Has the Congress Lost Interest in Privacy?

From a privacy standpoint, the second session of the 105th Congress, thus far at least, is a slow starter. Because the truncated election year schedule calls for only 99 days of legislative activity, many members and staff are already predicting that little privacy work will be accomplished before Congress’ targeted early October adjournment.

Media and privacy advocates have privately complained that congressional prospects for privacy legislation should not be so dim because there is ongoing and intense media scrutiny of the issue; polling continues to show enormous public interest in privacy; and state legislatures are showing no such reticence in tackling privacy legislation.

Several factors seem to be at work:

• Viable political constituencies to support most types of information privacy legislation remain hard to find in Washington.

• As the states enact privacy legislation, the need for federal legislation diminishes and the impact of federal preemptive privacy legislation proportionately increases.

• The Clinton Administration’s well-orchestrated and increasingly focused campaign for a self-regulatory approach to privacy protection is having an effect on Capitol Hill.

• EU pressure on the U.S. to enact comprehensive information privacy legislation may be having a reverse effect. As President Clinton and Ira Magaziner articulate a U.S. policy based on self-regulation, Congress increasingly seems to view efforts at comprehensive privacy legislation as undercutting the Administration's foreign policy efforts.

• Congress seems to be genuinely perplexed over the Internet and how best, if at all, to proceed. Members of Congress from states with important high-tech and cyber-related industries, like California, face political peril in taking up the cause of Internet regulation, even in the name of privacy.

• While privacy is a pervasive and important public concern, absent a crisis, this concern seldom translates into congressional action. For example, the only privacy legislation passed so far by the 105th Congress has been IRS browsing legislation. This comes as no surprise after numerous, sensational stories of literally thousands of instances of IRS employees abusing the IRS information systems to scan personal information about neighbors and celebrities. The predicate for congressional privacy action, as long-time privacy leader Congressman Ed Markey has remarked, is a "Privacy Chernobyl."

• Industry efforts at self-regulation, even if sometimes spotty or tardy, have been sufficiently substantive to give the Congress pause before legislating. The Individual Reference Services Group (IRSG) Privacy Principles initiative, developed by industry working closely with the FTC, is the best and most prominent example.

For all of these reasons, the Congress, at least for the moment, appears willing to adopt a go-slow attitude on most privacy issues.

Privacy Activity in Washington, D.C.
Privacy & American Business is closely monitoring seven clusters of privacy legislation, all of which have already received at least some attention in the first session of the 105th Congress.

I. Health and Genetic Privacy

After a year-long rewrite in which Senator Robert Bennett (R-UT) and his staff heard from most interested parties, Senator Bennett announced that he will reintroduce comprehensive health information privacy legislation. Bennett’s bill joins health information privacy legislation already introduced by Gary Condit (D-CA), H.R. 52 and Pat Leahy (D-VT), S.1368.

The new Bennett bill will include several important industry-friendly changes. For example, the bill accommodates the use of an omnibus consent instrument to accompany health record information through the health care payment and management process, and new standards to facilitate use of health record information for research purposes.

Hard work lies ahead, however, in finding common ground among the insurance industry, the pharmaceutical industry, medical research organizations, health care payers, health care providers, and privacy and patient advocate organizations.

Senate Labor and Human Resources Committee Chairman Jim Jeffords (R-VT) who, in the last session, promised quick, priority action on health records privacy, has cautioned that while work began in February, legislative efforts may extend into 1999 and the 106th Congress.

A Health Privacy Alert...
The Congress has recently been reminded of consumer sensitivity over the privacy of health information. Media reports that at least two pharmacy chains had hired a marketing firm to send correspondence to their customers, reminding them to refill prescriptions or notifying customers of new prescription drugs, have caused an outpouring of consumer concern. Despite assurances by the pharmacies that strict confidentiality requirements were in place, the negative public reaction over the practice prompted both pharmacy chains to terminate the practice summarily.

Genetic Privacy
The Clinton Administration continues to call for quick Congressional action on genetic privacy.
Genetic privacy even received a coveted mention in the State of the Union Address. In late January, Vice President Gore also weighed in on the issue, announcing that the Administration is planning to send its own genetic privacy bill to Congress this year. The legislation reportedly would prohibit employers from discriminating against employees based on genetic information.

During the first session of the 105th Congress, Rep. Louise Slaughter (D-NY) and Sen. Olympia Snowe (R-ME) introduced the Genetic Information Nondiscrimination in Health Insurance Act (H.R. 306 and S. 89, respectively). Although this legislation is ready to go, there is a good deal of frustration about the way in which genetic privacy is being handled.

A genetic privacy bill is achievable politically but is probably unworkable and unwise substantively. Almost everyone agrees that genetic privacy is an indivisible, inherent subset of health information privacy and, ideally, should be addressed as a part of a comprehensive health privacy bill.

The "deadline" for legislative action on health information privacy legislation is July 1999, after which time the Kennedy-Kassebaum Act requires HHS to formulate comprehensive health information privacy regulations, assuming that the Congress has not adopted legislation. No one would be surprised if the Congress pushes hard up against this deadline.

II. Internet Privacy

There is no shortage of Internet-related congressional legislation. In the opening weeks of the second session, Congress had already held hearings on Internet indecency, Internet fraud, and Internet gambling. Internet legislation pending in the second session includes Internet commerce legislation and Internet taxation legislation.

Internet privacy, on the other hand, seems likely to escape legislative action. Bruce Vento (D-MN) has stated publicly that he will rewrite and reintroduce H.R. 98, a bill to prohibit Internet service providers from disclosing or using subscriber information for marketing purposes. Vento’s staff promises that the Congressman is still interested in a broader Internet privacy bill but is probably resigned to waiting until the 106th Congress before undertaking serious work on this complicated issue.

Meanwhile, of course, the Clinton Administration continues to emphasize that governmental regulation of privacy on the Internet and e-commerce should be a last resort, used only if and when it becomes clear that the private sector cannot develop effective voluntary privacy guidelines.

III. Social Security Numbers and Identification Information Fraud

The Congress has before it a slew of bills aimed at:

• restricting the sale and other nonconsensual uses of Social Security Numbers (SSNs)

• amending the Fair Credit Reporting Act to make identification information in credit reports subject to the FCRA’s privacy restrictions

• deterring and/or penalizing identification fraud.

A successful effort in December by the IRSG (a new and loosely configured association of companies which provide identification and location information, sometimes including SSNs) in developing self-regulatory privacy principles, including principles to restrict the sale and use of SSNs, knocked the wind out of much of this legislation. The FTC praised the IRSG Principles and has implicitly called on Congress to forgo legislating long enough to see if the Principles will work. Congressional leaders, including some who had introduced their own SSN and identification fraud legislation, also praised the IRSG effort.

Jerry Kleczka (D-WI) remains perhaps the most interested in moving SSN legislation, despite the IRSG Principles. His bill, H.R. 1813, would define a consumer report to include its identifying information and would prohibit the sale or exchange of SSNs without the individual’s consent. Kleczka is reportedly attempting to convince Jim Bunning (R-KY), Chairman of the Subcommittee on Social Security of House Ways and Means, to hold a hearing on the SSN privacy issue. Even if Kleczka is successful, legislative action on a SSN bill is not expected this year, absent some privacy-relevant crisis.

Perhaps the sole exception to this view centers on identification fraud legislation. At the request of several members of Congress, the GAO is conducting a study of the nature and frequency of identification fraud, and the instrumentalities used to accomplish this kind of fraud. In the Senate, Jon Kyl (R-AZ) has a bill that would create express and severe penalties for identification fraud (S. 512).

A Recent Privacy Backlash
Although media and public interest in privacy may not readily translate into a working majority supporting privacy-sensitive legislation, it can provide majorities to defeat legislation seen as a privacy threat. An incident that occurred in mid-February relating to SSNs is a good example.

The House voted down H.R. 1428 which would have authorized the states to use SSNs and the Social Security Administration’s database to verify eligibility for voter registration. Critics contended, among other things, that this access would violate privacy and provide a platform for the development of a national identification program.

IV. Financial Privacy

Early in the 105th Congress, Republican Banking Committee leaders in both the House and the Senate suggested that financial privacy might become a topic of interest. However, it has not.

The closest either of the Banking Committees have come to looking at the issue was a hearing conducted by Marge Roukema’s (R-NJ) Subcommittee on Financial Institutions and Consumer Credit in September. The Subcommittee reviewed a wide range of issues that day including website privacy notices used by banks and financial institutions and the affiliate sharing provisions in the Fair Credit Reporting Reform Act (FCRA).

While a few FCRA technical-type amendments could be enacted this year, Banking Committee sources do not expect that the committees will take on controversial or substantive FCRA issues, such as affiliate sharing. Some FCRA issues that may be addressed include relief from pre-employment adverse action notices for the trucking industry and other employers who do not always have face-to-face contact with applicants, as well as a relaxation of the restrictions on old criminal history information in consumer reports used for employment purposes. Certainly, the committees are not expected to take on broader financial privacy issues.

V. Children’s Privacy

There seems to be wide, if not deep, passionate support for legislation prohibiting use of children’s personal information for marketing purposes. Dianne Feinstein (D-CA), Barbara Boxer (D-CA), and Olympia Snowe (R-ME) have introduced S. 504, the Children’s Privacy Protection and Parental Empowerment Act. In the House, Bob Franks (R-NJ) has reintroduced H.R. 1972, his children’s privacy bill which received attention during the 104th Congress. The Clinton Administration has also signaled it would not oppose enactment of children’s privacy legislation. Perhaps all that children’s privacy legislation needs for enactment is the spark of some new controversy. The interesting question is whether, without that spark, the legislation will ignite prior to October adjournment.

VI. Telecommunications Privacy

Both Billy Tauzin (R-LA), Chairman of the Telecommunications Subcommittee of House Commerce, and Ed Markey (D-MA), ranking minority member of the Subcommittee, have introduced legislation addressing aspects of telecommunications privacy.

One part of Tauzin’s telecommunications privacy agenda is H.R. 2369, which would criminalize the use of scanners to capture cell phone conversations. That bill appears the most likely of any of the telecommunications privacy bills to see serious action. Markey’s own comprehensive and ambitious "Electronic Bill of Rights" (H.R.1964) is not expected to see any activity. Tauzin’s other, broader telecommunications legislation is tied to various other privacy issues, including SSNs, and is likely to be postponed pending assessment of the success of the IRSG self-regulatory principles.

FCC Requires Opt-In For CPNI
On February 19, the Federal Communications Commission (FCC) published its long awaited Customer Proprietary Network Information (CPNI) ruling. The FCC rule surprised the telecommunications industry by requiring that CPNI (information identifying who customers call and when they call, and the kinds of telephone services which customers have purchased, e.g. call waiting, caller ID, etc.) cannot be used by telephone companies for marketing new services to a customer unless the customer has first provided affirmative consent (an opt-in). Most of the industry had campaigned for an opt-out approach.

FCC Chairman, William Kennard is quoted in the Washington Post as saying: "Consumers will now control what the phone company can do with their personal information. They can be confident that personal information will not be used or sold by phone companies without their consent."

The FCC ruling grows out of the 1996 Telecommunications Reform Act which requires customer authorization for the use and disclosure of CPNI but is silent on the form that the authorization must take.

The FCC softened the blow somewhat by ruling that telephone carriers can use CPNI without customer permission if they are marketing an improvement of an existing product or service to a customer who has already obtained that product or service from them. In addition, when permission is required it need not be in writing but may be oral or electronic.

The FCC publication also asks for additional comment on three issues involving CPNI:

• whether a customer may restrict carrier use of CPNI for all marketing purposes

• what are the appropriate protections for carrier information and additional enforcement mechanisms which the FCC should consider

• what are the foreign storage and access to domestic CPNI.

The FCC CPNI ruling may be the first instance where a federal agency has required an opt-in instead of an opt-out for the marketing of personal information.

The FCC’s approach appears at odds with the Administration’s recent emphasis on finding self-regulatory and business friendly ways to protect privacy and not to artificially or inappropriately interfere with the marketplace. The FCC’s approach also appears at odds with the thrust of recent FTC privacy actions. The FTC, for example, has blessed the IRSG principles that give consumers the right to remove their personal information (opt-out) from non-public information products distributed by IRSG members to the general public.

The intriguing question from a privacy standpoint is whether the FCC’s CPNI rule will be confined to its facts or whether it will signal a shift away from opt-out and toward an opt-in approach. Most observers are betting that the FCC’s position will turn out to be an anomaly.

Celebrity Privacy
One other newsworthy privacy issue is receiving attention this session. Legislation designed to provide protection against persons who chase or follow others for the purpose of obtaining photographs for commercial purposes has been introduced. H.R. 3224, the "Privacy Protection Act," introduced by Rep. Elton Gallegly (R-CA) and the "Protection from Personal Intrusion for Commercial Purposes Act ," introduced by Senator Orrin Hatch (R-UT) and Senator Dianne Feinstein (D-CA) would provide such protection.