Testimony
of
Joel R. Reidenberg
Professor of Law and Director of the Graduate Program
Fordham University School of Law
140 West 62nd Street
New York, NY 10023
<http://reidenberg.home.sprynet.com>
before the 
Subcommittee on Courts and Intellectual Property
Committee on the Judiciary
United States House of Representatives 
Oversight Hearing on Privacy and Electronic Commerce
May 18, 2000
Summary

In 1977, the U.S. Privacy Protection Study Commission reported to Congress that “neither law nor technology now gives an individual the tools to protect his legitimate interests in the records organizations keep about him.” Sadly, more than twenty years later, the Commission’s conclusion remains equally true today despite the rhetoric of self regulation, technological mechanisms and sectoral rights. But electronic communications make the stakes much higher for American citizens and the future of our democracy.

Data stalking and information trafficking are routine in the United States. Technologies of surveillance, data creep and commercial profiling create widespread abuse of American citizens' right to privacy in personal information. Existing legal rights do not come close to protecting citizens against offensive data practices.

Self regulation and technical mechanisms are an inadequate substitute for legal rights. In a democracy, privacy is a basic political right that cannot be sold out in the marketplace. In the absence of legal standards, the history of the development and deployment of technical mechanisms does not demonstrate conformity to fair information practices. The failure to assure citizen privacy in America places the United States at odds with the rest of the world and jeopardizes US commercial interests in global data flows.

My recommendations are:

1. Congress should grant U.S. citizens a right to information privacy by enacting the internationally acclaimed OECD Guidelines as a legal mandate with minimum statutory damages for violations.
2. Congress should establish a U.S. Privacy Commission to promote fair information practices in the United States, offer industry a mechanism to obtain assurances of compliance with statutory rights, and represent the interests of the United States at international policy making bodies.

Testimony

Mr. Chairman and Members of the Committee,

I would like to thank you for the invitation to testify and to commend you for convening this oversight hearing on privacy and electronic communications. My name is Joel Reidenberg. I teach information technology law courses, including data privacy law, at Fordham University School of Law and also serve as the Director of the law school’s Graduate Program. I appear today as a scholar on data privacy law and policy and do not represent the views of any organization with which I hold affiliations.

My testimony will focus on the lack of citizen privacy in America today and will offer recommendations for legislative action that draw on my research concerning online privacy issues.[1]
In 1977, after three years of Congressionally mandated study, the U.S. Privacy Protection Study Commission reported back to Congress that “neither law nor technology now gives an individual the tools to protect his legitimate interests in the records organizations keep about him.”[2] Sadly, more than twenty years later, the Commission’s conclusion remains equally true today despite the rhetoric of self regulation, technological mechanisms and sectoral rights. Specifically, I would like to make four points:

1. Data stalking and information trafficking have become the norm in the United States.

2. Self regulation and technical mechanisms are inadequate to protect the inherently political right of citizens to informational privacy.

3. Congress should enact the internationally acclaimed OECD Guidelines as a legal standard and provide minimum statutory damages for misuse of personal information.

4. Congress should create an independent Data Protection Commission that promotes fair information practices in the United States, offers industry a mechanism to obtain assurances of compliance with statutory obligations, and represents the interests of the United States at international privacy policy making bodies.

Data Stalking and Information Trafficking in the United States

First, the state of Americans' data privacy is appalling. Data stalking and information trafficking have become the norm in the United States. Within the last eighteen months, Americans have been horrified to learn of Intel’s plan to impose a hidden digital fingerprint for the users of every Pentium III chip, of Microsoft’s equivalent to a digital social security number secretly emblazoned on files, of DoubleClick’s surprise matching of off-line data with hidden collections of online data, and of RealNetworks’ surveillance of music listeners. Despite these public scandals, even now, the current version of Microsoft’s Internet Explorer (Version 5.0) comes equipped with default settings that facilitate hidden surveillance of users, and the current version of Netscape Communicator (Version 4.72) reports back to Netscape every time a user reads Messenger email. In effect, the tendency in the United States is to develop technology that increases data collection and decreases the transparency to citizens of such monitoring.
As a result of increased computing and communications power, previously unimaginable profiles of citizens are now readily available on the Internet. For example, Venture Direct, a New York based company, sells a list of fat black women who are offered as targets for self-improvement products.[3] Not to be outdone, Acxiom, a company unknown to the public at large, but holding dossiers on 160 million Americans, boasted of its “new ethnic system .... identifying individuals who may speak their native language, but do not think in that manner.” Unless I am missing something, Acxiom is essentially offering a list of ethnic Americans who “speak foreign,” but “think white.” Within weeks of my publicizing this outrageous example at a meeting of the National Association of Attorneys General last September, Acxiom removed its full data catalog from the company’s web site. Now, the site merely offers “specialty lists” with a specific mention of the Hispanic market[4] and declines to state clearly that those on the list can even learn of the existence of their profile.[5]
These egregious practices in the business community are just a few examples that offend common decency and represent invidious stereotyping. While industry lobbyists like to say that such practices have not resulted in economic loss to individuals, this argument seriously misconstrues the harm to society from the loss of faith and confidence in the fairness of information practices. The very misuse of personal information is a harm to the individual citizen that calls for redress.

Existing legal rights in the United States simply do not respond to abusive data practices and the need for sanctions against the misuse of personal information. American law is sporadic, confused and wholly inadequate to protect citizens in the face of privacy-invasive technical advances and pervasive online commercial surveillance. The principal statutes protecting Americans' privacy in the context of electronic communications have simply not kept pace with private sector information processing developments. The Electronic Communications Privacy Act, the Telecommunications Act of 1996, the Cable Communications Policy Act of 1982, and the Video Privacy Protection Act each contain narrow data privacy provisions that do not cover the vast array of online activities. Indeed, Congress has granted drug abusers greater privacy protection than lawful users of the Internet. Even the recent lawsuits filed across the country in several of the more prominent data scandal cases are forced to rely on deceptive trade practice theories, since basic privacy rights are not clearly established in either the common law or statute.

Inadequacy of Self Regulation and Technological Mechanisms to Protect Privacy

As U.S. industry moved into the business of information trafficking, American public policy decisions continually deferred to industry self regulation and technological mechanisms for fair information practices. The history of industry self regulation and technological privacy, however, demonstrates that these mechanisms have not and will not provide effective protection for citizens. These non-regulatory solutions may have been promoted with the best intentions of industry and, most recently, of the Clinton Administration. But self regulation and technical tools have proven to be little more than public relations and the avoidance of meaningful information privacy for citizens.

Privacy rights mark the boundary between totalitarian and democratic governance. Privacy is central to our freedom of association and our ability to define ourselves in society. These are basic political rights in a democracy and a fundamental American value. In contrast to the political nature of privacy, self regulation assumes that all privacy values can and should be resolved by a marketplace. Democratic societies do not, however, typically sell off the political rights of citizens. Indeed, Article 1, Section 1 of the California state constitution was amended by referendum to include express protection for privacy and to apply that protection against business gathering and use of personal information.[6]

Reliance on self regulation is not an appropriate mechanism to achieve the protection of basic political rights. Self regulation in the United States reduces privacy protection to an uncertain regime of notice and choice. As a set of privacy principles, this misses key elements of the package of universally recognized fair information practice principles such as data minimization, data access, and storage limitations. Self regulation also enables data collectors to change the rules after the data has been collected from individuals. As a practical matter, most web privacy notices are nothing more than confusing nonsense for the average American citizen. Policies are often found only through obscure links buried at the bottom of a web page and are routinely made ‘subject to change.’ Once found, they are hard to read: USA Today reports that a linguistic analysis of the policies of 10 major sites affected by data scandals shows that readers will not be able to understand the privacy statements without a college education, and many could not be understood without a post-graduate education.[7] In fact, privacy policies are practically impossible to draft at a reading level that most Americans can comprehend. Self regulation, thus, denies the average American citizen an opportunity to make informed choices and reserves privacy for the nation’s college educated citizens.

The seal programs are not a substitute for clear independent legal recourse. Seals, at best, offer an incomplete response to the misuse of personal information. Seal programs are inconsistent on the substantive privacy standards that web sites should apply to personal information. Programs such as Truste omit key fair information practice standards from the minimum requirements of certification, such as mandatory access to stored personal information. With the rare exception of the ESRB, seal programs do not require as a condition for certification that damage remedies be granted to the victims of information misuse. Seal programs are also unlikely to cover the vast majority of web sites. The two major seal programs, BBBOnline and Truste, collectively certify a minuscule fraction of American web sites.[8] Major sites such as Amazon.com do not even appear to participate.

Furthermore, seal programs narrowly restrict the scope of their certifications in ways that defy reasonable expectations of privacy. For example, Truste only certifies sites with respect to the information that “is used to identify, contact, or locate a person.” Yet, Business Week reports that sixty-three percent of Internet users were uncomfortable with web sites tracking their movements even though the sites did not tie the surveillance data to a user’s name or real world identity.[9] Seal programs tend only to apply to the collection of data during specific, narrowly defined interactions such as those with web sites. As a result, major data scandals involving Truste licensees such as Intel, Microsoft and RealNetworks turned out to be outside the scope of Truste’s certification.

Just as self regulation and seal programs are flawed, the promise of technology does not work by itself either. In a society where the typical citizen cannot figure out how to program a VCR, how can we legitimately expect the American public to understand the privacy implications of dynamic HTML, web bugs, cookies and log files? The commercial models, however, are predicated on “personalization” and “customization” using these technologies.

Technologies are not policy neutral. Technical decisions make privacy rules and, more often than not, these rules are privacy invasive. For technology to provide effective privacy protection, three conditions must be met: (1) technology respecting fair information practices must exist; (2) these technologies must be deployed; and (3) the implementation of these technologies must have a privacy protecting default configuration.

The marketplace alone does not rise to these three conditions. One of the most celebrated technologies, P3P, has been on the drawing board since 1996. Indeed, pressure from European legal requirements was instrumental in moving the standard forward and in affecting the substantive privacy provisions. But the standard is still only a proposal. Even if the standard is finalized this year, P3P will be useless unless incorporated in web browsers and widely adopted by web sites. And, even if P3P is incorporated in web browsers and widely adopted by web sites, the default configurations may still be set as a privacy-invasive implementation. And even if the default configurations are set to afford maximum privacy protection, P3P offers no means to assure that the practices of web sites actually conform to stated standards. To paraphrase Justice Potter Stewart, “I do not know it when I cannot see it.”

Average citizens are in no position to make judgments about the impact of these technologies on their privacy. Despite the widespread press reports about “cookies” technology and the routine deployment by web sites to track site visitors, only 40% of computer users had ever heard of a “cookie” and only 30% of computer users recognize that a cookie is used to track online habits.[10]

In short, self regulation and technology will not be adequate to assure the public’s right to privacy.

Enactment of the OECD Guidelines and Minimum Statutory Damages for Misuse of Personal Information

Congress needs to enact comprehensive legal rights for data privacy. Americans deserve a baseline of data privacy protection, and our democracy requires a framework of consistent fair information practices across different types of uses of personal information and processing arrangements. The United States does not need to reinvent the wheel. The O.E.C.D. Guidelines on data privacy were inspired by the United States and endorsed by the United States. These internationally acclaimed Guidelines offer a full set of standards that provide for citizen protection while receiving praise for their sensitivity to business concerns. Congress should enact these principles as a legal standard and provide for minimum statutory damages in the event of violations. With basic rights and statutory damages, citizens will be able to vindicate their privacy without the need for intrusive government oversight.

The existence of a legal baseline in the United States will provide the necessary incentive to stimulate the rapid development and deployment of privacy-protective technologies. With legal accountability, industry will be unable to continue the current practices of data stalking and information trafficking and will have to implement fairly any new technologies that affect citizen privacy.

In the international economy, these legal rights are essential. The United States stands alone among industrialized democracies with its existing haphazard and weak data privacy rules. Although privacy began as an American concept at the end of the 19th Century with Warren and Brandeis’ famous law review article,[11] the United States has lost its leadership role in defining privacy at the start of the 21st Century. In contrast, the European Union through Directive 95/46/EC requires each of its member states to harmonize data protection rights for citizens at a high level with a complete set of legal standards. Other countries around the world, including Australia, Canada and emerging economies in Latin America, are turning to the European model of data privacy for guidance rather than the U.S. industry-driven model. Indeed, the World Trade Organization treaty expressly authorizes our trading partners to restrict data flows in order to protect the privacy of their citizenry. In the absence of stronger legal protection in the United States, US industry is vulnerable to data flow restrictions. The conflict with the European Union over trans-Atlantic data flows is a clear example. Despite the U.S. Department of Commerce’s assertions, the safe harbor negotiated with the European Union for data flows to US companies is far from certain to resolve the issue. Whether Europe accepts the deal remains to be seen, and there are significant questions about the legality of the deal on both sides of the Atlantic. At the national level in Europe, data protection agencies have expressed substantial opposition to the safe harbor, and they will still have considerable latitude in dealing with the United States. Ironically, should the safe harbor become policy, US companies would commit to treating European data in the United States with greater privacy than they would be required to treat the data of US citizens.

Establishment of a Data Protection Commission

Lastly, Congress needs to establish a Data Protection Commission. The implementation of privacy principles in the dynamic and complex online environment requires expertise, independent judgment and constant vigilance across disciplines and existing agency jurisdictional boundary lines. While the Federal Trade Commission and Peter Swire at the OMB have exercised important roles recently in promoting data privacy, their institutional missions are too narrow for this function. An independent commission offers critical guidance, since citizens may undervalue the interests of industry and society at large in information flows and industry will undervalue citizens’ privacy.

The roles I propose for the Data Protection Commission are:

(1) to promote fair information practices in the United States through constant advice and publicity on privacy issues to Congress, industry and the public;

(2) to offer industry a mechanism to obtain assurances of compliance with statutory rights. Since the interpretation of any enacted data privacy rights will be context specific and may not provide sufficient certainty for industry, the Data Protection Commission should have the authority to issue safe harbor guidance like SEC no-action letters. Such approval would mean that specific practices conform to the legal obligations for the fair treatment of personal information. This safe harbor function should also allow the Data Protection Commission to approve technical protocols, default settings and implementations for their conformity to legal obligations; and

(3) to represent the interests of the United States at international policy making bodies. At present, the United States is irregularly represented at critical meetings where international privacy issues and policies are set that affect global data flows.

[1] See, e.g., Joel R. Reidenberg, Resolving Conflicting International Privacy Rules in Cyberspace, 52 STANFORD L. REV. – (Forthcoming 2000); Joel R. Reidenberg, Restoring Americans' Privacy in Electronic Commerce, 14 BERKELEY TECH. L.J. 771 (1999), available at http://www.law.berkeley.edu/journals/btlj/articles/14_2/Reidenberg/html/reader.html; Joel R. Reidenberg & Paul M. Schwartz, ONLINE SERVICES AND DATA PROTECTION AND PRIVACY: REGULATORY RESPONSES (1998), available at <http://europa.eu.int/comm/internal_market/en/media/dataprot/studies/regul.pdf>.
[2] U.S. Privacy Protection Study Commission, PERSONAL PRIVACY IN AN INFORMATION SOCIETY 8 (1977).
[5] See Acxiom, Fair Information Practices: Access and Choice, http://www.acxiom.com/informationpractices/fip-access.asp.
[6] Hill v. NCAA, 865 P.2d 633 (Cal. 1994) (relying on the referendum ballot pamphlet in holding that the constitutional protections apply against non-governmental organizations).
[7] Will Rodger, Privacy isn’t public knowledge: Online policies spread confusion with legal jargon, USA Today, May 1, 2000.
[8] See http://www.bbbonline.org/businesses/privacy/approved.html (visited May 15, 2000) (listing fewer than 500 web sites); http://www.truste.com/about/about_1000th.html (reporting on the 1000th seal approved by Truste in January 2000).
[9] Business Week/Harris Poll: A Growing Threat, Business Week, March 20, 2000.
[10] Id.
[11] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).