“Big Brother and the Marketing Giants: The Extent to Which Electronic Personal Information Should be Legally Protected”

Privacy has long been a protected value close to the American heart. Our Founding Fathers enshrined some aspects of privacy in the Fourth Amendment to the United States Constitution. More recent jurisprudence has recognized a “right to privacy” in the way in which we live our lives. While not all aspects of what we do are protected under some form of privacy legislation, courts, legislators, and the public all understand privacy to be an important value protected by our government and laws. In the last few years, consumer groups have raised concerns about the adequacy of privacy protection on the information superhighway.1 These concerns have become more vocalized as the number of Internet users increases. This article explores the question of whether our privacy is adequately protected on the information superhighway. In order to do so, examination of jurisprudence and statutory frameworks is provided. Despite a variety of statutes, there is no completely encompassing umbrella to protect us from Big Brother and the Marketing Giants. Understanding this, some proposals have found their way to congressional committees. However, most of the legislation in the 104th Congress focused on “sensitive” information. Thus, even in the universe of proposals which have reached a legislative level, black holes still exist. However, the article also looks toward Canadian and European Union proposals regarding privacy on the information superhighway. These proposals do focus on an all-encompassing approach to the protection of personal data and information. Finally, conclusions are made which suggest the need for strong legislation to protect our privacy on the information superhighway.

I. The Emergence of 21st-century Privacy Concerns

The information revolution and all of its wonders have brought with them a number of resources which have bettered our society. However, as with any new era, there are issues and concerns needing to be addressed. One area of concern on the information superhighway is privacy. In this context, privacy still encompasses many issues. For example, the protest over the Communications Decency Act and the applause over the recent district court decision in ACLU v. Reno declaring the Communications Decency Act unconstitutional invoke issues of privacy.2 One question is whether the government should be able to intrude into what one does in her own home. Obviously, the question is not new. However, the application of the question to electronic communications is novel. Today, the most worrisome invasion of privacy along the information superhighway involves the use of electronic databases.3 These databases may be compiled by collecting information through questionnaires and other solicitations on the Internet. More often, electronic databases contain information we naively believe to be sacred, hidden, and “for our eyes only.” These databases contain our driving records, credit history, marriage records, and much, much more. An individual’s name and address could be on a report merely because she happens to live near the individual whose name was searched.4 These databases contain this personal information regardless of whether we have any knowledge that such records exist. More to the point, one can purchase personal information on any individual without the individual’s knowledge or consent.

Perhaps no other recent event has generated more consumer outcry than the P-Trak database maintained by Lexis-Nexis. Specifically, many consumers became concerned when they learned that the P-Trak database provided names, social security numbers, addresses, prior addresses, and other personal information to paying customers. Lexis-Nexis has since discontinued its release of social security numbers. However, the database continues to provide significant amounts of information about individuals. This past Fall, consumers once again have protested the easy access of information from databases such as P-Trak. Although there is some consumer response which has encouraged congressional investigation, most consumers remain unaware that so many databases exist. However, consumers are becoming more aware of the dangers of electronic information databases through the news media. In recent months, the media has reported a number of individuals whose identity has been “stolen”. This “theft of identity” occurs when someone obtains an individual’s personal information and uses this information to become the other individual. Often, the thief uses this identity to obtain charge cards and other financial credit. Before long, the individual whose identity has been stolen has a negative credit rating. The individual may also find herself wanted for criminal activity. Personal information which facilitates this theft is readily available through the Internet.

Where does the information come from? Surprisingly, many corporations are subtly collecting marketing information from children through the use of questionnaires and “contest entry forms”. Children are not the only victims. Adults often fall prey to contests and requests for information and thereby provide personal and private information to those organizations who collect data. This data is then used for a variety of purposes ranging from in-house marketing profiles to electronic databases sold to anyone able to pay the fee. These examples are a mere representation of the areas in which personal privacy on the Internet has become threatened. Certainly, the information stored in electronic databases does not always come from deceptive contest entry forms. Much of our financial data is collected through our creditors. When we apply for credit cards and are subsequently issued the card, we have agreed to company policies which report our history with that particular creditor to credit reporting bureaus. Phone numbers and addresses are culled from telephone books and directories. Many of the electronic databases are no more than electronic phonebooks. However, consumers have become frightened of the immediate accessibility of this information to most anyone. And yet, we must recognize in our pursuit of privacy protection that much of what is in electronic databases is legal in other forms.

Perhaps the most novel approach to collecting data has come through the tracking of “mouse droppings.” When one is on the World Wide Web (WWW), “mouse droppings” are left on each web page we visit and each option we click. These droppings are not yet readily traceable to an individual. However, the amount of information which is obtainable from the mouse droppings is amazing. As technology continues to improve, computers will be able to trace a mouse dropping to a specific individual and thereby obtain their name, phone number, address and much more. In fact, once a name is obtained, the remaining information is only a few clicks away. These revolutions in the marketing industry (and stalking industry) have increased the opportunities for private information to become accessible to organizations and individuals anonymously. Therefore, it should be no surprise that this has caused consumer outcry and has fueled discussions which have formed an international debate.

II. The Debate

As one can well imagine, not all parties agree on any one policy or position regarding the protection of personal information. The marketing giants have their interests in being able to collect and use information on individuals in order to market products. They claim that they are doing us a favor by providing services and products tailored to our interests. Consumer advocacy groups have challenged this position and encouraged the adoption of policies which enable consumers to choose whether they participate in marketing profiles. Big brother, or the government, has been more of an arbiter than anything else. However, the Executive Branch has argued for self-regulation while Congress has proposed legislation in certain areas. In recent months, the Judiciary has also been addressing aspects of privacy on the Internet. These groups are the major players in the privacy debate over personal information. While each organization within these groups differs to some degree on its positions, a general overview of the debate is possible.

A. Terminology
Before beginning a discussion of the debate over privacy and the information superhighway, an introduction to the terminology would be helpful. The most common terms used are “notice”, “consent”, “opt-in” and “opt-out”, and “sensitive”. Many consumer advocates and government agencies suggest that "notice" be an integral part of any privacy policy which seeks to protect the individual's privacy rights. This notice would be provided to consumers in order to inform them of the information being collected, how it will be used, and to whom it will be provided. However, many proposals which recognize the need for “notice” fail to define a standard for “adequate notice”. Some proposals, like that of the National Telecommunications and Information Administration’s White Paper, indicate that “notice” in this context does indeed invoke traditional requirements of "conspicuousness" and "plain language." Yet again, there is no solid definition for what notice to consumers would satisfy these requirements.

This leads to questions the answers of which define certain positions within the privacy debate. Should a slip of paper included with a monthly telephone bill be adequate notice that an individual’s telephone number will be distributed to electronic databases? Should notice be required before the collection of any information or before the use of collected information? Is notice required with regard to all information which may or may not be collected or only "ancillary"5 information? What is ancillary information? Who defines what a corporation or business needs to carry out "related purposes"? Should we suggest a definition of "related purpose"? If my telephone company offers me long distance, is in-state long distance a "related purpose"? While it would be difficult, and not very helpful, to address each type of information or purpose, it is possible to be a bit more specific. What penalties will there be for reported and verified violations? Until a coherent policy is adopted either by the industry or promulgated by the government, the answers to these questions and any hope for agreement remain elusive.

Many advocates argue that consumer consent be obtained before information is collected and/or used. Depending on the position, this consent can either be implicit or explicit. However, the terms “implicit” and “explicit” have been incorporated into what is considered the crux of the "consent" debate: the "opt-in" and "opt-out" approaches.6 The "opt-in" approach suggests that the information cannot be used unless a consumer indicates her explicit approval for such use. However, once again, a question is whether this would apply before the information is even collected or whether explicit consent is required only for the use of such information. If it applies to the use of information, is it applicable merely to specific purposes or does the consumer waive her rights to the use for unrelated purposes as well? The "opt-out" approach suggests that the consumer must notify the company or organization that she does not wish to have information collected/used about her. Does this assume the consumer will be notified as to what information is being collected and for what specific purposes it is being used? Should this notice be given before any information is collected/used? Or does the company merely have to inform within a certain period of time? Are we positive we wish to assume that all consumers are aware that particular information is being collected/used? While one may recognize that a long distance company is going to collect information on calls made, one may not realize for what limited purposes the company uses the information other than to provide the consumer with a monthly report. If the consumer decides to opt-out at a later time, how soon must the company collecting the information react? Will the consumer be able to request the destruction of information? As with “notice”, the answers to these questions help define the positions within the debate.

Different positions suggest the use of “opt-in” and “opt-out” approaches for different types of personal information. These types of information can be broken down into two basic categories. "Sensitive" information is usually understood to receive a heightened level of protection. However, there is no objective definition of what constitutes "sensitive" information and how it might be identified. Most of those involved in the privacy debate agree that medical information in some contexts is “sensitive”. If information is determined to be sensitive, does that warrant legislation for that particular category as has occurred with medical information? How does a category of information become sensitive? Should the determination be based on a poll taken every year which indicates the public concern about the privacy of certain categories of information? Should this determination be based on a percentage of the population? What should the percentage be? What if privacy concerns escalate to where all information reaches that percentage? Who will declare, "This is sensitive information"? While the definition of “ancillary” information is not adequate, it is basically that information which is not “sensitive” and which is peripheral to the purpose for which it was obtained.

Four categories of information have been recognized by some, if not all, as particularly sensitive.7 Medical information has long been thought to be sensitive and subject to heightened protection. This has been most recently evident in Congress where several pieces of legislation have been proposed.8 Information relating to, and obtained from, children is also considered in some groups to be sensitive. Should there be a rating system involved? Should parents have to give consent before any information is collected from children? Should there be any regulations on obtaining information at children designated web sites? Should industry be involved in protecting children's privacy interests or should it be left to the consumer to use available software?

Financial records have also received status among some as “sensitive” data. However, these same people point to existing legislation as evidence of adequate protection. Finally, voting records have recently become a category of information which has sparked consumer protest. There is some debate as to whether the use of voting records is legal or illegal. However, should there be structured violations for misuse of public records? As for public records, should there be limitations on information the government has on individuals? What about the restriction on FOIA requiring the individual's consent or 25 years after his/her death? As was mentioned earlier, there is no indicator of what categories of information may become or are now sensitive. The clearest indicator is consumer response.

B. The Debate
Consumer advocacy groups have been working hard to educate people about the new dangers to individual privacy ushered in by the information superhighway. In addition, they have represented the concerns of consumers to industry and government groups. Specifically, the Electronic Privacy and Information Center9 and the Center for Democracy10 have long pushed for legislation to control the collection and use of personal information. Yet, they have not been without opposition. Organizations representing the marketing industry have responded with arguments stressing the virtues of self-regulation.11 To some degree, the debate of protecting personal privacy on the Internet and electronic media has become a debate between legislative action and self-regulation. Unfortunately, the issue and the debate are no longer this simple.

Until recently12, the government approach has been one favoring self-regulation. While the Federal Trade Commission has held hearings on these issues, their position has been one of self-regulation and “hands-off”. The National Telecommunications and Information Administration (NTIA)13 has presented the Clinton Administration’s vision as one of modified self-regulation. The NTIA argues that the industry should adopt an “opt-out” approach for most information collected through the Internet. This approach requires that notice be given consumers in order for them to have an opportunity to “opt-out.” In addition, consumers must “opt-in” before any organization can use “sensitive” information. Under this approach, the information collected can only be used for the purposes outlined in the notice given consumers. Yet, the NTIA suggests that government action will be necessary if a private framework is not forthcoming. In addition, the NTIA recognizes the need for consumer education. However, these suggestions are not provided in explicit detail.14
Regardless of whether an organization is arguing for legislative action or self-regulation, there are certain key elements common to most positions. First, there should be some form of notice to the consumer. That is, the consumer should be aware of what personal information is being collected and stored in electronic databases. Second, the notice must state the purposes for which the information is being collected and to what ends it will be used. Third, there should be some method by which consumers are able to remove any personal information from a database. Here, the positions disagree on whether the “opt-in” or “opt out” approaches should be favored. Finally, there should be some method by which the consumer can obtain, review, and dispute the information stored in an electronic database.15 Yet, many questions remain as to how a consumer would go about checking the accuracy of his or her information. In fact, there are some instances where disclosure of information to the individual may be harmful. For example, medical information may be more harmful if disclosed than if not.

III. Is Existing Protection Enough?

Much of the debate focuses on whether existing constitutional and statutory protection is adequate to protect the privacy interests of individuals and their personal information. The Supreme Court has not recently addressed these issues. And, when it has addressed issues relating to information and databases, no constitutional protection has been invoked. Congress, on the other hand, has responded to inadequate Supreme Court decisions by enacting legislation. Of course, some of the legislation was in response to consumer outcry or other extra-factors. Despite these responses by Congress, the statutory protections which do exist are not adequate to protect the interests of individuals at issue in this article.

A. Jurisprudential Recognition of Privacy Interests

The Supreme Court and many state courts16 have come to recognize a “right to privacy.” However, this “right to privacy” is not an enumerated right found in the Constitution. Rather, the Supreme Court has extrapolated this concept from surrounding provisions in the Constitution. Despite the recognition and expansion of this “right to privacy” in cases like Roe v. Wade17, the Supreme Court has been unwilling to extend this protection to information collected on individuals. In Whalen v. Roe18, the Court held that government interests outweighed medical patients’ right to privacy. While the Supreme Court has not been receptive to viewing information and databases as protectable bastions of privacy, there are significant arguments which suggest this approach is not illogical. First, the recognized “right of privacy” has been recognized as applicable to the federal and state (through the 14th Amendment) governments. Therefore, absent state action, there is not much the courts can do. In addition, opponents of any restrictions on the collection and use of personal information argue that First Amendment interests are at issue. One commentator has suggested that credit reports do not achieve a protectable level of privacy interest. Specifically,
it has been determined that credit reports do not address a public concern and are, therefore, not protected by the First Amendment. The U.S. Supreme Court held, in a plurality opinion, that in order for commercial speech to be afforded full protection under the First Amendment, it must address a matter of public concern, and the "petitioner's credit report concerns no public issue. It was speech solely in the individual interest of the speaker and its specific business audience."(56) In this case, Dun & Bradstreet released an incorrect credit report to a client. Based on this report, the client denied credit to Greenmoss Builders. The report stated that Greenmoss had filed bankruptcy, which was untrue. Thus, the Supreme Court, in holding that credit reports are not the subject of public controversy, established a basis upon which to protect the privacy of purely private information of no public concern.19

Therefore, neither the Supreme Court nor many lower federal courts have addressed these issues in a positive fashion. When the courts have decided cases relating to some of these issues, the opinions have been less than favorable and have prompted Congressional action.20 In Fisher v. National Institute of Health, the U.S. District Court for the District of Columbia held that databases which contained information on authors of articles in medical periodicals are not “records” under the Privacy Act.21 However, the court suggested that if they were “records” under the Privacy Act, the databases would not necessarily fall under the “library reference” exception. While Fisher suggests some hope for favorable judicial response to these issues, it is far from apparent such response is forthcoming.

B. Statutory Protection

Unlike the Judicial Branch, Congress has throughout the years enacted legislation designed to protect privacy rights of individuals. The most relevant statutes relating to the protection of personal information are found in the Fair Credit Reporting Act (FCRA) of 1970 (15 U.S.C. 1681). The FCRA established procedures which credit reporting agencies must follow when handling consumers’ personal information. Congress found that “[t]here is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy.”22 The purpose of the FCRA is “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information. . .”23 In order to accomplish these goals, individuals must be provided access to the credit information and be able to challenge data thought to be erroneous. In addition, the organizations collecting the data must work to insure the accuracy of information collected. The FCRA also prohibits the reporting of obsolete (old) data, limits government access to the information, requires consumer disclosure of inquiries in most instances, and provides for civil penalties resulting from noncompliance. While the FCRA does not restrict non-credit-related information, much of the FCRA could be used as a model for other types of information. Indeed, similar legislation was enacted regarding educational records with the Family Educational Rights and Privacy Act of 1974.
Congress enacted legislation to protect individuals from the misuse of information by federal agencies. This legislation is known as the Privacy Act of 1974. However, the Act only applies to that information which is found in a “system of records.” “The idea of a ‘system of records’ is unique to the Privacy Act and requires explanation. The Act defines a ‘record’ to include most personal information maintained by an agency about an individual. A record contains individually identifiable information, including but not limited to information about education, financial transactions, medical history, criminal history, or employment history. A ‘system of records’ is a group of records from which information is actually retrieved by name, social security number, or other identifying symbol assigned to an individual.”24 While the Privacy Act appears to cover a range of information types, the Act is limited to the collection and use of information by federal agencies. Therefore, the Act does not apply to private organizations or individuals.

In 1978, Congress enacted the Right to Financial Privacy Act (12 U.S.C. 3401) after the Supreme Court decided United States v. Miller, 425 U.S. 435 (1976). In Miller, the Supreme Court held that “a bank depositor has no legitimate expectation of privacy in the contents of checks and deposit slips held by a financial institution.”25 The Act prohibits government officials from accessing individuals’ financial records held at financial institutions without the individual’s consent or a judge-issued court order. In addition, the Act limits the use of such information by federal officials to law enforcement purposes. Congress responded again to the Supreme Court in 1980. The Privacy Protection Act of 1980 was enacted in response to the Supreme Court decision in Zurcher v. Stanford Daily, 436 U.S. 547 (1978). In Zurcher, the Court held a search warrant could be used on non-suspect third parties and the news media. The Privacy Protection Act (42 USC § 2000aa) provided protection to “the press and certain other persons not suspected of committing a crime with protections not provided currently by the Fourth Amendment.”26 This protection extends to “work product materials” and “documentary materials”. But the Act does not protect individuals and the use of their personal information. Similarly, the protections afforded individuals through the Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510) are limited to government officials. While the ECPA requires a warrant for access to new electronic media, including cell phones, electronic mail, pen registers, computer transmissions of data or video, and voice and display pagers, Big Brother is not the only entity from which individuals need protection.

In response to the nomination hearings of Judge Robert Bork, Congress enacted the Video Privacy Protection Act of 1988. This legislation and subsequent act prevent video rental stores and video tape service providers from knowingly disclosing personal information without an individual’s consent. However, it does allow the disclosure of mailing list information (including subject matter of videos rented) as long as there has been adequate notice. Congress passed similar legislation applicable to the cable industry with the Cable Communications Policy Act of 1984. The Telephone Consumer Protection Act of 1991 (47 U.S.C. 227) directed the Federal Communications Commission (FCC) to promulgate rules relating to the restriction of certain uses of telephone equipment. While consumers gained some benefits from the rules, they do not relate to information stored in electronic databases. The Communications Assistance for Law Enforcement Act of 1994 expanded privacy protection of electronic information by requiring a search warrant to acquire such information. Finally, the Driver's Privacy Protection Act of 1994 was a Congressional response to the misuse of DMV records. The Act restricts the access and use of records held by state departments of motor vehicles. Critics suggest that the exceptions to the Act create significant loopholes. Specifically, the Act allows private investigators to have access to these records. Ironically, it apparently was a private investigator who gained access to the records of the actress whose death prompted the legislation.27

Other statutory protections exist within Acts as peripheral provisions. For example, the Social Security Act prohibits the use of personal information for purposes other than those related to the program and the purposes for which the information was collected. Under 18 U.S.C. § 2702, “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service” or which is carried or maintained on the service. Section 2703 requires the government to obtain a search warrant in order to access information in electronic storage held by an electronic communications service. There are more hodgepodge provisions which limit the use of information in specific regulatory contexts. They may limit the use of and access to information by government officials, but they do not address the concerns raised in this article. In addition, these do not provide broad protection nor do they suggest an encompassing approach to the protection of personal information.
Existing statutes do provide individuals with some modicum of protection. However, there are significant gaps which have not yet been adequately filled. Those who suggest that existing statutes provide adequate protection for personal information fail to realize the fallacy in their own argument. That is, most who suggest the “adequacy” argument also encourage self-regulation. If existing statutes were adequate protection, there would be no need for self-regulation. Despite this, many organizations argue this contradiction. However, if one recognizes that existing statutes do not provide adequate protection, the question then becomes what remedy is most likely to balance the interests in facilitating commerce of information while protecting the privacy of individuals.

IV. Proposals for Change

There are three groups from which proposals for change in privacy laws have recently come. Congress, in both the House and Senate, has proposed legislation protecting “sensitive” information. Likewise, government agencies have recently reversed previous “self-regulatory” positions and have suggested changes in existing statutes. Finally, foreign countries have also been grappling with these issues and some have adopted policies. While each proposal may be lacking something which is needed to adequately protect privacy interests in the information age, they do represent a step forward in that the government has recognized the need for promulgation and organizations have acknowledged the public’s concern.

A. Proposed Legislation

Congress has had its own share of hearings and legislation relating to privacy on the Information Superhighway. While the 104th Congress proposed several pieces of legislation, it appears the 105th Congress will be more prolific.28 As consumer protest continues, there is no doubt legislators will respond to their constituents’ concerns. While Congress has recently introduced legislation which would provide broad coverage to consumers on information services,29 particular “sensitive” areas of consumer information have prompted most of the legislation proposed by Congress.30
Legislation has been proposed in both houses which would provide for greater protection of medical information. Congressman Gary Condit has re-introduced legislation designed to establish a federal code addressing information practices of health information.31 The legislation proposes a balance between a patient's privacy interests and societal interests in the essential use of data under controlled conditions. Under the bill, all loopholes are intended to be closed so that health information will be under the same set of rules wherever it may be in the health care system. Specifically, the legislation would: allow an individual access to his or her own medical records with exceptions for records which may endanger the individual; require information gatekeepers to provide notice of information practices, account for all disclosures, and establish security measures to protect the information; limit when and why a health information trustee may disclose an individual's health information; and, establish civil and criminal penalties for any violations and establish ADR procedures to resolve civil complaints.32

Congressman McDermott introduced legislation intended to protect the privacy of all medical information while focusing on genetics and computer technology.33 In part, the legislation was in response to weaknesses in other legislation. Specifically, McDermott suggested that under other legislation patients would not be notified about everything that happens to their medical information. Also, the patients would not always have control over who could get access to their medical information. In addition, concerns were raised over provisions which would allow law enforcement officers and researchers to access an individual's medical records without authorization from the patient. Finally, other legislation would preempt state law which may provide greater privacy protection for individuals.34

In the Senate, legislation has also been introduced which is designed to protect the confidentiality of medical records.35 When the legislation was introduced, it would apply to any health organization that has any connection with health information of individuals. The legislation would prevent information from being disclosed without patient consent except for certain exceptions. These exceptions would include: oversight, public health, research, emergency situations, litigation where the patient is a party, and certain law enforcement purposes. As for state preemption, the legislation would leave intact stronger state laws but ensure a minimum level of protection. Finally, patients would be able to access and correct any information they feel (and can prove) is incorrect.

Another “sensitive” area which has prompted Congressional response is that of information relating to children. A House bill was introduced in the 104th Congress which would criminalize the sale of personal information about children obtained without parental consent.36 In addition to requiring disclosure upon parental request of the source, the information, and the recipients to whom list brokers have provided data on children, the bill would also prohibit prison inmates from processing information collected on children. Adopting an “Opt-in” approach, the bill has obtained favorable responses from several consumer advocacy groups.37 However, some caution that the bill might fail a First Amendment challenge because criminalized speech “must both urge a lawless act and the incitement of that act must be likely.”38 Other organizations believe the bill goes too far by criminalizing the failure to disclose information. In addition, the bill would constrain consumer choice of children’s products and services.

The 105th Congress has responded to privacy concerns in a number of areas. With the attention being received by genetic coding and cloning, it is not surprising consumers are concerned over possible implications of these advances in genetic technology. Specifically, some are concerned that health insurance providers might use genetic information to determine predispositions toward certain diseases. Were this to occur, critics fear that insurance providers would discriminate against those predisposed to certain illnesses by refusing coverage or increasing premiums. The proposed legislation would prohibit such discrimination.39 Additionally, the Congress has proposed legislation to increase privacy protection of postal information,40 allow individual use of strong encryption techniques,41 and provide for stricter privacy and security procedures when Federal Bureau of Investigation records are requested and obtained by the White House.42 Congressional initiatives will continue to be introduced in response to consumer outcry and scandalized incidents of privacy violations. In fact, many argue that Congress is merely reacting to the advancement of technology and has not adopted a proactive response.43 Whatever the more likely catalyst for Congressional legislation, the number of and breadth of such legislation will continue to increase in the near future.

Not all proposed legislation would necessarily increase privacy protection of individuals. Critics complained that the 1995 welfare reform legislation would erode many of the existing statutory protections. Specifically, the ACLU and EPIC wrote a letter explaining that the welfare reform legislation would diminish protections available under the Fair Credit Reporting Act, the Right to Financial Privacy Act, and the Social Security Act.44 Similarly, a bill introduced into the House which would provide state and county prosecutors increased access to student records suggests a decrease in student privacy protection.45

Congress has also chosen to commission studies and reports. During the 104th Congress, the House Banking Committee’s Democratic staff released a report which called for Congress to pay close attention to consumer privacy protection in the financial services industry. The 104th Congress attached an amendment (2422) to the federal appropriations bill calling for the Federal Reserve System and Federal Trade Commission to form a commission to study whether the sale of consumer identification information poses risks of fraud and risk of loss to financial institutions.

B. Governmental Agencies

The Federal Trade Commission (FTC)46 has recently reversed its “self-regulated” approach to privacy concerns by recommending Congressional action. Specifically, the FTC has recommended that the Fair Credit Reporting Act (FCRA) be amended to protect elements of personal data.47 In particular, the FTC suggests amending the FCRA to encompass non-credit-related information (i.e., identifying information). However, the Clinton Administration and the National Telecommunications and Information Administration (NTIA) continue to favor self-regulation.

C. Foreign Policies

As the information superhighway becomes a global information infrastructure,48 national policies and guidelines become less enclosed in a vacuum. Rather, the United States must look to the policies and guidelines which have been adopted or proposed elsewhere in the world. Particularly, the European Union has indicated that member countries are free to disavow doing business with countries which do not meet the EU’s privacy standards. Thus, if the United States does not adopt a policy which meets at minimum the standards set by the EU, national corporations may unwittingly find themselves in a precarious trade situation.49 Privacy and the protection of personal data are not merely abstract issues isolated to those interested in computer and cyberspace law. Rather, these issues have come to play a role in commerce, international trade, constitutional analysis, and other areas where the legal profession has heretofore provided comment. Both the European Union and Canada have adopted or are near adopting guidelines on the protection of personal information and data protection.50

1. European Union

The European Union (EU) promulgated Directive 95/46/EC which directs member countries to adopt policies which comply with the EU’s stated position on data protection. More than merely an internal document, the EU has provided its member countries and their resident corporations the potential for declining to do business with foreign corporations whose parent country has privacy standards below those of the EU. From the date of its promulgation, member states have three years to implement rules guaranteeing the protection of individuals with regard to the processing of personal data. The Directive was a compromise intended to provide protection for the privacy rights of individuals while allowing for the free movement of personal information. It states that “there is an obligation to collect data only for specified, explicit, and legitimate purposes and for data to be held only if they are relevant, accurate, and up-to-date.”51

The Directive identified six grounds for processing personal data. These include consent of the data subject, contract with the data subject, legal obligation, vital interest of the data subject, public interest, and “the legitimate interest in processing data where it is not overridden by the interest of the data subjects.”52 More importantly, the Directive grants rights to individuals with regard to the collection of their personal data. Specifically, individuals have the right to access their information. This access would include the information as well as the origination of the information. Individuals would be able to challenge any inaccurate information and a “right of redress in the event of unlawful processing.” This particular provision is much stronger than any U.S. government proposal. Finally, individuals would be able to prevent the use of personal information in certain circumstances and “opt-out” of direct marketing material. The Directive is quite powerful and when member countries do enact related laws, the United States will have a significantly less protective statutory framework. Many proponents of government promulgation suggest using the EU Directive as a model. However, others suggest that the EU and the U.S. have different philosophical backgrounds which preclude mirroring the Directive’s language.

2. Canada

The Canadian Standards Association released this past summer the "Model Code for the Protection of Personal Information".53 The Model Code is an expansion of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.54 As such, it was designed to accomplish four broad objectives: establish guidelines which will aid in the management of personal information; establish minimum requirements for the adequate protection of personal information held by those organizations which subscribe to the Model Code; inform the public of privacy concerns and how personal information should be protected; and establish standards by which the international community can judge the management and protection of personal information in Canada.55 The Code itself consists of ten guiding principles. These include: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and, challenging compliance.56

Most of the principles adopt a more liberal position. However, some of the principles reflect what most parties have implicitly agreed to in the United States. Specifically, an organization is accountable for its practices. The organization must identify the purposes for which the information is being collected and used. The “consent” principle appears to adopt both an “opt-in” and “opt-out” approach. That is, the individual must have knowingly consented to the collection, use, or disclosure of personal information before any organization may do so. In addition, organizations must make a reasonable effort for the individual to reasonably understand the nature of the request. Specifically, express consent should be preferred over any other form of consent when the information is sensitive. However, implied consent is acceptable when the information is less sensitive. The organization is limited to collecting, using, disclosing, and retaining only that information necessary for the disclosed purposes. The organization must ensure accuracy and safeguards to protect the information in its databases. In addition, the organization must be open about its policies and provide access to individuals who inquire about their information. Finally, an organization must provide a method by which an individual may challenge the accuracy of the information.57

The CSA Model Code has obtained positive responses from the Canadian Bankers Association and the Canadian Life and Health Insurance Association. However, some concerns have been raised about implementation and enforcement. Despite these concerns, the Canadian federal government, through its Industry Canada and Department of Justice, is working on legislation based on the Model Code. The legislation is part of the government's response to the Canadian Advisory Council's Report on the Information Highway.

V. Conclusion

The collection, use, and dissemination of consumer and personal information is an issue which has become more salient during the past year. As citizens become aware of just how accessible information is on the Internet and other electronic databases, they will become more concerned about their privacy and demand more protection. Consumer advocacy groups have been arguing for legislative action for some time. Until recently most of the government has provided no more than a deaf ear. The Federal Trade Commission is now calling for amendments to the Fair Credit Reporting Act, but will this be enough? The Clinton Administration still argues for a self-regulatory approach that more than likely will fail to provide consumers with what they demand. Existing Supreme Court jurisprudence does not do much more than prompt Congress to act. Where Congress has enacted legislation, the protections afforded citizens and consumers fall short of an umbrella one can feel comfortable with in the rain.

This article has provided a background on the debate and a summary of the “current State of affairs.” Questions still remain unanswered as to what provisions will constitute an adequate policy. Certainly, legislation must be enacted to protect “sensitive” information. This would include comprehensive programs to protect medical, financial, and voting information. In addition, we must continue to protect our children as they move through the new electronic world. Parental consent should be required before an organization or individual solicits and collects information from children. Likewise, databases which contain information on children should be guarded at all costs. If we recognize that access to such information should be restricted, then prison inmates should certainly not have access to this information.58

Self-regulation may indeed work with certain kinds of information. However, consumers are not likely to be satisfied with self-regulation as a general approach to these issues. Indeed, due to the consumer response to P-Trak, the FTC and Congress have responded with legislative proposals. While courts have not been too receptive to protecting personal information, they have continued to recognize privacy interests on the Internet in other areas. Specifically, a federal court has recently held that America Online can ban junk e-mail and thereby relieve its customers of this incredible inconvenience.59 While Cyber Promotions will likely appeal, such judicial decisions do provide some hope for a brighter and safer information superhighway.

Even assuming a proposal is agreed upon by interested parties, what form of enforcement would be established? One example might be to advocate the establishment of a tort action for violation of privacy rights. This would not necessarily be government interference because if the industry will follow the guidelines it adopts, there should never be any problem. In addition, it is the consumer who will bring an action to recover the damages. Or, perhaps there should be penalties in the proposal which interested parties can agree upon. In this way, the industry accepts the payment of penalties upon violations and the government is not involved. Again, however, an enforcement safeguard should be proposed to satisfy some of the consumer groups who are distrustful of the industry. For the moment, the best remedy for protecting our interests on the Internet is to become aware of what interests are threatened. In this way, we can help educate others. In fact, this may be the catalyst which leads to broad encompassing legislation.

1 This article assumes a general knowledge of the information superhighway, the “electronic frontier”, the Internet, and computer networks. There will be broad discussions of these phenomena but no detailed explanations will be provided.

2 ACLU v. Reno, 929 F. Supp. 824 (1996). The Communications Decency Act provided for immediate review by the Supreme Court. The hearing before the Court will be on March 19, 1997.

3 As alluded to, there are other privacy concerns. However, this article must limit its scope to the protection of personal data and information.

4 Today, $20 could buy quite a bit in terms of record searches. For an example of one company’s offerings, connect to http://www.irb-online.com/servicesfull.htm#socsectrace; for free search services, connect to http://pages.ripco.com:8080/~glr/stalk.html .

5 See discussion below on “sensitive” and “ancillary” information.

6 During a discussion of this paper, a question was raised whether or not the “opt-out” or “opt-in” approaches might be extended to allow an individual to “opt-out” of credit reports altogether. Or, should credit reporting agencies obtain the consent of individuals before collecting and reporting data via the “opt-in” approach. While this author is intrigued by the possibilities of either approach, a thorough discussion is beyond the scope of this article.

7 While these categories encompass broad areas of information, FTC Chairman Robert Pitofsky has warned that “the commercial distribution of sensitive personal information - such as social security numbers, mother’s maiden names, prior addresses, and dates of birth - presented an undue potential for fraud.” Electronic Information Policy and Law Report, Vol. 1, No. 24, page 605-606.

8 See discussion, infra, of medical legislation.

9 Connect to: http://www.epic.org . See also: NetAction and the Computer Professionals for Social Responsibility have issued a proposal which “provides guidelines that might be used by principled institutions to guarantee proper respect for the privacy and dignity of employees, customers, and citizens.” Many of the organizations involved in the debate have issued proposals and policy guidelines. However, a discussion of each proposal is beyond the scope of this article.

10 Connect to: http://www.cdt.org .

11 For example, connect to: Direct Marketing Association at http://www.the-dma.org

12 See III.B. infra.

13 Connect to: http://www.ntia.doc.gov .

14 “Privacy and the NII.” National Telecommunications and Information Administration. October 1995.

15 These provisions would be similar to those under the Fair Credit Reporting Act. An individual may obtain a copy of his credit report and check the accuracy of the information reported. He can also dispute the information reported. However, the difficulty in actually getting something removed from a credit report is quite high.

16 A discussion of state jurisprudence is beyond the scope of the article.

17 410 U.S. 113 (1973).

18 429 U.S. 589 (1977).

19 Petersen, Sandra Byrd. “Your Life as an Open Book: Has Technology Rendered Personal Privacy Virtually Obsolete?” Available at: http://polecat.law.indiana.edu/fclj/v48/no1/petersen.html.

20 See below.

21 934 F. Supp. 464 (1996).

22 Section 1681 (4).

23 Id.

24 HR 103-104, 103rd Congress, 1st Session (1993).

25 Petersen, Sandra Byrd. “Your Life as an Open Book: Has Technology Rendered Personal Privacy Virtually Obsolete?” Available at: http://polecat.law.indiana.edu/fclj/v48/no1/petersen.html.

26 S. Rep. No. 874, 96th Cong., 2d Sess. 4 (1980).

27 Petersen, supra.

28 While both the 104th and 105th proposed legislation is discussed below, the 105th Congress has introduced at least nine pieces of legislation relating specifically to privacy issues. However, there may be more provisions within other legislation relating to privacy concerns. A thorough analysis of this peripheral legislation is beyond the scope of this article.

29 H.R. 98, Consumer Internet Privacy Protection Act of 1997, 105th Congress, 1st Session.

30 Many states have introduced information within their own legislative bodies. An analysis of each state and the differences which might be present between each state’s legislative response is beyond the scope of this article. However, it is important to recognize that state constitutions and statutes may provide greater protection to individuals than does the federal Constitution and statutes.

31 H.R. 435 "Fair Health Information Practices Act of 1995" was introduced into the House in January of 1995 by Representative Gary Condit (D-CA). The bill was referred to the House Commerce Committee. In the 103rd Congress, the same bill had died with health reform. At the end of the 104th Congress, this legislation was still in committee. However, similar legislation has been introduced in the 105th Congress as H.R. 52, Fair Health Information Practices Act of 1997.

32 Id.

33 H.R. 3482 "Medical Privacy in the Age of New Technologies Act" which was referred to the Subcommittee on Government Management, Information, and Technology (Parent Committee: House Government Reform and Oversight Comm.). At the end of the 104th Congress, this legislation was still in committee.

34 While a brief discussion of state privacy laws was provided in III.B., a detailed discussion of state constitutional reaction to privacy issues is beyond the scope of this article.

35 S. 1360 "Medical Records Confidentiality Act of 1995" was introduced before the Senate in October 1995 by Senator Robert Bennett (R-UT). The bill has been referred to the Senate Labor and Human Resources Committee. At the end of the 104th Congress, this legislation was still in committee. Similar legislation has been introduced by Representative Horn in the House (the legislation specifically attacked by McDermott). It was circulated as a discussion draft entitled, "Health Information Protection Act". As Chairman of the House Subcommittee on Government Management, Information, and Technology, Representative Horn (R-CA) held hearings to discuss his proposed legislation on June 14, 1996.

36 H.R. 3508 Children’s Privacy Protection and Parental Empowerment Act (CPPPEA).

37 Electronic Privacy and Information Center, the Klaas Foundation, and Enough is Enough.

38 “Electronic Information Policy and Law Report.” Bureau of National Affairs. Vol. 1, No. 21, page 512.

39 H.R. 306, Genetic Information Discrimination in Health Insurance Act of 1997, 105th Congress, 1st Session (the Senate version of this legislation is numbered S. 89), H.R. 328, Genetic Information Health Insurance Nondiscrimination Act of 1997, 105th Congress, 1st Session (this legislation would amend the Public Health Service Act and the Employee Retirement Income Security Act of 1974), and H.R. 341, Genetic Privacy and Nondiscrimination Act of 1997, 105th Congress, 1st Session.

40 H.R. 49, Postal Privacy Act of 1997, 105th Congress, 1st Session (would amend Title 39, USC).

41 S. 376, Encrypted Communications Privacy Act of 1997, 105th Congress, 1st Session (“A bill to affirm the rights of Americans to use and sell encryption products, to establish privacy standards for voluntary key recovery encryption systems, and for other purposes.”)

42 H.R. 537, Background Security Records Act of 1997, 105th Congress, 1st Session (to amend the Presidential Records Act of 1978 and the Privacy Act). This legislation was introduced in response to the scandal involving FBI records and the Clinton White House Administration.

43 This is a debate which must await a different forum. Many argue that Congress should not legislate in the area of Internet policy-making. This stems from the historical independent nature of the Internet. On the other hand, there are some areas where abuses by organizations warrant consumer protection. It is quite interesting to note that many an advocate of either position will contradict herself depending on the area of legislation proposed. Indeed, this author is opposed to the Communications Decency Act but in favor of privacy legislation. The individual advocate must be able to articulate the philosophy which resolves these surface contradictions.

44 A Joint Letter from American Civil Liberties Union, the Electronic Privacy Information Center, and the U.S. Public Interest Research Group, November 15, 1995. Available at: http://epic.org/privacy/welfare/welfare_letter.txt.

45 H.R. 503, 105th Congress, 1st Session (The legislation would amend the General Education Provisions Act.)

46 Connect to: http://www.ftc.gov. Also, the FTC has a privacy mailing list at privacy@ftc.gov.

47 The FTC has suggested protecting an individual’s prior addresses, date of birth, social security number, and mother’s maiden name.

48 It is interesting to note that much of what comes from the federal government now discusses the “Global Information Infrastructure” as opposed to the “National Information Infrastructure.”

49 It is ironic that the United States has fallen behind in the protection of individual privacy rights. We are no longer the “revolutionary”.

50 While other international organizations and countries may be in similar situations, only the EU/OECD and Canada codes are discussed in this article. In this author’s opinion, these are the only two which have had/will have a significant impact on domestic policy discussions.

51 Data Protection: Protection of Personal Data Ensured at the EU Level. Available at: http://www.cece.lu/en/comm/dg15/smn/data.html.

52 Id.

53 The "Model Code for the Protection of Personal Information" is the Canadian national standard on privacy. Developed by the Technical Committee on Privacy, the standard was prepared by the Canadian Standards Association and approved by the Standards Council of Canada. The Model Code is independent of the federal government and is a voluntary or self-regulatory standard for organizations. The term 'organizations' encompasses associations, businesses, charitable organizations, clubs, government bodies, institutions, professional practices, and unions. The Model Code is designed to be malleable in that organizations can adjust the code to fit with their specific circumstances.

54 While an analysis of the Organization for Economic Co-operation and Development (OECD) Guidelines is beyond the scope of this essay, the document can be obtained at: http://www.oecd.org/dsti/iccp/legal/priv-en.html.

55 "Model Code for the Protection of Personal Information.” Canadian Standards Association. 1996.

56 Id.

57 Id.

58 Direct marketer Metromail is facing a class action lawsuit for using prison inmates to process personal information.

59 Cyber Promotions, Inc. v. America Online, Inc., 948 F. Supp. 436 (1996).

Copyright 1997 by Charles Lee Mudd, Jr.