MEMORANDUM
To:
From: Brian M. Berger
Subj: Privacy Update
Date: August 9, 2000
_______________________________________________________________________
This fall, privacy issues will continue to be a major concern for Congress and the
Administration, and will also most likely be an issue in the November elections. The
widespread use of computers and access to the Internet have fueled these concerns.
While the preference until recently has been to allow the industry to self-regulate, there
are now several voices within the Administration and Congress that support more
aggressive privacy regulation, particularly in the area of financial information and
medical records. While it is unlikely that Congress will enact comprehensive privacy
legislation this year, many privacy advocates in the House and the Senate may attempt
(as some already have) to address this issue piecemeal by attaching privacy provisions to
other independent pieces of legislation, especially appropriations bills, that are moving
through the legislative process.
This memorandum focuses on some of the more recent developments in this area.
U.S. EXECUTIVE ADMINISTRATION
Federal Trade Commission's May 2000 Report on Privacy
In a report to Congress released earlier this summer, the FTC reversed its long-
standing position of supporting industry self-regulation and formally asked Congress for
new regulatory power over companies that engage in commerce over the Internet. The
Commission has proposed establishing standards in four areas: notice, choice, access and
security. Specifically, the FTC would like to be able to implement and enforce rules
addressing: (i) website notification to consumers about the use of personal data; (ii) the
privacy policy of the website; and (iii) the ability of consumers to access the information
that companies keep about them. The FTC also wants authority to regulate the way
information is passed to third parties and to have enforcement authority to penalize
companies that violate privacy rules.
The FTC recommendation is a controversial one -- issued by a 3-2 vote, with the
two Republican commissioners dissenting. Critics of the FTC's recommendation,
including the two dissenting commissioners, have stressed that hastily-drafted privacy
legislation or regulations could have negative consequences for the thriving Internet
economy by imposing heavy costs on not just technology companies, but on any
company that wishes to engage in commerce over the Internet. Ill-conceived legislation
could also stifle innovation and technological advances. The Administration has not
embraced the FTC's proposal, focusing instead on the issue of medical and financial
services privacy. Many members of Congress are reluctant to embrace the FTC's
recommendations and take up comprehensive privacy legislation. Soon after the FTC
issued its report, House Majority Leader Dick Armey sent a letter to the FTC Chairman
questioning the departure from the industry self-regulatory approach.
Administration Privacy Proposal
Last spring, President Clinton announced that the Administration would seek
comprehensive privacy legislation overriding the privacy provisions included in last
year’s financial services modernization legislation. The proposal would impose
substantial restrictions on the ability of financial institutions to share nonpublic personal
information internally or with third parties. Sen. Leahy (D-VT), ranking member of the
Senate Judiciary Committee, and Rep. LaFalce (D-NY), ranking member of the House
Banking Committee, have introduced the Administration privacy proposals. These bills,
S. 2513 and H.R. 4380, would allow consumers to "opt-out" of most information sharing
between companies, whether or not they are affiliated, and would impose additional opt-
in requirements for sharing sensitive financial and medical information.
Network Advertising Initiative
Last month, the FTC approved an industry self-regulation plan on online
profiling. The proposal was developed by the Network Advertising Initiative, which
includes 90% of the Internet advertising industry, in consultation with the FTC. Under
the industry proposal, sensitive information, such as Social Security numbers, sexual
behavior, and sensitive medical and financial information, would never be collected by
NAI members. In addition, Internet advertisers must now provide conspicuous notice to
users of their profiling practices and must also give users the opportunity to opt out.
Under the proposal, anonymous information cannot be linked to personally identifiable
data without consent. Finally, Internet advertisers would have to provide "reasonable
access" to consumers who wished to access the personally identifiable information that
had been collected about them. The agreement makes no attempt to offer a more specific
definition of reasonable access. Independent auditors will enforce this agreement.
While the FTC did lend its support to this agreement, it also stated that it will
continue to press for legislation in this area, because the agreement will not cover all
Internet advertisers. The FTC report stated the need for basic privacy protections,
focusing on the already-established FTC principles with regard to privacy (notice, choice,
access, security), as well as the need for an implementing agency to have enforcement
power. Commissioner Swindle dissented, arguing that legislation is overly burdensome
and unwarranted. Consumer and privacy groups denounced the agreement as not going
far enough. Industry argued that the 10% of Internet advertisers that do not fall under the
agreement would eventually be forced to comply due to pressure from the rest of the
industry and businesses on the web.
U.S. CONGRESS
Numerous members of both houses have introduced privacy bills during the 106th
Congress, and many of these bills have been the subject of hearings in front of a number
of different congressional committees. The following bills have seen the most recent
action.
H.R.4049 - The Privacy Commission Act
On June 29, the House Government Reform Committee favorably reported by
voice vote H.R.4049, the Privacy Commission Act. This bill would establish a
commission to study existing privacy laws and regulations, as well as industry efforts to
address privacy issues, and submit a report to Congress that identifies potential threats to
privacy and legislative recommendations. The bipartisan commission would have a term
of 18 months and be composed of 17 members: four appointed by the President; four
appointed by the Senate majority leader; two appointed by the Senate minority leader;
four appointed by the Speaker of the House; two appointed by the House minority leader;
and one chairperson jointly appointed by the President, the Senate majority leader, and
the Speaker of the House. The bill provides for a broad range of diverse backgrounds
from which commission members might be selected (including representatives from
government, media, the academic community, consumer groups, public policy groups,
and industry).
H.R.4049 would direct the commission to, through an examination of the
monitoring, collection, and distribution of personal information by government and
private individuals and entities, consider privacy issues and the appropriate balance
between protecting privacy and allowing appropriate uses of information. Specifically,
the collection of information pertaining to the following would be examined: medical
records, financial records, Social Security numbers, insurance records, education records,
and driver's license numbers. H.R.4049 would authorize $5 million for Commission
operations and would direct the Commission to conduct 10 field hearings.
During consideration of H.R.4049, the committee adopted an amendment offered
by Ranking Member Waxman (D-CA) that would add a congressional finding that this
bill is not intended to delay enactment of privacy protection legislation. Waxman also
offered an amendment to direct the federal financial institution regulatory agencies to
issue financial privacy regulations if Congress does not act in this area within three years
of the enactment of this bill. The amendment was ruled out of order when Rep. Walden
(R-OR) made a point of order that the amendment was not germane because it directed
agencies typically under the jurisdiction of the House Banking Committee to enact
substantive regulations involving financial services.
Hutchinson's staff had hoped the bill would go to the House floor before the
August district work period. However, it is the preference of the Republican Leadership
that the House take up the bill later in the session. Rep. Moran (D-VA), a lead sponsor of
the bill, along with Hutchinson, was recently quoted as saying that he believed the House
would consider the bill the second or third week after Congress returns from the August
recess. Sens. Kohl (D-WI) and Torricelli (D-NJ) have offered similar legislation on the
Senate side, S.1901, and Chairman Thompson (R-TN) of the Governmental Affairs
Committee has stated that he believes this legislation to be the most thoughtful approach
to handling the privacy issue. If either of these bills is to move, it will face opposition.
During subcommittee and full committee consideration of H.R.4049, Rep. Waxman
expressed the belief of many privacy advocates that an 18-month privacy commission
would delay important legislative action in the area of privacy, and that the commission
would be stacked with opponents of privacy legislation. The Administration has also
stated that it opposes the proposal, which it sees as a delaying tactic. In addition, Sens.
McCain (R-AZ) and Kerry (D-MA), the lead sponsors of a recently introduced online
privacy bill, have stated that they would oppose the bill, which Kerry sees as an act of
"political gamesmanship."
H.R.4585 - The Medical Financial Privacy Protection Act
In June, Chairman Leach (R-IA) of the House Banking Committee favorably
reported his own bill, H.R.4585, the Medical Financial Privacy Protection Act, on a
mostly party-line vote, with only four Republicans voting in favor of the bill. This bill
would require financial institutions to obtain consumers' consent (opt in) before
disclosing individually identifiable health information to third parties and affiliates. The
bill would also allow consumers to access and correct such information. In addition,
H.R.4585 would not preempt state privacy regulations, and during the markup, the
committee adopted an amendment offered by Ranking Member LaFalce (D-NY) that
would give citizens a private cause of action against companies that fail to comply with
the law. A couple of other controversial amendments that were added to the bill would
require financial institutions to get a customer's separate and specific consent with regard
to genetic information, reproductive health and substance abuse treatment. The
committee defeated an amendment offered by Rep. Inslee (D-WA) that would have
applied the opt-in provisions to cover financial information as well as medical records.
There is strong industry opposition to this bill, and these opponents have argued
that the language of the bill would grant consumers access to any information that the
bank has ever collected about them, whether or not it is health information. While
Chairman Leach stated his desire to move this bill along quickly, many observers
question whether H.R.4585 will ever make it to the House floor. Besides strong industry
opposition, the bill must now be sequentially referred to the House Commerce, Judiciary,
and Ways and Means committees. The Commerce Committee has until September 22,
2000, to consider this bill.
S.2107 - The Competitive Market Supervision Act
In July, the Senate Banking Committee marked up S.2107, the Competitive
Market Supervision Act. The issue of medical privacy had stalled the committee's
consideration of this bill, which contains a provision that would reduce securities fees in
excess of those required to fund the operations of the SEC. The committee voted down
an amendment offered by Sen. Shelby (R-AL) that would have prohibited financial
services institutions from buying or selling Social Security numbers. Sens. Dodd (D-CT)
and Johnson (D-SD) offered and withdrew an amendment to protect human genome
information (see Daschle Amendment below). Sen. Bryan (D-NV) did not offer a
financial privacy amendment to the bill, but he did state that he would object to any
unanimous consent proposal to bring up this bill on the Senate floor, unless he was
granted time to discuss his financial privacy amendment. In the end, Chairman Gramm
promised members a floor vote on a privacy amendment incorporating the Social
Security number and the human genome provisions, as well as his own medical privacy
language that would prevent financial institutions from using medical records when
considering customers' loan or credit applications. Gramm's bill is much less extensive
than the amendment that Shelby had originally offered that would prohibit financial
institutions from disclosing consumers' medical privacy information to affiliated and non-
affiliated third parties unless the institution obtains the affirmative consent of the
consumer (the consumer opts in).
S.2928 - The Consumer Internet Privacy Enhancement Act
S.2928, sponsored by Sens. McCain (R-AZ), chairman of the Senate Commerce
Committee, Kerry (D-MA), Abraham (R-MI), and Boxer (D-CA), would require
commercial websites to notify users of the site's privacy practices in a clear and
conspicuous manner. This notification should be easily understandable and should
include the business' address and phone number. The site should also notify users of the
personally identifiable information that is collected and how the site operator uses this
information. S.2928 also requires websites to allow users to opt out of having their
personal information disclosed to third parties. The bill would preempt state laws on
online privacy, but would not affect medical or financial privacy laws or bills. Finally,
S.2928 would authorize the National Academy of Sciences to study the issues of access
and security on the Internet, as well as the distinctions between online and offline
information-collection practices.
At present there are differing industry views of this bill. While McCain noted that
AOL and Intel contributed to the drafting of the legislation, other technology
corporations such as Microsoft, IBM, and WorldCom are expected to oppose the
measure. In addition, the Chamber of Commerce opposes the bill because it fears a rush
to enact a one-size-fits-all bill at the end of the session will have unintended
consequences. Despite this opposition, McCain stated that he hopes that the Commerce
Committee could unanimously report his bill this year, but he also recognized that there
were members of his committee who support much more aggressive privacy regulations.
S.2448 - The Internet Integrity and Critical Infrastructure Protection Act
The Senate Judiciary Committee has postponed several scheduled markups of
S.2448, the Internet Integrity and Critical Infrastructure Protection Act. This bill would
expand the Justice Department's authority to fight cybercrime by establishing criminal
penalties for computer hacking and for transmitting fraudulent email. S.2448 would also
address the issue of online privacy by requiring a Web site to notify customers of the
site's privacy policy and allow customers the opportunity to prevent their information
from being sold to third parties.
At the latest Senate Judiciary Committee markup, Chairman Hatch, the sponsor of
the bill, noted that there were a number of proposed amendments to S.2448. He
postponed the markup with the hope that staff could work with sponsors of the proposed
amendments and see if some of them might be able to be incorporated in the underlying
bill before the markup. It is likely that privacy advocates will offer amendments to
extend the bill's privacy provisions when the committee considers the bill.
Senate Appropriations Bills
The Senate has debated a couple of privacy amendments to appropriations bills.
During floor debate of H.R.4577, the Labor/HHS/Education Appropriations bill,
Minority Leader Daschle (D-SD) offered an amendment to prohibit health insurers and
employers from discriminating against individuals because of the individuals' genetic
information. One provision of the amendment would have prevented the disclosure of
genetic information to health insurers, health insurance data banks, employers, and
anyone else who HHS deems through regulations has no legitimate need for such
information. Sen. Jeffords (R-VT) offered an alternative amendment that would prohibit
health insurance discrimination on the basis of genetic information. Jeffords' amendment
also would require health insurers to provide clear and conspicuous notice to customers
of the insurer's confidentiality, or privacy, policy with regard to genetic information and
that health insurers institute safeguards to protect the confidentiality, security and
accuracy of genetic information. While most of the debate over the two amendments
focused on the fact that Daschle's amendment included employer genetic discrimination
and Jeffords' did not, Daschle did at one point state that another problem with Jeffords'
amendment was that it did not prohibit insurers from disclosing the results of genetic tests
without consent. Jeffords' amendment was adopted (58-40) after the Daschle amendment
was defeated (44-54). However, Daschle has said that he will continue to look for a
vehicle for this legislation. Incidentally, Rep. Slaughter (D-NY) has sought action on
similar legislation in the House, but Commerce Committee Chairman Bliley (R-VA) has
yet to schedule any action on the issue.
Sen. Boxer (D-CA) was successful in attaching medical privacy language to
H.R.4576, the Defense Appropriations bill. The amendment would prohibit the
Department of Defense from disclosing to anyone outside the Department, for any non-
national security or non-law enforcement purposes, an individual's medical records
without the consent of that individual. Appropriations Committee Chairman Stevens
accepted the amendment, which then passed by voice vote. However, during her
statement about the amendment, Sen. Boxer stated that all federal agencies, not just DOD,
are adhering to the Privacy Act of 1974, which she called inadequate in protecting
privacy. She then stated her desire to amend all appropriations bills in this manner.
Stevens, however, indicated that he opposes a "piece by piece" amending of the Privacy
Act, and noted that DOD is unique in that there is no other agency that has access to the
medical records of the individuals employed by that agency on a scale with DOD.
In addition, Sen. Boxer attached an amendment to S.2549, the Defense
Authorization bill, that would establish a Blue Ribbon Advisory Panel to study DOD
medical privacy policies and to make recommendations to Congress, the Administration
and DOD on how to ensure medical privacy. This amendment also passed by voice vote.
H.R.4857 - The Privacy and Identity Protection Act
In July, the House Ways and Means Subcommittee on Social Security reported by
voice vote H.R.4857, the Privacy and Identification Protection Act. This bill was
introduced by Reps. Shaw (R-FL) and Matsui (D-CA), the Chairman and Ranking
Member of the subcommittee. H.R.4857 is intended to address the problem of identity
theft by providing additional privacy protection concerning social security numbers.
Specifically, H.R.4857 would prohibit federal, state, and local governments from selling
Social Security numbers or from displaying Social Security numbers on public
documents or checks. The bill would also bar state motor vehicle departments from
displaying Social Security numbers on driver's licenses and other identification
documents. In addition, this legislation would restrict the private sector sale of Social
Security numbers, include Social Security numbers within the protection of the Fair
Credit Reporting Act, and prohibit companies from refusing to do business with
individuals who will not furnish their Social Security numbers.
At this point, it is unclear whether the full Ways and Means Committee is
expected to consider H.R.4857 sometime after the August recess. The bill has also been
referred to the House Banking, Commerce, and Judiciary committees.
Bankruptcy Bill
Sens. Leahy (D-VT) and Torricelli (D-NJ) have introduced legislation that would
prohibit the sale of personally identifiable information by a company that has declared
bankruptcy if such a sale or disclosure would violate the company's privacy policy. The
Senators introduced the legislation to address situations similar to that of Toysmart.com,
an e-commerce company that declared bankruptcy and subsequently offered its customer
databases for sale as part of the liquidation process. Toysmart.com had notified visitors
to the site that it would not disclose personally identifiable information to third parties,
and the FTC has subsequently filed suit against the company for fraudulent practices.
Sens. Leahy and Torricelli have stated their desire that this bill be included in the
bankruptcy conference report when negotiations on that bill resume, and Senate Judiciary
Committee Chairman Hatch (R-UT) has stated that he would not object to the addition of
the provision.
UNITED STATES/EUROPEAN UNION PRIVACY AGREEMENT
Last May, the Administration and the European Union negotiated a safe harbor
privacy arrangement that would allow U.S. companies to comply with EU data privacy
laws. In July, the European Commission, over objections by the European Parliament,
formally adopted this agreement that ensures that U.S. businesses are in compliance with
the EU's 1998 directive regulating electronic transfers of personal information to non-EU
nations. The Parliament had asked the Commission to renegotiate the agreement to force
U.S. companies to provide compensation to individuals who claim that their privacy
rights have been violated. The Commission, noting that the Parliament is just an advisory
body, assured the U.S. Commerce Department that the EU would implement the
agreement.