Privacy Law and Policy Reporter
Barbara S Wellbery
This is an edited version of a paper first given at the conference ‘E-privacy in the new economy’, organised by the Hong Kong Privacy Commissioner and held in Hong Kong on 26 March 2001. It is reproduced here by kind permission of the author and the Commissioner, Stephen Lau.
Legal and historical traditions have evolved quite differently in the US than in Europe. As a result, the US takes a different approach to privacy issues to the EU. The US legal tradition, rooted in concerns about governmental excesses, has led to a preference for decentralised authority, a reluctance to regulate the private sector absent demonstrated need, and generally greater concern about excess of government regulation than about private sector excess. While the US Constitution establishes certain privacy protections for individuals, such as the right to be free from warrantless searches, it does not explicitly protect information privacy, nor has any such right been inferred from the Constitution. In addition, a fundamental tenet of American democracy, the First Amendment to the US Constitution, requires a balance between the privacy rights of individuals and the benefits that stem from the free flow of information within and across US borders.
Accordingly, when the US adopted a comprehensive privacy law, the Privacy Act of 1974, it governed only the Federal Government’s use of citizens’ personal information. Other federal privacy protection statutes apply to specific government agencies or information, such as income tax and census data. Neither federal nor State governments, however, have adopted comprehensive information privacy protections affecting private sector data use. (Some State constitutions, such as those of California, Florida, and Hawaii, explicitly set forth a right to privacy without specifying any rights relating directly to information privacy.)
In contrast, the information privacy laws that govern the private sector in the US were adopted either because of specific instances of abuse, perceived market failure, or because particularly sensitive information and/or groups were involved. There is concern that information privacy issues differ so much across different industry sectors that a ‘one size fits all’ legislative approach would lack the necessary precision to avoid interfering with the benefits that flow from the free flow of information. For that reason, too, the US has adopted limited sector specific privacy legislation. As a result, a number of statutes cover the collection and use of personal information in specific contexts, such as children’s personal information, information collected by telephone and cable companies and credit bureaus, and financial, video rental and drivers’ license information. A brief review of three of these statutes underlines the point that privacy statutes in the US take different approaches and impose different schemes for protecting privacy depending on the circumstances.
Congress enacted the Fair Credit Reporting Act (FCRA) in 1970 to deal with widespread concerns about incorrect and widely disseminated consumer credit reports. The FCRA governs disclosure of consumer credit information by credit bureaus. It starts with the premise that widespread availability of correct credit information to parties with a real need for the information will benefit the US economy. For this reason, it provides consumers with a limited right to consent to the use of their personal information.
The FCRA imposes strict regulations on who may use the credit information and on ensuring that the information is accurate. It limits the disclosure of credit information to businesses with a legitimate need for the information and provides certain rights to consumers when credit information is used to deny them an important benefit. To help ensure accuracy, the FCRA requires that consumers have access to information maintained about them and sets out fairly prescriptive rules governing how access must be provided. The FCRA also requires that the recipients of credit reports be identified, prohibits the reporting of obsolete information, and provides a correction process for inaccurate or incomplete information. If a consumer is denied credit for personal, family, or household purposes or is denied employment where the denial is based on information in a consumer report, the entity receiving the report is required to notify the consumer and identify the credit bureau that furnished the report in question. The FCRA allocates enforcement responsibilities among a number of federal agencies, primarily to the Federal Trade Commission (FTC).
In October 1998, Congress passed the Children’s Online Privacy Protection Act. The law applies to operators of commercial websites and online services which collect or maintain information from website or service visitors and users, and prohibits the collection of information from children under the age of 13 without verifiable parental consent. It also provides for a safe harbour from privacy liability where companies adhere to a self-regulatory program approved by the FTC. The FTC, which was charged with enforcing developing regulations under the statute, issued implementing rules in April 2000.
These rules set out criteria for website operators and online services that are targeted to children or have actual knowledge that the person from whom they seek information is a child. They require notice of what personally identifiable information is being collected, how it will be used, and whether it will be disclosed. Subject to certain exceptions, a website must notify parents that it plans to collect information from their child and obtain parental consent before it is collected, used or disclosed. Conditions for information that is more than reasonably necessary may not be placed on a child’s participation in online activities. In addition, parents must be allowed to review information collected from the child, to have it deleted, and to prohibit further collection. Finally, companies must implement procedures to protect the confidentiality, security and integrity of personal information collected from children.
More recently, in November 1999, the President signed into law the Financial Modernisation Act. The Act’s primary purpose was to overhaul the US laws governing the financial services industry, but the legislation also increased the level of financial privacy protection afforded to consumers. The law requires financial institutions to clearly disclose their privacy polices annually, allowing consumers to make informed choices about privacy protection. Financial institutions must also inform consumers if they intend to share or sell consumers’ financial data either within the corporate family or to third parties. Consumers are entitled to choice if a financial institution plans to share information with unaffiliated third parties, subject to certain exceptions. Enforcement is allocated among federal functional regulators (for example, the Office of the Comptroller of the Currency, the Securities and Exchange Commission, and the Federal Reserve Board), the FTC and State insurance authorities. The legislation directs these agencies to prescribe regulations necessary for its implement-ation. Regulations have been finalised for all federal regulators. Businesses were required to be in full compliance by July 2001.
Without broad, multi-sector information privacy laws, information privacy protection in the US has in large part relied on voluntary adoption of self-regulatory codes of conduct by industry. These codes take as their point of departure the same guidelines on the protection of privacy and transborder flows of personal data adopted by the OECD as form the basis for the European Directive on Data Protection. As long ago as 1983, 183 US companies endorsed those guidelines. The US Government has also repeatedly endorsed these guidelines, most recently in October 1998, when the Clinton Administration reiterated endorsement of the guidelines as part of the Ministerial Declaration on the Protection of Privacy on Global Networks issued at the Ottawa Ministerial Conference.
Recent years have witnessed the growing importance of information privacy in the US and increasing concern, from both consumers and Clinton Administration officials, about whether such privacy is sufficiently protected. This concern has led to enactment of additional sector specific legislation. It has not, however, resulted in any significant movement toward a European regulatory approach or law. Rather, the emphasis has been primarily on adoption and implementation of more effective self-regulatory regimes to protect privacy —self-regulation with teeth.
Thus when, in 1997, the Clinton Administration released A Framework for Global Electronic Commerce, which examines the policy issues raised by the development of e-commerce, it noted the growing concerns about information privacy and recognised that, unless they were addressed, e-commerce would not develop to its full potential. The report specifically recognised the high value Americans place on privacy and recommended private sector and technological solutions to protect privacy. The report also identified several factors suggesting that adopting comprehensive legislation could harm the development of e-commerce at this time. The lack of national borders on the internet has heightened interest in self-regulation and technological solutions to problems generally and to privacy concerns specifically. On the internet, national laws are difficult if not impossible to enforce. In addition, since the internet and e-commerce are still rapidly evolving, any legislated approach is, at best, likely to be outdated as soon as it is adopted and at worst likely to stifle further development of these media. As a result the view taken in the report is that government should be a last, not a first, resort to fix problems. Accordingly, at the time the report was issued, the President directed the Secretary of Commerce and the Director of the Office of Management and Budget to encourage private industry and privacy advocacy groups to develop and adopt effective codes of conduct, industry developed rules, and/or technological solutions to protect privacy on the internet.
Subsequent annual reports on e-commerce issued by the Clinton govern-ment’s Administration have confirmed the preference for self-regulatory solutions to privacy protection. At the same time, the Administration has continued to recognise that sector specific privacy legislation may be appropriate in certain areas, such as where the information is considered highly sensitive, as is the case with children’s and financial information (as discussed above). The Administration has also repeatedly cautioned that if industry did not produce adequate privacy policies, government action will be needed to safeguard legitimate privacy interests.
Since the issue of the Clinton Administration’s landmark e-commerce report in 1997, industry has undertaken concerted efforts to create effective privacy protection via self-regulation. More than 80 of the largest companies doing business on the internet and 23 business organisations that represent thousands of other companies formed the Online Privacy Alliance (OPA) to promote privacy online. OPA developed guidelines for effective privacy policies, which outline protections for individually identifiable information in an online or e-commerce environment. OPA has also produced guidelines for effective enforcement of these policies.
Independent third party enforcement organisations such as the BBB OnLine, TRUSTe, and CPA WebTrust also provide independent third party enforcement regimes to promote compliance with information practice codes. The Council of Better Business Bureaus, a well regarded, non-profit organisation that helps to resolve consumer complaints, established BBB OnLine as a privacy program for online businesses. Businesses joining the program may display a seal or trust mark to notify consumers that their websites follow fair information practices — but only after they adopt privacy policies that comport with the program’s fair information practice principles and complete an assessment indicating that they have implemented those policies. Members must also submit to monitoring and review by BBB OnLine and agree to participate in a consumer complaint resolution system. The other enforcement programs include similar requirements and also include the display of a seal or trust mark to notify consumers. More than 1950 sites carry a privacy seal from a trusted third party and more than 1200 additional sites have applied for a seal from third party enforcement services.
The FTC Act provides the FTC with authority to seek injunctive relief against future violations as well as to provide redress for injured consumers. Furthermore, the FTC can impose substantial penalties where its orders are violated. The FTC’s (and other federal and State agencies’) authority to act against unfair and deceptive practices and willingness to use this authority to enforce self-regulatory policies helps to ensure the effectiveness of self-regulation in the US. All 50 States plus the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have enacted laws similar to the FTC Act to prevent unfair or deceptive acts. These are enforced by their Attorneys General, adding additional resources to government enforcement of self-regulation.
At the same time, there have been increasing calls for privacy legislation in the US. In May 2000, the FTC called for legislation to protect privacy online based on its most recent report, which identified problems of ‘free riders’ and poor quality privacy policies. The report stated that the number of websites with information disclosing policies had increased, but that the quality of these information practices fell short. In addition, the report noted that while the creation of the self-regulatory enforcement programs has been a positive development, the number of participants in these to date has been relatively small (8 per cent of a random sampling and 45 per cent of the most popular sites). In part because these enforcement programs have not been widely implemented, the FTC has concluded that such efforts alone are not sufficient for ensuring adequate protection of consumer privacy online.
Several members of Congress have also introduced privacy legislation to protect privacy, particularly in the areas of online privacy, electronic surveillance, and medical and financial recordkeeping. While many of these Bills are given little chance of passage, they indicate impatience with the pace of adoption and dissatisfaction with the quality of private sector codes of conduct. For example, in the first few months of this year alone, there have been at least 12 Bills proposing privacy legislation. These have ranged from the basic requirements, that disclosure must be provided with an opportunity to prohibit further interaction, to more stringent Bills requiring affirmative consent in advance to collect and disclose personally identifiable information. For the first time some industry officials are urging Congress to pass limited privacy laws. They are concerned that the lack of federal standards will lead to a confusing patchwork of State regulations.
For its part, the Clinton Administration saw substantial progress being made by the private sector although it also believed more needed to be done and more quickly. The new Administration, however, has yet to articulate its policies in this area and whether it will also encourage adoption by industry of effective privacy policies and technological solutions.
Although the privacy situation in the US is evolving, this much is clear: while the US is committed to ensuring personal privacy, it does so through a variety of means that reflect its deeply rooted tradition of enhancing the free flow of information and avoiding unnecessary government intervention in private affairs. In the first instance, the US relies on private sector self-regulatory efforts backed by government enforcement to ensure that companies implement their privacy policies. Government gets involved only where it determines that the privacy rights of individuals are not otherwise being sufficiently protected. The US approach to privacy relies on an amalgam of laws, codes of conduct and technology to provide effective privacy protection.
Given US legal traditions and history and the advantages of a self-regulatory approach to privacy in an information economy, the US is unlikely at this time to abandon its self-regulatory approach to privacy issues. Even if it were to adopt privacy legislation in new and different situations, it is highly unlikely that the US would adopt the type of overarching, comprehensive, highly regulatory and centralised approach to privacy that the EU has adopted.
Neither the EU or the US appears likely to change its approach to privacy protection significantly. Given these longstanding differences, many US organisations were concerned about the impact of the ‘adequacy’ standard on personal data transfers from the EU to the US. Many feared an interruption in data flows. Such interruptions across the board could affect as much as US$120 billion in trade each year and interfere with multinational companies’ ability to pay and manage their employees. It could also impact on the routine activities carried out by investment bankers and accountants and by pharmaceutical and travel companies. Others have dismissed fears of a complete interruption in data flows as unlikely, pointing out that it would be potentially devastating for both economies.
The more likely situation of limited data flow interruptions — involving one industry sector or, perhaps, one company — posed similar dangers, since it was feared that US reactions and European counter reactions could easily evolve into a trade war. Just the threat of action by European authorities has left US companies with a great deal of uncertainty. Alternative, ad hoc approaches available to satisfy the Directive’s ‘adequacy’ standard threatened to be expensive and time consuming and thus suitable for larger companies only.
Against the backdrop of these different privacy approaches and the serious consequences that could flow from them, the US and the EU took up the difficult challenge of bridging the differences in their respective approaches to privacy. Toward that end, in March 1998 the US Department of Commerce initiated a high level informal dialogue with the European Commission Directorate for Internal Markets to ensure the continued free flow of data. From the start, both sides recognised that any interruptions in transborder data transfers could have a serious impact on commerce between the EU and the US, and that they thus needed to begin with an acceptance of their differences and develop ways to bridge those differences. The two sides agreed on twin goals of maintaining data flows between the US and EU while maintaining high standards of privacy protection and worked to identify common ground on which to build a solution. The dialogue revealed that there is much common ground between the two sides on what constitutes effective privacy protection. Both the US and the European approaches, despite their differences, are based on the 1981 OECD Privacy Guidelines.
This dialogue led in late 1998 to a proposal of a safe harbour for US companies that adhere to a certain framework, the so called ‘Safe Harbor’ framework. The Safe Harbor framework is comprised of the Safe Harbor principles and frequently asked questions (FAQs). US companies adhering to the framework will be judged adequate and data flows to them from Europe will continue. The Safe Harbor principles more closely reflect the US approach to privacy, but at the same time meet the EU Privacy Directive’s requirements. The FAQs were developed to provide further guidance to US companies and to elaborate on how various issues, such as enforcement, will work. Both the principles and FAQs were developed in close consultation with the European Commission and the US public and both are considered integral to an ‘adequacy’ determination. Drafts of documents were posted for US public comment four times during the two year negotiation, and numerous meetings were held by US negotiators with consumer advocacy and industry groups to obtain their views on the draft documents.
In late 1998 dialogue between the US and the EU came to a standstill. The EU made a political commitment to the US not to interrupt data flows while the dialogue proceeded in good faith.
On 14 March 2000 the Department of Commerce and the European Commission announced that they had reached a tentative conclusion to the Safe Harbor dialogue. At the same time, the two sides agreed to continue their discussions with respect to the financial services sector, given the recent passage of the Financial Modernization Act (US) and the fact that the regulations had not yet been issued. On 31 May the EU member states voted unanimously to approve the Safe Harbor arrangement. After European Parliamentary review, the European Commission issued a determination finding the Safe Harbor arrangement adequate. On 1 November 2000, the Safe Harbor became operational, and companies began signing up.
The Safe Harbor will provide a number of important benefits to US firms. Most importantly, it will provide predictability and continuity for US companies receiving personal information from Europe. All 15 member states will be bound by the European Commission’s finding of adequacy. The Safe Harbor also streamlines the bureaucratic burdens imposed by the Directive, by creating one privacy regime applicable to US companies, rather than 15. It also eliminates the need for prior approval to begin data transfers to the US or makes such approval automatic. It offers a simpler and less expensive means of complying with the adequacy requirements of the Directive, which should benefit all US companies — particularly small and medium enterprises.
Organisations must comply with seven privacy principles and the FAQs to be compliant with the Safe Harbor. The principles require the following.
The FAQs provide further guidance that clarifies and supplements the Safe Harbor principles on issues such as access, publicly available information, and public record information as well as sector specific guidance for information processing by medical, pharmaceutical, travel and accounting firms. They also address how human resources information will be handled under the Safe Harbor.
Perhaps the most difficult difference to bridge in the Safe Harbor dialogue was the issue of enforcement. While the EU’s Working Group had already determined in the abstract that self-regulation was a valid means to ‘adequacy’, accepting the adequacy of a particular self-regulatory enforcement regime proved far more difficult. Adding to this difficulty, was the complexity of the multi-layered approach to privacy enforcement in the US, which relies on self-regulation, backed up by FTC enforcement, sector specific laws, and recourse to lawsuits.
As part of their Safe Harbor obligations, organisations are required to make available a dispute resolution system that will investigate and resolve individual complaints and disputes and procedures for verifying compliance. They are also required to remedy problems arising out of a failure to comply with the principles. Sanctions must be severe enough to ensure compliance by the organisation; they must include publicity for findings of non-compliance and deletion of data in certain circumstances. They may also include suspension from membership in a privacy program (and thus effectively suspension from the Safe Harbor) and injunctive orders.
As noted above, the dispute resolution, verification, and remedy requirements can be satisfied in different ways. For example, an organisation could comply with a private sector developed privacy seal program that incorporates and satisfies the Safe Harbor principles. If the seal program, however, only provides for dispute resolution and remedies but not verification, then the organisation would have to satisfy the verification requirement in an alternative way. Organisations can also satisfy the dispute resolution and remedy requirements through comp-liance with government supervisory authorities or by committing to co-operate with data protection authorities located in Europe.
Where an organisation relies on self-regulation to ensure privacy protection under the Safe Harbor, there must be a US agency (State or federal) with jurisdiction over the organisation that will enforce the Safe Harbor policies against that organisation. The agency must also be willing to take action under federal or State law prohibiting unfair and deceptive acts where the company fails to comply with the Safe Harbor or the organisation is not eligible to join the Safe Harbor. Depending on the industry sector, the FTC, comparable US government agencies, and/or the States will provide overarching government enforcement of the Safe Harbor principles. An annexure to the Safe Harbor principles will contain a list of US enforcement agencies recognised by the European Commission. Third party self-regulatory programs, (such as BBB On-line, TRUSTe, and WEBTrust) are also subject to enforcement under these unfair and deceptive practice statutes in many if not most instances if they claim to be enforcing the Safe Harbor framework for their Safe Harbor members but in fact do not.
If an organisation persistently fails to comply with the Safe Harbor requirements, it will no longer be entitled to benefit from the Safe Harbor. Persistent failure to comply arises where an organisation refuses to comply with a final determination by any self-regulatory or government body or where such a body determines that an organisation frequently fails to comply with the requirements to the point where its claim to comply is no longer credible. In these cases, the organisation must promptly notify the Department of Commerce of such facts. Failure to do so may be actionable under the False Statements Act (18 USC § 1001). The Department of Commerce will indicate on the public list it maintains of organisations self-certifying adherence to the Safe Harbor requirements any notification it receives of persistent failure to comply and will make clear which organisations are assured and which organisations are no longer assured of Safe Harbor benefits. An organisation applying to participate in a self-regulatory body for the purposes of re-qualifying for the Safe Harbor must provide that body with full information about its prior participation in the Safe Harbor.
This Safe Harbor arrangement has been called a major accomplishment for both the US and the EU. It comes at a time when trade disagreements rather than agreements between the US and Europe dominate the news. The framework has also been labelled a landmark accord for e-commerce. It bridges the different approaches of the US and the EU to privacy protection in a way that protects EU citizens’ privacy when it is transferred the US, maintains data flows, and creates the necessary environment for e-commerce. It will provide predictability for US companies. At the same time, the arrangement demonstrates EU recognition that a carefully constructed and well implemented system of self-regulation, as advocated by the Clinton Administration, can protect privacy. It is a creative and innovative vehicle, perhaps the first international framework to rely on the private sector for its implementation. It can thus serve as a model in other contexts as we seek to ensure the development of seamless global environment for electronic transactions.
The challenge in providing privacy protection in the information economy is to balance appropriately the free flow of information against the individual’s right to privacy so we do not jeopardise the benefits these new information technologies promise or trench on the First Amendment. Whether the Safe Harbor will provide that balance remains to be seen. Sufficient numbers of companies will have to join the Safe Harbor and consumers will have to feel comfortable with how their personal information is used and their ability to control its use, for the Safe Harbor to ultimately be judged a success.
Barbara Wellbery is a Partner in the Washington office of Morrison & Foerster LLP. She was previously Counsellor to the Under Secretary for Electronic Commerce in the US Department of Commerce. While there, she was the chief architect and a principal negotiator of the Safe Harbor privacy accord between the US and the European Union. The author would like to thank Rebecca Richards and Cynthia Rich for their valuable assistance on this article.
 The principles, FAQs and answers, as well as other Safe Harbor documents, can be located at <www.export.gov/safeharbor>.
 It is not necessary to meet the notice or choice principles when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organisation. The onward transfer principle, on the other hand, does apply to such disclosures.