to comply with parents’ requests to cease providing personal information about their children. In addition, persons who use personal information about children to offer a commercial product or service to a child would have to make similar disclosures to parents upon request.

Concern over widespread use of SSNs has prompted introduction of the following bills restricting the use of SSNs:

Rep. Ron Paul (R-TX) introduced H.R. 220, the "Freedom and Privacy Restoration Act of 1999," on January 6. The bill would prohibit the federal government from using SSNs or any other identifiers that could promote or establish a national identification card. The bill does not address the use of SSNs by private sector organizations.

Rep. Bob Franks (R-NJ) introduced H.R. 367, the "Social Security Online Privacy Protection Act of 1999," on January 19. Rep. Franks introduced a similar bill, H.R. 1287, during the 105th Congress. H.R. 367 would regulate the use of SSNs and other personally identifiable information by interactive computer services. Under H.R. 367, interactive computer services would be required to obtain an individual's prior informed written consent before disclosing an individual's SSN or other personally identifiable information to a third party. An "interactive computer service" is a service providing Internet access to multiple users via an online network.

GAO Report

The GAO released its long-awaited report on the use of SSNs in government and business in mid-February to the Chairman of the Subcommittee on Social Security, Rep. Clay Shaw (R-FL). The subcommittee is expected to hold hearings on the retirement system, including the issue of SSN privacy. The GAO conducted research during 1998, which consisted primarily of interviewing government and business representatives. After describing federal laws and regulations that require and restrict uses of SSNs, the GAO report focuses on three industries that routinely use SSNs: (1) individual reference services; (2) financial services; and (3) healthcare services. The report also describes SSN uses by state taxing entities and departments of motor vehicles. These entities use SSNs for two primary reasons: (1) to locate records in order to maintain and update their records; and (2) to facilitate information exchanges with third parties.

Use of SSNs in Business & Government

The Individual Reference Services Industry— The report notes that the growth of the information broker industry has caused concern about the dissemination of personal information (e.g., SSNs) to third parties. Individual reference services may search their databases by SSN and/or they may provide SSN information in their reports to requesters. According to an information industry source, SSNs are more frequently found in public records than nonpublic records.

Financial Services— Financial services businesses, such as banks and credit card companies, voluntarily include SSNs in the information they submit to consumer reporting agencies. The report emphasizes the importance of SSNs in identifying the correct consumer files, updating information in consumers' credit files and retrieving consumer reports. Banks and credit card companies rely on consumer reports to provide credit services.

Healthcare Services— The report describes the degrees to which healthcare services rely on SSNs. Some healthcare organizations assign patients identifiers other than an SSN. Some health insurers, however, use the SSN (or a variation) as the patient identifier. The GAO concludes this industry section with the statement: "Officials in the healthcare industry expect their use of SSNs to increase."

State Agencies— State agencies, such as those that administer taxes, provide public assistance and administer drivers' licenses and motor vehicle registrations, utilize SSNs to administer their programs, for auditing purposes, and to ensure compatibility with the federal system.

According to the GAO, both business and state government officials agree that new federal laws restricting use of SSNs would have a negative impact on their ability to perform routine internal activities. For example, credit bureaus may be unable to accurately post consumer information. Data exchanges might also be affected. The GAO noted that industry as well as state Departments of Motor Vehicles (DMVs) have voluntarily implemented protections for SSNs. The individual reference services industry principles are identified as an example, but the GAO did not comment on their effectiveness because the principles were not fully implemented until December 31, 1998.

Confidentiality of Drivers’ License Information
In January, plans by Image Data, a small New Hampshire company, to purchase drivers’ photographs from state DMVs resulted in harsh consumer criticism and state action. Image Data intended to create a database of digital photographs that retailers could use to combat identity theft. Colorado, Florida and South Carolina subsequently cancelled their contracts to sell drivers’ photos to Image Data. The episode has caused some state legislatures to review their laws regarding the sale of personal information. To complicate matters more, the Washington Post reported in February that Image Data received $1.5 million in federal funding and technical assistance from the Secret Service during 1998. Members of Congress who supported the funding and assistance envisioned that Image Data’s TrueID database would be used not only to reduce check and credit card fraud but also to combat terrorism, immigration abuses and other crimes involving identity fraud. Upon learning of this connection, some state officials felt that they had been misled. In response to recent events, privacy groups are calling on Congress to amend the Driver’s Privacy Protection Act (DPPA) to cover additional categories of information including drivers’ photographs. The federal circuit courts, however, continue to grapple with the constitutionality of DPPA. In mid-December, the U.S. Court of Appeals for the Seventh Circuit upheld the constitutionality of DPPA. The Seventh Circuit joined the Tenth Circuit in upholding the Act. By contrast, the Fourth Circuit struck down the Act after finding that it violated the Tenth Amendment.

On December 31, the Department of Commerce formally published its interim encryption rule (63 Fed. Reg. 72156), which updates the Administration's policy on the exportation of encryption products to U.S. subsidiaries, insurance companies, health and medical end-users, online merchants and foreign commercial firms. While acknowledging that the Administration has provided some relief to industry and increased privacy protections by allowing the export of 56-bit encryption technology, the privacy community continues to criticize the Administration's encryption policy for offering only limited assistance. Encryption legislation received serious consideration during the 105th; however, no bill was enacted. Encryption legislation will likely receive serious consideration again in the 106th.

Bill Summaries

Rep. Bob Goodlatte (R-VA) introduced H.R. 850, the "Security and Freedom through Encryption (SAFE) Act," on February 25. The bill was reported out of the Judiciary Committee on March 24.

Senator Conrad Burns (R-MT) has said that he will reintroduce the Promotion of Commerce Online in the Digital Era ("Pro-CODE") bill. This bill (S. 377 in the 105th Congress) would relax the current U.S. encryption export restrictions by prohibiting key-recovery and loosening export regulations.

Medical record privacy is a priority in the 106th Congress. Congress signaled its interest in protecting the confidentiality of medical information when the House Banking Committee included restrictions on affiliate sharing of medical information in its financial services modernization legislation. Under the 1996 Health Insurance Portability and Accountability Act, Congress has until this August to enact comprehensive health information privacy legislation. If Congress does not meet that deadline, the Secretary of HHS will have the authority to publish comprehensive regulations. In his State of the Union address, President Clinton reminded Congress of the August deadline — "Because Congress has given me the authority to act, if it does not do so by August, one way or another, we can all say to the American people, we will protect the privacy of medical records this year."

On February 24, the Health, Education, Labor and Pensions Committee held a hearing on protecting the privacy of medical records. It focused on a Committee-requested GAO report examining privacy issues relating to health research. During the hearing, comprehensive health information privacy bills introduced in the 105th by Senators Jeffords, Leahy and Bennett were mentioned. The issue of preemption has become a sticking point for legislators.

Bill Summaries

Sen. Patrick Leahy (D-VT) and Rep. Ed Markey (D-MA) introduced companion bills (S. 573 and H.R. 1057, respectively) captioned the "Medical Information Privacy and Security Act." This bill provides individuals with access to their health information; ensures the privacy of healthcare related information; imposes criminal and civil penalties for unauthorized use of protected health information; and provides for the enforcement of these rights.

Sen. Jim Jeffords (R-VT) introduced S. 578, the "Health Care Personal Information Nondisclosure Act." S. 578 ensures the confidentiality of medical records and healthcare related information.

Sen. Bennett (R-UT) has not reintroduced his health information privacy bill — a bill that is well liked by industry.

Genetic Privacy Legislation

There is also likely to be activity during the 106th Congress on genetic nondiscrimination/privacy legislation. Rep. Louise Slaughter (D-NY) has reintroduced her "Genetic Information Nondiscrimination in Health Insurance Act" (H.R. 306). The bill would prohibit health insurers from discriminating against individuals based upon genetic information. During the 105th Congress, Rep. Slaughter's bill had 210 bipartisan cosponsors in the House. Newly elected Rep. John Sweeney (R-NY) has introduced a similar bill, H.R. 293.

Wireless Telephone Privacy

During February, H.R. 514, the "Wireless Privacy Enhancement Act," received "fast track" treatment in the House. The bill would protect the confidentiality of cellular telephone conversations by prohibiting the modification of wireless scanning devices. After hearings and Subcommittee and Committee markups in February, the House approved the measure by a vote of 403-3.

Anti-paparazzi Legislation

Rep. John Conyers (D-MI) introduced H.R. 97, the "Personal Privacy Protection Act," on January 6. This "anti-paparazzi" bill, and similar bills introduced during the 105th, would impose criminal and civil penalties on an individual who persistently follows another person, causing that person to have a reasonable fear of bodily injury, in order to obtain a photograph or other physical impression of the person. The bill would also impose liability on persons who engage in tortious invasions of privacy in order to obtain a photograph or other physical image.