PRIVACY BLOOMS IN THE SPRING OF '99

In the spring of 1999, perhaps for the first time ever, privacy became a major public policy issue, often pushing agenda items like education reform and environmental protection off the front burner.

One recent event, as much as any, captures the new privacy dynamic. On June 10, the House Commerce Committee added privacy language to the Financial Modernization Act that would revamp the financial services industry and reshape key relationships among banks, insurance companies and securities firms. The Commerce Committee language, if enacted, would give bank customers and other customers of financial institutions a right to opt-out of disclosures of their personal information to third parties and even to company affiliates.

The financial services industry, which has vigorously opposed legislation that would impose restrictions on the sale or use of customer information (while embracing important protections of this kind which are adopted voluntarily), reacted bitterly to the House Commerce Committee action. The Washington Post quoted Dan Zielinski of the American Insurance Association as saying that there is now "a willingness to walk away" from the Financial Modernization Act.

Privacy Clout in Washington
Walk away? Would the financial industries actually walk away from legislation in the works for over half a decade which would fundamentally reshape Depression-era U.S. banking laws? The notion that a privacy provision could interfere with legislative reform, much less constitute a deal-killer, would have been laughable six months ago and unthinkable even a month ago. But, by June of 1999, this is only one example, even if a marquee one, of privacy's new "swack" in the nation's capital.

During this remarkable Washington spring, financial privacy is by no means the only privacy headline. The Senate remains hard at work on perhaps the most intractable and important privacy issue: health privacy. In May and June, the Senate Committee on Health, Education, Labor and Pensions repeatedly postponed a mark-up of legislation in an effort to find a consensus position on omnibus health information privacy legislation.

Disputes roil on over law enforcement access to health information; private rights of action; disclosures without consent for health management purposes; employer use of health information; and preemption of state law, among others. What is remarkable is not that these fights have erupted (after all, health information privacy legislation proponents have been at work on this issue for at least 20 years). Rather, what is striking is that, under pressure from a new privacy imperative, real progress is actually being made and most observers think that there is at least a 50-50 chance that health information privacy legislation will be enacted before Congress adjourns in the fall.

Privacy Survey Gets Mixed Reviews
Online privacy also continues to capture public and congressional attention. In May, Georgetown University Professor Mary Culnan released the results of her much-anticipated website privacy notice survey. The results were good for the business community, with just over 65% of the websites surveyed having a posted privacy notice. What followed, however, was the classic "glass half empty/half full" debate. The business community, joined by at least some FTC spokesmen, praised the voluntary progress that companies had made in the approximately one year since the FTC survey had found relatively few websites with posted privacy notices.

Privacy advocates and, to some extent, the media questioned whether these website policies were merely "wallpaper" and contended that companies have failed to develop and implement meaningful and adequate privacy policies. Even some Republican members of Congress dismissed the results as not providing a basis for allowing the industry to continue to rely exclusively on self-regulatory privacy policy. Sen. Conrad Burns (R-MT) promised that he would continue work on his online privacy protection act, especially so that the act could deal with Internet "bad actors."

Protecting DMV Records
Even with all this extraordinary privacy activity, the spring '99 privacy-fest was not over. In mid-June, the Senate Appropriations Committee reported out a transportation appropriations bill which includes language that would effectively prohibit state Departments of Motor Vehicles (DMVs) from releasing virtually any personal information, including name and address; social security or driver's license numbers; or other identification information without first obtaining the consumer's express written consent. Reportedly, the language is aimed, in part, at addressing one of the more recent privacy crises: Image Data's effort to convince state DMVs to give up photographic information that could be digitized and made available to merchants in point-of-sale settings.

Nevertheless, in one keystroke, without hearings and without any notice to the numerous industries which depend on access to motor vehicle information for everything from motor vehicle recalls and the disclosure of safety-related products and services to insurance fraud, the Senate threatens to wipe out the carefully crafted compromises embodied in the 1994 federal Driver's Privacy Protection Act (DPPA). Whatever eventually happens in the transportation appropriations bill, the fact that the Senate included this language is sure to add fuel to the debate over access to personal information in public record repositories, a debate which the Vice President has pledged to lead.

The Big Picture
What does all this extraordinary activity mean? For the public and for audiences which have not followed the privacy issue, this all looks very new and bewildering. Responding to the events this spring, a June article in Business Week described privacy as "suddenly" a "hot button" issue.

P&AB readers, who closely track the privacy issue, know that privacy has been approaching the ignition point for several years. Several factors have combined to make the public more privacy-conscious than perhaps at any other time in our history. They include new advances in information technology, particularly those associated with the Internet; new business models reflecting an ever-growing "urge to merge"; and a seemingly never-ending series of "tin ear" governmental initiatives aimed at selling government employee information, enlisting banks to watch their customers or creating "Star Trek" type surveillance systems and databases.

The intriguing public policy question at this point is not whether the privacy landscape will change. It will change and, in fact, has already changed. It seems certain that important new privacy laws will be enacted; that effective self-regulatory initiatives will continue to emerge; and that the EU Data Privacy Directive and the international tide of privacy enactments will continue to push forward the adoption of U.S. privacy law and policy. The result for consumers will be more choice; opportunities to partner with businesses in voluntarily providing information in exchange for benefits and premiums; and for redress when things go wrong.

The critical question is whether the U.S. will be able to assimilate all of these new privacy protections and still preserve an economy and an environment in which personal information can be used effectively for risk management and to create and deliver better services for lower prices.

FINANCIAL PRIVACY
As already noted, financial privacy legislation has been the marquee privacy issue of the spring, attracting considerable attention from both the Clinton Administration and Congress.

The Administration
On May 4, the White House held a privacy event where President Clinton announced the Clinton-Gore Plan for Financial Privacy and Consumer Protection in the 21st Century. The Plan is based on the following five principles:

• Protect consumers' financial privacy
• Require additional information disclosures to consumers
• Increase efforts to prevent fraud and abusive practices
• Expand consumers' access to financial services
• Raise the level of consumer understanding of financial issues through improved consumer education.

Under the first principle, the Administration would require financial institutions to notify consumers about their information sharing and dissemination practices. Currently, there are no federal restrictions on the sharing of transaction or "first-party" information. The Administration will support legislation that allows consumers to control how their financial information is used and shared.

With the increasing numbers of mergers in the financial services sector, the Administration supports legislation that prohibits sharing of medical information among affiliates or with third parties, except in certain situations. The Administration also supports legislation to criminalize pretext calling and supports congressional efforts to give bank regulators broader authority to ensure compliance with privacy protections.

Other Administration Activities
In early spring, the Administration put into play the Vice-President's pledge made last year to give consumers greater protections for personal information and appointed Peter Swire as the Chief Counselor for Privacy.

The Administration plans to launch an Identity Theft Enforcement Initiative that will involve the cooperation of federal, state and local law enforcement agencies. As part of its Initiative, the Administration will form a public/private partnership in order to educate consumers on ways to protect against identity theft. The Initiative will reportedly include a national identity theft summit headed up by the Treasury Department. The Administration will also propose additional penalties for persons convicted of identity theft.

In April, the FTC filed its first case against a company for pretext calling. The FTC filed suit against Touch Tone Information, Inc. (Touch Tone), a Colorado company, after conducting a sting operation in which Touch Tone was caught using pretext calling to obtain financial information about an individual. The FTC alleged that Touch Tone's practices were unfair, deceptive and in violation of the FTC Act. (Congress is currently considering legislation to prohibit this practice.)

Touch Tone, motivated in part by the potential impact on the information broker industry, has decided to contest the allegations made by the FTC. Touch Tone will argue that the FTC's action is improper because Touch Tone has not misled any consumers, a necessary element of a case under the FTC's unfair and deceptive practices standard. To bolster its argument, Touch Tone will use the fact that the House Banking Committee has carved out an exception to the prohibition on pretext calling for licensed private investigators and their employees for the purpose of identifying assets of deadbeat dads when the Committee incorporated H.R. 30, the "Financial Information Privacy Act of 1999," into H.R. 10. The Coalition to Amend the Financial Information Privacy Act is lobbying Congress to further expand the exception. Touch Tone has received considerable support from the information broker industry.

In a speech before the Consumer Bankers Association on June 7, the Comptroller of the Currency, John Hawke Jr., was highly critical of the privacy practices of some in the financial services industry and warned that industry failure to address "abusive conduct creates a fertile seedbed for legislation." Hawke cautioned that the legislative "cure can be more painful [for industry] than the disease."

CONGRESSIONAL ACTIVITY
On April 28, Rep. Jay Inslee (D-WA) circulated a "Dear Colleague" letter seeking cosponsors for his "Banking Privacy Act," which would "give consumers the right to opt-out of any information sharing plan". Routine transactions and disclosures required to prevent abuses such as fraud would not be affected. Rep. Inslee formally introduced the bill, H.R. 1929, on May 25.

Also on April 28, the Subcommittee on Finance and Hazardous Materials of the House Commerce Committee held a hearing on H.R. 10, during which Alan Greenspan, the Chairman of the Board of Governors of the Federal Reserve System, testified. When asked about the financial privacy language that was added to H.R. 10 during last month's markup by the House Banking Committee (see p. 3 of Vol. 6 No. 3 for details), Chairman Greenspan said that financial privacy issues present a difficult problem. The Subcommittee approved H.R. 10 on May 27 including privacy language that would require companies to notify customers of the companies' privacy policies and prohibit pretext calling.

The "Financial Services Modernization Act" (S. 900) passed the Senate, by a vote of 54 to 44 on May 6. During the full Senate debate, Sen. Phil Gramm (R-TX), Chairman of the Senate Banking Committee, proposed an amendment (Amendment No. 308) to add the "Financial Information Anti-Fraud Act of 1999" to the bill. The Financial Information Anti-Fraud Act:

• Prohibits the act of obtaining customer information from a financial institution under false pretenses
• Requires the Government Accounting Office to conduct a study on the success of the Financial Information Anti-Fraud Act and to consider whether additional legislation is necessary
• Requires the FTC to submit an interim financial privacy report
• Requires federal banking agencies to establish a consumer grievance mechanism.

The Senate approved Sen. Gramm's amendment, by a vote of 95 to 2. Sen. Paul Sarbanes (D-MD), Ranking Democrat on the Senate Banking Committee, supported the amendment but characterized it as "limited." He stated that broader financial privacy protections, such as those found in S. 187, his "Financial Information Privacy Act of 1999," must be enacted. The bill would give consumers control over sharing and disclosure of their financial information. Sen. Gramm agreed to hold Banking Committee hearings on financial privacy issues, the first of which was held June 9, signaling that the Committee and Sen. Gramm will likely accept some privacy protections for first party financial information.

White House Veto is Expected
The White House has indicated that the President will veto the bill because in its current form, it requires that cross-ownership of banks, investment firms and insurance companies be done through holding companies rather than operating subsidiaries. The White House also objects to language in the bill easing Community Reinvestment Act requirements. And, there have been reports that financial privacy issues could be a sticking point for the White House.

The full House Commerce Committee passed H.R. 10 after adding new and more stringent privacy provisions on a voice vote on June 10. The privacy language included was the result of amendments offered by Rep. Ed Markey (D-MA) and Paul Gillmor (R-OH). The bill, as passed by the Commerce Committee, would require financial institutions to give their customers the ability to opt-out of information sharing between financial institutions and their affiliates or third parties, including direct marketers.

The Committee also adopted, by a 25-23 vote, an amendment by Rep. Greg Ganske (R-IA) that would prohibit new financial conglomerates, created as a result of the bill's restructuring of the financial services industry, from sharing personal medical information with other companies. Most Committee Democrats voted against the Ganske Amendment, arguing that it did not go far enough to protect consumers.

Rep. Markey proposed an unsuccessful amendment which would have barred companies from sharing personal financial information without the consent of the individual to whom the information pertained.

HEALTH INFORMATION PRIVACY
Congress continues to work on passing health information privacy legislation this year.

Sen. Robert Bennett (R-UT) introduced S. 881, the "Medical Information Privacy Act of 1999" on April 26. The Bennett bill, which has considerable industry support, is the third major health privacy bill introduced in the Senate this year, following the earlier introduction of S. 573, the Medical Information Privacy and Security Act by Sen. Patrick Leahy (D-VT); and S. 578, the "Health Care Personal Information Nondisclosure Act," introduced by Sen. James Jeffords (R-VT).

The Senate Health, Education, Labor and Pensions Committee held its seventh hearing on health information privacy legislation on April 27. Chairman Jeffords presided over the hearing with Senators Leahy and Bennett among the witnesses. The focus of the hearing was law enforcement access to personal health information, access for medical research, preemption of state law and the use of a consolidated authorization for payment, treatment and health care operations. Sen. Jeffords pledged to draw the best from each of the competing Senate proposals and to mark-up legislation in May. The Committee has scheduled a mark-up several times, but has been forced to postpone it amid disagreements over private rights of action, preemption and law enforcement access among other issues.

Rep. Gary Condit (D-CA) introduced H.R. 1941, the "Health Information Privacy Act," on May 25. The bill would restrict use and disclosure of personally identifiable health information, provide individuals with the right to access and correct their health information, and impose civil and criminal sanctions for violations of the act. It would permit private actions by individuals who are "adversely affected" by a violation of the Act.

The Health & Environment Subcommittee of the House Commerce Committee held a hearing on health information privacy on May 27. A wide range of issues were explored but the main focus was on how potential legislation may impact medical research and whether federal legislation in this area should completely preempt state law or serve as a "floor," while permitting states to pass more stringent measures.

ONLINE PRIVACY
In late April, the FTC issued its proposed regulations to implement the Children's Online Privacy Protection Act ("COPPA"). Under the proposed rules, websites that target children must obtain parental consent before collecting personal information from children under age thirteen. Parents will also have the right to decide whether information about their children may be disclosed to third parties and to prohibit future use and collection of information about their children.

On May 4, the Office of Comptroller of the Currency ("OCC") issued an advisory letter describing in general terms what the OCC believes are effective online privacy practices. The OCC states in its advisory that these examples are not to be interpreted as imposing new requirements on national banks but are intended to help national banks develop and implement their own online privacy policies.

Rep. Bob Goodlatte (R-VA) and Rep. Rick Boucher (D-VA) introduced their long-awaited Internet bills, the "Internet Growth and Development Act of 1999" (H.R. 1685) and the "Internet Freedom Act" (H.R. 1686) on May 6. The Goodlatte bill addresses digital signature and privacy issues. Title I authorizes the use of electronic signatures and gives them the same legal effect as written signatures. Title III requires Internet website operators to post a clear and conspicuous notice describing the site's policies regarding the collection, use and disclosure of personally identifiable information.

Rep. Goodlatte's staff has also told P&AB that the Congressman is considering whether he should draft additional legislation to protect online privacy.

On May 12, Professor Culnan released the results of the Georgetown Internet Privacy Policy Survey, which found 65.7% of websites (364 websites were randomly selected from the 7,500 most-visited websites) posted a privacy notice or an information practice statement. Of the surveyed sites, 9.5% were found to have "adequate" privacy policies (e.g., notice, choice, access, security, and contact information).

FTC Chairman Pitofsky had a very positive reaction to the results. He commented, "Online firms deserve considerable credit for making progress over the last year." However, FTC Commissioner Mozelle Thompson expressed concern that less than 10% of the surveyed sites had adequate privacy policies.

Staff for Sen. Conrad Burns (R-MT), who has taken a key role on online privacy issues during the 106th Congress, reacted to the results of the Georgetown Survey by saying that while the results showed progress, he will continue to try to move his Online Privacy Protection Act (S. 809) especially to deal with "bad actors." Privacy advocates expressed concern about the survey results and urged Congress to take legislative action.

The Online Privacy Alliance (OPA) concurrently unveiled the results of their survey of the 100 most-visited websites. The OPA Top 100 Survey found that 94% of the top 100 websites posted a privacy disclosure, an increase of 23% over last year. In addition, 21% of the sites collecting personal information address all of the four basic fair information practices. Members of the OPA stated that the results of both surveys demonstrated an improvement in online privacy protections.

Out of the governmental arena, during the first week of May, the Direct Marketing Association (DMA) announced that it had acquired the Internet Alliance. The Internet Alliance's membership includes America Online, Bell Atlantic, eBay, Microsoft, Netscape, Prodigy and USWest. Through its affiliation with DMA, the Internet Alliance can take a more active role on a variety of issues including privacy.

ENCRYPTION
During the first week of May, in what is being described as a "landmark decision," the Ninth Circuit Court of Appeals ruled that the Clinton Administration's executive order limiting the exportation of encryption (source codes) is unconstitutional because it violates the First Amendment. (Bernstein v. United States Department of Justice, No. 97-16686, D.C. No. CV-97-00582 (9th Cir. filed May 6, 1999).) Privacy advocates view the decision as a significant step toward eliminating encryption export controls. Privacy advocates are somewhat cautious, however, because they anticipate Supreme Court review of the decision.

During May both the House and the Senate scheduled hearings on pending encryption legislation. The House International Economic Policy and Trade Subcommittee held a hearing on encryption and high-tech security issues on May 18. The Senate Commerce Committee postponed a May 25 hearing on S. 798, the "Promote Reliable On-Line Transactions to Encourage Commerce and Trade (PROTECT) Act of 1999," introduced by Sen. John McCain (R-AZ).

On June 16, the House Subcommittee on Telecommunications, Trade and Consumer Protection unanimously approved H.R. 850, the "Security and Freedom through Encryption (SAFE) Act," which eases restrictions on the sale of strong encryption products in the U.S. and abroad.

DRIVER'S PRIVACY PROTECTION ACT
On May 17, the Supreme Court agreed to hear the case, Condon v. Reno, 155 F.3d 453 (4th Cir. 1998), which found the DPPA unconstitutional. Two other appellate courts, the Seventh Circuit and the Tenth Circuit, have upheld the constitutionality of the DPPA. The Supreme Court has, in recent years, struck down several federal statutes as unconstitutional infringements upon states' rights.

As already noted, the DPPA is also in play on Capitol Hill as a result of Sen. Shelby's sponsoring of a provision in the Department of Transportation appropriations bill. That provision would effectively prohibit the states from disclosing personal information in state DMV records without the express written consent of the individual to whom the information pertains. States that fail to comply would be ineligible to receive federal transportation funds. While the DPPA has over a dozen detailed exceptions where a state may choose to disclose driver's license information to third parties without consent of the individual, Sen. Shelby's language contains an exception only for law enforcement, which permits the disclosure of personal information in cases where failure to disclose the information "would hinder the ability of that law enforcement agency, acting in accordance with applicable law, to gain access to a driver's license or photograph of an individual."