[House Hearing, 106 Congress]
[From the U.S. Government Publishing Office]




 H.R. 4049, TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF 
                           PRIVACY PROTECTION

=======================================================================

                                HEARINGS

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                     COMMITTEE ON GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                                   ON

                               H.R. 4049

  TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF PRIVACY 
                               PROTECTION

                               __________

                          MAY 15 AND 16, 2000

                               __________

                           Serial No. 106-204

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform

                              ----------

                   U.S. GOVERNMENT PRINTING OFFICE
71-178                     WASHINGTON : 2001


_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001


                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL ``MARK'' SANFORD, South     DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
           David A. Kass, Deputy Counsel and Parliamentarian
                    Lisa Smith Arafune, Chief Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
               Robert Alloway, Professional Staff Member
                           Bryan Sisk, Clerk
          Mark Stephenson, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    May 15, 2000.................................................     1
    May 16, 2000.................................................    93
Text of H.R. 4049................................................     2
Statement of:
    Belair, Bob, editor, Privacy & American Business; Mary 
      Culnan, professor, McDonough School of Business, Georgetown 
      University; Christine Varney, former Commissioner, Federal 
      Trade Commission; Solveig Singleton, Director of 
      Information Studies, CATO Institute; Ron Plesser, 
      legislative counsel, 1977 Privacy Commission; and Stanley 
      Sokul, member, Advisory Commission on Electronic Commerce..   115
    Hatch, Mike, Minnesota State Attorney General................    33
    Markey, Hon. Edward J., a Representative in Congress from the 
      State of Massachusetts.....................................   189
    Spotila, John, Administrator, Office of Regulatory Affairs, 
      Office of Management and Budget............................    17
    Stone, Robert, executive vice president, American Healthways.    41
    Veator, David, Office of Consumer Affairs and Business 
      Regulation, State of Massachusetts.........................    27
Letters, statements, etc., submitted for the record by:
    Belair, Bob, editor, Privacy & American Business, prepared 
      statement of...............................................   117
    Culnan, Mary, professor, McDonough School of Business, 
      Georgetown University, prepared statement of...............   126
    Hatch, Mike, Minnesota State Attorney General, prepared 
      statement of...............................................    35
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................    95
    Moran, Hon. James P., a Representative in Congress from the 
      State of Virginia:
        Prepared statement of....................................    61
        Prepared statement of Marjory Blumenthal, Director, 
          Computer Science and Telecommunications Board, the 
          National Academies................................... 55, 109
    Plesser, Ron, legislative counsel, 1977 Privacy Commission, 
      prepared statement of......................................   160
    Singleton, Solveig, Director of Information Studies, CATO 
      Institute, prepared statement of...........................   152
    Sokul, Stanley, member, Advisory Commission on Electronic 
      Commerce, prepared statement of............................   168
    Spotila, John, Administrator, Office of Regulatory Affairs, 
      Office of Management and Budget, prepared statement of.....    20
    Stone, Robert, executive vice president, American Healthways, 
      prepared statement of......................................    43
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of............................   108
    Varney, Christine, former Commissioner, Federal Trade 
      Commission, prepared statement of..........................   134
    Veator, David, Office of Consumer Affairs and Business 
      Regulation, State of Massachusetts, prepared statement of..    30
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of.................    99

 
 H.R. 4049, TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF 
                           PRIVACY PROTECTION

                              ----------                              


                          MONDAY, MAY 15, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Turner.
    Also present: Representatives Hutchinson and Moran.
    Staff present: J. Russell George, staff director and chief 
counsel; Heather Bailey, professional staff member; Bonnie 
Heald, director of communications; Bryan Sisk, clerk; Liz Seong 
and Michael Soon, interns; Kristin Amerling, minority deputy 
chief counsel; Michelle Ash and Trey Henderson, minority 
counsels; and Jean Gosa, minority assistant clerk.
    Mr. Horn. A quorum being present, this hearing of the 
Subcommittee on Government Management, Information, and 
Technology will come to order.
    At the request of the subcommittee's minority members, we 
will continue our April 12th examination of H.R. 4049, a bill 
that would establish a Federal commission to study privacy 
protection.
    [The text of H.R. 4049 follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.001
    
    [GRAPHIC] [TIFF OMITTED] T1178.002
    
    [GRAPHIC] [TIFF OMITTED] T1178.003
    
    [GRAPHIC] [TIFF OMITTED] T1178.004
    
    [GRAPHIC] [TIFF OMITTED] T1178.005
    
    [GRAPHIC] [TIFF OMITTED] T1178.006
    
    [GRAPHIC] [TIFF OMITTED] T1178.007
    
    [GRAPHIC] [TIFF OMITTED] T1178.008
    
    [GRAPHIC] [TIFF OMITTED] T1178.009
    
    [GRAPHIC] [TIFF OMITTED] T1178.010
    
    [GRAPHIC] [TIFF OMITTED] T1178.011
    
    [GRAPHIC] [TIFF OMITTED] T1178.012
    
    [GRAPHIC] [TIFF OMITTED] T1178.013
    
    Mr. Horn. At the subcommittee's first hearing on H.R. 4049, 
experts in the areas of medicine, finance, and Internet privacy 
shared their views on the many challenges involved in 
protecting privacy. Witnesses discussed their concerns about 
the increasing accessibility to personal information, such as 
medical records, Social Security numbers, and credit card 
records.
    Both today and tomorrow, the subcommittee will continue 
this discussion with people knowledgeable in privacy issues.
    I welcome our witnesses, and look forward to their 
testimony.
    Let me just explain how the panels work. We will be 
swearing in all witnesses today. We would like you to summarize 
your statements. We have read all of them, and we would like 
you to do that in 5 minutes. So we will now finish with the 
opening statements, and I will give you the oath when those 
statements are through.
    I now call on the gentleman from Texas, the ranking member, 
Mr. Turner, for his opening statement.
    Mr. Turner. Thank you, Mr. Chairman.
    This is the second of three hearings that we have had 
scheduled on H.R. 4049, and I want to thank the chairman for 
prioritizing the need to study this very important issue. There 
is no doubt that privacy is one of the top concerns of the 
American people and one of the most important issues facing 
this Congress.
    I am pleased to be a cosponsor of this legislation which 
would create a commission that will enable us to have a full 
and open discussion with the American people about privacy so 
we can address it in an appropriate manner. However, I do not 
want us to rush forward with the bill without proceeding 
cautiously and considering a number of issues surrounding the 
creation of this commission.
    I commend Congressman Hutchinson for his leadership on this 
very important issue. At our first hearing, witnesses raised 
questions regarding the relationship the commission's work 
would have with privacy efforts by other entities. 
Specifically, concerns were voiced as to whether the commission 
could serve as a delay to regulations, studies that are 
currently moving forward. For example, witnesses pointed out 
that a bipartisan congressional privacy caucus is currently 
pushing for passage of a financial privacy measure.
    Pursuant to the congressional mandate, the Secretary of HHS 
is now in the process of finalizing medical privacy 
regulations. Additionally, the Department of Treasury study on 
financial privacy regulations is soon to be completed.
    We have many issues that need to be dealt with immediately, 
and I was pleased to hear Congressman Hutchinson state that the 
intent of the bill was not to impede the progress of other 
regulations which may reach consensus during the commission, 
rather, to be used as a sounding board to those initiatives.
    Questions have arisen regarding the composition and 
expertise of members selected to the commission. Currently, the 
bill does not contain requirements regarding the qualifications 
of commission members. We need to ensure that an appropriate 
balance between all stakeholders in this issue is represented.
    Witnesses also questioned the scope of the commission's 
mandate, which currently is not set forth in the bill. We 
should be concerned about duplicating work which has already 
been done and consider whether it might be more productive for 
the commission to focus on specific privacy issues.
    In light of the concerns that witnesses raised at the first 
hearing, members of the past and present entities charged with 
studying privacy issues as well as Federal and State government 
representatives who have been active on privacy matters have 
been identified and asked to testify before this subcommittee. 
These witnesses are expected to address the types of expertise 
and background that should be sought in the commission members, 
the types of issues that should receive focus and the types of 
reviews that may be redundant.
    Again, I want to thank the chairman for holding the 
hearings; and I welcome the witnesses here today.
    Mr. Waxman also advises me that he appreciates you 
scheduling the hearings to ensure that the issues raised by the 
legislation receive careful consideration. Mr. Waxman sends his 
regrets. He is unable to be here today, but he plans to attend 
tomorrow's hearing and looks forward to receiving the testimony 
from today's hearing.
    The American people deserve to have their privacy protected 
in a correct and timely fashion. It is my hope that as a result 
of these hearings, we will be closer to that goal.
    Thank you, Mr. Chairman.
    Mr. Horn. We thank you. And now we have a member of the 
full committee who is the author of the legislation, the 
gentleman from Arkansas, Mr. Hutchinson, for an opening 
statement.
    Mr. Hutchinson. I thank the chairman, and I just want to 
take a moment to express my appreciation to you and the 
committee for scheduling a second day of hearings.
    During the last break, I believe it was, I received a copy 
of a letter from Mr. Waxman requesting additional hearings; and 
as one of the lead sponsors of this legislation I was delighted 
of his interest in it; and I appreciate the chairman scheduling 
this hearing so promptly to followup on Mr. Waxman's request.
    I also appreciate Mr. Turner, the ranking member, and his 
leadership on this issue which has been critical from the very 
beginning. It has been a goal to make sure that this is--
privacy is pursued in a bipartisan fashion, and the 
participation of Mr. Turner and the many Democrats who have 
joined on this legislation is important to its success and 
ultimate credibility.
    Mr. Turner outlined a number of concerns--I wouldn't say a 
number. There were serious concerns raised in the last hearing 
that are very legitimate in terms of we should discuss those 
and perhaps look at amending the legislation, if necessary, as 
we go through the markup process. It is certainly not the 
intent of the privacy commission to serve as a delay on other 
legitimate efforts to address privacy concerns. I have always 
viewed this as complementary. Whatever happens in other arenas 
on a smaller scale, it is important to look at privacy in a 
comprehensive way and in an ongoing way.
    Second, it was discussed about the diversity of the 
commission members, and certainly I believe that the point of 
authority should seek to ensure that membership of the 
commission will represent a diversity of views and experiences 
on the issues that they will address in terms of privacy, and 
that is important.
    So we are happy to work with those who are supportive of 
privacy--of the privacy commission to make sure that it is 
drafted in a fair manner and move this ball forward and protect 
privacy in a balanced way.
    Mr. Chairman, I thank you; and I look forward to the 
testimony of the witnesses.
    Mr. Horn. I thank the gentleman.
    Now if the witnesses will stand.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that there are five witnesses 
that accepted the oath.
    The Honorable John Spotila is the Administrator of the 
Office of Regulatory Affairs in the Office of Management and 
Budget. Mr. Spotila.

STATEMENT OF JOHN SPOTILA, ADMINISTRATOR, OFFICE OF REGULATORY 
            AFFAIRS, OFFICE OF MANAGEMENT AND BUDGET

    Mr. Spotila. Mr. Chairman and members of the committee, 
thank you for inviting me here to present the administration's 
views on H.R. 4049, the Privacy Commission Act.
    As Administrator of OMB's Office of Information and 
Regulatory Affairs, I care deeply about the protection of 
privacy. In 1998, OIRA took on enhanced responsibility for 
coordinating privacy policy throughout the administration. OIRA 
already had policy responsibility under the Privacy Act of 1974 
which applies to Federal Government systems of records. Now it 
plays a central coordinating role for privacy policy more 
generally.
    Last year OMB appointed its first Chief Counselor for 
Privacy, Peter Swire, to be the point person in this 
coordination effort; and Peter is here with me today and 
available if needed.
    The President and the Vice President are committed to the 
protection of individual privacy. As President Clinton said on 
April 30 when announcing his new financial privacy proposal, 
``From our earliest days, part of what has made America unique 
has been our dedication to freedom and the clear understanding 
that real freedom requires a certain space of personal 
privacy.''
    In studying the proposed findings for H.R. 4049, we find 
much common ground. We agree that Americans are increasingly 
concerned about the security and use of their personal 
information. We agree that the shift from an industry-focused 
economy to an information-focused economy calls for reassessing 
the way we balance personal privacy and information use.
    As Administrator of OIRA, I work extensively on information 
policy issues relating to computer security, privacy, 
information collection, and our transition to the electronic 
delivery of government services. In these and other areas, we 
are working hard to gain the advantages that come from new 
technologies while guarding against possible costs to privacy 
and security that can come from badly crafted uses of those 
technologies.
    In some areas, we already know that we must act swiftly to 
protect privacy and security. Indeed, the administration's 
biggest concern with H.R. 4049 is the risk that you highlighted 
earlier, the risk that some might use the commission as a 
reason to delay much-needed privacy legislation. We understand 
that supporters of H.R. 4049 have emphasized that it should not 
be used as a reason for delay, and we agree with that, but we 
are concerned that there are those that would oppose privacy 
reform who would prefer to have Congress study the issue 
indefinitely rather than take action. We cannot afford to take 
a year and a half off in protecting Americans' privacy. We 
believe that action is needed now in the areas of financial 
privacy, medical records privacy, and genetic discrimination.
    There have been extensive initiatives by the Federal 
Government since 1993 to study and take appropriate action in 
the area of privacy protection. Study of privacy was an 
integral part of the National Information Infrastructure 
project, sometimes called the ``information superhighway'' 
effort, with the issuance in 1995 by an interagency privacy 
working group of principles for providing and using personal 
information. This effort was led by OIRA--before I was there, I 
will admit.
    With the administration's support, Congress has passed a 
long list of privacy legislation. In my written statement, we 
provide details about these laws and other activities by the 
administration to protect Americans' privacy.
    My statement also explains the legislation that is now 
before the Congress to provide legal protections for three 
especially sensitive categories of personal information: 
financial records, medical records, and genetic discrimination.
    Let me turn again to the specifics of H.R. 4049.
    The administration does have concerns that the study 
commission might be used as an excuse for delaying needed 
activity in privacy protection, and we appreciate the strong 
statements we heard today that indicate that you agree that 
should not happen. These concerns would be especially acute for 
these important topics such as medical, financial, and genetic 
information. We know there has already been extensive 
discussion of these proposals, and we would not want to see 
further study duplicating the public examination that has 
already taken place without adding real value.
    We recognize that the Congress needs to make its own 
judgments on these matters, and we defer to it in its 
assessment of what it needs to inform those judgments. It seems 
sensible, however, to adopt a focused approach to exploring 
these topics. Ideally, any further study efforts should be done 
within a short timeframe and would build on, not duplicate, 
existing studies.
    If there were to be a commission, we should ensure that it 
focuses its efforts in an effective way. Casting too broad a 
net would delay the work of any new commission, with uncertain 
results. We note, for example, that the treatment of data 
collected on-line has been the subject of extensive hearings in 
Congress as well as public workshops, public comments, studies, 
and reports. The Federal Trade Commission is about to issue a 
major report. We recognize that this is a complicated area that 
requires careful evaluation and an understanding of new 
technology. It is not clear, however, that a commission lasting 
18 months will give decisionmakers the help they need in this 
area.
    Rather than have a commission pursuing a very broad set of 
topics, it might be more productive to have technology and 
policy experts address specific, emerging issues that have not 
yet benefited from much attention. One targeted way to study 
such issues might be to enlist the expertise of the National 
Academy of Sciences/National Research Council, which has 
already produced studies in areas such as cryptography and 
medical records privacy. We could call it in again on emerging 
areas of concern. These might be particularly appropriate for 
examining authentication technologies and their privacy 
implications and the topic of biometrics and privacy.
    For all of these reasons, we believe that there may be 
sound alternatives to a privacy commission. If legislation 
creating a commission does move forward, however, we do have 
some specific concerns about the method of appointment of 
commissioners, and the possibility that the current draft could 
lead to the release of classified information.
    We share with Congress a very strong interest in protecting 
privacy. We look forward to working with you to find suitable 
new ways to improve that protection. We understand the good 
intentions motivating the sponsors of H.R. 4049; and, despite 
our reservations about the specifics of this bill, we welcome 
the commitment to privacy protection that they seek to 
demonstrate.
    Thank you once again for the invitation to discuss these 
issues.
    Mr. Horn. We thank you for that very concise presentation.
    [The prepared statement of Mr. Spotila follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.014
    
    [GRAPHIC] [TIFF OMITTED] T1178.015
    
    [GRAPHIC] [TIFF OMITTED] T1178.016
    
    [GRAPHIC] [TIFF OMITTED] T1178.017
    
    [GRAPHIC] [TIFF OMITTED] T1178.018
    
    [GRAPHIC] [TIFF OMITTED] T1178.019
    
    [GRAPHIC] [TIFF OMITTED] T1178.020
    
    Mr. Horn. Our next presenter is David Veator, who is with 
the Office of Consumer Affairs and Business Regulation for the 
State of Massachusetts. Mr. Veator.

   STATEMENT OF DAVID VEATOR, OFFICE OF CONSUMER AFFAIRS AND 
          BUSINESS REGULATION, STATE OF MASSACHUSETTS

    Mr. Veator. Thank you, Mr. Chairman and members of the 
committee. My name is David Veator, and I am the general 
counsel for the Massachusetts Office of Consumer Affairs and 
Business Regulation. Our office is charged with the oversight 
of all State-chartered banks, insurance companies, most of the 
professional trades and the supervision of the State's consumer 
protection laws.
    Because issues of privacy are of growing importance both to 
consumers and the businesses that my agency regulates, our 
agency is the one in Massachusetts that has been tapped with 
supporting Governor Cellucci and Lieutenant Governor Swift's 
privacy agenda, and on behalf of them, I am pleased to testify 
in support of the privacy commission proposed in H.R. 4049.
    As this committee knows, privacy issues are now at the 
forefront of the national discourse. As we say in our prepared 
statement, the information age has brought many good things to 
people, but no silver lining is without its cloud. With the 
rapid growth in technology to collect and compile personal 
information, citizens face unprecedented threats to their 
personal privacy. One recent poll conducted by Lou Harris & 
Associates noted that 88 percent of Americans are concerned 
about threats to personal privacy and that 83 percent believe 
that consumers have lost all control over how companies collect 
and use their personal information.
    For a small fee there are companies that can collect more 
information than you would have believed about you and compile 
it and disseminate it, and one of the witnesses in this 
committee's last hearing demonstrated that in some detail.
    I am sure that each of the members of this committee is 
aware that this widespread perception of privacy abuse has 
already translated into action at the State and Federal level. 
Although this action has resulted in good legislation and 
improving industry practices, it is fair to say that our 
approach to privacy is disjointed and ad hoc. According to 
several commentators, between 2,000 and 3,000 privacy-related 
bills are currently pending in State legislatures. Many of 
these bills deal with multiple privacy issues. It would appear 
that this less-than-coordinated approach to privacy cannot be 
an efficient way to deal with the subject.
    Another problem with our approach to privacy to date has 
been a criticism that it is too sectorial, that is, different 
legislation tends to tackle privacy issues with respect to 
different industries. As a result, we have on-line privacy 
rules, privacy rules for brick and mortar companies, banking 
privacy rules, insurance privacy rules, and telecommunications 
privacy rules. Privacy in American Business reported that, by 
the end of 1999, 179 different privacy laws relating to health 
care had been enacted, as had 65 privacy laws related to direct 
marketing or telecommunications, 59 relating to financial 
services, 39 relating to insurance and 14 relating to on-line 
or Internet activity.
    This approach may have been workable in the past, but as 
the nature of our economy changes it may no longer make sense. 
For example, as the financial services industry has 
revolutionized and converged, several isolated privacy statutes 
that deal with banking or insurance or securities may no longer 
have much application.
    We think that the commission proposed by Congressmen 
Hutchinson and Moran is a logical way to approach the question 
of privacy. There are obvious advantages to taking a 
comprehensive look at the array of complex privacy issues such 
as financial privacy, identity theft, biometrics and children's 
privacy, etc.
    The most obvious benefits are the ability to take advantage 
of work that has been done both at the Federal level and at the 
various States and take advantage of nationwide expertise. I 
would like to offer the experience of Massachusetts.
    Shortly after their election, Governor Cellucci and 
Lieutenant Governor Swift convened a working group to examine 
the quality of life in Massachusetts. We were able to consult 
with privacy experts, local business leaders, and law 
enforcement, and shortly thereafter Governor Cellucci and 
Lieutenant Governor Swift filed a comprehensive bill on privacy 
that updated existing privacy laws to reflect the technological 
changes that have occurred since their inception and instituted 
new protections to address new technology. The intent of the 
bill was to empower consumers in the 21st century economy while 
continuing to allow Massachusetts business to flourish.
    I can also point to the experience of the FTC Subcommittee 
on Access and Security which recently reported to the FTC, and 
the FTC I think was able to develop a committee that provided a 
robust analysis precisely because it had many viewpoints from 
across the country on that committee.
    I would like to close by saying a few words about one 
State's view of the roles of both Federal and State examination 
of privacy.
    I think the States will continue to legislate and act to 
protect their citizens, but we believe that the Congress has a 
unique capacity to develop workable privacy protections. It may 
be that most States would prefer not to act unilaterally if we 
were assured that the Federal Government and private industry 
are striking the right balance between the need of businesses 
for information and the right of citizens to personal privacy.
    Indeed, a uniform approach to privacy confers two 
advantages from a State's point of view. It makes interstate 
commerce easier for businesses which only have to follow one 
set of rules rather than 50, and by establishing at least 
baseline standards for all States means that no State will have 
to potentially disadvantage its own economy by establishing on 
its own minimum protections for its own consumers.
    In closing, I would like to thank the committee on behalf 
of Governor Cellucci and Lieutenant Governor Swift for this 
opportunity to testify. We support H.R. 4049 as a means for 
taking, for the first time, a national approach to privacy in a 
new economy. As I indicated, our economy has undergone a 
technological revolution, and the way in which privacy catches 
up to this revolution will have important consequences for us 
as individuals and for our new economy.
    Thank you.
    Mr. Horn. Well, we thank you. That is very helpful 
testimony, and we always appreciate it from the State of 
Massachusetts. You are usually ahead of the rest of the country 
quite a bit.
    [The prepared statement of Mr. Veator follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.021
    
    [GRAPHIC] [TIFF OMITTED] T1178.022
    
    [GRAPHIC] [TIFF OMITTED] T1178.023
    
    Mr. Horn. Our next presenter is from another very 
progressive State and that is the State of Minnesota. We have 
the Attorney General from the State of Minnesota, Mike Hatch.

   STATEMENT OF MIKE HATCH, MINNESOTA STATE ATTORNEY GENERAL

    Mr. Hatch. Mr. Chairman and members of the committee, I 
have read the testimony that was presented at your prior 
hearing, and it is apparent that you have full grasp of this 
issue. You have examples of everything from perpetrators on the 
Internet taking photos out of yearbooks and putting them on 
pornography, displaying them out for the public. You have 
corporations asking self-insured administrators and even the 
government to draw profiles of their employees' health care and 
health conditions. You have telemarketing companies using bank 
data to target senior citizens, perpetrating financial fraud 
far beyond what was contemplated by enactment of the Vulnerable 
Adult Act.
    It is very plain that something ought to be done now by 
policymakers. My concern with regard to a commission and with 
all due respect for studying it, this is an issue that is the 
result of technology, but it is not the issue of technology 
itself. It can be addressed and ought to be addressed, and all 
too often in our society--and I am afraid that is the case 
here--commissions or task forces are appointed to delay, to try 
to escape an issue.
    Last year, Congress passed the Financial Services 
Modernization Act, and they lifted the Pandora's lid on 
privacy. They basically permitted banks to exchange information 
which under State law in most States fiduciary obligations 
would have prevented them or left them open to litigation for 
doing so. By opening that Pandora's lid, the playing field has 
changed so that now those institutions don't want to change. 
They have got it. Yet the public, by margins that were pointed 
out in poll after poll by the prior speaker, 85 percent 
strongly believe that action ought to be taken now.
    Congress lifted the lid last year. It ought to put the lid 
back on--and I am talking about financial privacy, health care, 
the Internet--and start addressing the issue. Don't study it, 
but move on it.
    Now, at the State level, we have several bills. We have 
gotten them through the Senate, and we are hopeful that we can 
get some bills through the House on this. We had over 100 
lobbyists representing, according to the chairman of the 
Commerce Committee in the House, 59 interests at one hearing, 
which is considerable for a State legislature. They are all 
opposed to any change, and what their cry was, ``leave it to 
Congress. Congress will change it. It is a Federal issue.'' And 
you know what is going to happen. You pass a bill having a 
commission, all 59 will be back. Let this commission come back.
    But every day that we delay we have another stakeholder on 
this privacy issue. More data is exchanged about each of us. 
More privacy is invaded, more stakeholders and more lobbying 
techniques will follow. It is important. It is an important 
issue. People feel strongly about it. If a privacy commission 
were established where something was stated very clearly that 
the States should move forward now, that Congress should move 
forward now, that would be one thing. But it is extremely 
important--I don't think we have done very much on this issue, 
contrary to perhaps some of the other speakers here, and I 
think the time is now for policymakers to stand up and have the 
courage to take on these interests and start enacting some 
legislation.
    Mr. Horn. I thank you very much for your presentation. You 
can probably look around behind you and see a lot of interest 
there, too.
    [The prepared statement of Mr. Hatch follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.024
    
    [GRAPHIC] [TIFF OMITTED] T1178.025
    
    [GRAPHIC] [TIFF OMITTED] T1178.026
    
    [GRAPHIC] [TIFF OMITTED] T1178.027
    
    [GRAPHIC] [TIFF OMITTED] T1178.028
    
    [GRAPHIC] [TIFF OMITTED] T1178.029
    
    Mr. Horn. We now have Mr. Robert Stone, who is the 
executive vice president of American Healthways. If you would, 
I would like you to explain what American Healthways is. I find 
it a rather unique operation.

 STATEMENT OF ROBERT STONE, EXECUTIVE VICE PRESIDENT, AMERICAN 
                           HEALTHWAYS

    Mr. Stone. Thank you, Mr. Chairman and members of the 
committee. Thank you for the opportunity to appear before you 
today.
    My name is Robert Stone, and I am executive vice president 
of American Healthways, the Nation's largest disease management 
organization. I am also a board member of the Disease 
Management Association of America.
    Today, American Healthways serves approximately 170,000 
people afflicted with diabetes, cardiac, and/or respiratory 
disease and the more than 30,000 physicians who care for them. 
My oral testimony today highlights the written testimony 
already submitted to you.
    How to protect individual privacy, particularly the privacy 
of personal health information, is extremely important. It is 
for this reason that we strongly support H.R. 4049. But in 
health care, perhaps more than any other area, balance is 
required. The proposed commission should therefore carefully 
weigh the protection of Americans from inappropriate uses of 
our personal information against the need to ensure access to 
that information for the effective provision of health care, 
particularly to the 50 million Americans with chronic disease.
    No one understands the need for this balance better than 
patients themselves. With her permission, of course, let me 
share my wife's perspective. Having had Type 1 diabetes for 24 
years, she frequently serves as my resident consumer expert. I 
asked her recently if her privacy would be violated if she 
received a letter from her health plan advising her of a 
program to help her better manage her diabetes; her response, a 
simple, ``Of course not.'' Without further prompting, however, 
she went on to say she would be outraged if she then received a 
letter from a pharmaceutical company, a medical device 
manufacturer, or other organization trying to sell her a 
product or service related to her diabetes.
    She recognizes, as do most consumers, that the motives 
behind the use of her personal health information in these two 
examples are clearly different. One is designed to help her, 
the other to sell her something by capitalizing on her illness.
    It is disease management programs that provide the 
coordination, integration, and management of care processes 
necessary to help people with chronic diseases more effectively 
control their illness; and by improving overall health status, 
these programs also reduce health care costs. This is not 
wishful thinking. An independent analysis of our diabetes 
program confirmed that costs with 7,000 commercial HMO members 
in seven different health plans were reduced 12.3 percent in 
the first year.
    Even better outcomes have been achieved and will be 
released shortly for more than 20,000 individuals participating 
in our program in four Medicare+Choice plans. Disease 
management programs depend on the free flow of patient 
information to provide the customized proactive interventions 
which make these results possible. First, however, this 
information is needed to identify and engage program 
participants. After all, if we can't find them, we can't help 
them.
    Our experience has shown if we depend on patient or 
physician referral as the entry mechanism, program 
participation levels are significantly lower--never greater 
than 30 percent, as compared to nearly 98 percent with a 
proactive engagement model--and the individuals who do elect to 
participate are the wrong ones, generally those who are 
relatively healthy, well motivated or who have good self-
management skills. The people who both need and could benefit 
the most, nearly two-thirds of the total, are left out and the 
clinical and financial benefits are lost.
    Is using personal health information to improve health 
status appropriate? Our plan customers, their members and the 
physicians in their networks must think so, since we have never 
had a single complaint in that regard. We have achieved that 
record through the use of stringent policies and procedures to 
ensure both confidentiality and security. The information to 
which we have access is never sold or disclosed to a third 
party, nor do we use our communications with participants or 
providers to advertise or market any drug, product or service.
    Unfortunately, there are companies that do, and those 
inappropriate disclosures should be prohibited. Providing 
guidelines to distinguish between legitimate uses of personal 
health information and significant abuses of confidentiality is 
a worthy role for the proposed commission.
    We would also ask that the commission be charged to issue a 
clear recommendation with respect to preemption. Currently, 
many State privacy laws directly conflict with each other, 
making it impossible for national employers in health plans, 
such as a Federal Express or a Cigna, to provide consistent 
programs to residents of different States. And as you know, the 
privacy regulations proposed by the Department of Health and 
Human Services, if and when issued, will not preempt State 
privacy laws. Only Congress can authorize preemption, and we 
urge that the creation of a single national standard be part of 
any further Federal legislation.
    Ultimately, whatever legislation emerges from Congress must 
not inadvertently bar the use of personal health information to 
support better quality care and lower health care costs. The 
proposed privacy commission can help ensure this outcome by 
providing a clear road map through the complex privacy maze and 
distinguishing between appropriate uses of personal health 
information like disease management and those uses that are 
purely commercial.
    Thank you for your time. I am pleased to answer any 
questions you may have.
    [The prepared statement of Mr. Stone follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.030
    
    [GRAPHIC] [TIFF OMITTED] T1178.031
    
    [GRAPHIC] [TIFF OMITTED] T1178.032
    
    [GRAPHIC] [TIFF OMITTED] T1178.033
    
    [GRAPHIC] [TIFF OMITTED] T1178.034
    
    [GRAPHIC] [TIFF OMITTED] T1178.035
    
    [GRAPHIC] [TIFF OMITTED] T1178.036
    
    [GRAPHIC] [TIFF OMITTED] T1178.037
    
    Mr. Horn. Thank you. That is very helpful and a different 
type of statement.
    We will now go to questions and answers. The Members here, 
we are going to limit each to 5 minutes, and we will rotate 
until you are all worn out, so it will keep it interesting with 
three of us here.
    I will start with the first gentleman, who is the author of 
the legislation, Mr. Asa Hutchinson of Arkansas, for 5 minutes 
on questioning the witnesses.
    Mr. Hutchinson. Thank you, Mr. Chairman. I want to 
recognize Mr. Moran who came into the room, my cosponsor on 
this, and thank him for his active participation and support 
for it. I do thank each of the witnesses for their excellent 
testimony and presentation and differing viewpoints on this 
subject.
    Mr. Spotila, let me start with you, expressing the 
administration's viewpoint, and thank you for emphasizing the 
common ground that we have sought.
    You mentioned the administration's work in this regard and 
that you don't want a commission just to duplicate what already 
is out there. You cited a number of different commissions. 
Let's see here--which is really the interagency privacy working 
group, and the ones that you have cited here are agency driven; 
am I correct?
    Mr. Spotila. They are either agencies themselves or 
interagency groups.
    Mr. Hutchinson. Which is very important. I make a 
distinction between a congressionally mandated approach to 
privacy versus an agency.
    Mr. Spotila. We do defer to a considerable degree to the 
Congress in whatever you believe is appropriate to help inform 
your judgment. Our concern is not delaying doing things that 
are needed now.
    Mr. Hutchinson. Your point is very well taken, and I would 
emphasize the same point that you just made, that the intent of 
this legislation is not to infringe upon the agencies as they 
move forward. In fact, it is not going to stop. You've got them 
moving forward into a final rulemaking position here long 
before the commission will render any results.
    Mr. Spotila. Clearly, we would continue to move forward in 
areas where we could. There are legislative proposals in front 
of the Congress that we think are urgently needed and so we do 
have some concern, if the Congress were to halt its action 
pending the report of a commission.
    We also were attempting to share some of our experience, 
and that is where we have found the greatest success has been 
in very focused, targeted efforts rather than broad ones. This 
is a huge topic. It is easy to be a mile wide and an inch deep. 
That is not very helpful.
    Mr. Hutchinson. I think part of your point is well taken. 
Let me just respond in a couple of ways.
    First, I think the work of the agencies is very important. 
They have a lot of expertise in narrowly starting targeted 
areas. So I think that is important. Again, I view this 
commission as complementary to that.
    Even if all of these regulations move forward without any 
controversy, would you agree with me, 3 years from now we are 
going to need to continue to review, whether through the agency 
or the legislative body, the issues of privacy?
    Mr. Spotila. Absolutely.
    Mr. Hutchinson. Again, you make the case just by that 
answer that it is an ongoing effort on privacy and there are 
things--I have cosponsored legislation that ought to be done 
now. But if everything on the table is adopted, we still need 
to have a comprehensive review of it, as well, would be my 
case.
    When was the last time, to your knowledge, there was a 
legislative effort/commission that reviewed privacy?
    Mr. Spotila. I don't recall one certainly in recent times. 
We can try to be more specific, but personally I don't recall 
one recently.
    Mr. Hutchinson. I would agree with you not in recent times. 
I wouldn't consider 1974 recent, particularly in view of the 
technological developments. I saw the 1974 legislative 
commission report, and it was talking about privacy in the 
Information Age. Well, the Information Age has dramatically 
changed since 1974. So there has been a lot of agency work, but 
not legislative work.
    You make the point that if the commission is adopted, that 
it should not be just going on and on without having anything 
accomplished in the short term. You mention that it should be 
done within a short timeframe.
    Do you believe that an 18-month commission is too long or 
too short?
    Mr. Spotila. I think that our concern is that the 
combination of a broad list of topics and an 18-month timeframe 
suggests that the commission will not be as helpful as you 
might like it to be; that targeted efforts that zero in on 
particular aspects of privacy with a shorter timeframe, that 
inform decisionmakers in concrete terms, will prove more 
useful.
    Mr. Hutchinson. I want to invite you because your point as 
a concern has been expressed by others. The broadness--there is 
some benefit because you are able to look at--rather than a 
sectorial approach, you can look at it in a comprehensive 
standpoint all across the line from on-line privacy, which 
transects everything from medical records to educational 
records, so there is some merit to that.
    Also there is the danger of the commission having too much 
to do and they don't know where to start.
    I would welcome your view as to ways that the commission 
can be pointed in the right direction; we would solicit your 
views on that. I would point out that the 18-months is the 
deadline, the drop-dead point. It is not just an ongoing thing, 
it is going to cease to exist after 18 months. And it also 
provides, if the commission deems it appropriate, they could 
issue a report before then if there are some urgent matters to 
address.
    Do you believe that it is appropriate that you have an 18-
month deadline, that you can't go on beyond that?
    Mr. Horn. We will have further rounds, but let's respond to 
that question, and then we move to Mr. Moran.
    Mr. Spotila. I think it is important to have some outside 
date, clearly. I think our instinct is that 18 months may be 
too long, but this is also related to the nature of the topics 
that it would be looking at. We would be happy to continue to 
work with the committee and with the Congress to try to refine 
these approaches.
    Mr. Hutchinson. Thank you.
    I want to assure the other gentlemen that I have additional 
questions. I was just taking them one at a time.
    Thank you, Mr. Chairman.
    Mr. Horn. I am now delighted to yield 6 minutes to the 
gentleman from Virginia, Mr. Moran. If you have an opening 
statement and you want to read some of it in, we will give you 
additional time.
    Mr. Moran. Well, thank you very much, Mr. Chairman. I will 
just make some introductory comments. The first comment, of 
course, is to thank you for having these hearings and to thank 
my cosponsor, Mr. Hutchinson, for his excellent leadership on 
this issue.
    We know that the loss of personal privacy is a cutting-edge 
issue and one of the topic issues that confront Americans 
today. Personal medical information that is kept, stored, 
transmitted, distributed to people without an individual's 
knowledge makes them vulnerable. We know that profiling has 
taken place among a number of electronic commerce companies, 
presumably for the benefit of their customers, but obviously 
for the benefit of companies and oftentimes without the 
customer's knowledge.
    But we also have to recognize that the reason--one of the 
reasons at least that the United States is the leading economic 
and social force in our global economy is because we have such 
a favorable regulatory environment, so new ideas, new ventures 
can sprout up, take form, and become successful.
    We don't want more regulation than is absolutely necessary, 
and I think the history of our economy has proven that that 
should be the way in which we ought to operate. But the U.S. 
Internet economy is now worth over $350 billion. I think we 
have about 72 million American adults using the Internet today, 
and those numbers are increasing; and as they increase, 
obviously privacy is going to continue to be an acute concern 
on the part of the people who use the Internet.
    So our conclusion, the reason why we came up with the bill 
is that we need a thoughtful, deliberative approach to a very 
complex subject. And that is what we try to do. Maybe we have 
too many members, but every group that I have talked to wants 
to be represented so that is why we have as many as 17 members. 
And if it is as difficult an issue to come to grips with and to 
come up with constructive recommendations, we want to give an 
adequate amount of time; and that is why we came up with about 
18 months.
    I know Mr. Hutchinson and Chairman Horn have had this 
experience, any number of companies coming to us and showing 
the technology that is developing, as we speak, that enables 
the industry to self-police itself, to self-regulate itself, 
but we still don't know what the proper role for the government 
is and it would seem that there is a critical role for the 
government to perform.
    So that is the environment in which we have this hearing.
    First of all, Mr. Chairman, I want to ask that two of the 
speakers who wanted to present their testimony, Willis Ware, he 
used to work with the RAND Corp., he has some very interesting 
testimony; and Marjory Blumenthal, who is the Director of the 
Computer Science and Telecommunications Board for The National 
Academies, both speakers wanted their statements included for 
the record so we ought to do that.
    [The prepared statement of Ms. Blumenthal follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.038
    
    [GRAPHIC] [TIFF OMITTED] T1178.039
    
    [GRAPHIC] [TIFF OMITTED] T1178.040
    
    [GRAPHIC] [TIFF OMITTED] T1178.041
    
    [GRAPHIC] [TIFF OMITTED] T1178.042
    
    Mr. Horn. Without objection, those statements will be put 
in the record. At the end of the hearing you might want to read 
some pertinent paragraphs.
    Mr. Moran. Thank you, Mr. Chairman. I wanted to make sure 
that I didn't forget, and I know that you keep the record open 
for a couple of weeks.
    [The prepared statement of Hon. James P. Moran follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.043
    
    [GRAPHIC] [TIFF OMITTED] T1178.044
    
    Mr. Moran. Now, the question that I was most interested in 
asking was, first of all, Mr. Spotila, who is--you represent 
the administration on the panel. We have had some prior efforts 
to come up with studies relevant to consumer privacy. I know 
with regard to medical privacy issues, HHS took up a major 
privacy regulation--effort, last year.
    Now, recommendations were made in September 1997, and a 
proposed rule was made in November 1999. I understand that 
HHS's efforts to examine medical privacy included a number of 
consultations with various Federal agencies, and any number of 
hearings as well; and the comments that they got were in the 
tens of thousands.
    Do you have any idea of the time and resources that were 
required by the Department of Health and Human Services when--
in their preparation for coming up with the regulations that 
were required in 1997, and which were finally issued last year? 
Do we have any idea of the cost that was encompassed by 
performing that task?
    Mr. Spotila. I don't have, offhand, a dollar aggregate 
cost. Clearly, there was a period of time when the agency was 
waiting to see if Congress would take action; and then 
certainly last year there was a major effort in which my office 
participated in working with the Department to prepare that 
proposed rule.
    There was a team working at HHS on this subject. They 
worked intensively on drafting the provision. The proposal did 
get something like 53,000 comments. You are correct, we 
received widespread public reaction to the proposal and, of 
course the Department is looking right now at trying to 
finalize that rule before the end of the year. If it is 
important, we certainly could inquire and provide for the 
committee whatever financial or economic estimates there might 
be from the Department as to what that aggregate cost would be.
    Mr. Moran. I think it would be an interesting 
consideration. And similarly, the legislation on financial 
services modernization required a similar type of study, and I 
think it would be useful to know the resources that are being 
required to conduct that study, as well, because both studies 
seem to be relevant to the subject at hand.
    Mr. Spotila. We can reach out and attempt to get that 
information and submit it to the committee.
    Mr. Moran. Thank you, Mr. Spotila.
    Mr. Horn. We will put that in the record at this point 
without objection. The 6 minutes plus I believe has expired. 
But we will get back to that.
    Mr. Moran. Thank you, Mr. Chairman.
    Mr. Horn. Let me get my 5 minutes in.
    Mr. Spotila, I am curious, what is your view of Mr. Stone's 
objection to the preemption of State law?
    Mr. Spotila. In general, we are deferential to State law 
and to the desire of States to have stronger privacy 
protections. That has been the approach we have engaged in, and 
we are sensitive from a federalism standpoint to that type of 
approach. We realize that there is benefit from having a common 
standard, and Mr. Stone was alluding to the difficulty that can 
occur if there is a hodge-podge of different standards that may 
not be consistent.
    So I think there is a need for balance. Our approach has 
been to try to zero in on things that we felt did have common 
application and that could form a basis, but not necessarily to 
preempt altogether an area where the States have strong 
interest and where they have had a historic activity.
    Mr. Horn. Well, there is no question that industry and 
other entities across America would like one policy and not 50 
policies. But I do remember in this room a few years ago when 
we had the frozen chicken hearing and that was because Tyson 
and whoever else was running the Department of Agriculture, so 
they had a softer freezing thing and California had a very high 
standard.
    I think it is still that way. California has a high 
standard, but they were preempted by the Federal Government 
with a weaker standard. So I wish you well when you are trying 
to get a higher standard, because I think that is what we ought 
to be moving for where we can, but we don't want to disrupt the 
whole economy in the process.
    I will be getting in, with some panels, the European 
situation where every country in Europe is supposed to be 
putting a privacy law on the books, and that will be a real 
problem for American industry, and I have talked to a number of 
presidents, prime ministers, defense ministers, foreign affairs 
ministers and urged them to get subcommittee--or 
subcorporations of European corporations and American 
corporations to give them some advice on the practical aspects 
of this.
    Has your office done any of this in relation to the 
Department of State?
    Mr. Spotila. We have had some contact. Peter Swire has had 
some coordination contact with European Union issues. In fact, 
he is something of an expert from his work in the world of 
academia.
    I would emphasize also that we strongly encourage self-
regulatory efforts. We do so not only because that is always a 
good thing to do but because very often with well-intentioned 
and interested private sector parties, we can come up with 
better and more sensible approaches. So our sense is that any 
approach, Federal or State, should allow substantial room for 
private, self-regulatory efforts as well.
    Mr. Horn. What evidence do you have that the commission 
could result in delays in the development of the privacy 
initiatives?
    Mr. Spotila. It is a general concern. We have seen some 
suggestions that people who oppose privacy reform would welcome 
any effort to add delay. My colleague from Minnesota was 
mentioning this: now you have a commission, why don't we wait a 
year and a half and hold up everything until the commission has 
reported?
    That is exactly what we think would be a mistake. I 
recognize that you emphasized that is not the intention here, 
but there is concern that there are those who might use it in 
that way. We have to be sensitive to that concern in 
considering any approach like this.
    Mr. Horn. Well, I would think with 17 people there, there 
could be a majority. I think if it is broadly spread out among 
the various interests and not just one interest or two 
interests, I would think that kind of dialog and discussion 
would be worthwhile. I think back to the Hoover Commission in 
the late 1940's and the early 1950's, and that made major 
proposals to the Federal Government and a lot of progress was 
made. And what I have found over the years, if you don't have a 
mechanism which brings people together, gets a consensus, that 
you are just going to be spinning the wheels in Congress, and 
you would be better off having a group of people, including 
experts and others, who just ask the question, ``Why? It sounds 
dumb to me, now explain it to me. If you go through that 
process, you are more likely to get legislation out of the 
Congress, I would think. But you might take a look at it.
    And then I guess I would ask you, Mr. Spotila, what section 
of the bill puts at risk the release of classified information? 
Where do you see that in the bill?
    Mr. Spotila. This was a relatively late concern that we 
received from the National Security Agency and the Department 
of Defense. Their concern was that some of the broader 
references to the commission getting information from the 
agencies failed to make a distinction as to the handling of 
classified information. So our sense is, that is something that 
bears further discussion. I would be happy to get back to you 
more specifically with that, although I don't have their 
specific recommendation for how that might be addressed. They 
certainly do feel there ought to be some specific approach to 
classified materials to the extent that they might be drawn in.
    Mr. Horn. Well, since Mr. Hutchinson is next with 5 
minutes, you might want to continue that discussion, and I am 
sure he has many more questions. We would like to know where he 
thinks this great power is found.
    Mr. Hutchinson. Thank you, Mr. Chairman.
    I would very much like to address a concern which has been 
raised on national security issue. That seems relatively simple 
to fix, but very important and it sounds like you have put out 
a request to different agencies, maybe responding to the 
commission idea and getting some feedback; and I would love to 
have the benefit of any concern, positive or negative, about 
the commission.
    Mr. Veator, thank you again for your testimony. If you 
would give my regards to Lieutenant Governor Swift, I enjoyed 
and appreciate her work on privacy. And one thing that struck 
me about your testimony is that you mentioned two or three 
bills are pending in State legislatures dealing with the 
privacy issue now. In your State of Massachusetts, have you all 
passed any substantive privacy legislation?
    Mr. Veator. I think that there are--the short answer is no, 
I think not in the last year or so. There are several bills 
that are quite close, working their way through the legislature 
relating to--primarily to medical and health privacy. There are 
two bills relating to financial service, primarily to financial 
services privacy.
    Mr. Hutchinson. Are you aware of some States that are using 
the commission approach to developing their own State policies 
on privacy?
    Mr. Veator. I am not aware of other States, just our 
experience where we tried to pull together as many people we 
could with diverse stakes, if you will.
    Mr. Hutchinson. General Hatch may be aware of that. Are you 
aware of any States, Mr. Hatch?
    Mr. Hatch. In Minnesota, we did try to appoint a task 
force. The problem is it ends up being, as you have indicated, 
a lot of interest groups. The purpose of a task force is to do 
one of three things: either find out the technology of an issue 
that we cannot as lay people figure out; second is develop, by 
consensus, on an issue that we cannot get people to agree; and 
the third is to avoid the issue altogether.
    In this case, there is no science. There is science creates 
the issue. The technology brings in part the issue, but it is 
not a hard one, a fundamental issue of privacy. It goes back to 
the beginning of this country and even further than that. It is 
a value issue. Restatement of torts, courts have covered it, 
statutes have covered it.
    It is not a consensus. We will never get a consensus on it. 
You have got too many companies that make exchange on the data, 
too much legal and I think questionable activity that goes on 
by the use of the information versus the fundamental right of 
privacy. So the third becomes the issue to defer.
    When we tried it, we quickly recognized that it doesn't 
work. You are not going to get a consensus on it. The first 
meeting we figured that out. It isn't going to occur.
    Mr. Hutchinson. Mr. Hatch, if I might follow on on some of 
your comments, I think you are right. I think a task force, or 
in this case a commission, can do a number of things. One is to 
help build a consensus. You also mentioned the possibility of 
delay. And again that is not the intent, nor do I think it 
should be the result. I think it can be a very positive thing. 
But a consensus to me is important.
    You have introduced legislation in your State of Minnesota 
addressing privacy, and I think specifically toughening up the 
opt-in on the financial records.
    Mr. Hatch. Right.
    Mr. Hutchinson. Has that passed?
    Mr. Hatch. It's passed one house and hopefully we have 2 
days left, we can get the other house to do it. But we have 59 
hurdles to overcome to get to those votes.
    Mr. Hutchinson. You have 59 hurdles in Minnesota. We have 
435 hurdles in the U.S. Congress. And so consensus is important 
for us to build as well. And I disagree, I think that, you 
know, you indicate that the American public either believe or 
don't believe or industry believes or don't believe. I think 
information is crucial. And I think that one of the things this 
commission provides is that you have hearings. And it's not 
just to receive information, but it's also an education 
process. People have a great understanding as to how privacy 
can be protected, but also that some exchange of information in 
terms of health records or health might be important for 
research.
    So information is valuable in building that consensus, and 
so I hope that that would be the goal of this commission.
    Mr. Chairman, you were generous to offer to put things in 
the record. It was pointed out by your staff that the committee 
received a letter from the office of the Attorney General of 
the State of Texas, and has that been made a part of the record 
yet?
    Mr. Horn. I was planning to make it at end of the hearing 
and quote various paragraphs.
    Mr. Hutchinson. Well, this is your thunder, but I was going 
to ask whether Mr. Hatch--General Hatch, if other Attorney 
Generals that you have talked to have looked at privacy in 
their States in terms of whether it should be the State level 
multitude of layers of privacy or whether there should be a 
national standard. Has that been addressed?
    Mr. Hatch. We've had discussions on it. I think it is safe 
to say that most, I won't say all, but many of the Attorney 
Generals are in agreement that it ought to be. It is a part of 
the police powers of a State and it ought to be addressed at 
the State level. It certainly ought to be addressed at the 
Federal level. I think the confidence level that Congress will 
address it is very low. We saw that with FSMA. The bill passed 
and it was basically dressed up as a basic privacy act, but it 
was a bank disclosure act. Banks have more authority to 
disclose information.
    Mr. Hutchinson. Are you speaking of the Gramm-Leach-Bliley 
legislation that provided for an opt-out provision?
    Mr. Hatch. Actually, it provided for, sir, a provision to 
trade information without an opt-out to any affiliate. It 
allows them to trade information without an opt-out to any 
other company for the sale of financial products, and then it 
defines a ``financial product'' very broadly. So it basically 
did little, if anything. There would be an argument that it 
tromped on the fiduciary laws that have been enacted and have 
been longstanding in many States.
    Mr. Hutchinson. I think my time has expired, Mr. Chairman. 
I was going to have Mr. Spotila respond to that from the 
administration standpoint, but I yield back to the Chair.
    Mr. Horn. Go ahead. We will give Mr. Moran extra minutes.
    Mr. Hutchinson. Mr. Spotila, do you believe that we should 
have Congress address further the Gramm-Leach-Bliley provisions 
that the Attorney General just referred to?
    Mr. Spotila. It is our position that the statute was a step 
in the right direction, but it did leave gaps that do need to 
be addressed.
    Mr. Hutchinson. And right now the administration is 
adopting the regulations to carry that out. There is 
legislation pending that would adjust that. It is my judgment, 
there--this legislation might move forward. And if it can, 
terrific, if you can build a consensus. But would a commission, 
though, looking at this from a substantive standpoint, look at 
the impact of your regulations that the administration is 
putting out and how industry is adjusting to that, getting 
consumer feedback; the commission would take that and make a 
recommendation from there. Would that not be helpful in 
building consensus to move forward?
    Mr. Spotila. Actually, this is an interesting point, 
because as I mentioned in my testimony, one of the areas we 
have a lot of concern is that the commission might be a reason 
for people not to take action on financial privacy legislation 
that we think is clearly needed after that statute. If that 
financial privacy legislation did move forward and the 
commission was now studying what, if anything else--assuming 
there was a commission--what, if anything else, was needed 
after that, without having delayed this process, the argument 
for it would I think be stronger than if it were to suggest 
that we should hold up completely financial privacy legislation 
and let the commission try to develop consensus and look at 
this in a couple of years.
    Our sense is that this is a more urgent priority and that 
part of the challenge here as the Congress considers this bill, 
is how it might form a mechanism or create a mechanism that 
would allow us to consider that longer view in studying these 
issues without paralyzing us in areas that are of real 
priority, where action is clearly needed and needed more 
swiftly.
    This is actually one of the most sensitive areas about the 
bill and one that gives us some discomfort for this reason.
    If I might add, as to your earlier question on the issue of 
classified information, the language in section 7(c), which 
indicates that the commission may secure directly from any 
department or agency information necessary to enable it to 
carry out the act, and that the head of that department shall 
furnish that information to the commission, is the language 
that the agencies specifically are concerned about because it 
does not differentiate whether that information is classified 
or not. And there is no provision here that indicates the 
commission is equipped to handle classified information.
    So that is the specific provision that we are concerned 
about. As to how, if at all, that could be refined, we would 
have to get back to you.
    Mr. Hutchinson. Thank you, Mr. Chairman.
    Mr. Horn. The gentleman from Virginia. We are going to 
start 10-minute rounds now. It is like a dance out of the 
1930's. So go ahead, my friend.
    Mr. Moran. Thank you, Mr. Horn. I don't want to put our 
witnesses through too long a marathon session. I will try to 
wrap up any further questions I have at least today in this 
round.
    Let me ask Mr. Spotila again, in light of the efforts that 
were made with regard to medical privacy culminating in the 
regulations in August 1999, and the financial services 
modernization effort that is currently being made, has OMB done 
any preliminary analysis as to what resources might be required 
to perform the kind of commission that we are talking about? 
Has there been any discussion in that regard?
    Mr. Spotila. I'm not aware of OMB having tried to estimate 
the cost of the commission. That's not necessarily something we 
would try to do. I'm sure if you would like us to, we could 
try----
    Mr. Moran. Have there been discussions at OMB as to the 
benefit of having a comprehensive study instead of the ad hoc 
reactive study as a result of legislation, whether it be in 
medical privacy or financial privacy areas?
    Mr. Spotila. There has been discussion not only within OMB, 
but within the administration on this issue of what I call the 
more targeted approach. When it works well, it is targeted and 
focused and very pragmatic, it doesn't, it is very ad hoc and 
kind of irresponsible. This is versus a broad approach which 
might be either visionary or a waste of time. We have had a lot 
of discussion about this.
    Our concern is, that if the commission is focused on too 
broad an area, than it won't produce much of value, and if its 
timeframe is too distant, it might not inform decisionmakers on 
matters that need more urgent attention. That is not to say 
that it is impossible for a commission to add value. That is 
not what we are saying at all. We do have concerns about how 
this balance might be struck, however, and concerns that the 
way the bill is crafted now, it might not be striking the 
balance correctly.
    Mr. Moran. Give me a moment to consider what you just said, 
that you might not be striking the balance correctly. I would 
not have been surprised if the administration had recommended a 
broad study so that it could make its recommendations in a 
consistent framework, particularly given the resources that are 
currently going into the information security effort, which is 
very much related to this.
    Mr. Spotila. Yes.
    Mr. Moran. And I know that those efforts are substantial. 
They are being coordinated--actually, we are trying to figure 
out the best place for it to be coordinated. But there is an 
office--you are involved in that coordination?
    Mr. Spotila. Yes, I am.
    Mr. Moran. And it would seem that when you make broad-based 
policy recommendations that are applicable to medical privacy, 
that there should be some consistency in terms of individual 
privacy with regard to financial services as well, and that 
would include profiling issues, the issues of shared 
information that enhance customer service.
    So I guess I was a little taken aback, or questioning at 
least, of the effort on the part of the administration to take 
a position that we need legislation immediately. And I'm 
referring to the President's recent speech that protected 
people's privacy without having a good idea of how it is that 
you want to do that beyond what was included in the medical 
effort that HHS conducted. In terms of financial services, we 
haven't done it yet. I mean, we've got legislation. Regulations 
haven't actually been issued. And my interest is in trying to 
keep the issue from being politicized and to put forward 
legislation that not only stands the test of time, but has some 
consistent principles that are applied broadly, whether it be 
in medicine or financial services or in any other area of 
electronic commerce and communication.
    But I'm not lecturing you. I just wondered--do you have any 
comments on that before I go on?
    Mr. Spotila. Again, when I talked about striking a balance, 
what I meant to say was that we see pressing needs in the area 
of protecting privacy, financial records, medical records, 
genetic discrimination. There are pending legislative proposals 
in front of the Congress that we believe are well conceived and 
well drafted. They could perhaps be refined further, but they 
are good pieces of legislation and we do not want to see those 
bills frozen because a commission is set up to look at the 
whole subject of privacy in all of its ramifications.
    Now, having said that, that does not mean that we don't 
share your sense that privacy is important and that we need to 
study it in a comprehensive way and that we will need to be 
doing this over a period of time.
    Mr. Moran. And that we need some consistent principles in 
the projection of government policy.
    Mr. Spotila. Exactly.
    Mr. Moran. Mr. Chairman, I'd like to ask of the three other 
witnesses your expectation and recommendations with regard to 
the issue of whether this commission should deal with State 
legislation in terms of a Federal floor and what the downside 
of doing that would be. Of course, the other alternative is to 
simply preempt State legislation with Federal legislation and 
there is precedent for doing both.
    Maybe we can ask Mr. Veator and then Mr. Hatch and Mr. 
Stone.
    Mr. Veator. Thank you, Congressman. We obviously generally 
do not like to have our efforts preempted. On the other hand, I 
think that is one of the issues that the committee will have to 
look at as to whether or not preemption, whether it is a floor 
or overall preemption, should be applied differently to 
different levels--excuse me different areas. To the extent that 
we are talking about criminal statutes, that is traditionally 
within the police powers of the State, then you may not want to 
preempt those kinds of things.
    On the other hand, financial services seem to be 
increasingly, national if not international, so some level of 
preemption may be more appealing. Oddly enough, health care and 
health information, insurance companies that provide or pay for 
health care generally are still licensed on a State-by-State 
basis, so it may make sense for States to retain the ability to 
legislate in those areas.
    Mr. Moran. Would you narrow the scope of the commission to 
what States--other State studies have done? Have you considered 
that?
    Mr. Veator. I don't--at some point, obviously, the 
commission would want to figure out what needs to be looked at, 
because as I think one of the witnesses said, privacy is 
pervasive in every area and the things you keep hearing, again, 
are financial services, health, identity theft, personal 
security, that is sometimes threatened by the dissemination of 
our information. I'm not so sure that the commission needs to 
narrow its inquiry. In fact, I think one of the things that the 
commission would have to do is see how all areas of privacy are 
becoming increasingly related as industry converges as we go 
on-line and information becomes more and more available.
    Mr. Moran. Thank you. Mr. Hatch.
    Mr. Hatch. Sir, I think that certainly with the Internet 
you're dealing more with interstate commerce, and I think a 
Federal approach to it would probably be best. With regard to 
banks, insurance, the type of issues that have--medical, I 
think the States certainly ought to be able to exercise their 
police power. Once again, I'm not excited about the idea of a 
commission. I just have bad vibrations about it, and in the 
sense that I'm afraid that it's going to be used just to delay 
action by policymakers.
    And for what it's worth in terms of coming up with 
consistent principles, I would recommend to Congress to look to 
the restatement of torts on privacy. I mean, it has a very 
long-debated, researched application of the law. The problem is 
it doesn't--they have great principles, but nobody ever 
anticipated the change in technology in terms of the speed with 
which information is exchanged. But the principles are still 
the same. It is a balance: your expectation of privacy versus 
the right to know.
    Mr. Moran. That's the point we make that things are 
happening so fast that self-regulatory capacity seems to be 
developing. Mr. Stone.
    Mr. Stone. Thank you, Mr. Moran. I think that while the 
concept of a Federal floor and individual State regulation or 
legislation has some appeal, I think what we are going to be 
left with is the same patchwork quilt of legislative and 
regulatory requirements that we currently run the risk of 
facing today. And as the chairman mentioned a few moments ago, 
one of the issues that we have to deal with is where do you set 
the standard for Federal preemption?
    I think it is important to recognize that what we are 
talking about here, at least from the perspective that we are 
here today, is first and foremost people and their health. And 
there is no standard essentially high enough that could be set 
in protecting that.
    On the other side of the coin, though, we've heard that we 
have 2,000 to 3,000 pending privacy bills in State 
legislatures, which makes my blood run cold in terms of trying 
to provide services on a national basis. If you're an employer, 
like a Federal Express with employees in all 50 States, Puerto 
Rico, and in the District, and you want to provide a proven, 
comprehensive health program to those employees, if you run 
into the situation where you're able to do that in one 
jurisdiction but not able to do that in another, there are 
obviously some real problems.
    I think 50 years ago, health care was very local. You had a 
local physician, you had a local hospital, you never went 
outside of town, maybe to the nearest big city for your health 
care. I don't think that's true today. I think if any of you 
gentlemen found yourself in need of hospitalization or health 
care services here in the District, you would like that 
institution and those caregivers to be able to communicate with 
your caregivers in your home States. And it is not atypical 
today for people to travel many States away for health care and 
for us to be dealing with, because of technology and just 
because of the aggregation of services, a provision of services 
from people in States different than where the patient may 
reside.
    I suggest that that is a pretty good picture of what the 
framers had in mind when they were talking about interstate 
commerce, and I don't think that it is true today as it was 
several years ago that health care is entirely local and 
constrained within the boundaries of the State in which the 
patient may reside or in which they may be living at the time 
that they're receiving care.
    So I would urge, again, for consideration of Federal 
preemption, set the standard as high as consensus of you and 
your colleagues will allow to protect both the rights of 
privacy, the need for confidentiality and the ability to 
provide services to the people of America.
    Mr. Moran. Thank you. Thank you, Mr. Chairman.
    Mr. Horn. I thank you, and will now go at a few other 
questions that are somewhat generalist. Mr. Spotila, the 
thought is that in view of the recent attack on the Federal 
computer systems, what is the Office of Management and Budget 
doing to ensure the security of the personal information that 
is stored on government computers? And obviously that is a 
major problem. We can do all the legislating we want to have 
privacy, but if somebody can get access regardless of that, 
what are the plans in that area the administration has?
    Mr. Spotila. We have been giving this area priority for 
some time now. And let me begin by saying that although we are 
greatly committed to this, and are of the belief that we 
currently offer good protection to that data, we also 
understand that the security threat is an ongoing challenge and 
that there is never a final answer here; that there is a need 
to continue to maintain and upgrade security as one goes 
forward in light of changes in technology and changes in the 
possible threat.
    We have been working at the Office of Management and Budget 
with all of the agencies to improve their approach to 
information security. We have put out best practices and sets 
of principles. We have integrated the need to consider 
information security planning into their information technology 
planning in the budget process. There was significant 
improvement last year and the Director this year has given new 
guidance to the agencies so that this will be rolled into the 
budget process from the very beginning, going forward.
    We think that's extremely important. What we have said, 
that security is not an add-on, and that one must approach 
information security in an integrated way from the very 
beginning as technology planning is done, reflects the best 
advice of GAO and certainly our best thinking as well.
    We are working, in addition to that, with our security 
agencies, with the law enforcement agencies and with the 
President's advisor on counterterrorism so that we can support 
initiatives in that area.
    This will be an ongoing challenge, and we certainly look 
forward to working with you and this committee as we go forward 
in this area.
    Mr. Horn. In your testimony, you mentioned the Health 
Insurance Portability and Accountability Act of 1996, and you 
quote Assistant Secretary of Health and Human Services, 
Margaret Hamburg, as to believing that legislation is the only 
way to ensure health information privacy.
    Has--and that's the bottom of page 4 of your testimony. And 
the question would be, has the Department explored other 
alternatives?
    Mr. Spotila. Well, among other things, the Department is 
working on finalizing the health privacy regulations that we 
referred to earlier. It will be issuing a rule this year that 
we think will be very constructive. We are just concerned that 
the enforcement powers that are available under existing law 
are not as effective as they should be and that Federal 
legislation is needed so that anyone who would misuse personal 
health information would be subject to accountability. It is 
really a matter of building on some of the positive steps that 
have taken place in the past, including these rules that will 
be coming out this year, and filling in other gaps.
    Mr. Horn. Is there any thought as to the type of penalty 
that might apply at this point?
    Mr. Spotila. Well, there has been a variety of testimony on 
what new legislation in this area might look like or what it 
ought to look like. We think it is necessary to set the 
standard correctly first, and then to address penalties. I 
think that we have to fill the gaps and make it clear that we 
recognize the sensitivity of health records, that we think that 
the individual should have some control over how those health 
records are used and that they shouldn't be used without 
consent. These principles are vitally important and there are 
some gaps in terms of how they are applied.
    The specific penalty could vary. I think the notion that 
we've set those standards and that we've tried to address those 
gaps is the most important principle.
    Mr. Horn. Now, has the administration already come up with 
that in the draft of the Health and Human Services--or do you 
have other drafts going with the principal idea?
    Mr. Spotila. There is, as I mentioned, a proposed rule that 
went out for comment that got 53,000 comments. The Department 
is working on finalizing that rule. It is a huge task. 
Reviewing all of those comments and taking them into 
consideration will be very time consuming. Our timeframe on 
that is to get the rule out this year. The possibility of 
future legislation is something that could be looked at.
    Mr. Horn. We've got fiscal years, we've got calendar years. 
Which year?
    Mr. Spotila. I'm referring to calendar year 2000 for 
getting the rule out, with the proviso that we would like to do 
it as soon as it could be done. I don't mean to suggest that it 
will be the last day of the calendar year.
    Mr. Horn. I wanted to know if it was the midnight judges' 
technique.
    Mr. Spotila. We would very much like it not to be. Part of 
a responsible approach to a rule like this is to consider 
seriously those comments that members of the public made and to 
take them into account and address in the preamble to the rule 
what the Department believes about those comments. When you get 
53,000, that's a big job. So we are trying to get it right. We 
are trying also to be fair and proper in the process. So it 
will be time consuming, but we think the rule will be a good 
one when it comes out.
    Mr. Horn. One of the arguments against developing a new 
privacy commission is the potential that old work will be 
duplicated. I just want to ask you if you and your staff and 
the HHS staff, have they looked at other commission studies at 
the State level and individuals in Washington think tanks? And 
what kind of help have you relied on?
    Mr. Spotila. We have attempted--and the Department, 
obviously has had the lead here--we have attempted to draw on 
all of those studies and all of the information that we know 
of. So that would include those to which you refer. That in 
going forward in setting up a sensible rule, we could take into 
account that wisdom.
    The comment about the commission or concern about the 
commission is that it's important that any future effort that 
studies the privacy area should also build on what has gone 
before and that should be a guiding principle.
    Mr. Horn. Moving to Mr. Veator, in your testimony you 
mentioned that businesses were taking steps to protect private 
information. Could you sort of describe the Massachusetts 
experience and what is happening in that area and what 
companies have been successful?
    Mr. Veator. Well, since finalizing our legislation, we have 
had the opportunity to meet with a number of businesses who are 
either happy or concerned at different levels by it, and we 
have had the opportunity to learn what their privacy protection 
policies are. And I note that I think that the FTC sweeps Web 
sites. Web sites with privacy protection policies have gone 
from something like 14 percent to 56 percent in the last year. 
So I think more and more companies are aware, especially on-
line, that they need have some sort of privacy protection right 
up front.
    Mr. Horn. Now, as I understand it, the Massachusetts 
Lieutenant Governor has taken an active role in the issue of 
privacy as a member of the Federal Trade Commission study on 
privacy. So you found that to be helpful, I take it?
    Mr. Veator. I think it was both helpful and informative as 
to how a commission approach really could be very helpful. The 
particular FTC committee was on providing consumers with access 
to their personal data on-line and ensuring security of that 
data at the same time. The committee managed to get 40 
representatives, approximately, from industry, privacy advocacy 
groups, from around the country, and the depth and wealth of 
information I think that was available in the room when those 
people met and on lots of conference calls was instrumental in 
putting together what I think is a very robust analysis of 
security and access.
    Mr. Horn. Mr. Stone, I'm curious; in your testimony you 
discuss the positive effects on disease management when medical 
records are accessible to companies such as American Health 
Ways. Now, beyond the patient's name and the physician's 
diagnosis, what kind of information do these companies really 
receive? Is it address, Social Security number, entire medical 
history or what?
    Mr. Stone. Mr. Chairman, it's the entire medical history, 
both past and going forward, that is received and used by a 
disease management organization. I think that recognizing we 
are dealing with a chronic disease population, it's problematic 
to think of the use of information in an episode-of-care kind 
of fashion that permeates so much of American medicine. In 
order to help people with chronic diseases who are ill from the 
day they're diagnosed and until the day that they die, we need 
to know how to work with them and their physicians in order to 
develop and implement care plans that are responsive to the 
changes in their condition over time.
    So we start out with a complete medical record consisting 
of claims information, the insurance company; pharmacy 
information, the pharmacy benefits manager; lab information and 
any information which we can get--which proves to be difficult 
sometimes because physicians are still pretty much on paper 
processes in their office--and information from the patient. As 
this information is updated over time, the patient's 
stratification within the system will change and the 
interventions which are provided in support of their self-
management efforts and in support of their physician's care 
plans will change as well.
    So it becomes a rather comprehensive clinical and financial 
database of information with respect to each of the patients 
that are in the program.
    Mr. Horn. Mr. Stone, are there other companies such as 
yours?
    Mr. Stone. Yes, sir, there are.
    Mr. Horn. How many are we talking about?
    Mr. Stone. Well, the current count is somewhere around 170. 
I would suggest that a number of those organizations, however, 
are claiming to provide disease management services in order to 
take advantage of some of the protections that have been 
afforded them under the HHS proposed regulations and which were 
even included in Senator Jeffords' bill on privacy which did 
not emerge from committee last year. And one of the things that 
we hope that Congress and/or this commission can do is begin to 
draw the distinction between those disease management efforts 
which are legitimately aimed at improving individuals' health 
and those that are masquerading as a way to offer that 
chronically ill population something for sale.
    Mr. Horn. So disease management would be a generic term, 
then, for describing the 170; is that correct?
    Mr. Stone. Yes, Mr. Chairman.
    Mr. Horn. Do you know of any examples where other firms 
than your own have violated a commonsense standard of privacy?
    Mr. Stone. I can't say specifically. I think that if the 
committee were to look at the broad variety of organizations 
that are claiming to provide disease management services, and 
the broad variety of the scope of services that are being 
offered, staff might very quickly be able to identify segments 
of the disease management industry that might fall into that 
category.
    Mr. Horn. Let me ask you this. We have in this country a 
traditional checks-and-balance system, and on the health side 
you have got outside company inspections. And groups that do 
this are Veterans Administration, hospital consultants, and so 
forth. And what other balances do you see to try and keep 
privacy sacred, if you will, if the individual wants that?
    Mr. Stone. Well, if I understand your question correctly, 
Mr. Chairman, I think that it's important to recognize that 
disease management as a concept is only 6 or 7 years old, and 
has made significant strides toward professionalization and 
self-regulation over the last year to 18 months. I fully 
anticipate that within the next year to 18 months, we are going 
to see emerge accrediting programs for disease management 
organizations. I know that such programs are under 
consideration by the Joint Commission on Accreditation of 
Health Care Organizations, URAC and NCQA, among others, and I 
think those are going to come into play in the relatively near 
future. I think clearly that kind of good housekeeping seal of 
approval will go a long way to assuring patients and physicians 
and health plans that the information being received by 
organizations with that kind of accreditation has met a certain 
set of standards.
    In the interim, the industry has--is working on its own 
statement through the Disease Management Association of America 
on privacy, on the minimum standards that should be in place, 
and I think that we are going to see not only the accreditation 
process develop but a rapid shrinking of the number of 
organizations offering disease management services as those 
industry efforts for self-regulation take hold.
    Mr. Horn. Now, remind me on that. In your testimony it 
seems to me there is real concern about State privacy laws that 
inhibit people from getting the treatment they need. How 
serious a situation is that and should that be Federal 
preemption?
    Mr. Stone. Well, I think, fortunately, the States have been 
relatively slow to the legislative process. There is State law 
in California which was passed at the 11th hour in their last 
legislative session which is currently going under emergency 
remediation because of the essentially chilling impact it had 
on the delivery of disease management service.
    I think everybody is familiar with the effort in the State 
of Maine last year which, while well-intentioned, prevented 
clergy from visiting people in the hospital because the 
hospital couldn't tell the clergyman whether the patient was 
actually there.
    Mr. Horn. I thought the flowers example was particularly 
upsetting.
    Mr. Stone. Massachusetts has legislation pending. Texas has 
legislation pending. Florida has legislation pending. Certainly 
three bellwether States in terms of health care regulation.
    All of which was modeled after the California bill which 
managed to pass, and the industry association is also lobbying 
hard in all of those States, pointing out that the California 
bill is about to be repealed, at least as it relates to disease 
management.
    I think that to the extent that the organizations who are 
providing these services on behalf of health plans, their 
members and physicians recognized, again, that this is people's 
health we are talking about, the issues become fairly 
straightforward. It's when you fall over the line into the 
provision of health care services or would-be provision of 
health care services in support of commerce or some other 
product or service that the abuses that we've all heard about 
come to pass.
    Mr. Horn. Attorney General Hatch, does Minnesota have a 
Freedom of Information Act?
    Mr. Hatch. Yes, sir, we call it the Data Practices Act; but 
yes, sir.
    Mr. Horn. Has the impact of privacy laws--or would it be, 
in your mind--in any way change the Freedom of Information Act 
or would the State have to change it if they had a privacy law?
    Mr. Hatch. No, sir. We took--at least the way we're 
approaching it is we take one segment of society, take it issue 
by issue: banking, financial data, versus health data versus 
government data. And oddly enough in Minnesota and I think most 
States and certainly in the Federal Government, the issue of 
government data has been with the Freedom of Information Act 
and the Data Practices Act has been debated and there are 
statutes in place. There is some effect on government data in 
Minnesota with regard to the Shelby amendment on driver's 
licenses. We are having a debate on that issue. But pretty much 
government information is leaving it alone in terms of what the 
Data Practices Act contains, which parallels very closely what 
goes on at the Federal level.
    Mr. Horn. Well, let's hear about the Federal level. Mr. 
Spotila, how much, if any, would be a problem with, say, the 
HHS privacy regulations which are out there now and the Freedom 
of Information Act? Is there a problem there, and has anybody 
between Justice and your office thought through those problems?
    Mr. Spotila. Our sense is that there is not a problem, that 
the Freedom of Information Act has always allowed for the 
protection of private information of the sort that we are 
talking about, individual information.
    In terms of what the HHS rule will look like as a final 
rule, that is still in the course of development. We're 
certainly sensitive to not creating a problem with the Freedom 
of Information Act; that would be something that we are always 
going to be careful about.
    Mr. Horn. Do any of you see any problems here that we 
haven't brought up yet that you'd like to raise and maybe did 
not raise in your own statements? Do you have something, Mr. 
Spotila?
    Mr. Spotila. Nothing else, other than as I mentioned, that 
we welcome the good intentions that are reflected in this bill 
and would look forward to working with the committee further.
    Mr. Horn. Getting back to Mr. Hatch a minute, in your 
testimony you talked about the need for the States to take 
action on the issue of privacy. Our staff has talked with 
people from the Mayo Clinic and the University of Minnesota. 
They discussed their concerns with privacy legislation 
initiated in the Minnesota legislature saying the opt-in policy 
was not successful for them.
    Mr. Hatch. Sir, what that relates to is it is a separate 
bill. In Minnesota, health data is transferred to the 
government without your permission; all patients without 
permission, without knowledge. And what I proposed is a bill 
saying at least you ought to get the consent of the patient. 
Center for Disease Control, Mayo Clinic and everybody else does 
it.
    I am surprised that all of the health information, at least 
health data is being transferred to the Minnesota Department of 
Health Data Institute without even the knowledge of the 
patients, and there are a number of issues that will be coming 
out with regard to how that information is being used.
    In that case, there were physicians at the Mayo Clinic who 
were on the Health Data Institute who opposed it even though 
only 60 percent of the--a little more than 60 percent of the 
patient data that is being sent, again without knowledge, 
people who are charity cases, people who pay cash, people that 
go in for certain types of, say, cosmetic surgery surgeries 
that are not covered by an HMO or insurer, are not transferred. 
So actually, statistically, the information is not as credible 
as a process where you do get the consent of a patient, simply 
because 97 percent of them will consent to it. In this case it 
is about 60.
    I don't oppose having the information sent to the 
government as long as you don't have a patient's name and 
Social Security number attached to it. And there have been 
examples of leaks; you mentioned yourself, sir, with regard to 
government data being transmitted inadvertently. We had 
examples in Florida of lists and certainly we have other 
statutes that require listing of epidemics--epidemiology with 
regard to transferable diseases. But they did disagree with the 
idea that the patient ought to have to give consent because 
their data is being sent.
    Mr. Horn. Has there been any effect on the quality of 
medical research to your knowledge?
    Mr. Hatch. No.
    Mr. Horn. Here people would argue the Shelby amendment is a 
problem.
    Mr. Hatch. Your Honor, in Minnesota the Department of 
Health has never issued any studies. They gather the data but 
no studies have ever been issued. And, indeed, if they did, 
given the fact that only 60 percent of the data is being 
transmitted, it is probably less credible than the research 
facilities that do get patient consent. They get about 97 
percent data response.
    My beef with that is simply that you ought to at least 
notify the patient. When you walk into a hospital you have to 
sign three times. One of them is a consent form that basically 
allows a transmission. It seems to me before it goes to the 
government, there ought to be some acknowledgment by the 
patient that it goes. Either that, or you can send the data, 
but just don't send the patient's name with it. Give it a code. 
That was my beef.
    Mr. Horn. In other words, your State health department 
could collect this data but would not need to have the address 
and the name of the person that is the result of that data?
    Mr. Hatch. Sir, yes, and my proposal did not pass. So 
that's the one that did not get enacted.
    Mr. Horn. How about it, Mr. Stone? How much of a difficulty 
would that be with, say, the management--disease managment 
companies?
    Mr. Stone. I think, Mr. Chairman, there are significant 
differences between research which requires aggregated data but 
does not require, as General Hatch suggested, patient names and 
identifiable information for the analysis on that data to be 
carried out, and for activities that are in the stream of 
delivering health care services, which is where our industry, 
our company, HHS, Senator Frist and Breaux and the President 
have all put disease management as part of the treatment side 
of medicine.
    And to do treatment effectively, you need to know who you 
are talking to and where they live and how to contact them so 
that you can have intermittent actions, whether those be face 
to face, phone, Internet or whatever, with those individuals in 
order to further their care.
    Mr. Horn. But does the patient know that this personal 
information is being released to you?
    Mr. Stone. I would say probably not, since in our case, 
anyway, all of our programs are private labeled for the insurer 
who is our customer. So the patients and their physicians are 
advised of a new diabetes program for Cigna Health Care. The 
patients are given an opportunity, in our model specifically, 
to opt out of participating in that program. Less than 2 
percent do. And if they don't, they begin to receive 
interactions as if our personnel were Cigna's personnel. So I 
doubt that they know that it's coming from American Health 
Ways.
    Mr. Horn. Now, you operate in all 50 States or what?
    Mr. Stone. We're currently operating, I think, in 33 
States.
    Mr. Horn. In 33 States; is there any way that employers, 
insurance companies, could get those lists of yours with, say, 
diabetes or cancer or whatever?
    Mr. Stone. Other than the insurance company that we are 
providing the program for? I guess there is, given the ability 
to tap into electronic data systems. But it would be extremely 
difficult since we are not using the Internet, we are operating 
on a closed network at the moment and we are transferring 
information back and forth with our insurance plan customers on 
a weekly or monthly basis.
    Mr. Horn. Well, what kind of data could you find in a small 
Minnesota town, let's say, where you have got 200 people and 
Olie is 57 years of age, you don't need his name, everybody in 
town knows he's 57. Isn't that a worry for you? I think it is 
for a lot of people who say, gee, the boss is going to hear 
that I've got this disease and there goes my pension.
    Mr. Stone. I think that the issue you're raising Mr. 
Chairman, is a very real issue. Most of the companies that we 
have talked to do not want to know, and create some very 
serious iron walls between their H.R. functions as it relates 
to their employees and those individuals in the organization 
who may have personal health care information and the review, 
hiring, firing processes of the company.
    We do not provide information back to an individual's 
employer. Our exchange is strictly limited to the health plan 
that has hired us to work with their members and their 
providers for the delivery of disease management services. So 
it is a very tight network.
    Mr. Horn. Well, could that health plan just cancel them 
like that? I find health plans aren't exactly easy to deal 
with.
    Mr. Stone. Without meaning to, obviously, to step on our 
customers' toes, again, I guess that's certainly possible. I 
think what's happened in the health plan industry--and I would, 
you know, defer to their industry association for more detailed 
response--that they have recognized finally that the days of 
riding the utilization review and contracting horses to margin 
are over. And with somewhere between 10 and 15 percent of all 
their members having chronic diseases, with all of us getting 
older, and therefore sicker, health plans have begun to realize 
that if they are going to ever return to any kind of reasonable 
margin level, they are going to have to take care of patients. 
And the basic premise underlying all disease management is that 
healthy people cost less.
    Mr. Horn. Now, you work with university medical researchers 
on a lot of your work?
    Mr. Stone. No, we don't.
    Mr. Horn. You don't?
    Mr. Stone. No.
    Mr. Horn. So there aren't any studies being done, then, as 
to the success or not success?
    Mr. Stone. Well, in fact, there are. In 1998, there was a 
study released by the Lewin Group, Dr. Rubin was the principal 
author, former assistant Secretary of HHS, which validated our 
outcomes for our diabetes program for 7,000 commercial members 
in HMOs. And as I alluded to in my testimony, next week we will 
be releasing a similar study on 20,000 HMO members in Medicare-
Plus Choice plans.
    So despite the fact that we are a commercial venture, we 
are fully prepared and have always been prepared to put our 
results out there to stand the scrutiny of public and 
scientific review, and in the hope that people will come to 
recognize that these kinds of programs do improve health, do 
create satisfied consumers and providers and save significant 
amounts of money.
    Mr. Horn. Let me round that one out. When an organization 
or a company such as yours or other types in medical research 
receive public money for, say, research, does the taxpayers or 
the government at all levels have access to private records 
used in a publicly funded study? I would be interested in what 
you all think on that one.
    Mr. Stone. I don't know that I have the expertise to 
respond to that. I do know that 2 years ago we entered into an 
agreement with NIH to provide them with blinded aggregate data 
from our database. And it is now the largest single database on 
diabetes in the country. NIH was perfectly happy to take that 
data in a blinded format without any patient identifiers on it. 
Although I have to admit in 2 years they have never once asked 
us for anything.
    Mr. Horn. Mr. Hatch.
    Mr. Hatch. The issue I was going to advise in private 
practice as a lawyer--I represented insurance companies and 
third-party administrators as well as some patients, actually, 
but the third-party administrators of self-insured plans all--I 
shouldn't say all, but most at one time or another do get a 
request from an employer with regard to issues concerning 
health care. They were uniformly advised you have ADA issues 
here; don't recommend that you be doing this. On the other hand 
they are telling me: That is easy for to you say, but that is 
my largest client.
    And I recall vividly, one being a trucking company, 
requests the copies of anyone having chemical dependencies. The 
issues here--this is the other side of it. The public, if 
you're a patient and you're aware that that data is going to be 
transmitted beyond the doctor, you won't get treatment. I will 
not go in for chemical dependency treatment if I know that my 
employer will find out. Or as an Attorney General, if the 
voters would find out, maybe it is something that I want to 
keep confidential.
    Too many areas, venereal diseases, there are too many 
issues that crop up in our lives. But if I know that that is 
being transmitted, that is going to interfere with the 
physician's ability to treat the patient.
    And I don't have any problem with aggregate data, even with 
patient identifier data if the patient signs off, gives a 
consent. And my understanding is that roughly 97 percent of the 
public will give consent on that, at least participated in that 
decision.
    Mr. Horn. Mr. Veator.
    Mr. Veator. We currently have a bill in front of the 
Massachusetts Legislature relating to just that question. And I 
think the issues have come down to the same, which is how do 
you ensure or motivate the use of aggregated, deidentified 
data, and then how do you protect people who want medical 
services and at the same time are aware that either through 
sharing information by insurance companies between either 
health care insurers or life insurers, how you get medical 
services when they're worried about that data being 
disseminated, properly, as it turns out in many cases. Those 
are the issues I know that the Massachusetts Legislature is 
dealing with now.
    Mr. Horn. In your research on that, in Massachusetts, are 
there a number of States doing the same thing?
    Mr. Veator. I think so. I know that California, for 
example, has either enacted or has something pending along 
those lines.
    Mr. Horn. Let me ask you, Mr. Spotila, what's the Federal 
Government's position on this?
    Mr. Spotila. There are two aspects I would point out. Aside 
from this issue of aggregate data versus treatment information, 
we are also aware that the Centers for Disease Control and 
perhaps other public health agencies might have access to 
information about medical conditions. But they have handled 
that information in accordance with the Privacy Act and other 
confidentiality restrictions. There's always a need for balance 
between proper use and privacy.
    The proposed rule that the Department of Health and Human 
Services has put out on health privacy also deals with this 
subject. We are likely to see an addressing of it in the final 
rule either through the setting of criteria or insistence that 
the identification tags be removed from some of that 
information.
    It's an important question. It's very much on everyone's 
mind, and we are trying to strike the right balance to make 
certain that we don't lose some of the advantages, whether it 
be improved treatment or public health response, as we take 
better steps to protect individual privacy.
    Mr. Horn. Let me move back to Attorney General Hatch now. 
In your testimony, you mentioned how you took legal action 
against the U.S. bank for selling personal information to 
marketing companies such as Member Works Incorporated. I'm 
curious, what additional actions did the Minnesota courts take 
to protect the interests in personal privacy?
    Mr. Hatch. The courts or the legislature? The courts?
    Mr. Horn. The courts.
    Mr. Hatch. Well, both cases settled, so they did not go any 
further than that. I think there's still a class action that's 
pending in the private side of it.
    In the U.S. bank case, the bank did agree to prohibit--to 
not agree to any distribution even with consent, basically. 
They cannot distribute information to third-party marketers. 
They can distribute to affiliates on an opt-out. So it is--
oddly enough, that bank is probably working under stricter 
guidelines than any other bank in the country right now.
    The Member Works we did settle. The allegation there was 
essentially they took the data, including the date of birth, 
and basically according to the audiotapes of the supposed 
consent, our estimate is roughly half never agreed to any 
acquisition. While we did not have statistics on it, I was 
surprised at the age of people; it could be that they're the 
only ones home that are answering the phones; could be they are 
the ones that are most vulnerable to a direct sales pitch. But 
it may also be that companies are targeting that group, and I 
don't know. But we will have more knowledge on that I think by 
year end as we're gathering through it and looking at other 
cases.
    But it appears that, you know, the financial data, two-
thirds of fraud basically is directed against senior citizens, 
No. 1, because they've got the money, it is their nest egg; and 
No. 2, they are perhaps more trusting, more vulnerable.
    And financial data in the wrong hands is very--can be very 
dangerous. And the courts have not gone further, but other than 
that, we do have class actions pending.
    Mr. Horn. We have another few hours this week, not for your 
panel, but for the panel on Tuesday and we will set up another 
panel, panels one and two, on the Tuesday one, and then we will 
have a hearing later in the week on a related subject, which 
involves Social Security in relation to privacy and the numbers 
thereof.
    So what I'm going to do today is just thank you all, 
because you have given us a number of vital perspectives that 
we really need, and we hadn't thought about. So I am most 
grateful to you for the testimony you have given to us.
    And I do want to thank the staff for putting this together 
and that is J. Russell George, the staff director and chief 
counsel for the Government Management, Information, and 
Technology Subcommittee; and then on my left, your right, 
Heather Bailey is the counsel for this hearing. Bonnie Heald, 
director of communications back there next to Mr. George; Bryan 
Sisk, the clerk; and Liz Seong, is an intern; and Michael Soon, 
intern. And then Trey Henderson is counsel for Mr. Turner, the 
ranking member, and the minority; Jean Gosa is minority clerk. 
And we have today Doreen Dotzler and Joe Strickland as the 
court reporters.
    And I will now read the statement from the Attorney General 
of the State of Texas and put that in the record.
    I don't know if the Attorney General is Democrat or 
Republican. You might know.
    Mr. Hatch. He's a Republican.
    Mr. Horn. He's a Republican, OK. Because I know the 
Governor has a lot of Democrats in the State government, so I 
did not quite know whether this was one of the Republicans that 
got in. But his letter is very interesting. He said--this is 
John Cornyn, Attorney General of Texas. He says:

    I want to express my support for the privacy commission, 
H.R. 4049, under consideration by our committee here. And this 
legislation proposes the creation of a privacy commission that 
will undertake a comprehensive study of the issues relating to 
the protection of individual privacy and the appropriate 
balance to be achieved between protecting individual privacy 
and allowing appropriate uses of information.
    With the advent of the Internet and the information era, 
privacy has become a central issue for American citizens, 
industry and policymakers. As consumers are becoming more aware 
of the personal information that is being collected and used by 
on-line companies, their concern about individual privacy is 
growing.
    The technology industry is also focused on the privacy 
issue. Recognizing that the future of the Internet depends on 
consumer confidence, the technology community has taken 
laudable steps to develop self-regulatory standing programs to 
build consumer trust in the new medium. The erosion of the 
consumer trust poses a serious threat to personal privacy and 
the future success of e-commerce and thus creates the need for 
government to consider appropriate steps for the protection of 
consumer privacy.
    At the same time, however we must find a way to protect 
consumer privacy without stifling growth and innovation in the 
rapidly changing world of cyberspace. I believe the 
establishment of this commission is a step in the right 
direction toward achieving this balance.
    Over the past few years, privacy initiatives have cropped 
up across the country. The Federal Government, States, the 
private sector, industry groups, and consumer groups have all 
formed working groups to study the issue. None of these 
initiatives, however, appear to be taking the coordinated 
global approach proposed by the Privacy Commission Act.
    Because the Internet has no boundaries, it is imperative 
that Federal, State and local efforts to protect privacy and 
encourage the growth of the new economy be coordinated. 
Government, industry and consumer groups need to work together 
to help define their appropriate roles in achieving a balanced 
solution to the privacy problem. State attorneys general have a 
unique perspective to share in this debate because we are 
responsible for protecting consumers' rights in 50 States.
    As the Attorney General of Texas, I am deeply concerned 
about the privacy issue. In particular, I am concerned about 
protecting children's privacy and maintaining the 
confidentiality of sensitive medical and financial information. 
In Texas, we are currently studying our laws to determine how 
we can best protect consumer privacy while still encouraging 
the growth of e-commerce.
    My office has created an Internet bureau that will protect 
consumers' privacy on-line in addition to fighting cybercrime. 
Over the last month, I have met with numerous members of our 
very large and growing technology community in Texas. I have 
gained an understanding of the industry's concerns and its 
efforts to regulate itself in the privacy arena. In Texas, we 
are working to protect consumers while fostering the growth of 
technology businesses.
    Because I believe the proposed privacy commission will help 
coordinate the efforts and perspectives of all of us involved 
in the privacy debate, I encourage your subcommittee to support 
the proposed Privacy Commission Act.
    Thank you for your consideration of my views. I 
respectfully request this letter be submitted for the record.

    We thank you; and we thank Attorney General Hatch; and we 
thank you, Mr. Veator, on the State perspective; and we thank 
you, Mr. Stone, on the very interesting and unique model that 
is going on in disease management. And we thank you, Mr. 
Spotila, for giving us the broad view of what is going on in 
the Federal Government. Thank you very much for coming.
    Now, the Democratic staff and the Republican staff might 
have additional questions, and if you don't mind we would like 
you to respond to them because Mr. Turner had to go out for a 
very important meeting. He might well have some questions, and 
we would appreciate it if you would give those answers. We will 
put them in the record without objection at this point.
    At this point, we are recessing until Tuesday at 2 p.m. to 
continue the rest of the panels, and that is in room 2247. The 
full committee, I believe, is in here. It will be in room 2154. 
The full committee is not meeting.
    With that, we are adjourned.
    [Whereupon, at 4:03 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T1178.045

[GRAPHIC] [TIFF OMITTED] T1178.046

[GRAPHIC] [TIFF OMITTED] T1178.047

[GRAPHIC] [TIFF OMITTED] T1178.048

[GRAPHIC] [TIFF OMITTED] T1178.049

[GRAPHIC] [TIFF OMITTED] T1178.050

[GRAPHIC] [TIFF OMITTED] T1178.051

[GRAPHIC] [TIFF OMITTED] T1178.052

[GRAPHIC] [TIFF OMITTED] T1178.053



   H.R. 4049, TO ESTABLISH THE COMMISSION FOR COMPREHENSIVE STUDY OF 
                           PRIVACY PROTECTION

                              ----------                              


                         TUESDAY, MAY 16, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Turner, and Waxman (ex 
officio).
    Also present: Representatives Hutchinson and Moran of 
Virginia.
    Staff present: J. Russell George, staff director; Bonnie 
Heald, communications director; Heather Bailey, professional 
staff member; Bryan Sisk, clerk; Liz Seong and Michael Soon, 
interns; Phil Barnett, minority chief counsel; Kristin 
Amerling, minority deputy chief counsel; Michelle Ash and Trey 
Henderson, minority counsels; and Jean Gosa, minority assistant 
clerk.
    Mr. Horn. A quorum is present. We have a vote on the floor, 
and we will be in recess until 20 after 2. We're in recess.
    [Recess.]
    Mr. Horn. A quorum being present, this hearing of the 
Subcommittee on Government Management, Information, and 
Technology will resume.
    The subcommittee is continuing its examination of H.R. 
4049, a bill to establish a commission on the comprehensive 
study of privacy protection.
    Yesterday the Honorable John Spotila, Administrator of 
Regulatory Affairs at the Office of Management and Budget, 
testified about the efforts being taken by Federal agencies to 
protect private information against inappropriate disclosure.
    Minnesota's Attorney General Mike Hatch and Mr. David 
Veator, from the Massachusetts' Office of Consumer Affairs and 
Business Regulation discussed the complexities of attempting to 
craft appropriate State legislation.
    Our fourth witness was from the private sector and 
discussed why such legislation is necessary. Mr. Robert Stone 
is the executive vice president of American Healthways, a 
company that provides disease management programs to about 
170,000 people enrolled in health maintenance organizations. 
His company sets up treatment plans for patients with chronic 
illnesses. Mr. Stone testified that in many States HMOs share 
their patients' medical records with disease management 
companies such as American Healthways, even though most 
patients are unaware that a third party is viewing their 
personal records.
    With that, we will proceed with the panels today, and we 
will begin with panel one for Tuesday. Mr. Belair I see is 
here, editor of Privacy & American Business; Dr. Mary Culnan, 
professor, McDonough School of Business, Georgetown University; 
Christine Varney, former Commissioner, Federal Trade 
Commission; and Solveig Singleton, Director of Information 
Studies at the CATO Institute; Ron Plesser, legislative 
counsel, 1977 Privacy Commission, and Stanley Sokul, member of 
the Advisory Commission on Electronic Commerce.
    Let me explain how the subcommittee works. We work 
essentially that once--we're going right down the line, and 
your statement is fully put in the record. We'd like you to 
summarize it in 5 minutes so we can have a dialog between the 
Members here and the other witnesses so we get something from 
that besides simply a written paper. In the case of government 
agencies, usually the person's never written the paper, but 
you're different, and I know you struggled over it probably 
like all of us when we are in the private sector.
    So we will also have panel two today, the Honorable Edward 
Markey, Member from Massachusetts; the Honorable Joe Barton, 
Member from Texas; the Honorable Jim Greenwood, Member from 
Pennsylvania, and they will join us on panel two.
    So we think we are without a lot of votes to disrupt us 
today, but that's democracy, so we have to do that. It's always 
a pleasure to take a walk anyhow around here.
    [The prepared statement of Hon. Stephen Horn follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.054
    
    [GRAPHIC] [TIFF OMITTED] T1178.055
    
    Mr. Horn. So we will begin, then, with, besides my opening 
statement, I believe the gentleman, the ranking member on the 
full committee, Mr. Waxman for an opening statement.
    Mr. Waxman. Thank you very much, Mr. Chairman. I want to 
commend you for holding hearings today and yesterday on H.R. 
4049. I regret I was unable to attend yesterday's session due 
to a preexisting schedule conflict. I was flying back from Los 
Angeles. You know how that is, Mr. Chairman. But I understand 
the session was informative.
    H.R. 4049 proposes a $2.5 million privacy commission to 
study a wide range of very complex issues that affect a 
tremendous number of stakeholders. It is important to examine 
this proposal carefully and ensure that those with relevant 
expertise and experience have had a chance to review it, and I 
appreciate that you facilitated that process with this week's 
hearings.
    The schedule the subcommittee has set for moving this 
legislation forward, however, may be self-defeating. Many of us 
want strong privacy legislation, but the rushing pace we are 
following with this bill may result in legislation that is 
counterproductive to privacy efforts. H.R. 4049 was introduced 
at the end of March. The subcommittee announced last week that 
it is interested in having a markup by next week. This 
intention to mark up this bill by next week was announced 
before the subcommittee even heard from the many experts that 
are coming before us this week, and as we saw from testimony 
and statements provided yesterday, the bill poses numerous 
issues that require careful thought. I fear that by rushing, we 
could foreclose the opportunity to design a commission we can 
be confident would be an effective use of taxpayers' dollars. 
It would be ironic if those arguing for a deliberate, thorough 
commission review of privacy issues do not give deliberate, 
thorough consideration to issues relevant to establishing such 
a commission.
    I think it's worthy noting that the pace in which the 
committee is moving on this proposal to study privacy stands in 
stark contrast to the complete lack of attention the committee 
has paid to legislation that would actually establish privacy 
protections. For example, in May of last year, Mr. Condit, 
myself, Mr. Markey, Mr. Dingell, Mr. Turner, and many other 
colleagues on this committee and others introduced legislation 
that would establish comprehensive privacy protections for 
individuals' medical records. That bill was referred to this 
very subcommittee, yet 12 months later there's been no 
consideration whatsoever of that bill or other medical privacy 
proposals that have been referred to this subcommittee.
    As we examine the merits of H.R. 4049, it's imperative that 
we remember that Congress has a responsibility to do more than 
request the study of privacy issues. Congress should act 
immediately to address serious privacy concerns in several 
areas. For example, many individuals currently are withholding 
medical information from their health care providers, even 
avoiding medical care for fear of privacy violations.
    Years of congressional hearings and study by governmental 
and nongovernmental entities have provided us with more than 
sufficient information to take action to enact comprehensive 
medical privacy protections. Congress also must ensure that 
adequate privacy protections apply to individuals' financial 
information.
    One of the questions that has arisen about the Privacy 
Commission proposal is whether a commission would delay ongoing 
privacy initiatives. I understand the proponents of the 
legislation have emphasized that this measure is intended to 
complement, not delay, ongoing efforts. However, I think that 
an April 17, 2000, editorial in the Life and Financial Services 
edition of the National Underwriter magazine provides insight 
into this issue. The editorial chides the Financial Services 
Coordinating Council, which represents insurance companies and 
securities firms, for failing to endorse H.R. 4049, arguing 
that, ``by not lending its considerable weight to the effort to 
enact the bill, FSCC may be missing a golden opportunity to 
forestall highly restrictive privacy measures that will be 
introduced both in Congress and in State legislatures around 
the country.''
    The editorial further stated, ``If the financial services 
industry can make a strong economic case for the consumer 
benefits of information-sharing, the bipartisan Commission 
proposed by Representatives Hutchison and Moran provides the 
best forum to do it. Moreover, the presence of such a 
commission will provide a strong argument for Congress and the 
State legislators to wait for the results before enacting 
highly restrictive privacy legislation.''
    This editorial underscores that despite the best intentions 
of the proposal's authors, others may well want to use it to 
impede privacy protection efforts.
    If we are to move forward with H.R. 4049, we must ensure 
that any privacy commission created is structured so that its 
deliberations will involve consensus-building instead of 
divisiveness, and so that members on the Commission have 
appropriate expertise and experience. Further, the Commission's 
resources and powers must be consistent with the mandate it is 
expected to carry out.
    In this week's hearing on the bill, we are receiving 
testimony from individuals who have been involved with the 
study of privacy or who have worked on privacy initiatives. 
These witnesses can help us better understand the issues 
relevant to constructing an effective commission. I look 
forward to the testimony of today's witnesses.
    I want to note that in addition to statements submitted 
yesterday for the record, I've received comments on this bill 
from privacy consultant Robert Gelman and would like to enter 
his statement into the record. I also request that we keep the 
record open for 2 weeks.
    Mr. Horn. Without objection, that will be put in the 
record.
    [The prepared statement of Hon. Henry A. Waxman follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.056
    
    [GRAPHIC] [TIFF OMITTED] T1178.057
    
    [GRAPHIC] [TIFF OMITTED] T1178.058
    
    [GRAPHIC] [TIFF OMITTED] T1178.059
    
    [GRAPHIC] [TIFF OMITTED] T1178.060
    
    [GRAPHIC] [TIFF OMITTED] T1178.061
    
    [GRAPHIC] [TIFF OMITTED] T1178.062
    
    [GRAPHIC] [TIFF OMITTED] T1178.063
    
    Mr. Waxman. My second request is that we keep the record 
open for 2 weeks so that others with expertise and interest in 
these issues may also submit their comments.
    Mr. Horn. Well, let's try with 1 week, and if there's still 
some more, because I wouldn't want us to adjourn too much and 
not get this done. As you say, this is a very important issue, 
and we've been trying to get a number of people to do something 
about it. So that's why these hearings. We've got another 
hearing this week, and everybody is welcome.
    Mr. Waxman. Mr. Chairman, you're willing to have 1 week for 
anyone to submit their comments for the record?
    Mr. Horn. Yes, and if there's others, we'll work it out. We 
don't really need a rule on it. We'll just put it all in the 
record.
    [The prepared statements of Hon. Jim Turner and Ms. 
Blumenthal follow:]

[GRAPHIC] [TIFF OMITTED] T1178.064

[GRAPHIC] [TIFF OMITTED] T1178.065

[GRAPHIC] [TIFF OMITTED] T1178.066

[GRAPHIC] [TIFF OMITTED] T1178.067

[GRAPHIC] [TIFF OMITTED] T1178.068

[GRAPHIC] [TIFF OMITTED] T1178.069

    Mr. Horn. The gentleman from Arkansas. Thank you. The other 
member from the full committee. We're always glad to have you 
here.
    Mr. Hutchinson. Thank you, Mr. Chairman. I want to express 
my appreciation to the ranking member of the full committee, 
Mr. Waxman, for his thoughtful letter that he sent after the 
first round of hearings.
    As everyone knows, this is the third day of hearings on 
this particular Privacy Commission proposal, and I think it is 
good for America. It's certainly good for this Congress to hear 
from such distinguished experts on the issues of privacy and to 
learn the history of what we've done from a legislative 
standpoint on the issues of privacy and what we need to do, and 
Mr. Waxman's letter certainly provoked 2 more days of hearings, 
which is exactly what we need, and I think it has been very, 
very instructive. So I was pleased that the chairman responded 
to that request from Mr. Waxman by scheduling yesterday's 
hearings and today's as well.
    I did want to respond to a couple of the remarks of the 
ranking gentleman who mentioned that he was concerned that we 
would rush to markup on this bill, a commission bill. Of 
course, we've passed legislation out of the House in terms of--
even though it didn't come into law, we passed a commission for 
studying campaign finance laws. We've had a Medicare 
commission. So the structures of commissions have been on the 
table for some time. But I think it is important that we get 
the broadest range of input as possible, and I would solicit, 
Mr. Waxman, any suggestions that you have. We've been in 
contact with your staff, and we would certainly love your ideas 
on how this legislation can be improved.
    But I think there is a concern in terms of the markup. This 
is May, and this legislative year consists of June and July. 
We're out August and in September, and then it's gone. And in a 
puff of smoke we're out of here, and it's going to be very 
difficult even on a fast track to get legislation through the 
House and Senate. And for that reason I would hope that we will 
continue to move forward this proposal as well as other 
proposals that have a consensus in this body in terms of 
privacy. And I think it would be regretful if we went home the 
end of this year and told the American people we did nothing on 
privacy. So I hope that we can.
    I'm glad the agencies are moving forward. Whatever happens 
in terms of the agencies, whatever happens in terms of other 
legislation, it's important that we continue to study this in a 
thoughtful and comprehensive manner. This mission is designed 
to complement, complement other issues that are out there and 
not to be exclusive. I just want to assure the ranking member 
that that is my intent, and I hope everyone in Congress looks 
at it the same way.
    With that I'll be happy to yield and look forward to the 
testimony of the witnesses.
    Mr. Horn. If the witnesses will stand and raise their right 
hands to affirm the oath.
    [Witnesses sworn.]
    Mr. Horn. The six witnesses did affirm. The clerk will note 
that, and we'll proceed with panel one. The first one is Bob 
Belair, editor, Privacy & American Business. Glad to have you 
here.

STATEMENTS OF BOB BELAIR, EDITOR, PRIVACY & AMERICAN BUSINESS; 
     MARY CULNAN, PROFESSOR, McDONOUGH SCHOOL OF BUSINESS, 
 GEORGETOWN UNIVERSITY; CHRISTINE VARNEY, FORMER COMMISSIONER, 
   FEDERAL TRADE COMMISSION; SOLVEIG SINGLETON, DIRECTOR OF 
 INFORMATION STUDIES, CATO INSTITUTE; RON PLESSER, LEGISLATIVE 
 COUNSEL, 1977 PRIVACY COMMISSION; AND STANLEY SOKUL, MEMBER, 
           ADVISORY COMMISSION ON ELECTRONIC COMMERCE

    Mr. Belair. Thank you, Mr. Chairman. Let me commend you and 
the members of the subcommittee, and Mr. Hutchison and my 
Congressman Mr. Moran for your leadership on this bill. I'm 
delighted to be here. I think I can catch you up a bit in terms 
of time. I appreciate your rescheduling me from yesterday when 
I couldn't make it to today, and mindful of that and the big 
panel, I'll be very, very brief.
    Let me just say first in response to Mr. Waxman's comments, 
Privacy & American Business, we are not for delay. We have 
supported health information privacy legislation. We have 
supported other types of legislation when we think that that's 
the right response and when we think it's ready. We will 
support this legislation and the establishment of a commission 
in one of our upcoming editorials. We will lay that out. And 
we'll address our view that this will not lead to delay, as Mr. 
Hutchison indicated, obviously.
    And you folks know better than I do we're at the end of 
this Congress. It's going to be very, very difficult to get 
substantive privacy legislation through in this Congress. 
Obviously it takes time to organize a new Congress, and your 
bill does provide for interim reports as well, I'm sure, as 
other kinds of periodic reports to the Congress as necessary. 
We don't view it as delay. We view it as a very appropriate 
opportunity to think comprehensively about the privacy issue.
    And very briefly let me just say that we support the 
legislation, and we support the concept of a new privacy 
commission for three reasons. First of all, the activity with 
respect to privacy rights now is extraordinary. It is truly 
unprecedented. One example I think is dramatic. Last cycle, the 
1999 cycle for State legislatures, we tracked over 7,000 
privacy bills. That's one out of every five bills introduced in 
the State legislatures. Obviously there's intense regulatory 
activity at the State level behind that. There's intense 
activity here. We don't want to slow that down, but on the 
other hand we think that it's important to take a look at what 
that legislation is and what it will do, what the consequences 
and the unintended consequences are.
    Second, the underlying developments that are fueling the 
privacy debate are changing extraordinarily rapidly. The self-
regulatory environment changes. The technology environment 
changes. I think if you would have asked folks in this room 3 
years ago to define ``cookies,'' you would have gotten a 
definition that today we would snicker at and think is very, 
very naive. The international environment is changing and is 
uncertain. The business models that have fueled the privacy 
debate, affiliate sharing, personalization, these, too, are 
terms that I don't think you would have heard in public debate 
3 or 4 years ago. It's critical that we sort this out.
    Finally, third, although we've all worked very hard at 
privacy, and for many of us for a long time, there is an awful 
lot, in fact, we don't know. The Internet privacy threat is 
new, and the dimensions of that threat as well as the 
consequences of regulating the Internet have an enormous number 
of uncertainties. The public records debate is very important, 
and what impact on the marketplace and on public safety 
restrictions on public records could have in the name of 
privacy is critical.
    Obviously we don't yet know what the impact of the 
Children's On-Line Privacy Protection Act is going to be or the 
impact of Title V, the privacy provisions in last year's 
Graham-Leach-Bliley bill. We don't even know--and certainly not 
in a careful sense--when opt-out and a robust notice makes 
sense versus when we ought to do opt-in. And if you look at the 
factors that have been the pivot points for the privacy 
legislation to date, sometimes it's subject matter such as in 
financial or medical legislation. Sometimes it's the source, 
such as legislation that would regulate access to motor vehicle 
records. Sometimes it's the use that is the key determinant, 
such as FCRA. Sometimes it's the type of consumer, such as 
COPPA. Sometimes it's the amalgamation such as the number of 
bills that would address amalgamating offline and on-line 
information.
    We still have debates about whether the U.S. traditional 
approach, a sector-by-sector approach, makes sense. We have 
debates about a privacy regulatory agency, and it's worth 
noting that while we have been having that debate, the FTC--and 
I used to be at the FTC, and one of my colleagues, of course, 
on the panel is a former Commissioner--the FTC has done a lot 
of good stuff, but the truth is they have emerged as the 
Nation's privacy regulatory agency. Maybe that's OK, but it's 
been done without a debate, without consideration.
    Preemption remains an issue, and let me just close by 
saying we really are at a juncture in the road. It's going to 
change dramatically over the next few years. We need to figure 
out a way to protect privacy, but also make sure that we use 
personal information effectively for public safety, to deliver 
goods and services to consumers for research, to personalize 
the marketplace, which is going to be such an important 
economic stimulator so the stakes are high. Let's do it right, 
and I applaud the subcommittee, and I applaud the sponsors of 
the legislation and will continue to be supportive. Thank you.
    Mr. Horn. Well, I thank you. You did a fine job of summary, 
and you did it under 6 minutes. So thank you.
    [The prepared statement of Mr. Belair follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.070
    
    [GRAPHIC] [TIFF OMITTED] T1178.071
    
    [GRAPHIC] [TIFF OMITTED] T1178.072
    
    [GRAPHIC] [TIFF OMITTED] T1178.073
    
    [GRAPHIC] [TIFF OMITTED] T1178.074
    
    [GRAPHIC] [TIFF OMITTED] T1178.075
    
    [GRAPHIC] [TIFF OMITTED] T1178.076
    
    Mr. Horn. Dr. Culnan.
    Ms. Culnan. Thank you, Chairman Horn. Thank you for 
inviting me to testify. I also want to thank Representative 
Waxman for his interest in support of this issue, and to 
Representative Hutchison for introducing the legislation.
    My name is Mary Culnan, and I'm a professor at Georgetown 
University, where I teach electronic commerce. I also bring 
additional background to this panel as I have served as a 
Commissioner on the President's Commission on Critical 
Infrastructure Protection, and I also finished just this week 
serving as a member of the FTC Advisory Committee on Access and 
Security.
    I also support the establishment of a privacy commission. 
Bob Belair did an excellent job of summarizing some of the 
issues that commend the establishment of such a commission. I 
don't think anyone could have foreseen in 1977 the changes that 
the personal computer and the Internet would bring in our work 
lives, our home lives and in the world in general today. So I 
think it's time to revisit these issues on a broad, 
comprehensive scale, because most of our legislative efforts 
have been sectoral.
    I only want to address two primary concerns I do have about 
the legislation, and I raise some other issues in my written 
testimony. The first issue is that H.R. 4049 doesn't specify 
any criteria for the Commission to use in performing its 
evaluation, and I think this is a major shortcoming. Since the 
PPSC issued its report in 1977, fair information practices have 
emerged as a global standard for striking an appropriate 
balance between protecting individual privacy and allowing 
appropriate uses of information for a lot of the purposes that 
Bob Belair described.
    There is not consensus on how to implement fair information 
practices, but there is a consensus that they are global 
standards, and I believe the Commission's findings and 
recommendations should be based on the extent to which fair 
information practices have been implemented across the domains 
of the Commission's work. They should also be used as criteria 
to evaluate the current efforts that have been undertaken to 
protect privacy that are specified in the legislation both in 
the private sector, the Federal Government, and in the States.
    My second concern is that of a taxpayer, since I will be 
helping to fund the Commission. I think the legislation defines 
an ambitious agenda for the Commission. I have some concerns 
that the Commission will be able to complete its work in the 
time specified, given that it's required to hold so many 
hearings. I believe the number is 20. While public hearings are 
an important way to gather information and to make the 
Commission's work accessible to the public, many privacy issues 
are complex, and public hearings are not necessarily the most 
effective forum to sort these issues out in detail. When I 
served on the PCCIP, we held one half-day public hearing in 
each of five regions of the country. We also had meetings with 
business executives, academics, and government officials in 
each city. We held a number of conferences and workshops, and 
we were briefed by a wide range of individuals and 
organizations. Overall we had contacts with more than 6,000 
associations, corporations, government agencies, and 
individuals.
    I think the Commission will need to use a variety of 
methods, including public hearings, for gathering information. 
Since the commissioners are going to be serving without pay, 
the legislation will need to better balance the time demands of 
serving on the Commission with the demands of the 
Commissioners' existing job responsibilities. They will be able 
to do much of their work electronically, but they will also 
need to meet in person to take testimony, for briefings and to 
deliberate. There should be at least one hearing in each region 
of the country, but given there is probably an upper limit on 
the amount of time people can devote, I think the Commission 
should decide what methods will best help make its members able 
to complete their work.
    And then finally I would like to second Representative 
Waxman's call about appointing people to the Commission who can 
work together and promote a consensus, because these issues are 
very difficult. It's very important that the Commission 
represent a range of expertise and perspectives. Otherwise its 
results will not be credible. But if the people--if it's a very 
fractious group, also they won't be able to work together to 
promote a consensus, and I think that's awfully important.
    So I want to thank you again for inviting me to testify, 
and I look forward to your questions.
    Mr. Horn. Thank you very much. You did it all within 5 
minutes. So thank you. I didn't know professors could speak in 
less than 50-minute modules. Since I am a professor, I have 
great difficulty with this committee. Thank you very much.
    [The prepared statement of Ms. Culnan follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.077
    
    [GRAPHIC] [TIFF OMITTED] T1178.078
    
    [GRAPHIC] [TIFF OMITTED] T1178.079
    
    [GRAPHIC] [TIFF OMITTED] T1178.080
    
    [GRAPHIC] [TIFF OMITTED] T1178.081
    
    [GRAPHIC] [TIFF OMITTED] T1178.082
    
    Mr. Horn. Now Ms. Varney, former Commissioner in the 
Federal Trade Commission.
    Ms. Varney. Thank you, Mr. Chairman, Mr. Hutchison, Mr. 
Waxman. Thank you very much for inviting me to testify this 
afternoon on H.R. 4049, the Privacy Commission Act. My name is 
Christine Varney. I'm currently a partner at Hogan & Hartson, 
and where I chair the Internet Practice Group, and I have 
served on the Federal Trade Commission from 1994 through 1997, 
I believe, and did extensive work on privacy while at the 
Commission.
    With your permission, I have submitted for the record 
extensive descriptions of fair information and privacy 
practices that can be used for future reference, but I would 
like to take a few minutes to discuss the bill.
    As you know, privacy is not a new issue. As I think you 
have heard from other panelists, here in the United States we 
have a long history of examining the rights of Americans to be 
free from unwanted and unwarranted intrusions, including the 
collection, use of personal information about them without 
their knowledge or consent. What is new, however, is that in 
the information age, the ease with which information about 
individuals can be gathered, aggregated, and disseminated is 
unparalleled. There are virtually no costs or meaningful 
economic barriers any longer to gathering extensive information 
about individuals and using it for any purpose whatsoever.
    This trend has not gone unnoticed by the American public. 
In survey after survey, Americans are regularly responding that 
privacy is their No. 1 concern on the Internet. However, this 
concern goes beyond the Internet. Although the Internet make it 
is easy to collect, aggregate and transfer information, privacy 
concerns don't stop in cyberspace. As you know, there has been 
concern around the use of personal information and potential 
for abuse of that information for quite some time. Indeed, 
Congress has already enacted several laws that deal with or 
touch upon the use of personal information, including, to name 
just a few, the Fair Credit Reporting Act, the Children's On-
Line Privacy Protection Act, the Financial Services 
Modernization Act, the Electronic Funds Transfer Act, the 
Electronic Communications Privacy Act, the Drivers Privacy 
Protection Act, the Telephone Consumer Protection Act, the 
Cable Communications Policy Act, the Video Privacy Protection 
Act, and I could go on.
    There are also a myriad of State law protections in place. 
What is missing, in my view, is a comprehensive and thoughtful 
review of the old and new laws and their effectiveness in the 
information age. Therefore, I wholeheartedly support the 
proposals in H.R. 4049 to create a privacy commission. I think 
Dr. Culnan has raised some serious concern about how to 
structure the Commission.
    Let me say a few more words about commissions, having been 
a Federal Trade Commissioner. As we have seen with other 
commissions, the work and the results of the Commission can be 
directly attributable to the composition of the Commission 
itself. Should this Commission be established, I would urge 
that all of those who have the ability to appoint Commissioners 
consider the commitment of a potential appointee to reach 
consensus as opposed to furthering an agenda. The issues are 
complex, and the solutions must be equally comprehensive. Those 
who have sat before you and talked about self-regulation as a 
failure and legislation as the answer, or self-regulation as a 
panacea and legislation as repugnant are, in my view, clearly 
missing the point.
    The point in the information age has to be how can American 
consumers, whether they are consuming medical information and 
services, financial information and services, or other 
commercial information, protect themselves and their privacy 
desires? In some instances there will be technological 
solutions. In some instances there will be best practices, and 
in other instances there may be loopholes in existing law that 
need to be closed or absence of law altogether.
    Too often the privacy debate has been polarized between 
those who wish to prohibit the use of personal information for 
any and all purposes and those who wish to exploit the use of 
personal information for any and all purposes. Neither of these 
postures addresses the increasing concerns of Americans 
regarding protection of their personal privacy while allowing 
for its beneficial use. Neither of these positions, frankly, 
can bring a balanced, economically viable and societally 
appropriate conclusion to the privacy debate.
    Thus I would urge that this Commission be created, but that 
the goal of the Commission be clearly articulated as suggesting 
to the Congress a legal framework that balances both the 
economic benefits of the free flow of information with the 
rights of individuals to maintain their own preferred zones of 
privacy through whatever means makes sense in any given 
situation, be those means technological, legal or otherwise.
    What will not advance the protection of privacy in the 
information age is a deadlocked Commission with a faction 
opposed to any meaningful use of information and a faction 
opposed to any meaningful limits on the use of information.
    Thank you very much.
    Mr. Horn. We thank you. That's a very helpful statement, 
and you're well within time.
    [The prepared statement of Ms. Varney follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.083
    
    [GRAPHIC] [TIFF OMITTED] T1178.084
    
    [GRAPHIC] [TIFF OMITTED] T1178.085
    
    [GRAPHIC] [TIFF OMITTED] T1178.086
    
    [GRAPHIC] [TIFF OMITTED] T1178.087
    
    [GRAPHIC] [TIFF OMITTED] T1178.088
    
    [GRAPHIC] [TIFF OMITTED] T1178.089
    
    [GRAPHIC] [TIFF OMITTED] T1178.090
    
    [GRAPHIC] [TIFF OMITTED] T1178.091
    
    [GRAPHIC] [TIFF OMITTED] T1178.092
    
    [GRAPHIC] [TIFF OMITTED] T1178.093
    
    [GRAPHIC] [TIFF OMITTED] T1178.094
    
    [GRAPHIC] [TIFF OMITTED] T1178.095
    
    [GRAPHIC] [TIFF OMITTED] T1178.096
    
    [GRAPHIC] [TIFF OMITTED] T1178.097
    
    [GRAPHIC] [TIFF OMITTED] T1178.098
    
    Mr. Horn. And now our next individual is Solveig Singleton, 
director of information studies for the CATO Institute.
    You might tell in a little description what the CATO 
Institute is.
    Ms. Singleton. Sure, I will. Thank you, Mr. Chairman.
    I'm Solveig Singleton, director of information studies at 
the CATO Institute, which is a free market or libertarian think 
tank based in Washington, DC. My area of expertise includes the 
Internet and telecommunications regulation. My testimony today 
is intended to illustrate how a privacy commission as proposed 
in H.R. 4049 can be of help to Congress in understanding 
privacy in the big picture in this country.
    There are many privacy issues that come before Congress 
piecemeal, and Congress is well-adapted to hearings on specific 
topics like medical legislation or financial privacy and so on, 
but Congress rarely has the leisure to sit back and consider a 
comprehensive view of privacy overall across the economy.
    Let me talk now a little bit about one of the questions I 
think would be important for the Commission to consider. I 
think the Commission could play a vital part in increasing 
Congress' understanding of how the increased use of government 
databases, new surveillance techniques and so on ultimately 
will affect the relationship between the U.S. citizens and 
their government.
    Just in the past decade alone, we've had several new 
Federal databases created. I'll just run down some of these 
quickly. There's a National Directory of New Hires intended to 
enforce child support orders, but, of course, everybody ends up 
in it, not just parents. There's a new employment database for 
the Workforce Investment Act, a national medical database with 
proposed unique health identifiers, and there's a National 
Center for Education Statistics. On top of that, there's been 
various proposals for monitoring and tracing citizens' 
activities such as FIDNET, Federal mandates for driver's 
licenses, and an employment eligibility confirmation pilot 
proposal from the Immigration and Naturalization Service.
    Now, each of these databases and each of these proposals 
comes along with good intentions, but the concern overall is 
that ultimately what we may see in this country is the right to 
work, the right to travel, the right to seek medical attention, 
the right perhaps to consult a lawyer in confidence, that these 
things are gradually transformed into privileges that are 
enjoyed only by those people who have their paperwork in order. 
And most Americans, I think, have better things to do than 
wanting to be thinking about whether their paperwork is in 
order all the time. People lose things, mistakes are made by 
clerks and so on. So I think a privacy commission would be 
ideally situated to look at these developments in the big 
picture.
    Second, I think a commission could add substantially to 
Congress's understanding of the use of information about 
consumers by private sector businesses. Now, those of you who 
have heard me testify on Internet privacy will know I think 
many concerns about business use information are overstated. I 
basically think private businesses, they are either going to 
sell you something or not sell you something. I think that when 
it's a legitimate business that consumers need to be protected 
from, that the need for protection for consumers is fairly 
limited. But nevertheless, new technology makes people uneasy, 
and there's a danger that Congress will face tremendous 
pressure to move forward on privacy before they entirely 
understand the economic consequences of regulation.
    In particular there's been a lot of opinion, including my 
own, brought forward in testimony, but very little actual 
factual information about the way information is used in the 
economy, what it means to businesses in terms of keeping costs 
down, what it means to consumers in terms of getting 
information about new products, new businesses, new services, 
and in particular there's little hard information about the 
impact of privacy regulation on small businesses including 
Websites, startups of any kind, charities and grass-roots 
political groups, many of whom trade actively in lists of 
information about donors or subscribers in order to get their 
foot in the door of civil society.
    Third, a really critical issue, and where there is a real 
danger to consumers, is in the area of fraud and identity 
theft. There's some serious questions that need to be asked 
about the best approach to fraud and security issues. Is it to 
have less information circulating through the economy as a 
whole, or is it, in fact, to have more information about people 
of a kind that is easier to verify, such as digital signatures? 
In some cases the use of biometric identifiers like 
fingerprints might be appropriate. And finally, I think the 
most important question of all is how can law enforcement be 
more effective in enforcing existing laws against fraud and 
identity theft? A lot of these questions may be enforcement 
questions rather than questions of new laws or new policies 
being needed.
    So to conclude and second the comments of some of the other 
panelists, I note that I think the proper role of the 
Commission would be to provide balanced and objective analysis 
and scholarship to fill gaps in our understanding of the 
complexities of privacy. I think in particular it might be 
valuable to have the Commission have the authority to contract 
with a group--a reputable group, an independent group of 
economists to come up with something like a cost-benefit 
analysis of different types of proposed regulation.
    With that I conclude.
    Mr. Horn. We thank you. Those are some very helpful 
suggestions.
    [The prepared statement of Ms. Singleton follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.099
    
    [GRAPHIC] [TIFF OMITTED] T1178.100
    
    [GRAPHIC] [TIFF OMITTED] T1178.101
    
    [GRAPHIC] [TIFF OMITTED] T1178.102
    
    [GRAPHIC] [TIFF OMITTED] T1178.103
    
    [GRAPHIC] [TIFF OMITTED] T1178.104
    
    Mr. Horn. Mr. Ron Plesser is legislative counsel to the 
1977 Privacy Commission. Mr. Plesser.
    Mr. Plesser. I think I was general counsel, but ``was'' 
rather than ``is.''
    Good afternoon, Mr. Chairman, members of the committee, and 
thank you very much for the opportunity to appear before your 
subcommittee as it examines the creation of a commission for 
the study of privacy protection. My name is Ronald Plesser, and 
I'm partner in the law firm of Piper Marbury Rudnick & Wolfe, 
and I chair their Electronic Commerce and Privacy Group. I 
served as general counsel for the Privacy Protection Study 
Commission for the entire life of the Commission from 1975 to 
1977, and most recently I've served along with Mary Culnan on 
the Federal Trade Commission's Advisory Committee on Online 
Access and Security.
    I'm pleased to appear before you today to share my 
experiences as a staff member of the first and only Privacy 
Commission and to comment on H.R. 4049 and the potential 
establishment of a new privacy commission.
    Created by the Privacy Act of 1974, the Privacy Protection 
Study Commission was directed by Congress to make a study of, 
quote--study of the data banks, automatic data processing 
programs, and information systems of governmental, regional, 
and private organizations in order to determine the standards 
and procedures in force for the protection of personal 
information. The Commission also sought to examine the balances 
between legitimate and at times competing interests of the 
individual, the information system and society in general.
    I would like to point out, as I think others have, that we 
issued our report in 1977, which actually was the first year 
that the personal computer was commercially available. So 
there's obviously been a world of development and shift since 
then, but I think their basic principles may have stayed more 
the same than we could have imagined. The Commission 
recommended ways of providing additional protection for the 
privacy of individuals while meeting society's legitimate need 
for information.
    The Commission based its recommendations on the conclusion 
that effective privacy protection must have three concurrent 
objectives: one, minimize intrusiveness in the lives of 
individuals, and this relates really to a large extent to 
government issues; maximize fairness in institutional decisions 
made about individuals--this is the famous fair information 
practice principles; and provide individuals with legitimate, 
enforceable expectations of confidentiality.
    One of the critical findings of this report was that 
privacy needs to be addressed on sector-specific basis, given 
that there are different concerns raised by different 
information systems. The Commission felt that the historic 
development of privacy protection as well as the then current 
realities required that each be dealt with separately.
    The Commission explicitly rejected a proposal for an 
omnibus privacy statute establishing government authority to 
regulate the flow of all personal information. This rejection 
was based on several considerations, including the danger of 
government control over the flow of both public and private 
information, the greater influence on the private sector than 
the public sector of economic incentives that encourage 
voluntary compliance with principles, and three, the difficulty 
of legislating a single standard for widely varying 
recordkeeping practices in the private sector.
    I would like to highlight a few areas of the particular 
bill you're looking at that I believe could pose obstacles to 
the effective service of a commission based on my practical 
experience. First, the Commission envisioned by the bill is 
comprised of too many members. It was critical that there were 
seven members of the Commission as compared to the 17 
recommended by H.R. 4049. Broad representation of various 
interests on the Commission is an important goal. However, for 
management reasons and to enable group consensus, it is 
important that the Commission be limited to a smaller number.
    The second point, the Commission's effort needs to be 
sufficiently funded to allow for careful, balanced 
investigation. H.R. 4049 allocates $2.5 million in the year 
2000, and you may be interested to know that that's exactly the 
same amount of money that the Privacy Commission got in 1974, 
and while we, I think, felt that was a fully sufficient amount 
of money back in 1974, we had 60-some-odd days of hearings and 
other stuff. I think that amount is woefully inadequate for an 
adequate study today.
    I've hit my time, and I wondered if I could have just 
another minute to say that I think there are competing reasons 
for and against the Privacy Commission. On one hand, I agree 
with what everyone has said about the complexity of the issue 
and that it needs additional study. Whether that initial study 
has to be done by a new independent commission, or it can be 
done by existing authorities I think is an issue.
    I'm also concerned--I was very involved with the Children's 
Online Privacy Protection Act representing several clients, and 
I think we came out with a very balanced piece of legislation 
that was supported by government, public interest groups, the 
private sector and, of course, Congress. I wonder if we could 
have developed something as carefully tuned and balanced as a 
result of a commission process, or if it worked just as well by 
having inquiry by Congress without having the added kind of 
exposure and publicity that would be involved in a commission. 
I think there are positions on both sides of it. I certainly 
support Christine Varney's point of view on the need to have a 
commission, but I think we should look at it very carefully as 
we go forward. Thank you.
    Mr. Horn. Thank you very much. Those are very helpful 
suggestions.
    [The prepared statement of Mr. Plesser follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.105
    
    [GRAPHIC] [TIFF OMITTED] T1178.106
    
    [GRAPHIC] [TIFF OMITTED] T1178.107
    
    [GRAPHIC] [TIFF OMITTED] T1178.108
    
    [GRAPHIC] [TIFF OMITTED] T1178.109
    
    [GRAPHIC] [TIFF OMITTED] T1178.110
    
    Mr. Horn. Our last witness on this panel is Stanley Sokul, 
member of the Advisory Commission on Electronic Commerce. Why 
don't you tell us a little bit about that advisory commission.
    Mr. Sokul. Thank you. Thank you for inviting me to testify 
today. As you noted, I served as a member of the Advisory 
Commission on Electronic Commerce, which studied the issues 
surrounding Internet taxation. We issued our report on April 
12, and our tenure expired on April 21.
    I'm here primarily to urge you not to neglect the privacy 
implications of Internet taxation, but would also like to offer 
some suggestions on a potential privacy commission based on my 
Tax Commission experience.
    If a commission on privacy is created, I hope the 
subcommittee will consider an issue that the Tax Commission 
uncovered but did not resolve. In order for States to 
effectively collect taxes on Internet sales transactions, the 
sales need to be identified on an individual basis. Such 
government tracking of consumers' Internet purchases could have 
significant privacy ramifications. The most striking example 
involves the types of privacy invasions that would have to 
occur for States to track and tax the purchase of digital 
goods.
    The Internet privacy debate generally focuses on the 
activities of private entities, how companies compile on-line 
purchase information and even track Web surfing for commercial 
purposes. The debate revolves around the nature and extent of 
consumer access to and control over the collection and use of 
such information; for example, should an opt-in or opt-out 
requirement be imposed on Internet data gathering and sharing.
    In contrast, imposing a national system to collect State 
sales taxes raises the specter of the government tracking 
individual purchase information. In this environment, the 
consumers would have no control. The only way for consumers to 
opt out of the government tracking their purchase activity 
would be to forego the Internet purchase altogether.
    During the Tax Commission process, the State and local 
organizations proposed a Streamlined Sales Tax System for the 
21st century. This system would insert a new layer of 
requirements into electronic sales transactions, a national 
clearinghouse or database, to track Internet purchases so the 
proper tax could be calculated, levied, and remitted to the 
proper jurisdiction. This proposal raised some significant 
privacy concerns, and ultimately the States stopped advocating 
the system as a solution, at least before our Commission.
    The effects a new Internet sales tax collection regime 
would have on consumer privacy and thus Internet commerce 
remain unexplored. Confronted with many concerns but few 
details, the Tax Commission adopted a resolution I authored to 
recommend that Congress study the privacy implications of 
Internet taxation very carefully. It was one of the few items 
that attained a two-thirds supermajority vote to constitute a 
formal recommendation to Congress. We recommended that Congress 
explore privacy issues involved in the collection and 
administration of taxes on e-commerce, with special attention 
given to the repercussions and impact that any new system of 
revenue collection may have upon U.S. citizens.
    Accordingly, because the Privacy Commission may be a key 
vehicle through which Congress explores Internet privacy 
issues, I would urge that the privacy implications of Internet 
taxation be added to the Commission's agenda.
    Finally, I would like to comment briefly on two problems 
that the Tax Commission confronted. First, our Commission lost 
nearly half of its 18-month tenure due to an appointment 
controversy. The statute required equal representation from 
State and local interests and business interests and gave the 
House and Senate leaders a fixed number of appointments. When 
all the appointments were announced, a statutory balance had 
not been achieved, and the imbalance took 8 months to sort out.
    H.R. 4049 as presently written provides leadership with 
specific appointments, but does not specify that certain 
interests must be represented on the Commission. If the 
subcommittee ultimately decides to list different interests 
that should be represented, I would suggest that you carefully 
account for what will occur if the initial round of 
appointments fails to fulfill the representational 
requirements.
    Second, the Tax Commission operated under a two-thirds 
supermajority requirement to report findings and 
recommendations to Congress. H.R. 4049 presently contains only 
a simple majority requirement. I would urge you to consider a 
supermajority provision. While the Tax Commission did not 
ultimately achieve a two-thirds result for the bulk of its 
report, and that failure created some controversy, I believe 
still that the requirement created a healthy dynamic within the 
Commission that encouraged the opposing interests to work 
together. However, if you institute a supermajority provision, 
the statute must be clear that a lack of one does not negate 
the need to file a report.
    Thank you again for the opportunity to testify, and I'll be 
happy to answer any questions.
    Mr. Horn. Well, thank you.
    [The prepared statement of Mr. Sokul follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.111
    
    [GRAPHIC] [TIFF OMITTED] T1178.112
    
    [GRAPHIC] [TIFF OMITTED] T1178.113
    
    [GRAPHIC] [TIFF OMITTED] T1178.114
    
    [GRAPHIC] [TIFF OMITTED] T1178.115
    
    [GRAPHIC] [TIFF OMITTED] T1178.116
    
    Mr. Horn. And we will now go to questions, and we'll start 
with--we're going to do it 5 minutes each side, everybody, so 
we all get into this and rotate it a few times. So I'm going to 
yield my time to the gentleman from Arkansas Mr. Hutchison, 5 
minutes.
    Mr. Hutchinson. Thank you, Mr. Chairman. I want to thank 
each of the witnesses. That was outstanding testimony, very 
thoughtful, and with your background and expertise, I think it 
is very helpful to the committee.
    First, Mr. Belair, I don't think you recounted a little bit 
of your background on privacy. Could you do that for the 
committee? I know it's in your written material, but could you 
elaborate?
    Mr. Belair. I'm happy to do it. I'm editor, along with Alan 
Westin, which--of Privacy & American Business, which is a not-
for-profit, privacy-friendly, business-sensitive publication. I 
also have a privacy consulting firm with Alan Westin, and I'm 
partner in a law firm, Mullenholz, Brimsek & Belair, and my 
practice there is all privacy-related. I was deputy general 
counsel of the White House Privacy Committee in the Ford 
administration. I said that the other night at the supper 
table, and one of my teenagers said, the Ford administration, 
God, you're old, and I guess that's probably right. I've also 
been the general counsel of the National Commission on the 
Confidentiality of Health Records and represented a number of 
other both public sector and private organizations.
    Mr. Hutchinson. I think that's extraordinary background, 
and your testimony was that you supported the Privacy 
Commission creation.
    Mr. Belair. That's correct. I think it's--I not only 
support it, I think it's really just the right thing at the 
right time. I think it's critical.
    Mr. Hutchinson. Dr. Culnan, you have raised some good 
points. I thank you for your support for the legislation as 
well, but you raised the concern about balancing the 
Commission, and you heard the comments from our last witness. 
Could you help us here as to what your suggestion is on how to 
balance the Commission? Let me tell you, first of all, some of 
the thinking in this that, one, it should be balanced. It's 
very important, and we want to get people who are open-minded 
and can promote a consensus. The option is, you know, to 
specify who all should belong to it or leave it to the 
political process, the people who are appointing, that you are 
going to pressure them, we are going to pressure them to 
appoint balanced people. I am open to any suggestions, but that 
was the thinking.
    Ms. Culnan. I think I would be against sort of a rigid set 
of standards saying you have to have X number of people that 
represent a certain point of view, but there might be a 
statement in the legislation that encourages or advises, I 
believe, the different people who are appointing Commissioners 
to consider diversity of perspectives in terms of doing that. 
One reason is because if it turns out the entire Commission is 
tilted toward a particular point of view, it will not have a 
lot of credibility, and there will be a lot of fighting and 
yelling about the kind of things that go on when you don't have 
multiple views reflected.
    I also want to second Mr. Sokul's point about the 
appointment process. The commission I was on, a lot of people 
got tangled up in the appointment process, and I think that can 
do great detriment to the Commission if people don't get 
appointed quickly and get brought on board and the Commission 
gets off and running. We had to have half private sector and 
half Federal Government commissioners, and it took quite a 
while to locate the private sector people who were willing to 
serve.
    Mr. Hutchinson. It shouldn't be as problematic if you do 
not specify all of the backgrounds necessary. I agree with you, 
and we've already half drafted some language that would talk 
about the broad interests that should be represented on it and 
the diversity of opinion reflected. I know I've raised--Ms. 
Varney, do you have any comment on this, and I also wanted to 
ask you specifically about your goal--or your statement that 
the goals of the Commission should be clearly articulated. Help 
me out here, again. The written copy I have did not elaborate 
all the things that you said so well.
    Ms. Varney. Well, I can give you this as well. I guess my 
concern, Congressman, is that the privacy debate has generally 
been very polarized. There are a lot of thoughtful people, 
including people that you've heard from today and yesterday and 
will be hearing from, who really are looking for a balance.
    What I would hate to see in the Privacy Commission is this 
division, this continued polarization. So if I could put my 
desires in writing in a preamble, it would be to really give 
the Commission guidance that its goal is to recommend to the 
Congress a comprehensive approach to privacy that balances the 
economic benefits of the free flow of information with the need 
for citizens to be able to protect their own personal privacy 
preferences.
    Mr. Hutchinson. You think that language would be 
sufficiently instructive to the Commission?
    Ms. Varney. I think it would help, because I think what we 
have seen in the privacy debate, this sort of view--a very 
stark view that either the use of information without very 
aggressive, very explicit consumer or patient or individual 
written affirmations and consents ought to be prohibited, and 
on the other side we've seen this view that all information 
flow in the commercial arena has some benefit, and therefore, 
anything that inhibits it is bad. That has really, in the short 
time I've been doing this compared with my colleagues--I only 
started dealing with this in 1994--that has really driven much 
of the debate. You don't find a lot of balance.
    Mr. Hutchinson. My time has expired. Thank you, Mr. 
Chairman. Thank you.
    Mr. Horn. We thank you.
    Now I yield to the ranking member on the subcommittee who I 
believe will yield to the ranking member on the full committee.
    Mr. Turner. Thank you, Mr. Chairman. As you know, Mr. 
Waxman, our ranking committee member is here with us. Mr. 
Waxman has taken a great deal of interest in the subject of 
privacy, particularly in his work to try to establish 
protection of health information for all Americans, and I want 
to yield to him or ask the Chair to yield to him for the 
beginning of our round of questioning.
    Mr. Horn. You can yield to him. Go ahead.
    Mr. Turner. Mr. Waxman.
    Mr. Waxman. I thank both of you for allowing me to question 
the panel.
    I want to thank the members of the panel for your 
testimony.
    Mr. Plesser, let me start with you. You testified that you 
think 17 Commissioners is too great a number for reaching 
consensus. Do you have any recommendations on what would be an 
appropriate number of Commissioners to have and how to ensure 
that appropriate stakeholders are represented?
    Mr. Plesser. I was looking at it from the perspective of 
staff working with diversity. You have to understand that 
unlike a congressional committee, those members would not have 
their individual staffs. So all of the kind of briefing, just 
the mechanics of briefing and working with people to get them 
up to speed, to make the decisions to have 17 is quite a lot. I 
would think that single digit, 7, 8, 9, you have to decide the 
odd-even issue, but I would think something under 10.
    I think the question of balance, frankly, being on the FTC 
Advisory Committee, I think you've got to go to 40, probably to 
the size that that went to, to make sure you had somebody from 
every sector, and even in that advisory committee that was 40, 
I think there probably were some people and some interests that 
felt that they weren't represented.
    I think you really have to do what Christine has suggested, 
which is try to get some very well-balanced, centered people in 
the group, whether or not--you don't maybe try to get somebody 
from the consumer group and the business group and this group, 
but get people--certainly some academics, some people who have 
been thoughtful on the issue, and I think more kind of 
representatives more like we expect our Congress people to 
exercise good judgment rather than come from a specific point 
of view. But I think if you try to do 17, I just think we 
also--let's stay and talk about what happened at the Internet 
Tax Commission, but I think that when you have that large a 
commission representing specific points of view, it's going to 
deadlock, particularly in the situation where there's a 
supermajority vote.
    I agree with Stan, I think supermajority is good, but 17--
I'm a lawyer, but a lot of what I do is run coalitions, and 17 
is a lot of people to get a good result with.
    Mr. Waxman. I noticed other members of the panel are 
shaking their head in the affirmative, so they seem to agree 
with you about the size.
    Let me ask you about the resources for such a commission. 
Dr. Willis Ware served as vicechair of the 1975-77 Privacy 
Protection Study Commission for which you were general counsel; 
stated in written testimony to the subcommittee that the 
Commission spent over $2 million, but just the effects of 
inflation over 25 years would make a realistic funding more 
like $4 to $5 million.
    You mentioned in your testimony the importance of ensuring 
that the Commission would be provided sufficient resources. 
What do you think would be appropriate to meet the needs of a 
proposed privacy----
    Mr. Plesser. I'm totally unfamiliar with the current 
policies of GSA and how much space costs. That was an issue 
that shocked us, frankly, back in 1974 where a good part of our 
budget had to go to rent. I think the overhead issues like that 
I don't think any of us really think about. I think we had to 
rent furniture or had some furniture charge. The government was 
very helpful in that we got a lot of people from different 
parts, HHS, HEW back in those days. We got a lot of loaners, 
and that helped us expand and encouraged the Commission to have 
loan personnel from certainly on medical records, to have some 
HHS people and stuff like that is very helpful and critical to 
the Commission.
    I always agree with Dr. Ware, and so if he says $4 to $5 
million, that sounds right, but I think my point is that there 
has to be some really serious fact-finding, some balanced 
hearings, an opportunity, as Mary suggested, for a lot of 
people to input. I want a smaller number of Commissioners, but 
I sure want it to have maximum outreach, and I think if you 
keep the funding down too low, which gets a lot of press 
releases and not a lot of careful investigations, I think 
you're either in it or not, but I think it would be difficult 
to cheap out.
    I agree with Willis that 1974 and the year 2000, to fund 
something at the same level is not realistic on inflation.
    Mr. Waxman. My time is up. I had other questions, but we'll 
get that to another round.
    Mr. Horn. You may ask one more question.
    Mr. Waxman. Let me ask Dr. Culnan what her thoughts are 
about the sufficient resources to meet the mandates of this 
bill, and what do you think we need to do to attract the high 
caliber of personnel--not personnel to work on it, but the 
members who actually serve on a commission?
    Ms. Culnan. The issue is can people balance--they must feel 
committed to serving on such a commission. Certainly if I were 
invited, I would make every effort to serve because it would be 
a tremendous honor to be asked. People need to feel, I think, 
that it's going to be an important, substantive commission that 
is going to yield a report that people are going to listen to; 
that it will be of the same stature as the 1977 report. That is 
an evergreen report. People still read and refer to that today 
23 years later even though the technology is very different.
    I also agree with Ron Plesser about appointing people who 
themselves represent balanced interests, which is probably a 
good way to deal with the diversity issue, as opposed to having 
people that have their feet planted in a particular point of 
view and are likely to dig in.
    Mr. Waxman. Also people who are not going to give up their 
day jobs, because they are not going to be paid to serve on 
this. Is that going to be a problem for some of the people?
    Ms. Culnan. It may be a problem depending on the time 
constraints. If the 20-hearing rule is still in effect, and the 
Commissioners are supposed to fly around the country, that's 
going to take an enormous amount of time, and people will be 
probably giving up 1 or 2 weeks a month of their time to do 
this, let alone they also need to meet face to face to 
deliberate. They do need to have a chance to absorb testimony 
and information from a wide variety of experts and point of 
views and should use whatever is the best way is to do this.
    I would also say even if you were to pay people, it's very 
difficult to find people who can take 18 months off from their 
job, people who are willing to step off the fast track, and so 
I don't think that would necessarily be the solution either.
    Mr. Waxman. Thank you.
    Thank you, Mr. Chairman.
    Mr. Horn. We'll go to 6 minutes now for everybody.
    Dr. Culnan, I'm curious. In your testimony you bring up the 
fact that there are few laws that protect personal information 
on Web databases. In your studies of the fourth amendment, what 
type of legislation do you think is needed for the Web 
databases?
    Ms. Culnan. I have not studied this yet, but it--people 
have raised this as an emerging issue in the future that we 
need to look to. One of the issues I raised in my testimony is 
that we be sure not to try to understand what may happen in the 
future by looking in the rear-view mirror, and cited the issues 
related to balancing national security interests versus civil 
liberties in the area of protecting critical infrastructures 
and the issues that when people put their personal information 
in a database that's not stored on their personal computer, but 
is on somebody else's server, that is raising new issues that 
haven't been addressed, and hopefully the Commission would look 
to some of these future and emerging issues as well as the 
issues we're grappling with today.
    Mr. Horn. Do you or any of the other presenters know people 
that are working on the fourth amendment issue?
    Ms. Culnan. The Center for Democracy and Technology is very 
interested in this issue, and they are the ones who have 
brought it to my attention.
    Mr. Horn. Let me move now to Mr. Belair. I've had an 
interest in the European situation for a number of years. I've 
been on the delegation of the Congress to the European 
Parliament, and we went over there just at the time when the 
Parliament had asked all the member countries to develop a 
privacy law. And the ones in the Polish Government had worked 
with us over here, and I'm sure they worked with some of you 
because they are very interested in what Americans develop in 
this area. And I was just curious what you feel, Mr. Belair, as 
to the impact of those policies on commerce, be it an American 
going to Europe or Europe going to America. I know they have 
got a moratorium on it for a while, but some of them in draft 
seem to be fairly rigid.
    And I had suggested, because we happened to be visiting 
with the President and Prime Minister of France and Poland, I 
suggested that they put together a commission, in the case of 
Poland, of Polish companies that operate with subsidiaries in 
the United States and then same with America and American 
companies that operate in Poland; same with the President of 
France. They thought that was a fairly good idea to get some 
feeling as to what this really means when you have to relate it 
to industrial data moving across the Atlantic, and I wondered 
what you could educate us on, and do you feel that's a real 
problem? Will it become simply a nontariff trade barrier, for 
example?
    Mr. Belair. Certainly has that potential. As you know, the 
Department of Commerce has been at work with the EU to agree on 
safe harbor accords, and they are close. Of course, they've 
been close now for many, many months. Assuming that safe harbor 
is negotiated, then I think we'll see some fascinating impacts 
here as companies have a limited amount of time to decide 
whether they are going to subscribe to those safe harbor 
accords.
    One of the things that the safe harbor accords do is bust 
through the sectorial industry-by-industry approach that we 
have always had and apply fairly generic privacy rules across 
the whole range of personal information.
    That's No. 1.
    No. 2, are we going to see a bifurcation where we've got 
some data that is subject to the safe harbor accords, namely 
data that's moved over from Europe, and then a second set of 
data that's domestic data that doesn't enjoy that kind of 
protection, or are we going to end up, as many of us think, 
with one approach, a global approach really, dictated to us by 
the Europeans?
    Third, and then I'll stop, although obviously it's a topic 
that we could talk about for a long time, and that is that the 
Europeans clearly have not thought through what the impact is 
of the application of their rules in an on-line environment. 
They would argue, for example, that even a United States 
citizen who happens to be in France on a business trip and then 
pulls up on his screen a United States Web site and engages in 
some kind of a transaction that generates personal information, 
that information is subject not to United States law, but 
that's subject to the EU directive and, in this example I've 
just given, the French national law.
    So it certainly does hold the potential for having an 
adverse impact on trade. I think--it's one of the things--the 
reason I mentioned it is I think it still remains to be seen 
how that sorts out.
    Mr. Horn. I know there are scholars at the Brookings 
Institution that are working on this. Do you know where 
scholars are providing some initiative and some analysis of 
these different policies that are evolving in legislative 
committees in Europe? What's the best shot we can get from 
people in that area?
    Mr. Belair. I think you're right, there's an awful lot of 
work and an awful lot of focus for a lot of groups back here 
and a lot of groups over there. Privacy & American Business, 
just to do a commercial since the segue is there, has a Web 
site, PrivacyExchange.org, and on that Web site is all of the 
latest information about the EU directive, about the national 
laws, about other national privacy laws, about the safe harbor 
accords, and we update that almost on a daily basis.
    Mr. Horn. Mr. Belair, is there a negative effect on the 
future legislation with regard to public records and with 
respect to the Freedom of Information Act among others and the 
Electronic Freedom of Information Act? And we asked that 
yesterday, and I'm just curious if any of you have feelings on 
that, but we'll start at this end.
    Mr. Belair. I do. I think the public records debate, which, 
as you know, the Vice President announced a couple of summers 
ago that he was going to lead, is an extraordinarily important 
public discussion. Personal information is available in public 
record repositories for a reason, public safety reasons, 
reasons that have to do with the operation of governmental 
agencies, the fairness involved in giving individuals who have 
availed themselves of governmental resources for a license for 
some other kind of a benefit or a status, letting their fellow 
citizens see who they are and what kinds of resources they are 
using.
    There are a lot of very important public purposes that are 
served by access to public records. Now that these records 
increasingly are automated and are commercially available, 
we're faced with a decision that we weren't faced with 10 years 
ago, and that is do we really mean that we want this 
information to be fully and effectively and conveniently 
public. The answer is--surely isn't to throw it out and close 
down the records as we started to do with motor vehicle 
information. The answer is the kind of balance we've been 
talking about on this panel, figuring out, and I would hope 
your Commission--I hope the Commission would tackle this--
figuring out what are the public values served by the access 
and what kinds of privacy threats are incurred and then 
striking a balance.
    Mr. Horn. Dr. Culnan, you agree with that statement?
    Ms. Culnan. In part. I think the public record issue is one 
of the really difficult ones that merits an expansive public 
conversation. The Internet has really changed the way public 
records are now accessible to anyone for any purpose. I worked 
on the Drivers Privacy Protection Act, Mr. Moran's bill, in the 
House and testified at the Judiciary hearings on that bill 
before it was passed.
    I think the issue that concerns people is not that their 
information is used for the purpose for which it was provided, 
to drive a car, to register a car, to get a license to be in a 
profession, or to fish or whatever, it's that the information 
is available to anybody for any purpose, and in privacy, a 
distinction is made between compatible and incompatible uses of 
information or between the reason the information was collected 
versus secondary uses, and I think the issue is how do you make 
the information available for the purposes for which it was 
collected, be they public service or public safety or other 
types of important reasons and not allow them to be used for 
marketing and people looking up other people's information out 
of curiosity, which really has nothing to do with why the 
information was collected, and which is the source of the 
privacy concerns.
    Mr. Horn. Ms. Varney, do you agree with that?
    Ms. Varney. I agree with Dr. Culnan, but I'd modify her 
last point where she said not allow the information to be used 
for other purposes. I would say not allow the information to be 
used for other purposes without consent.
    Ms. Culnan. I would modify my statement to agree with that. 
Choice.
    Mr. Horn. Explain that a little more, because you talk 
pretty fast, so let's slow it down and tell us what is your 
real wording here.
    Ms. Varney. My real wording is I do agree with what Dr. 
Culnan said as she has now modified it. The balance between the 
use of the information for purposes that it was provided and 
intended to be used for and other uses, and I don't think that 
we want to put a blanket prohibition on other uses. I think we 
need to look at what are the other uses and what is the correct 
level of choice that an individual needs to be able to exercise 
over what may be called unrelated or incompatible uses.
    When you go--I don't know if you ever used this example, 
Mary, but when you go and get your driver's license, and you're 
5-foot-4, and you put your weight in, and all of a sudden if 
you weigh a fair amount, you may be getting mailers from the 
Large and Heavy Dress Shop. That's not why I gave my weight 
information for the Drivers Protection Act. However, I might 
consent to the use of information if I'm 4-foot-10 because I 
like to get catalogues for petite clothes. They are hard to 
find.
    So I think what you have to do, Mr. Chairman, is continue 
to weigh in this debate what are the reasonable expectations of 
the consumer, what are the economic benefits, and what are the 
economic costs, and where do you--where can you empower 
consumers to make their own choices and where can't you. And 
the where can't you is where law needs to come in.
    Mr. Horn. Your dilemma would make a good Cathy strip.
    Ms. Singleton, what would you add to this?
    Ms. Singleton. I'd question again the idea that marketing 
uses should be presumed to be illegitimate. I think you have a 
lot of existing businesses that are currently using public 
records as a part of making goods and services available to 
consumers, and it's particularly important for companies 
offering financial services. Risk assessment is a large part of 
their business, and they need information to do that 
effectively.
    What I would suggest is an alternative approach to the 
public records problem, which is to focus on it as a security 
issue, and that is to figure out ways to make sure that the 
information can be in the hands of legitimate users whether 
it's a business, trying to sell a product, or somebody looking 
for their lost child or something like that, and yet keep it 
out of the hands of people who will use it to do really serious 
harm, such as stalkers and so on.
    Mr. Horn. Mr. Plesser, how about you?
    Mr. Plesser. I think I would go back to agreeing with Mr. 
Belair, and just to reinforce that, I think there are public 
record systems whose very purpose of collection is disclosure. 
Real estate records have been collected by counties in the 
United States since the beginning of government for the purpose 
of disclosing ownership and who owns what, and it's been very 
critical in the Midwest and other areas. People are concerned 
about false ownership or use of nominees and all of that stuff, 
environmental issues.
    I don't think we can question each use. Where the system of 
records was collected for the purpose of disclosure with UCC 
filings, real estate filings, things like that, I think it is 
critical to have those remain open to the public. If they are 
now more efficiently distributed, then that's the society that 
we live in. I think to restrict them to say that you can only 
use--only licensed real estate agents can get real estate 
records would really be a travesty and would really potentially 
start to allow for some of the record control issues that we 
don't like. And one of the reasons why we've rejected the 
European system is because we don't want that kind of 
oppressive government control. And if government records are 
not open, even ones that have individual records, I think it 
would really threaten the concept of the freedom of information 
that you, Mr. Horn, have been very effective in the last number 
of years in protecting in electronic format, and I would urge 
you to continue to do that.
    Mr. Horn. Mr. Sokul, last response to this question, and 
then we'll escalate to 12-minute rounds.
    Mr. Sokul. I just have a brief comment. My concern is more 
along the lines--goes more toward the collection of new 
information and in particular for tax purposes. I think that 
privacy is going to be the sleeping giant and probably the 
ultimate Achilles heel of what the States want to do in the 
Internet tax arena. There is also a balance that comes into 
play in terms of invasiveness and intrusiveness and what the 
country will count for its tax collection.
    Mr. Horn. I thank you all for answering that question. It 
will be very helpful to us in a report to the full committee.
    I now yield 13 minutes to the gentleman from Texas Mr. 
Turner.
    Mr. Turner. Thank you, Mr. Chairman. I want to revisit this 
subject of the comp decision of the Commission. I have 
cosponsored this bill because I feel that we have an issue on 
our hands that is of such importance and is changing so rapidly 
that the American people need to have discourse and dialog 
about it. And this Commission is one way to generate that kind 
of discussion, but I do think it's important to think about who 
would serve on this Commission.
    I noticed, Ms. Singleton, in your statement you said that 
we should write specific membership requirements into the bill 
in order to avoid what you call the usual suspects with an 
agenda as Commission members. I might ask you to tell us what 
you meant when you said that the usual suspects, and then 
perhaps offer to us the type of individuals that perhaps should 
serve on this Commission. You seem to emphasize the importance 
of fact-finding, even suggesting that perhaps the members of 
the Commission should not suggest policy or make policy 
suggestions, but rather be more fact-finders. I think there had 
been uniform agreement--I saw the heads nodding a minute ago--
17 might be too many, but if we're going to have a discussion 
like this, we need all the stakeholders at the table.
    Perhaps we could start with you, Ms. Singleton, and respond 
to my question and then offer your suggestions on what the 
Commission should look like, what type of individuals, what 
background, and then I'll ask all the rest of you, and maybe we 
can get a nice long list of the type of people who need to be 
at the table.
    Ms. Singleton. I don't have some of the same experiences 
that some of my fellow panelists do with actually being on a 
commission. Let me try to clarify, first of all, what I said in 
my written statement.
    I think the emphasis of the Commission should be rather 
than replicating a lot of the testimony that has already been 
generated in privacy debates and privacy legislation, should be 
to focus on things that are unknowns, that there's very little 
information about already. And I think in particular it would 
be very beneficial to have a lot of hard economic information 
there about, for example, the way small businesses use 
information, the way nonprofits use information, that kind of 
information. And so I think from my standpoint, it would be 
very important to have one or two economists represented on the 
Commission; I mean actual full-bore professional economists, 
not lawyers who have clerked for judges who were economists.
    Perhaps when I talk about the usual suspects on the panel, 
I'm excluding myself more than anything because I'm not an 
economist.
    Mr. Turner. You're talking about lawyers as the usual 
suspects?
    Ms. Singleton. That would be me, yeah.
    Mr. Turner. One or two economists. So obviously the 
collection of the economic data you're talking about could be 
done by staff, but you think we need someone with a background 
in economics to be able to interpret it?
    Ms. Singleton. Yes. I think that would be very helpful. I 
think it's unreasonable that the Commission itself would 
actually do the economic study. I think it would be more likely 
that they would contract out with an independent firm that does 
that kind of thing as a matter of course.
    Mr. Turner. Let me just go down the panel because I'd like 
to have your suggestions on what kind of individual, what 
background an individual should have, what training and also to 
think in terms of the broad range of individuals that should be 
heard from if we expect to have a full dialog on this issue. 
Let's start with Mr. Belair.
    Mr. Belair. I think you're wise to go back to it. I think 
it's a key issue, and it's a hard issue. I could probably 
answer it better in terms of who shouldn't be on there.
    I had the experience of being the reporter for the National 
Conference of Commissioners on Uniform State Laws on their 
health information privacy bill, and they pride themselves on 
bringing to the table smart people who know nothing about the 
area, who come at it absolutely clean. I can tell you that that 
didn't work in the privacy area, and it seems to me with an 18-
month run here and a huge agenda, it won't work.
    I've also had the experience recently of chairing an effort 
to bring together experts on criminal justice privacy, and we 
brought folks to the table with real agendas, real 
stakeholders. The discussion was terrific, but we ended up of 
necessity having to make the recommendations very generic and 
very vanilla because we simply couldn't reach a consensus 
otherwise.
    I guess I wouldn't bring to the Commission table folks who 
come really locked into a particular agenda or point of view 
because then you're obligated to bring in their opposite 
numbers, and there's no way you're ever going to get any kind 
of a consensus.
    I think probably Solveig has got the right idea, bring 
people who have got some understanding and background with 
privacy with particular areas of expertise, economics, law, and 
we can all think of some other areas that would be important to 
have there.
    Ms. Culnan. I would agree that in the interest of getting 
the Commission up and running quickly, it's important to have 
people who are familiar with the privacy issue and have thought 
about it and been involved in some of the previous discussions 
about this. I think you should strive to bring people in who 
are independent and open-minded to the extent that they can be, 
and I would also argue in favor of selecting people that 
represent different areas of subject expertise. And in 
particular somebody with a technology background would be very 
important because the technology is changing so quickly. It 
would probably be useful to have someone who understands the 
law, but you don't necessarily have to have a lawyer.
    Ms. Varney. I would agree entirely. Seven to nine 
Commissioners who are viewed as independent and not beholding 
to any particular commercial or advocacy interest, with 
particular subject matter expertise in economics, technology, 
law, finance, and health information.
    Mr. Plesser. I brought with me a relic, which is the report 
of the Privacy Protection Study Commission that we issued in 
1977, and I looked at the front page, and it occurred to me 
that it might be helpful for this conversation for me to just 
give you a quick rundown of what the backgrounds of the members 
of the Commission back then were, because I think it really 
did--whatever people say of the Privacy Commission, I think it 
worked. People got together, they got along, and I think there 
was consensus.
    David Linowes was the chairman of the Commission. He was a 
very experienced CPA, brought to the discussion a lot of 
expertise and that was very important. He was also a professor 
and a businessman.
    Dr. Willis Ware, who was vicechair, was mentioned before, 
was probably the leading technologist at the time. He was an 
expert for Moran Corp. and was considered, I think, the leading 
computer scientist in the United States at the time. Certainly 
I would say what Christine said about the importance of having 
really a world-class technologist. He was that.
    William O. Bailey was the president of Aetna, major 
businessman, CEO, major responsibilities, who did spend a week 
a month or--the requirement.
    Then we had Barry Goldwater, Jr., and Ed Koch, two 
Congressmen who were very committed to the issue, and I see my 
friend Ed Markey behind me, and the parallels remind me. But 
the issue of having two Congressmen actually were effective. 
They really brought a real sense of reality and realism. I'm 
not suggesting that that necessarily be done, but I think they 
were very effective members.
    And there was Robert Hennason, and this is an important 
category. He was a State Senator, and so we had the input, and 
he had actually worked on Minnesota privacy code, so we had the 
experience of somebody who really had worked with and 
understood State problems.
    And then finally we had William Dickinson, who was a 
retired editor of the Philadelphia Inquirer, and it was 
critical, I think very helpful, to have somebody with that kind 
of a free press, open communication background.
    So there was a balance in here from kind of professions and 
general point of views. There was nobody, with the exception of 
maybe Mr. Bailey, that you could say was an industry rep or an 
anti-industry rep. Everybody else brought to it, I think, a 
balance of professions, and I would suggest that the idea of 
having a technologist, a journalist, an accountant, those are 
all very important aspects.
    Mr. Turner. Do you recall, Mr. Plesser, when the statute 
that created that Commission in 1977, did they specify the type 
of individuals that should serve, or did it just work out?
    Mr. Plesser. I don't think so. It specified that three from 
the executive branch, two from the House, and two from the 
Senate. I don't recall if it required a specific qualification 
of specific members like Stan's committee. I think it did say 
that there should be a balance of interests, and I think 
people--there was really no controversy, and I can tell you 
that this group functioned extremely well. There was really 
no--there was disagreement on policy issues, but it really was 
a group, including Mr. Bailey at the time, who was kind of a 
business representative, really worked hard to do the right 
thing.
    Mr. Turner. Mr. Sokul, what's your suggestions on 
membership?
    Mr. Sokul. Our Commission had 19 members, and that was 
unwieldy. I remember the first meeting the whole morning was 
just opening statements. But I think----
    Mr. Horn. I might say that's a disease that also happens in 
the Congress.
    Mr. Sokul. I think that with your appointment process, when 
you're having different people appoint different--a certain 
number of appointments, it's going to be hard--unless you 
legislate an individual person in, you're always going to be 
rolling the dice. It's going to be very difficult to obtain the 
balance or the perfection you want.
    I think the most important thing or the two most important 
things are that the people are committed and that they talk to 
each other. I think the Members here probably understand that. 
I think our best meeting was our final meeting where it wasn't 
a formalized structure, but Governor Gilmore just adjourned the 
meeting, and we were in recess in the back room, finally 
talking to each other.
    Maybe the best thing you could do is to exempt the 
Commission for a few working meetings from the Sunshine Act and 
just let them go off in private and talk to each other.
    Mr. Turner. You think the Commission ought to have a little 
privacy, I gather.
    I think all your suggestions have been helpful. I guess the 
next question is open, is whether there should be some 
specification of these types of individuals in the legislation, 
or in the alternative, should there be some prohibition 
against, say, an industry representative or some other type of 
individual from being able to serve. Do any of you have any 
suggestions or thoughts on that point?
    Ms. Singleton. I'll start, since it seems like nobody else 
is going to. What I'll say is contrary to what some people have 
said about avoiding extremes. I think part of the reason that 
the debate has been polarized is that there are real 
philosophical differences there, and I think it would be to 
some extent a shame if the Commission did not reflect to some 
extent those real philosophical differences. And at the same 
time I think it's still possible to have a commission that 
avoids fractiousness by--simply by choosing people with certain 
personality types to be on the Commission as opposed to people 
who are given to pounding the table with their shoes and so on. 
That may be easier said than done, of course, but I think--I 
don't think it would make sense to exclusively prohibit any 
particular perspective from being expressed.
    I won't say any more than that. I think probably others 
have more expertise about whether it would be more effective to 
list or not to list.
    Mr. Belair. As I listened to the discussion, I think I was 
convinced that certain kinds of subject matter expertise are 
absolutely vital, technology, some kind of background in 
finance, economics, and we spelled out several others. I think 
I'd be tempted, if I were writing the bill, to spell that out a 
little bit and maybe also allow for some flexibility as well in 
the appointment process. But it seemed to me that I was 
convinced that there ought to be some of those kinds of people 
at the Commission table.
    Mr. Plesser. I just think that while it's very important to 
think about the Commission members and positions, I think it's 
very important that we make sure that the inquiry is a full and 
balanced one if we do do it. The Privacy Commission had 
something like 60 days of hearings, had hundreds of witnesses, 
and I think that that process really--I mean, if somebody had a 
point of view, it would be very difficult to kind of just stay 
on it. There was a public record and testimony and balanced 
input.
    I certainly agree that you shouldn't have all 
businesspeople. You shouldn't all have all public interest 
people. You shouldn't have all academics. There has to be some 
balance, and I think hopefully the process of appointment will 
do that, and I think you can say that appointments should 
reflect a range of--I think at least I would like to avoid 
saying there has to be one member who represents this interest, 
one member who represents that interest. I think that would 
probably not be good. It also would not be good if there were 
nine CEOs of Web companies on there and nobody else. That would 
not be a good result, nor would it be good to have nine public 
privacy advocates on it.
    So we have to work to get a process. I think the difficulty 
is we don't want it to be like slots. We want good people, 
balanced people representing a range of perspectives, at least 
that's my view.
    Ms. Culnan. I'll just add very quickly I think it's 
important to have flexibility. You may get a person that is 
representing more than one type of expertise, and so, again, by 
specifying one person, one form of expertise, I think that's a 
mistake.
    I think it would also be a mistake to specify that certain 
types of people are not to be appointed, to be as general as 
possible to maintain flexibility to get the very best set of 
people that you can get.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Horn. I thank the gentleman.
    I now yield to the gentleman from Arkansas, Mr. Hutchison.
    Mr. Hutchinson. Thank you, Mr. Chairman, and this has been 
a long session, and then we've got another panel, but just to 
further elaborate on the record somewhat, I did want to ask Mr. 
Plesser some followup questions about the 1974 Privacy Study 
Commission. You had some very positive comments to make 
concerning that. Would you describe what the benefits were of 
that Commission and what good came out of it from a 
congressional standpoint?
    Mr. Plesser. There was only one piece of legislation that I 
think could be directly pointed. There were 164 recommendations 
for some kind of legislative implementation. There was only 
really one statute, the Right to Financial Privacy Act, that I 
think resulted directly from the work of the Commission. During 
the work of the Commission, the IRS statute in terms of 
limiting the information that could be exchanged or given to 
the executive branch was put in, but I think that would have 
happened probably with or without us. I think the Right to 
Financial Privacy Act was a direct result of what we did, which 
protected people's interests in their checking accounts and 
information that banks can disclose.
    We recommended strongly regulation in the medical records 
area. It isn't really until this year, 23 years later, that 
we're seeing legislation in the medical area. My own view is 
that it was much delayed, but I think even though Bob Belair 
did kind of a subsequent inquiry into it, I think that the work 
we did in medical records and employment and specific areas 
made a great contribution, and I think it's still used today in 
many areas in analyzing privacy.
    Mr. Hutchinson. Let me just add when I look at a 
commission, you never know what's going to happen down the 
road, but I think information is invaluable to Congress, and 
actually I think that the argument for the supermajority is 
that it makes some requirement for consensus to be built, but 
we also want--the consideration is that if you have a simple 
majority, you will have a report that comes out and a minority 
report, and it's information, different viewpoints. The 
legislative processes still have to work, but it's a tool to 
build consensus in this very difficult area.
    And so I look back to the 1974 Commission. You're right, 
legislation did result from it in not all of the arenas, but 
the other information, someone referenced that it's still being 
passed around today and studied today and referred to today. So 
I see a lot of benefits from a Member of Congress's standpoint 
to having this type of commission.
    There was--one more question with regard to that. 
Everybody's talked about the variety of people on the 
Commission. Is there anything special about the 1974 Commission 
as to who did the appointing process and who we should be 
looking at? You've seen our bill, and we have it divided among 
different congressional leaders and the executive branch.
    Mr. Plesser. Well, the political--I forget exactly the 
politics back then, but I think you had one party controlling 
the House, Senate, and President and executive branch, so there 
wasn't any real political controversy, and in that case you had 
two from the Senate, two from the House, and three from the 
administration, but the administration could name the Chair. So 
that was--I think by having the ability of the administration 
to do the Chair, they had a little edge, but--if you do a party 
split. So that's the way that worked. Whether or not it's the 
best way--it did work in practice. It was, as I said, a 
balanced approach, but who knows what could have happened.
    Did I respond to your question?
    Mr. Hutchinson. Yes, you did. I'm grateful for that.
    Did anyone raise the objection during that time about, 
well, why do we want to have a commission? We just need to pass 
legislation right now. We know what we need to do.
    Mr. Plesser. Let me tell you, even though it was slightly 
before my time, and I might say not only was the Commission 
balanced, but I think the staff was balanced. Carol Parsons, 
who was an extremely able executive director, and she had a 
privacy background, and she was the executive director of the 
very early HHS study on privacy, which really developed this 
concept of fair information practices, and I was a freedom of 
information lawyer. And so they had a privacy person and an 
open government, open access person, and I think there was a 
reason for having that balance, so I think that was effective.
    Mr. Hutchinson. Were you leading to the question I just 
asked, though?
    Mr. Plesser. Sure. Could you repeat it? I interrupted. I'm 
sorry.
    Mr. Hutchinson. You're still on the other question, trying 
to give a more complete answer. I was simply asking at that 
time did people raise the objection that we don't need to have 
a commission, we ought to just move forward with substantive 
legislation now.
    Mr. Plesser. What happened at that time was in 1974, the 
Privacy Act was sponsored by Senator Ervin, and some version 
recommended the omnibus approach for State and Federal--State, 
Federal, and private sector records. The Privacy Act, some 
earlier version was going to cover everything. There was a 
split. There were a lot of people who did not want that to 
happen, at least in terms of the private sector and State and 
local government.
    The compromise was the Commission. The compromise was to 
say, OK, we'll pass the Privacy Act of 1974 in connection with 
Federal records, but then we will throw this issue of whether 
or not the principles of the Privacy Act should be extended to 
private sector and State and local to the Commission. The 
context was a little different. I mean, they started with a 
comprehensive law. I think here now the context is somewhat 
different.
    Mr. Belair. I was at the White House Privacy Committee at 
the time, and I think Ron is exactly right. There was a wide 
consensus that we needed to sort out whether the standards that 
would apply to Federal Government in the Privacy Act should be 
applied to the private sector, but there was also a push back 
in some areas. For example, health privacy even back then was a 
major concern, and as we got later on into the 1970's, Senator 
Javits had a bill. There were bills over here--Bella Abzug had 
a number of bills--and there was a concern that the Privacy 
Commission's work would slow down the march toward 
comprehensive health information privacy legislation. As we've 
seen with hindsight, there were so many things slowing down 
that legislation, that the Privacy Commission made no 
contribution to that.
    Let me just say real briefly, though, I think Ron's being 
modest a bit about the work of the Privacy Protection Study 
Commission. It set the template. It set the model for not just 
the U.S. thinking, but the whole world's thinking for many, 
many years about privacy, fair information practices, a 
distinction between uses of information that had an impact, a 
tangible impact, on individuals and nonadministrative uses that 
did not, a sector-by-sector approach, which the Europeans 
eventually abandoned, but not right away. It had an absolutely, 
I think, profound impact on the way in which the Nation thought 
about privacy.
    Mr. Hutchinson. Thank you.
    Mr. Horn. I thank the gentleman, and I yield to the 
gentleman from Virginia, who I believe will yield to the 
gentleman from Massachusetts, who is welcome to bring up 
himself to the podium here, or you can grab one of the mics. 
Let me make a deal to you and your two colleagues that 
disappeared. If you want to be the lead witnesses at 2 p.m., on 
Thursday, we'd be glad to give you that.
    Mr. Markey. Thank you, Mr. Chairman, but I think I would 
rather be the last witness on this panel.
    Mr. Moran. Do we have a choice as to whether you get the 
last word?
    Mr. Markey. You just chose, and I thank you so much.
    Ms. Varney. Mr. Chairman, I have a child care conflict. 
Could I be excused and give Mr. Markey my seat?
    Mr. Horn. Certainly. If you don't mind, we're going to 
close it down really after Mr. Markey, but we'd like to send 
you a few questions. Would you mind responding to us for the 
record?
    Ms. Culnan. I'd be glad to.
    Mr. Horn. The gentleman from Massachusetts.
    Mr. Moran. We appreciate very much Ms. Varney coming to 
testify. Thank you, Christine. If you want to get in the middle 
here, you can.
    The rest of the panel is going to stay because I know they 
want to hear from you. I'm not going to ask questions. I can 
review the testimony, but I've also got a prize constituent in 
Mr. Belair, and I consult with him regularly, so I will take 
advantage of that. So the floor is all yours.

    STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
            CONGRESS FROM THE STATE OF MASSACHUSETTS

    Mr. Markey. I thank you very much for your hospitality. 
Here's my bottom-line point to you all. Members of Congress are 
experts on privacy. Our privacy isn't invaded on an ongoing 
basis. You don't have to be--there's a lot of things on which 
congressional expert is an oxymoron, but compared to real 
experts, we're really not. But on privacy, we're experts.
    The reason that we are experts is for the most part that 
we're human beings, and that's why we've been able to pass laws 
over the last several years to deal with issues as they arose 
that dealt with the privacy of Americans. For example, if 
someone wants to divulge your driver's license, it's opt-in; 
all that information, opt-in. That's a law. If someone wants to 
transfer information about your videocassette rentals, all 
those things that Judge Bork got in trouble for during this 
confirmation hearing, Congress passed a law. They can't sell 
that information to anybody anymore. Opt-in. You want people to 
know every movie you rented? Opt-in. Pretty simple. What 
protection would you want for your family? How complicated is 
that?
    How about the information dealing with whether or not the 
cable company should be able to sell all the information where 
you click on your cable stations, especially after midnight 
when everyone is upstairs asleep, what channels you go to; 
should that be public information everyone has access to? We 
have a law in the country that says opt-in. Unless you want the 
cable company to sell that information to people, no one knows 
what channels you click to when everyone is upstairs asleep. 
Good law.
    How about your tax returns? Opt-in. Do we really have to be 
experts? Do we have to have a panel put together to decide 
whether or not we want our tax returns given out to everybody 
in town, everybody should have access to it? Opt-in. Very 
simple.
    How about on your cell phone when you travel someplace, you 
might not want everyone to know where you are going? How about 
the cell phone companies selling that information where you've 
been going? Opt-in. How about all your phone records, everyone 
you're calling all day long, everyone in your family is calling 
all day long? Should anyone be able to access that? Opt-in. 
Very simple. Not complicated.
    We don't need an expert panel on this subject, and we 
definitely don't need an expert panel to study for 18 months. 
That is absolutely beyond the pale.
    Two years ago when there was a bill coming through to ban 
pornography on-line, I said, fine, I'll go along with that, but 
how about giving me an On-Line Child Privacy Protection Act, 
too; any child 13 and under, unless their parent gives 
permission, has all that information private. That's the law of 
the Nation now. The Federal Trade Commission has promulgated 
the rule. How complicated is that, information for 13 and under 
should not be disclosed even if you got it on-line, even though 
it might impede the new Internet revolution?
    How about a child who's 13, 14, or 15, though. Do we need a 
panel to discuss that one, 18 months for us all to figure it 
out? I don't think so.
    How about--how about our health records? How about the fact 
that your husband or wife has prostate cancer or breast cancer, 
or a child is on Ritalin or has a child psychiatrist? Should 
all the medical exams in the insurance company be able to be 
shared with all the stockbrokers that are in that same firm? 
How about all the checks that you wrote; all the medical 
information is on there. Do we need 18 months to figure this 
out?
    I think we need a panel of 17 Members of Congress to go 
into a room, just give everyone the questions, and everyone 
will decide, because this is an issue that ultimately deals 
with your family.
    Now, I think the biggest fear that everybody has, to be 
honest with you, is whether or not any decisions we make are 
going to affect the Internet and will be responsible for the 
destruction of the Internet. We shouldn't actually value the 
Internet the same way we value all companies, because if we 
valued the Internet the way we value all companies, they'd have 
to have earnings. They'd actually have to have profits. God 
forbid we should actually have that standard. People who talk 
about that lead to the NASDAQ collapsing 2,000 points. How can 
we possibly have that standard? Obviously we shouldn't have--
otherwise everyone who's responsible for saying that they 
should have profits or earnings or revenues are ruining the new 
era.
    How about fraud on-line or gambling on-line or selling 
drugs on-line; do we need a study on these issues before we 
pass any laws with regard to these things that are done on the 
Internet? Why should we allow, then, for people to be able to 
delay another 2 years? And that's what we're talking about 
right here, sitting right here 2 years from now after an 18-
month study, which finally goes to the President later on this 
year, is finally promulgated, and we're not going to move on 
anything because there's a chorus here that is going to go out 
there as soon as this becomes law saying, we've got to wait for 
Congress now, we've got to wait for the expert panel. God 
forbid we should decide.
    The test here is whether or not we can construct a formula. 
Commerce, yes, but commerce with a conscience. And the issue, 
the way I see it, in this bill, by the way, is that, yeah, they 
are going to look at how the government goes into your 
business, but I really don't see the private sector--where is 
the subpoena power for private corporations so you can look at 
them or the right to depose private corporations? Because the 
issue, ladies and gentlemen, is not Big Brother, it's Big 
Browser. The problem is that you can now profile for profits. 
You can take each one of us, each one of our families, gather 
information from all these various sources that are now 
available, put it in a big package, and then sell it to 
hundreds of companies or others that want to look at our 
families.
    Now, I don't know why we want to study this for 2 more 
years because we already know it's right on videocassettes, and 
we know it's right on taxes, and we know its right on cell 
phones, we know it's right on telephones, we know it's right on 
everything, ladies and gentlemen. It's very simple.
    So my bottom line on this is that this is a basic human 
right, the right to be let alone, the right for the world not 
to become--coming into our living room. Wall Street says, we're 
going to give you a window on Wall Street. That's great. But 
the American people just don't want Wall Street to have a 
window in our living room. If we don't want them in our living 
room, they don't have any right to come into our living room, 
and if we want to opt in to get all this great information that 
they want to give us, we can just check off someplace.
    By the way, these same companies that say, oh, it's going 
to be so difficult for us to construct an electronic way in 
which people can check off they don't want privacy, these are 
the same companies that tell us they can transfer $1 trillion 
from here to Osaka in a nanosecond, that they can recreate 
entire economies in China over the next 2 or 3 years if we are 
allowed to sell telecommunications and Internet and software 
technologies into that country, but we can't think, figure out 
in our own country whether or not we want to protect children, 
whether or not we want to protect health records? I don't think 
so.
    So this is without question, with all due respect, to all 
the members of this panel, a central--maybe the central civil 
rights issue of the 21st century. Eighteen months is too long. 
This bill really is not going to give the proper authority, be 
able to look at what the private sector is doing. The 
Commission is totally tilted. You can wind up, if George Bush 
is President, with 4 Democrats and 13 Members of the other 
party are appointed by him, with industry representatives 
dictating ultimately what they believe is best for their 
business.
    So at the end of the day, we have to have the new economy, 
but the new economy with old values, and the old values of the 
very same ones we grew up with, the nurse and the doctor that 
probed our medical records, and no one else in town knows what 
happened to us or member of our family; the banker who gave us 
our little passbook when we went in for the first time, and no 
one in the rest of the town is going to know what is in our 
little passbook, and we know who he is and is going to protect 
us. Same values.
    These companies are going to make it, but they are going to 
make it protecting against the compromise of our privacy by 
engaging in other behavior which we all know is wrong. If they 
are going to be profitable, they are going to have to do it the 
old-fashioned way, protecting solid American values while using 
new technology to drive the old companies out of business, but 
not using new values to drive the old companies out of 
business. They should be forced to compete on the same grounds 
in terms of the values.
    So I thank you, Mr. Chairman, for allowing me to testify. 
This is a very important bill, and I think ultimately, with all 
due respect to the gentleman from Arkansas who I respect very 
much, I just think it delays too long congressional 
consideration of this very important issue. Thank you.
    Mr. Horn. I thank the gentleman for coming.
    I wonder what you would think of the delay that we've had 
between the Senate and the House. We wanted to get to this in 
this committee 3 years ago, and everybody was going off in 20 
different ways around here, and I just wonder what you think 
about that if we'd done the Commission 3 or 4 years ago.
    Mr. Markey. Again, we don't need a commission.
    Mr. Horn. But somewhere you need people building a 
consensus.
    Mr. Markey. The consensus will be built. Eighty-five 
percent of all Americans have the same view on this issue. 
There's a consensus in America already. There's just no 
consensus when you fill up the room with a bunch of lobbyists, 
a bunch of industry representatives. Of course they are all no, 
no, no. If you want to weight them equally with the 85 percent 
of the American people who agree on every one of these health 
care, financial records, child--go down the line--disclosure of 
privacy, there's no debate in America. You can have a technical 
debate over how to do it, but there's no debate on this 
question.
    This is the single highest polling issue in America. People 
value their privacy, their individuality, their American--their 
sense of independence of the big business and big government. 
The far left and the libertarian right join on this issue, 
doesn't leave a lot of room in the middle. They are fighting 
this hard, Mr. Barton and I, Senator Shelby and Senator Bryan 
in the Senate. It's the middle, the practical middle--actually 
it's the business middle that objects.
    So, yeah, we can pass this, but we pass it only for big 
business, only for big bucks, only for Big Browser, but we're 
not passing it for ordinary people. That's not what this study 
is about, because every one of us know what protection we want 
for our mothers, for our fathers, our wives, our husbands, for 
our children. Every one of us know what that answer is on every 
single subject. We're all experts on that.
    Mr. Horn. Before you leave, I'll call on the author and 
coauthor of the bill and see if you want to ask any questions 
of the gentleman from Massachusetts. Mr. Moran still has plenty 
of time.
    Mr. Moran. But we don't have much time here. I've got to 
get to a meeting with Mr. Gephardt that started at 4:15, so I 
can't get into too much questioning.
    We have heard from many people who are not tied into a 
commercial entity, nor have a commercial motivation, who feel 
that this is a more complex issue than it appears to be, and 
certainly than you perceive it to be, Mr. Markey. There are a 
number of different State approaches, some of them conflicting. 
We have legislation that was passed with regard to medical 
privacy that HHS has gotten tens of thousands of responses on 
and has taken 2 or 3 years to try to come up with some 
regulations. We have the financial services modernization bill 
that was recently passed that is legislation. I know you 
opposed it, but nevertheless--opposed at least parts of it. I 
think you voted against the bill, as I recall, but nevertheless 
was passed and is the law of the land and has a significant 
implication for the--for the privacy issue in general, and 
there will be others.
    And one of the purposes of such a commission was to try to 
establish some consistency, some fundamental principles, some 
floor, if you will, when you talk about values, some value 
floor that would either exempt or incorporate or preempt, I 
should say, or incorporate State law. I don't think that we 
want a potpourri of different State statutes. Clearly 
electronic commerce is intrastate, can't be held within 
boundaries, and we have a difficult issue with regard to 
preemption or finding some kind of consistent uniformity.
    We also have a difficult issue, if we're going to ad hoc 
this kind of legislation, whether it be in financial services 
or medical issues or other types of electronic commerce, how we 
achieve consistency, and we also have very rapid developments 
in the field itself and the industry, developments that are 
customer-friendly, developments that respond to market 
incentives.
    People want privacy. We don't disagree that this is a 
cutting-edge issue. If you poll them using any kind of 
simplistic question, you're going to get very high responses. 
People want privacy. And so the industries involved in the 
Internet and information technology understand that and have 
responded with any number of ways to protect people's privacy.
    And so the intent of giving the Congress some analysis with 
which to develop overarching legislation, if you will, was to 
achieve consistency, was to recognize the central tenets of 
federalism, and was to incorporate technological advances that 
have been taking place in the private sector, and also to 
figure out a way that we can coordinate the public and the 
private sector, because we don't necessarily have the parallel 
objectives here. There are some benefits to the public sector 
having some information shared that the private sector 
collects.
    So for all those reasons, there seem to be some benefit to 
studying the issue, and, as Mr. Horn said, no matter how 
anxious many Members might be to get legislation enacted 
immediately, it is not likely to happen. The history is that it 
has held up for what seems to be interminable periods--
certainly longer than 18 months. If you look at financial 
services, we've been working on that for what, 10 years. 
Medical privacy took a significant amount of time to get 
legislated, but even more time to get regulated. So you could 
make an argument that if we could get a consistent format and 
some consensus within 18 months, we'd be doing pretty well, and 
even breaking some precedent.
    Do you want to respond to those? I see you've been taking 
some notes there.
    Mr. Markey. I agree with you that each individual in 
America should be able to avail themselves of the new privacy 
technologies, encryption technologies that are being developed. 
That's important. They also have basically a right to expect 
industry to voluntarily step forward and put together industry 
standards, and they are in some fields, some companies. But 
because there are always going to be a significant number of 
outliers, significant number of companies on-line, especially 
who are just digital desperadoes, just trying to capture 
whatever they can in a short period of time in this new 
economy, there has to be a Federal floor. There has to be a 
third level of Federal guarantee, a right to knowledge that 
information is being gathered about you, a right to know that 
it's going to be reused for purposes other than you and your 
family intended it, and third a right to say no. And then 
you've got some power, too, even if the technology doesn't work 
to block it, even if the companies aren't going to be doing it. 
You've got a right as an American, a right to protect your own 
family's secrets, secrets you are not telling anyone else 
about.
    In Europe they have stronger standards, and from Citicorp 
to every American company that is over there, they abide by 
these stronger privacy codes, and our industry is thriving in 
Europe, abiding by the tougher European privacy codes.
    Many people say, we don't want the European standards here 
in America, but when you poll in America, 85 percent of 
Americans say they want the European standards. Now, we didn't 
import 500 people for this poll. They are all Americans. They 
are just ordinary people. They want the same standards. And the 
reason that we didn't build in the right for an American to 
stop the transfer of their medical insurance records in an 
insurance company now to a broker or banking affiliate is that 
the Rules Committee last year wouldn't allow my amendment out 
on the floor because they knew it was going to pass 350-50. 
That's the only reason it didn't pass. I couldn't get it made 
in order. The industry said, don't allow that amendment, 
because they had won in the Commerce Committee 42-0. No Member 
wanted to vote against it when they were forced to in the 
Commerce Committee that they would have their medical or 
financial information transferred without their permission, so 
they just blocked the vote on the floor. Didn't need any more 
study. Every Member knew they didn't want their family's 
medical privacy spread around town or those checks or those 
insurance exams. It was the industry using the Rules Committee.
    So, yeah, I guess you can say we can bottle everything up, 
use the process to stop it, but I don't think it's an accurate 
reflection of the amount of knowledge that we all have of what 
it is that we want to be built into law for each of our 
families. And all I'm doing is just reflecting my own mother's 
mortification if someone knew of some illness that she had. She 
wouldn't even tell her sisters, much less everyone in town, if 
she was--if she had an incontinence pad. She wouldn't want 
anyone to know that.
    She should have a right to protect that. Every American 
should have that right. I don't think we need to debate it. I 
don't think we need to wait 2 more years for this industry to 
have the same rules that the old industries have. I think we 
owe that to Americans, and waiting 2 more years means waiting 4 
more years.
    Mr. Moran. I was just going to suggest that this may seem 
like a plodding, tedious process to bring everybody together at 
the same table and to try to reach some consensus, but 
sometimes the plodding, tedious process actually accomplishes 
more in terms of legislative enactment than the dance of 
legislation, which can be more thrilling and seemingly 
responsive, but can oftentimes take longer and can become even 
more frustrating.
    Mr. Markey. I'll tell you what happened. In the 1995 
Telecommunications Act, our privacy bill of rights was built 
into that act, and it was worked out by all the Democrats and 
Republicans on the Commerce Committee, and it passed the House, 
and you voted for it. Every Member here voted for it in 1995. 
It was my bill. I worked it out with Jack Fields, I worked it 
out with all the Republicans, and it was a comprehensive 
privacy on-line bill of rights.
    The reason it got knocked out was not that all the Members 
didn't understand what the language was, it was because the 
Republican leadership, a week before we finished the conference 
in February 1996, just knocked it out, just knocked it out. 
Somebody called them, and they just knocked it out. And I was 
in the minority at that point, so I didn't have any power to 
keep it back in, but it was all worked out in a bipartisan, 
bicameral, industry-inclusive basis. That was 5 years ago now, 
6 years ago.
    So we can study it, I guess, until 10 years has elapsed 
since the anniversary of the 1995 act passed on the floor of 
the House, but I just don't think we all need to know much more 
about this subject.
    Mr. Moran. Well, you make a very persuasive presentation as 
always, Mr. Markey.
    Mr. Markey. It's the Jesuit education.
    Mr. Moran. I was going to make a remark about that, but you 
beat me to the punch.
    Mr. Horn. I thought it was just being Irish.
    The gentleman from Arkansas.
    Mr. Hutchinson. Thank you, Mr. Chairman.
    Being a visitor to your subcommittee, I want to tell you 
how impressed I am with the depth of your hearings. This has 
been extraordinarily a mind-expanding experience, and I want to 
thank the gentleman from Massachusetts Mr. Markey for his 
excellent presentation. I think that added certainly to the 
debate today.
    And I've been thinking about that we had a discussion early 
on, and if we take this bill, Mr. Moran and I, we just took 
this bill totally down and say we want to give it every shot, 
we don't want to give anybody an excuse not to support industry 
privacy legislation, in all honesty I don't think it's going 
to--you'll build the consensus to move it forward this year. In 
all honesty I don't think you've got the timeframe to get it 
done this year.
    That's just my view, but I don't want this again to be used 
as an excuse not to move other legislation through. I see it 
complementary. In some areas I think you can--we can all agree 
upon the more simple, basic, fundamental areas of privacy, if 
we need to do something, let's do it and get it done with.
    I asked this from the White House yesterday, the gentleman 
from the Office of Management and Budget, if you adopt these 
other things you're interested in, would it be some benefit to 
a commission looking at the ongoing technology, the ongoing 
privacy issues? His answer was yes, because it's a changing 
world out there. This issue is not--adopt everything that you 
want to adopt, Mr. Markey, everything that you want to adopt, 
and I still believe that we need a commission to look at the 
ongoing developing issues in a comprehensive fashion. So that's 
really my interest in it.
    And then maybe--you raise these illustrations about opt-in, 
and I--quite frankly, I don't know if it is that simple. There 
was an instance the other day if there was an opt-in where 
someone refused to give a consent for information to be 
transferred, an opt-in for a cell phone company, what if a 
person chooses not to opt in and they call from a cell phone 
with an emergency, but the location of that emergency cannot be 
divulged to law enforcement or the fire department? Now, it 
could be a kidnapping, it could be a rape circumstance. And 
actually this information was shared a few weeks ago when a 
lady was kidnapped and she called the police, and the telephone 
company did not want to share the information.
    There very well is an answer to that, appropriate 
exception, but I think the point is that this is--there's some 
areas there that we need to--that should be debated, discussed. 
It is not as simplistic as sometimes is presented on the front 
end.
    And so I hope we'll continue having this discussion, and I 
want to thank you again, Mr. Markey, for your presentation. 
You're making notes. I'll give you a chance to respond.
    Mr. Markey. I thank you so much. On that specific issue 
which you just raised, in fact, we passed a bill that does 
prohibit the tracking of cell phone use, but with an emergency 
exception, so in that particular instance, there was no reason 
why the company could not transfer the information to the 
police or the fire in order to provide rescue or emergency 
medical service for that individual. As a matter of fact, we 
passed a specific law a year ago in order to accomplish that 
goal.
    And on the other issue, again, I'm just reflecting my own 
personal history, which is that the Rules Committee 3 years 
ago, when we were bringing up the financial services bill, it 
ultimately was a failed effort. They would not permit my 
amendment on privacy to be put in order for the floor, but they 
promised there would be comprehensive hearings. That was the 
Banking Committee promise. There were no hearings. And last 
year in 1999, when my amendment was denied consideration on the 
House floor, they promised hearings this year. There have been 
no hearings. So if we want to now conduct a study for 2 more 
years, I think it passes prologue. We already see in the 
conduct of----
    Mr. Hutchinson. Mr. Markey, you mentioned 2 years a couple 
of times. I do want to emphasize because of that point, there's 
a provision that the Commission can report back early if they 
deem it appropriate. If there's a consensus that develops 
within 2 months, they report back to Congress. And so that is 
an outside sunset time, and excuse me for interrupting, but I 
did want to make that point.
    Mr. Markey. With $2.5 million allocated, we're going to 
invoke the rule that work expands the time allotted without 
question, because the salaries of all these staffers that are 
going to be hired and all the expert witnesses will guarantee 
that they'll go right up to the very last minute.
    Mr. Hutchinson. There was a comment. Mr. Plesser, you 
raised your hand a moment ago.
    Mr. Waxman. Are we doing the 5-minute rule?
    Mr. Horn. We went to the 13-minute rule, and we'll be glad 
to give you the same.
    Mr. Plesser. If I can, and I appreciate all the comments 
that Congressman Markey said. I just want to say that I think 
his review of the statutes in saying opt-in simply reflect it's 
somewhat more complex than that. I know he would agree with it, 
although the legislation that he suggested does have some 
affirmative consent proceedings in it, but it also has opt-out 
in terms of the use of mailing lists, marketing lists, not of 
the specifics of the transaction. But many of the statutes that 
he referred to, the Cable Act and others, other of the statutes 
do provide provisions, both a balanced view of opt-out and opt-
in. Mr. Markey has always had this wonderful concept of notice, 
knowledge and no, which I think has really led the industry and 
has led self-regulatory efforts, and I think we just want to 
make sure that it still is notice, knowledge and no, and not 
opt-in under some circumstances.
    I would certainly agree in medical records and in detail 
the kind of examples that he gave, but I think opt-out also has 
a strong role, and I just wanted to just fulfill the record on 
that point.
    Mr. Markey. If I could just followup on that, I agree with 
him, a lot of the medical and financial information is very 
sensitive and should be given opt-in protection. And a lot of 
the other information that's on-line is more prosaic and 
probably doesn't deserve opt-in. But we don't need a year and a 
half to figure out which is and which isn't. We can definitely 
finish the medical and financial that we know should be given 
that protection. The most important issue is the material that 
deals with the financial and health information. We don't need 
to wait another 18 months. If you want, we can have a 
commission on what should be the rules for the prosaic 
information, but I don't think we need more time on that.
    Mr. Hutchinson. Mr. Chairman, I yield back. Thank you.
    Mr. Horn. The gentleman from California Mr. Waxman, 10 
minutes.
    Mr. Waxman. Thank you, Mr. Chairman, for the time. I had a 
conflict and couldn't be here. I thought the House rules 
provided for 5 minutes. I wondered after 5 minutes had gone by 
and no clock evidently keeping track of things of what the 
rules were. I won't take 10 minutes, but I wanted a chance to 
at least ask a few questions.
    Mr. Markey, I can see you're frustrated. I'm frustrated 
because we tried to do something in the area of medical privacy 
together, and the legislation has been introduced. Other people 
have introduced bills on medical privacy. This committee, which 
has jurisdiction, hasn't even held a hearing on medical 
privacy. We'll probably have a commission to review the 
findings of the Commission, and then we have to wonder when are 
we going to get to the point where we're going to do something 
about it, because I think the American people are concerned.
    In the area of medical privacy, individuals have expressed 
concern that their employers or potential employers will have 
an inappropriate access to personal information about their 
health records, and I recently conducted a survey to 
investigate how large employers handle their employees' health 
records. I asked 48 top Fortune 500 companies to voluntarily 
describe their privacy practices regarding handling of their 
employees' health information and to voluntarily provide 
documentation of their privacy policies.
    While a few companies stood out for having quality 
components to their policies, the survey found that only 15 of 
the 48 companies provided documentation of company policies on 
medical privacy, and many of the policies provided--lacked 
critical details. Further, 11 of the 48 companies refused to 
respond to any of the survey questions.
    So I think it's fair to ask if companies are unwilling to 
share information with Congress, why would they be any more 
willing to volunteer information to a congressionally appointed 
Privacy Commission?
    Mr. Markey, you have been deeply involved in medical 
privacy policy. If we do go forward with establishing a Privacy 
Commission, do you think we should require the Commission to 
examine employer practices and policies with respect to health 
information of their employees, and do you think the Commission 
should be given the power to secure information from companies 
regarding such practices and policies?
    Mr. Markey. I do. I think that there should be a power of 
subpoena, there should be a right to depose, without question. 
We're talking about the most fundamental civil rights that we 
each have, which is the right to keep our own medical secrets 
private. It's no one else's business. And if companies are out 
there engaging in practices which compromise that, then I think 
this committee--the Commission, as it's constructed, and as a 
result the American people, should know this, and as a result 
then the legislation which is formulated subsequent to that 
would reflect the protections that have to be built in against 
those practices.
    Mr. Waxman. Another area which many individuals have 
expressed concern is how financial institutions handle personal 
information. The United Kingdom has recently established a 
public registry that helps individuals learn about what types 
of personal data is being maintained and used by data 
collectors, meaning entities that decide how and why personal 
data are processed. Under UK law, data controllers have to 
provide details to the public, register about how they process 
personal information. The registers can be searched on-line by 
entering the name of the particular data controller. The 
register includes a description of the different purposes for 
which the controller holds or uses personal data, describes the 
types of personal data held or maintained.
    I want to share with you the results of a recent staff 
search on this registry for Citibank International. The stated 
purposes for which the personal data is held or used include 
marketing and selling, including direct marketing to 
individuals, personnel/employee administration and business and 
technological intelligence, among many others. For each purpose 
listed, the registry described the types of personal data held 
or used. As an example, I'd like to turn to the category 
marketing and selling including direct marketing to 
individuals, and listed 46 different categories of information 
including personal details, physical descriptions, habits, 
personality, character, current marriage or partnership, 
marital history, details of other family household members, 
other social contacts, immigration status, leisure activities 
interests, lifestyle, academic record, court tribunal inquiry 
proceedings, liabilities, outgoings, loans, mortgages, credits, 
dietary and other special health requirements, and religious 
beliefs. Obviously the register established in the United 
Kingdom provides individuals with a tool for obtaining 
substantial information about the practices of data 
controllers.
    Mr. Markey, you've worked for many years on financial 
privacy policy. Do you think it would be a good use of 
resources to study whether an information register like the one 
established in the United Kingdom would be a valuable system to 
establish in the United States, and if we move forward with 
legislation to establish a Privacy Commission, do you think the 
bill should require the Commission to review the United 
Kingdom's public register system and make recommendations 
regarding establishing a similar system in the United States? 
And do you think the Commission should have the power to secure 
information from companies relevant to this study?
    Mr. Markey. I do. What you're now describing is something 
that was required from the World Wide Web consortium, and the 
British, as a result, were saying to Citicorp, you've got to 
tell us what you're using this information for, give us your 
white paper, tell us what's in there. So you just basically 
listed a financial services FBI file on an individual gathered 
by Citicorp on these Europeans. And Citicorp was very unhappy 
about that, that it was disclosed to the public, because they 
might get the jitters that that kind of detailed profile on 
them is being gathered.
    Now, there's one thing we can be sure of, that Citicorp is 
doing the same thing to all of its customers in America, except 
we don't know about it because we don't have law the way they 
have over there, this data protection registry in Great 
Britain. And once the public understood it, they obviously were 
outraged. So we need a way in which the public and the United 
States knows about what Citicorp and every other corporation is 
doing in terms of this information, and if we don't do that, 
then we're going to ultimately wind up with all of us having 
this--you know, this digital dossier being developed on us and 
our families that tells those companies more about ourselves 
than any member of our own family know about us as individuals.
    So you put your finger right on it, Mr. Waxman. There's the 
core problem, and I think we could have corrected it in the 
financial services bill last year. I think we can correct it 
this year. We had a week of hearings now. We can all agree on 
what should be done. I don't think we have to wait 18 months.
    Mr. Waxman. Do any of the members of the panel think we 
ought to have this Commission with the power to get this 
information from employers as to what they do on medical 
privacy and be hired to study the system in the UK and how they 
are handling these data controllers? Anybody on the panel want 
to talk to those issues?
    Mr. Belair. Let me speak to the situation in Europe. I 
think it's tempting to look across the Atlantic and see a very 
robust privacy environment. I spent a lot of time in Europe 
this year. I know Ron has, and I'm sure others have as well. Of 
course, a number of the EU nations have not yet implemented 
their own national law. In addition, the EU is suing some of 
those nations for their failure to comply, and what's 
fascinating about the European situation, it took a while to 
figure that out, but as you talk to the American, the United 
States affiliates over there or multinational corporations, 
there's such a different enforcement culture there that, in 
fact, I think it's fair to say, and indeed many Europeans say, 
that there is a very liberal interpretation of both the EU 
directive and the national laws. And so I think one----
    Mr. Waxman. What is your conclusion? You don't think we 
ought to study it because it's too different?
    Mr. Belair. No, I think it bears study, but I don't think 
it is necessarily a model for us. I do believe, and I think 
probably----
    Mr. Waxman. We don't know that until we study it.
    Do you think a commission ought to be able to study this 
and ought to be looking at other models?
    Mr. Belair. No question about it. Absolutely. I said that 
in my testimony.
    Mr. Waxman. How about some of the others? If you want to 
talk about the medical privacy issue, if employers are not 
willing to respond to Congress on what their policies are, do 
we need to give a subpoena power to this Commission to get the 
information?
    Ms. Culnan. I would say there's clearly a need for better 
notice in this country. I'm not sure that a registration system 
run by the government is the way to do it, but I think clearly 
that the Commission certainly could look at comparative models 
and see what could work here and what wouldn't. But it's 
particularly important, as Mr. Markey said, that people be 
informed what information organizations hold on them, and 
what's the most effective way to do that I think is the real 
issue.
    I think in terms of collecting information from companies, 
I think it would be important to assure them anonymity. To me, 
I don't think there's any particular benefit in naming names 
and saying one company does this and one company does that, but 
it would be very important to get a sense of the landscape in 
terms of where the problems are, as I said in my testimony, the 
extent to which fair information practices are applied, and 
that would include do employees know what companies are doing 
with their information.
    Mr. Waxman. I see my time is up. I don't know if the 
chairman wants to allow anybody else to speak on this issue.
    Mr. Horn. Once you ask the question, the Horn rule is to 
let everybody else answer, but that's it. Then we move to the 
next person.
    Mr. Greenwood is with us.
    Who else would like to answer----
    Mr. Waxman. Anybody. I just wanted to know if anybody 
wanted to respond. I didn't ask each one to respond.
    Ms. Singleton. Just a very quick comment. I understand 
Germany also looked at the possibility of a central registry 
and rejected the possibility because they were concerned it 
could become a target for human rights violations to have a 
list somewhere of all the information and immediately somebody 
who you don't want to have access to that list get access to 
it. It becomes a tool in the wrong hands.
    With respect to the subpoena power, I second Professor 
Culnan's remarks on the anonymity. I think it would be very 
valuable to get a picture of how information is actually used 
in the economy, particularly in the form of a survey, and that 
anonymity would help to ensure great participation.
    Mr. Plesser. On the subpoena power question, yes, no 
question, the Privacy Commission had it in the mid-1970's. It 
was horrible and unwieldy to use, and I don't think we ever 
used it, but the threat of it was effective. Without it I don't 
think anybody would have spoken to us.
    Whether or not you go forward with a commission, I think 
broader subpoena power is a good idea. I don't think there 
should be any limit on what you want to study. I think if you 
want to study data registration in Europe, that's fine. There 
has been one issue of which there is total unanimity among 
every person who has looked at privacy in the United States. 
Every privacy advocate, every expert, everybody that I've known 
or ever spoke to have always opposed the concept of data 
registration being imported to the United States. I've never 
heard even the most radical privacy advocate ask for that.
    I think it's important to study it, to consider it. I think 
in the end the comment we just heard that it's really anti-
privacy rather than pro-privacy is appropriate because then the 
officials know where to go, then they know how to organize it 
and have the map. I think the problem of data registration is a 
significant one, and it's antithetical to our tradition and 
never really has been seriously suggested for the United 
States. But absolutely, let's have a study, let's look at it 
and see if there's a way that some of those concepts are 
helpful, but also to find out what the negative concepts would 
be. Thank you.
    Mr. Horn. Mr. Sokul, any comment to Mr. Waxman's question?
    Thank you very much.
    We now have Mr. Greenwood, Jim Greenwood from the State of 
Pennsylvania.
    Mr. Hutchinson. Mr. Chairman, are the panelists that have 
been here, are they expected to stay?
    Mr. Horn. Well, we'd certainly welcome them, but the dialog 
with the Members--I think Mr. Waxman's question deserved an 
answer, and we went down the line, but you're certainly free to 
leave, and we will, as I said earlier, send you some questions, 
if you don't mind. We're going to ask Democratic counsel and 
Republican counsel what key questions did we miss, and we'd 
appreciate your writing us back. We'll put it at this point in 
the record without objection.
    So we now turn to Mr. Greenwood, and we're delighted to 
have him here. He had to suffer the long wait that you and Mr. 
Markey and Mr. Barton gave up, I gather, and you're always 
welcome. You're a real leader in the House, and we're glad to 
have you here.
    Mr. Greenwood. Thank you, Mr. Chairman. I will be brief 
because, unfortunately, my schedule is going to require that as 
well.
    You've been listening to testimony for 3 hours on this 
issue, so I'm not sure how much more enlightenment I can offer. 
But I would like to share with you why it is that I am prime 
sponsor of H.R. 2470, which is the Medical Information 
Protection and Research Enhancement Act, which is an attempt to 
legislate this issue this year, and I'm also a sponsor of Mr. 
Hutchison's bill, H.R. 4049, the Privacy Commission Act bill, 
which you've been hearing of.
    As you know, this is a long-standing and highly 
controversial issue and a very important issue. Back in 1996, 
the Congress basically directed and passed HIPAA, that 
required, if we couldn't get our act together legislatively by 
the summer of last year, that HCFA would do the regulations. We 
couldn't. We failed as a Congress to legislate. During that 3-
year interim, I introduced my bill in July of last year, and 
we've not been able to move it, and there are reasons for that.
    This is like any other controversy. This issue involves the 
collision of a couple of values: of course, the commitment that 
we all have to protect privacy with regard to the most intimate 
details of our lives. The second one is that there's a terrific 
benefit to society when medical outcomes can be--that data can 
be collected and can be used by researchers and health care 
providers and insurers and others to try to enhance therapies 
and treatments for all of us. So the challenge in this issue is 
how do you merge these two values without compromising, on the 
one hand, confidentiality, nor compromising, on the other hand, 
the ability of society to benefit from this data.
    My experience with this issue is that there are two 
fundamental policy roadblocks, the first of those has to do 
with liability. The consumer advocates generally represented by 
the Democrats in the House advocate for a relatively liberal 
policy with regard to liability. They believe that if one's 
confidentiality is breached in any way, that there ought to be 
ready access to the courts.
    The other issue of controversy has to do with preemption. 
Many of us, including myself, perceive that in this digital 
age, information travels from our health care provider, to our 
health insurer, to a researcher across the State lines at the 
speed of light, and if we are going to use the values of the 
information age, we need to make sure that this data doesn't 
have to stop at every State boundary on the way. It won't work 
that way. The States have moved ahead and have, in some cases, 
passed some very strict confidentiality laws as it relates to 
issues like AIDS, mental health, and genetic information.
    I believe that we need to find a way to build a very 
airtight channel for this information to move from State to 
State without violating confidentiality. We haven't been able 
to do that. I've worked with Congressman Waxman, Congressman 
Markey, Congressman Brown, and Congresswoman Eshoo on the 
Commerce Committee trying to forge bipartisan support for the 
bill, and frankly we just haven't succeeded. We just haven't 
been able--in good faith negotiations to reach consensus.
    So my first wish would be that my legislation could pass, 
and we could have it enacted in this Congress. I don't see 
that, frankly, as being likely. So my second priority would be 
that Mr. Hutchinson's bill becomes enacted so that we can find, 
through the use of a commission, the consensus that we've not 
been able to find legislatively. In my view, the worst of all 
possible scenarios is that nothing happens, and that this issue 
drags on for failure on our part to find bipartisan consensus.
    Mr. Horn. Does the gentleman from Arkansas have any 
questions of the witness?
    Mr. Hutchinson. No. I just want to thank you for putting a 
good cap on this hearing today. You expressed really what my 
attitude is. I'd like to see your legislation move forward 
first and foremost, and I appreciate your understanding that 
this commission bill--I don't want it to be a threat to 
anyone's individual bill. I want to it to be complementary, I 
want it to be helpful and take a long-term look.
    So thank you very much for expressing that so succinctly 
and for your support and your initiative, which I'm delighted 
to support, and also for your support of the Commission.
    So thank you, Mr. Greenwood.
    Mr. Greenwood. If Mr. Horn would take my bill up and move 
it, I would be happy to have it transfered to this committee.
    Mr. Horn. It's sitting in the Commerce Committee. Can you 
get it over here? We'll give you a fast 24-hour look at it.
    We have to vote on the floor, and I want to thank the staff 
that helped prepare this hearing. We will hold another hearing 
tomorrow, which I believe will be Thursday--yes, Thursday at 2, 
and it will be on privacy. I guess we haven't learned enough 
yet.
    And we want to thank the court reporter Laurie Harris. I 
don't know how you stood it, Laurie. You should have nodded, I 
guess.
    And the staff director and Chief Counsel George has been 
with us in and out. Heather Bailey is to my left, your right, 
as the professional staff member putting things together here; 
and Bonnie Heald, director of communication; Bryan Sisk, clerk; 
Liz Seong, intern; and Michael Soon, intern. Trey Henderson is 
counsel for the minority, and Jean Gosa is minority clerk. And 
with that, we adjourn the meeting.
    [Whereupon, at 5:06 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T1178.117

[GRAPHIC] [TIFF OMITTED] T1178.118

[GRAPHIC] [TIFF OMITTED] T1178.119

[GRAPHIC] [TIFF OMITTED] T1178.120

[GRAPHIC] [TIFF OMITTED] T1178.121

[GRAPHIC] [TIFF OMITTED] T1178.122

[GRAPHIC] [TIFF OMITTED] T1178.123

[GRAPHIC] [TIFF OMITTED] T1178.124

[GRAPHIC] [TIFF OMITTED] T1178.125

[GRAPHIC] [TIFF OMITTED] T1178.126

[GRAPHIC] [TIFF OMITTED] T1178.127

[GRAPHIC] [TIFF OMITTED] T1178.128

[GRAPHIC] [TIFF OMITTED] T1178.129

[GRAPHIC] [TIFF OMITTED] T1178.130

[GRAPHIC] [TIFF OMITTED] T1178.131

[GRAPHIC] [TIFF OMITTED] T1178.132

[GRAPHIC] [TIFF OMITTED] T1178.133

[GRAPHIC] [TIFF OMITTED] T1178.134

[GRAPHIC] [TIFF OMITTED] T1178.135

[GRAPHIC] [TIFF OMITTED] T1178.136

[GRAPHIC] [TIFF OMITTED] T1178.137

[GRAPHIC] [TIFF OMITTED] T1178.138

[GRAPHIC] [TIFF OMITTED] T1178.139

[GRAPHIC] [TIFF OMITTED] T1178.140

