In 1977, the U.S. Privacy Protection Study Commission, reported to Congress that “neither law nortechnology now gives an individual the tools to protect his legitimate interests in the records organizations keep about him.” Sadly, more than twenty years later, the Commission’s conclusion remains equally true today despite the rhetoric of self regulation, technological mechanisms and sectoral rights.But, electronic communications make the stakes much higher for American citizens and the future of our democracy.
Data stalking and information trafficking are routine in the United States.Technologies of surveillance, data creep and commercial profiling create wide spread abuse of American citizens' right to privacy in personal information.Existing legal rights do not come close to protecting citizens against offensive data practices.
Self regulation and technical mechanisms are an inadequate substitute for legal rights.In a democracy, privacy is a basic political right that cannot be sold out in the marketplace.In the absence of legal standards, the history ofthe development and deployment of technical mechanisms does not demonstrate conformity to fair information practices.The failure to assure citizen privacy in America places the United States at odds with the rest of the world and jeopardizes US commercial interests in global data flows.
My recommendations are:
Mr. Chairman and Members of the Committee,
I would like to thank you for the invitation to testify and to commend you for convening this oversight hearing on privacy and electronic communications.My name is Joel Reidenberg.I teach information technology law courses, including data privacy law, at Fordham University School of Law and also serve as the Director of the law school’s Graduate Program.I appear today as a scholar on data privacy law and policy and do not represent the views of any organization with which I hold affiliations.
2. Self regulation and technical mechanisms are inadequate to protect the inherently political right of citizens to informational privacy.
3. Congress should enact the internationally acclaimed OECD Guidelines as a legal standard and provide minimum statutory damages for misuse of personal information.
Existing legal rights in the United States simply do not respond to abusive data practices and the need for sanctions against the misuse of personal information.American law is sporadic, confused and wholly inadequate to protect citizens in the face of privacy-invasive technical advances and pervasive online commercial surveillance.The principal statutes protecting Americans' privacy in the context of electronic communications have simply notkept pace with private sector information processing developments.The Electronic Communications Privacy Act, the Telecommunications Act of 1996, the Cable Communications Policy Act of 1982, and the Video Privacy Protection Act each contain narrow data privacy provisions that do not cover the vast array of online activities.Indeed, Congress has granted drug abusers greater privacy protection than lawful users of the Internet.Even the recent law suits filed across the country in several of the more prominent data scandal cases are forced to rely on deceptive trade practice theories since basic privacy rights are not clearly established in either the common law or statute.
Reliance on self regulation is not an appropriate mechanism to achieve the protection of basic political rights.Self regulation in the United States reduces privacy protection to an uncertain regime of notice and choice.As a set of privacy principles, this misses key elements of the package of universally recognized fair information practice principles such as data minimization, data access, and storage limitations.Self regulation also enables data collectors to change the rules after the data has been collected from individuals.As a practical matter, most web privacy notices are nothing more than confusing nonsense for the average American citizen.Policies are often found only through obscure links buried at the bottom of a web page and are routinely made ‘subject to change.’Once found, USA Today reports that a linguistic analysis of the policies of 10 major sites affected by data scandals shows that readers will not be able to understand the privacy statements withouta college education and many could not be understood without a post-graduate education.In fact, privacypolicies are practically impossible to draft at a reading level that mostAmericans can comprehend.Self regulation, thus, denies the average American citizen an opportunity to make informed choices and reserves privacy for the nation’s college educated citizens.
The seal programs are not a substitute for clear independent legal recourse.Seals, at best, offer an incomplete response to the misuse of personal information.Seal programs are inconsistent on the substantive privacy standards that web sites should apply to personal information.Programs such as Truste omit key fair information practice standards from the minimum requirements of certification such as mandatory access to stored personal information.With the rare exception of the ESRB, seal programs do not require as a condition for certification that damage remedies be granted to the victims of information misuse.Seal programs are also unlikely to cover the vast majority ofweb sites.The two major seal programs, BBBOnline and Truste, collectively certify a minuscule fraction of American web sites.Major sites such as Amazon.com do not even appear to participate.
Furthermore, seal programs narrowly restrict the scope of their certifications in ways that defy reasonable expectations of privacy.For example, Truste only certifies sites with respect to the information that “is used to identify, contact, or locate a person.”Yet, Business Week reports that sixty-three percent of Internet users were uncomfortable with web sites tracking their movements even though the sites did not tie the surveillance data with a user’s name or real world identity.Seal programs tend only to apply to the collection of data during specific, narrowly defined interactions such as those with web sites.As a result, major data scandals involving Truste licensees such as Intel, Microsoft and RealNetwork turned out to be outside the scope of Truste’s certification.
Just as self regulation and seal programs are flawed, the promise of technology does not work by itself either.In a society where the typical citizen cannot figure out how to program a VCR, how can we legitimately expect the American public to understand the privacy implications of dynamic HTML, web bugs, cookies and log files?The commercial models, however, are predicated on “personalization” and “customization” using these technologies.
Technologies are not policy neutral.Technical decisions make privacy rules and, more often than not, these rules are privacy invasive.For technology to provide effective privacy protection, three conditions must be met: (1) technology respecting fair information practices must exist; (2) these technologies must be deployed and (3) the implementation of these technologies must have a privacy protecting default configuration.
The marketplace alone does not rise to these three conditions. One of the most celebrated technologies, P3P, has been on the drawing board since 1996.Indeed, pressure from European legal requirements was instrumental in moving the standard forward and in affecting the substantive privacy provisions.But, the standard is still only a proposal.Even if the standard is finalized this year, P3P will be useless unless incorporated in web browsers and widely adopted by web sites.And, even if P3P is incorporated in web browsers and widely adopted by web sites, the default configurations may still be set as a privacy-invasive implementation.And even if the default configurations are set to afford maximum privacy protection, P3P offers no means to assure that the practices of web sites actually conform to stated standards.To paraphrase Justice Potter Stewart, “I do not know it when I cannot see it.”
Average citizens are in no position to make judgments about the impact of these technologies on their privacy.Despite the widespread press reports about “cookies” technology and the routine deployment by web sites to track site visitors, only 40% of computer users had ever heard of a “cookie” and only 30% of computer users recognize that a cookie is used to track online habits.
In short, self regulation and technology will not be adequate to assure the public’s right to privacy.
In the international economy, these legal rights are essential.The United States stands alone among industrialized democracies with its existing haphazard and weak data privacy rules.Although privacy began as an American concept at the end of the 19th Century with Warren and Brandeis’ famous law review article, the United States has lost its leadership role in defining privacy at the start of the 21st Century.In contrast, the European Union through Directive 95/46/EC requires each of its member states to harmonize data protection rights for citizens at a high level with a complete set of legal standards.Other countries around the world including Australia, Canada and emerging economies in Latin America are turning to the European model of data privacy for guidance rather than the U.S. industry-driven model.Indeed, the World Trade Organizationtreaty expressly authorizes our trading partners to restrict data flows in order to protect the privacy of their citizenry.In the absence of stronger legal protection in the United States, US industry is vulnerable to data flow restrictions.The conflict with the European Union over trans-Atlantic data flows is a clear example.Despite the U.S. Department of Commerce’s assertions, the safe harbor negotiated with the European Union for data flows to US companies is far from certain to resolve the issue.Whether Europe accepts the deal remains to be seen and there are significant questions about the legality of the deal on both sides of the Atlantic.At the national level in Europe, data protection agencies have expressed substantial opposition to the safe harbor and they will still have considerable latitude in dealing with the United States.Ironically, should the safe harbor become policy, US companies would commit to treating European data in the United States with greater privacy than they would be required to treat the data of US citizens.
(2) to offer industry a mechanism to obtain assurances of compliance with statutory rights.Since the interpretation of any enacted data privacy rights will be context specific and may not provide sufficient certainty for industry, the Data Protection Commission should have the authority to issue safe harbor guidance like SEC no-action letters.Such approval would mean that specific practices conform to the legal obligations for the fair treatment of personal information.This safe harbor function should also allow the Data Protection Commission to approve technical protocols, default settings and implementations for their conformity to legal obligations; and
(3) to represent the interests of the United States at international policy making bodies.At present, the United States is irregularly represented at critical meetings where international privacy issues and policies are set that affect global data flows.