FC: What's the outlook for privacy laws in this Congress?

[Declan McCullagh <declan () well com>]

**********

From: "peter j gray" <japgray () email msn com>
To: "Declan McCullagh" <declan () well com>
Subject: Privacy Laws: Not Gonna Happen?
Date: Mon, 5 Mar 2001 09:12:21 -0500
Organization: Microsoft Corporation

Declan, your politech readers may be interested in my assessment of the
outlook for privacy legislation and regulation.

[attachment follows --DBM]

During the last two years, there was a flurry of activity on privacy in the 
U.S. Hundreds of privacy bills were introduced in Congress and the states 
to protect consumer investors, depositors and borrowers; employees; 
taxpayers; patients; motorists; students; users of the Internet, telephone 
and wireless devices; and others. Legislation attempted to deal with 
identity theft, misuse of Social Security numbers and other personal 
identifiers,  access to and use of financial, health and medical 
information, information sharing, collection and use of personal 
information via the Internet, and government surveillance. Media coverage 
of privacy topics was heavy. Consumer advocates pressed for increased 
privacy regulation, while industry groups argued in favor of 
self-regulation. But, except for the privacy provisions in the 
Gramm-Leach-Bliley Act, no significant federal legislation was enacted.



Will the next two years bring more privacy regulation or no major changes? 
While many privacy bills will be re-introduced, and some new ones filed, 
few of them are likely to be enacted. One law that might be passed would 
deal with protecting consumers who use the Internet. Both the House and 
Senate Commerce committees are attempting to fashion bipartisan legislation 
that sets a baseline for protecting consumers' online privacy that includes 
consumer notice, choice and information security. Companies that met basic 
self-regulatory standards for privacy protection would be protected with a 
"safe harbor" from federal regulation. But, it will be difficult to get 
consensus on consumer opt-in permission for use of sensitive personal 
information (i.e. financial and health records), consumer access to 
information in company databases, enforcement, and federal preemption of 
state laws.



While it's too early to tell how much importance the new Administration 
will place on privacy, President Bush has stated that companies should not 
use personal information without obtaining consumers' permission. The 
Administration is not inclined to support legislation that imposes onerous 
new privacy regulations on business. And, the new OMB is likely to adopt a 
more rigorous approach to proposed privacy regulations, and reject those 
whose costs exceed their benefits. The hold on implementation of the 
proposed medical privacy rules signals a willingness to challenge the 
status quo. But, the Administration may pay a political risk if it gets the 
reputation of being insensitive to privacy concerns.



Among the federal agencies, the FTC has taken the lead in regulating online 
privacy and in recommending new privacy protection legislation. But, the 
FTC's attempts to expand its privacy role may slow down when Chairman 
Pitofsky leaves office this summer, and is replaced by a Republican more in 
tune with industry self-regulation efforts. Instead of urging Congress to 
pass new privacy legislation, the FTC is expected to urge companies to 
adhere to industry best practices.



With Michael Powell as Chairman, the FCC is likely to take a softer 
regulatory approach towards telecommunications and Internet privacy, and 
this may have important implications for privacy regulations by other 
federal agencies. For example, the FCC rule requiring telecommunications 
carriers to obtain express consumer consent before sharing Customer 
Proprietary Network Information to cross-market other products and 
services, was struck down by the Tenth Circuit Court of Appeals last year, 
and the Supreme Court refused to hear the FCC's appeal. The Appeals Court 
found that the FCC's opt-in requirement violated the First and Fifth 
Amendments of the Constitution; that the FCC failed to demonstrate that the 
opt-in approach to consumer consent advances privacy; and that the FCC 
failed to fully investigate a consumer opt-out approach to privacy 
protection. Thus, the FCC may issue a more flexible rule, or it may scrap 
its attempts to revise the rule.



There is no industry consensus on the need for a federal online privacy 
law. Large trade associations are at odds. The U.S. Chamber of Commerce has 
announced its opposition to any federal online privacy legislation, because 
it is concerned about the potential impact on e-commerce of new 
restrictions on the use of information by businesses. However, the 3500 
member AeA (formerly the American Electronics Association), supports 
federally preemptive privacy legislation that includes consumer notice and 
choice, self-regulatory privacy codes and seal programs, parity of online 
and offline privacy protections, and FTC enforcement. A few large companies 
believe that a federal online privacy law will help overcome consumer 
concerns and encourage their use of e-commerce. Intel, Hewlett Packard and 
AOL-Time Warner are supporting minimalist federal online privacy 
legislation that includes notice and opt-out for consumers, plus some 
degree of federal preemption. But, Microsoft and many other companies that 
do business online prefer industry self-regulation, and the use of software 
tools that allow consumers to protect their own privacy, to legislation. 
The Privacy Leadership Initiative and the Direct Marketing Association hope 
to demonstrate industry willingness to self-regulate their privacy 
practices by agreeing to adhere to online information best practices. Other 
organizations, such as the Network Advertising Initiative, the Responsible 
Electronic Communications Alliance, the Cellular Telecommunications 
Industry Association, and the Wireless Advertising Association are urging 
their members to adopt a consumer opt-in approach to marketing and e-mail 
advertising.



Meanwhile, consumer advocates and privacy groups have petitioned the Bush 
Administration, Congress, the FTC and FCC, the NAAG and the NGA to adopt a 
"comprehensive framework for privacy protection" that includes consumer 
access to information, limits on information use, redress for improper use, 
notice, consent and security. These organizations also want Congress to 
establish a privacy commission to address emerging privacy issues; to limit 
consumer and employee surveillance and monitoring; to support privacy 
enhancements that limit the collection and use of personal information. 
They also favor strong, basic federal privacy standards that will allow the 
states to provide added protections.

Finally, European and other nations continue to impose privacy regulations 
on domestic and foreign companies that do business with their citizens. 
Despite the Safe Harbor (SH) agreement, designed to avoid the disruption of 
data flows between the U.S. and EU, few American companies are signing up 
to self-certify that they will comply with the requirements of the 
agreement. In addition, with little industry interest in the SH, there will 
be no incentive to expand the agreement to cover financial institutions and 
telecommunications companies. Unless a significant number of companies 
self-certify this year, the EU may decide to back out of the agreement and 
enforce its Data Protection Directive by blocking data flows between Europe 
and the U.S. (even though Germany and some other EU members are not yet in 
compliance with the Directive). Meanwhile, the EU plans to award privacy 
certification marks to company web sites that are in compliance with 
European data protection requirements. Canada, Argentina and Australia have 
recently enacted privacy laws that appear to satisfy at least some of the 
requirements of the European Data Protection Directive, and more countries 
are expected to follow suit.



In conclusion, despite continuing efforts to enact new online privacy 
legislation, lack of   consensus, and a more laissez faire approach to 
regulation by the Bush Administration, could result in a temporary 
stalemate. But, privacy is a politically popular issue for Congressional 
candidates in both parties, and the subject will probably heat up as the 
2002 elections near.


Peter Gray

<mailto:gray () washingtonword com>gray () washingtonword com





-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------