[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
PRIVACY IN THE COMMERCIAL WORLD
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
COMMERCE, TRADE AND CONSUMER PROTECTION
of the
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
MARCH 1, 2001
__________
Serial No. 107-16
__________
Printed for the use of the Committee on Energy and Commerce
Available via the World Wide Web: http://www.access.gpo.gov/congress/
house
__________
U.S. GOVERNMENT PRINTING OFFICE
71-496 WASHINGTON : 2001
_______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
W.J. ``BILLY'' TAUZIN, Louisiana, Chairman
MICHAEL BILIRAKIS, Florida JOHN D. DINGELL, Michigan
JOE BARTON, Texas HENRY A. WAXMAN, California
FRED UPTON, Michigan EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma BART GORDON, Tennessee
RICHARD BURR, North Carolina PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia BART STUPAK, Michigan
BARBARA CUBIN, Wyoming ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois TOM SAWYER, Ohio
HEATHER WILSON, New Mexico ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING, KAREN McCARTHY, Missouri
Mississippi TED STRICKLAND, Ohio
VITO FOSSELLA, New York DIANA DeGETTE, Colorado
ROY BLUNT, Missouri THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia BILL LUTHER, Minnesota
ED BRYANT, Tennessee LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
David V. Marventano, Staff Director
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel
______
Subcommittee on Commerce, Trade, and Consumer Protection
CLIFF STEARNS, Florida, Chairman
NATHAN DEAL, Georgia EDOLPHUS TOWNS, New York
Vice Chairman DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky LOIS CAPPS, California
BARBARA CUBIN, Wyoming MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona JANE HARMAN, California
ED BRYANT, Tennessee HENRY A. WAXMAN, California
STEVE BUYER, Indiana EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon ANNA G. ESHOO, California
LEE TERRY, Nebraska JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana (Ex Officio)
(Ex Officio)
(ii)
C O N T E N T S
__________
Page
Testimony of:
Cate, Fred H., Professor of Law, Indiana University School of
Law........................................................ 17
Feldblum, Chai R., Professor of Law, Georgetown University
Law Center................................................. 67
Rotenberg, Marc, Executive Director, Electronic Privacy
Information Center......................................... 61
Rubin, Paul, Professor of Law and Economics, Emory University
School of Law.............................................. 47
Singleton, Solveig, Senior Policy Analyst, Competitive
Enterprise Institute....................................... 57
Volokh, Eugene, Professor of Law, UCLA Law Center............ 26
Material submitted for the record by:
Cate, Fred H., Professor of Law, Indiana University School of
Law, letter dated march 8, 2001, enclosing material for the
record..................................................... 103
Singleton, Solveig, Senior Policy Analyst, Competitive
Enterprise Institute, response for the record.............. 108
(iii)
PRIVACY IN THE COMMERCIAL WORLD
----------
THURSDAY, MARCH 1, 2001
House of Representatives,
Committee on Energy and Commerce,
Subcommittee on Commerce, Trade,
and Consumer Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:04 a.m. in
room 2322, Rayburn House Office Building, Hon. Cliff Stearns
(chairman) presiding.
Members present: Representatives Stearns, Upton, Shimkus,
Bryant, Buyer, Terry, Tauzin (ex officio), DeGette, Doyle,
John, Harman, Markey, Gordon, Rush, Eshoo, and Dingell (ex
officio).
Staff present: Ramsen Betfarhad, majority counsel; Yong
Choe, majority clerk; Bruce Gwinn, minority professional staff;
and Courtney Johnson, minority clerk.
Mr. Stearns. The subcommittee will come to order. I want to
thank all of you for attending this morning the first hearing
of the Subcommittee on Commerce, Trade, and Consumer
Protection. In particular, I would like to thank Diana DeGette
from Colorado, who is substituting for Eddie Towns, who had to
go back to New York City. And I want to thank, of course, all
of the members of the subcommittee.
I want to thank, of course, our distinguished witnesses for
appearing before this panel, and I look forward to their
testimony and hearing their answers to our questions.
I plan on and expect that this subcommittee, all of us
working together, will create a productive and distinguished
record for the 107th Session. I look forward to working with
each and every subcommittee member.
The subcommittee's jurisdiction is broad and encompasses
areas which pose some difficult and complicated questions.
Privacy is just one such question. I'd like to take a moment to
briefly outline my priorities for this subcommittee. They are,
one, privacy and other e-commerce issues; two, international
trade, specifically as it relates to e-commerce; and three,
discrete consumer protection issues, such as continued work on
tire safety, car safety; and, four, these mega-mergers that we
see today.
The subcommittee is the front-line subcommittee on the
topical issue of privacy. We, I believe, must create a forum
for open and honest discussion on the subject. Moreover, I
think the subcommittee must also advance the cause of e-
commerce by examining and, if need be, addressing some of the
more significant issues confronting e-commerce, both at home
and abroad.
The international dimensions of e-commerce will be another
focal point of our subcommittee's actions. Developments beyond
our shores, in particular in the European Community, relating
to e-commerce necessitate our careful examination and
heightened vigilance on the matter. Finally, there are a myriad
of consumer protection issues that we will pursue.
Today, we begin to address what may be one of the most
difficult and important issues confronting Congress this
session. That issue is information privacy in the commercial
world. Today's hearing is the first in a series addressing the
issue of information privacy. I believe it is incumbent upon us
to create a forum for open and honest discussion.
Precisely for these reasons, we must ask today's witnesses,
a distinguished group of scholars and thinkers on the matter,
to place the issue in its proper historical context. It is rare
that you have a hearing without legislation in place. And so,
today, I seek to establish this forum to have the proper
historical, intellectual and jurisprudential contexts before we
even begin.
We must raise the fundamental issues that are implicated in
this discussion. It would not be an understatement to suggest
that information privacy in the commercial context is a complex
and indeed a vexing issue. The testimony today will attest to
its complexity, scope and breadth. For example, the issue of
privacy transverses such varied areas of common law as
contracts, torts and property, and information privacy as it
relates to commercial activities carries with it an implication
well beyond the world of commerce.
Today, we will hear testimony advising us to be vigilant
and careful when contemplating information privacy fixes for
the commercial world, for we may risk triggering serious
Constitutional questions and violations. In addressing the
issue of information privacy, we must be mindful of the First
Amendment, a cornerstone of the American democracy. The
testimony also informs us of the tremendous benefits that have
accrued to our economy and the American consumer from the
tradition of a free flow of information within the commercial
context, and we are warned of the negative repercussions that
attach to a restrictive information regime in the commercial
world. On the other hand, we must also be advised that
information privacy rights have enabled the development of new
commercial services.
I have highlighted just a few interesting observations
extrapolated from today's testimony. There are many more, my
colleagues. But today's testimonies are a testimony to the
richness and complexity of the debate we as a subcommittee are
embarking upon this morning. So I encourage all members to take
the time to carefully examine the issues before us, and I hope
you will find, as I am sure you will, this hearing helpful as
we move this process forward.
In closing, I would like to reiterate my commitment to
having a close working relationship with all subcommittee
members. I look forward to bipartisanship and a willingness to
put together legislation that is meaningful.
With that, I will call upon Ms. DeGette for her opening
statement.
Ms. DeGette. Thank you, Mr. Chairman.
Mr. Chairman, I was privileged to work with Mr. Towns on
the previous Financial Services Subcommittee and know I can
speak for both of us in saying that all of the members of the
minority, particularly myself and Mr. Towns, look forward to
working with you on these important issues of privacy. I want
to commend you for quickly holding this first hearing on the
topic. I know it is a very complex topic, and those pesky
little Constitutional issues do creep up. I am glad that you
recognize that, too.
We all know that it is an important subject and one that
needs to be addressed. I also want to welcome the witnesses
here today. I know I speak for all of the members in saying we
look forward to hearing your testimony.
Over the past few years, my constituents have become more
and more interested and concerned about personal privacy
protections. I personally believe that the diversity of views
among different industries and consumer groups, coupled with
the complexity of the issue, will make it a very challenging
task for policymakers. However, I think that there is a
consensus that we need to address both the perceived and real
fears that people have with respect to their privacy,
particularly in this electronic age.
As I mentioned, I was on the Financial Services
Subcommittee and was privileged to be a conferee on the Gramm-
Leach-Bliley legislation that overhauled the financial services
industry. Privacy was a big issue during those negotiations.
Some think that the final language was a good compromise; some
think it went too far; and many think it didn't go far enough.
One thing everyone has an agreement on: it was no easy feat
to try to strike a balance between preserving the
competitiveness of business and protecting the privacy of
consumers. I think that that is an issue that the Federal
legislators will struggle with for many years to come. I do
think, though, that there are two dirty little secrets in the
context of this issue. The first is privacy can actually be
good for business. The second is information sharing can
actually be good for consumers.
Certainly, the issue of privacy can be a new opportunity
for increased consumer confidence and trust in business. I know
there are many companies that are already busily working
customers with their own privacy policies. Every consumer who
participates in the new economy has privacy concerns on one
level or another, and I know that everyone will work together
who has a stake in privacy issues to ensure that the rights and
responsibilities of consumers are balanced with that of
business.
Privacy should and needs to be at the top of every
company's priority list. It should be noted that more than one
expert on this topic has called privacy not just a social or
moral issue but the single most important business decision a
company can make today. And I want to talk just a moment about
medical privacy. Congress acted in a bipartisan fashion in 1996
when it mandated that a sweeping medical records privacy bill
be passed by 1999. The goal was not met, and as everyone here
knows, the Clinton administration wrote the new HIPAA
regulations at the end of last year.
I have heard from many constituents back home who are in
the health care industry that these new regulations are too
burdensome, and the bar has been set too high. I am sympathetic
with those concerns, but I do believe that the administration
needs to work with this subcommittee and the rest of Congress
to modify the regulations rather than simply withdrawing them,
because I do believe that medical records privacy is a critical
issue.
Mr. Chairman, again, I look forward to hearing from the
witnesses today, and I particularly look forward to working
with you and the rest of these members on these complex issues
over the next 2 years.
Mr. Stearns. Thank you.
And now, we have our distinguished chairman of the
committee here for his opening statement. Mr. Chairman?
Mr. Tauzin. Thank you, Mr. Chairman. Good morning.
I want to welcome everyone here today, especially the panel
of witnesses. I remember when I first entered the Louisiana
legislature, Cliff, and I had my first chance to examine my own
law professors----
What a wonderful experience that was to be able to ask them
a few tough questions for a change.
I want to also acknowledge to all of you: this is the first
official action of the Subcommittee on Commerce, Trade, and
Consumer Protection, and I particularly want to welcome
Chairman Stearns to this endeavor. This committee is going to
be an extremely busy committee this year, and information
privacy is obviously one of many big concerns of this
committee, but it is a huge one, and I want to congratulate
you, Cliff, for making it the first inquiry of this session.
I also want to welcome two members who are not here now,
but your ranking member, Mr. Towns, who has been a dear friend
for a long time, and he and the vice-chairman of the committee,
Deal, are going to be great assets to you as you move forward
with this and other hearings, and I want to wish you all well,
particularly the new members of the subcommittee, as they are
new members of the committee. This issue is particularly
intriguing, and I am glad you are starting with an examination
of the legal foundations, philosophical basis. We need to think
through what privacy has meant in this country and how it has
been applied in the context of the various jurisdictions and
the U.S. Constitution. Hearing from professors who have thought
about, written about and understand many of the complex issues
is a good start. I want to thank you for that.
But I also want to point out, as did Ms. DeGette, that this
is not a new issue for us. I think if you looked at the books,
you would see about 17 statutes on privacy that have been
enacted by the Congress over the years: consumer credit--not
just the financial services bill and medical privacy but quite
a host of smaller but nevertheless important privacy bills that
were written in the brick and mortar world to protect people's
privacy and, at the same time, protect free speech and the free
flow of information. It is a delicate balance.
The other thing I want to point out to you is that while
the last administration certainly had a great interest in this
subject matter, that we asked the GAO to look at Federal online
sites and discovered that the Federal Government was not doing
a very good job of protecting people's privacy, in fact,
ironically onsites that people don't necessarily visit
voluntarily. For example, the IRS site, which is sort of a site
you have got to go to if you don't want to file on paper, and
we discovered they even had a cookie on that site.
So we discovered some bad features of our own Federal
protection of privacy on Federal Websites, and we need to pay
attention, and I know you will look at that, Cliff, as you go
forward with these hearings.
I also wanted to point out that every time we have hearings
on this, people's positions start shifting. I was just in
Silicon Valley the last week or so, and I have seen a different
tone. There was a don't do anything attitude for a long time
now, and at the conference we had at Landsdowne and meetings I
am having lately with folks in the Valley, there is a different
attitude. The attitude is you better do something, because we
will have 50 states acting and 1,000 other jurisdictions
acting, and we will have so many policies and conflict that
interstate commerce will get bogged down. And maybe we need to
have a common policy that we all understand.
Second, I know you will focus on the great advances made in
the private sector, the new self-policing organizations; the
new seal of approval organizations, the things that private
industry is doing to better inform and give consumers a better
chance to protect their own information when they want to.
Particularly, I hope you will examine the technological
advances that give consumers more security in the information
age in regards to information they want to keep private.
And finally, punting might be good in football, but this
committee is finished punting. As we meet in this room,
downstairs, we are meeting on the Patients First project, a
project to deeply involve this committee in the health care
issues of this country again. Here on this level, this
amazingly complex set of issues that face you, I am excited
that you are not punting either. The last thing we ought to do
is turn this one over to regulators. We ought to make the
policy here. We ought to make it carefully; we ought to make it
targeted; we ought to make sure it helps, not impedes, e-
commerce. We ought to make sure that when we get through,
consumers feel like they are getting a good deal out there, and
they have got better control of the information that is
pertinent but nevertheless important and sometimes very
personal to them.
Mr. Stearns and members of the committee, I want to wish
you well. I am delighted, frankly, that you are engaged like
this, and Cliff, you know you will have my full support and the
support of the entire staff, as I know Mr. Towns will offer his
support and his staff to you as well. Good luck and bon voyage.
Mr. Stearns. Mr. Chairman, thank you for your confidence,
and, of course, we look forward to your continued support and
your input in this very awe-inspiring attempt to try to come up
with a fair, balanced approach that weighs the risk for
consumers but also providing the opportunity for technology
advancement. So I appreciate your support.
Mr. Dingell, the ranking member of the full committee.
Mr. Dingell. Thank you, Mr. Chairman.
This is an important hearing, and I commend you for having
it. Privacy is not only important to those who don't have it,
but it is an essential need of electronic commerce and
communication if they are to fulfill their promise. It is not a
new issue to this committee. For more than 20 years, we have
had privacy provisions for sensitive business information in
virtually every major bill that has gone through the committee.
For example, in the Safe Drinking Water Act in 1975, the
committee gave business strong privacy protections not unlike
those advocated today by consumers, Internet users and most of
us in our relationships with our health care providers, our
financial institutions and our employers.
The act limited information that EPA could collect from
business. It also required that EPA give business the ability
effectively to opt out or to prevent the agency from publicly
releasing sensitive business information. We had a choice to
make, and the committee chose to satisfy industry's concerns
about sensitive information, so that EPA could get reliable
access to the information it needs but not to intrude
excessively into the privacy of business or to impair the needs
of business to protect business and trade secrets or other
matters of concern to business.
Today, individuals need the same kind of assurances that
business has gotten and demanded so that the commercial
potential of the Internet and the benefits of electronic
communication can be fully realized. Without public trust as to
the protection of privacy, there will be no ability of business
to utilize electronic communications the way they can and
should be.
There are a lot of stories about harm that individuals can
suffer when privacy is abused today. I would commend to the
committee a recent article entitled ``Gene Gap Creates New
Frontier for Discrimination.'' This article makes the point
that there are strong possibilities that women, for example,
who are being examined for breast cancer will refuse to get
genetic testing. This has already happened. And their reason,
of course, is fear of genetic discrimination;.
There are privacy problems in the financial area, and these
are extreme. They are exacerbated by the unfortunate action
which the Congress took during the prior session with regard to
the financial deregulation legislation that passed last year.
Already, we are hearing that there are major problems in
banking. Plaintiffs' attorneys now say that fewer than one
quarter of the people involved in one case against the Bank of
America, the Nation's third-largest bank, have ever been Bank
of America customers. But nonetheless, the bank is being sued
for having obtained thousands of credit reports and then
selling them to entities that were not affiliated with the
bank.
So if you want your financial privacy, you better be
starting to be concerned about this matter and about the
defects and failures, because it appears that the Congress has
permitted Pandora to open the box, and the devils which attack
privacy are now moving widely through our society. Individuals
must have power to control how and when and with whom their
personal information is shared. To accomplish this task, the
efforts and cooperation of many are going to be needed, and
active supervision of this subcommittee and of this committee
will be required.
Business is going to have to establish strong self-policing
practices and procedures to ensure compliance with privacy
guidelines. The Government is going to have to see that honest
men are kept honest by a good statutory framework that will
punish wrongdoing, which hurts ordinary citizens, and failing
that, we can look forward to nothing but trouble in this area.
Mr. Chairman, I look forward to working with you and other
members of the subcommittee on this important issue. Thank you.
Mr. Stearns. I thank you, Mr. Dingell.
Mr. Shimkus, opening statement?
Mr. Shimkus. Thank you, Mr. Chairman. I just want to echo
what my good friend and colleague Diana DeGette said, and I'm
going to use it from now on, Diana. Privacy will be very good
for business, and information sharing is and will be found to
be very good for the consumer. Marrying those two so that they
don't bleed into each other, and we have legal and the
Constitutional debate, that is the challenge. That is why you
are there to help us, really educate us, on these difficulties.
I look forward to hearing your testimony and welcome, and I
yield back my time, Mr. Chairman.
Mr. Stearns. Mr. Doyle?
Mr. Doyle. Thank you, Mr. Chairman. I want to thank you for
convening this hearing to examine individual and consumer
privacy protection issues in our growing high-tech economy.
This hearing should provide a forum to address privacy
concerns in cyberspace as our Internet and electronic commerce
sectors continue to expand and evolve. In recent years, we've
witnessed more and more traditional old economy industries and
businesses offer their goods and services online, speaking to
the fact that e-commerce provides a never-before-seen ease of
accessibility and convenience to an increasing volume of
consumers.
Newly minted companies immediately turn to the Internet as
an effective resource to reach potentially unlimited numbers of
customers worldwide. The sudden serve in e-commerce popularity
demonstrated a public confidence and willingness to indulge in
this innovative medium. Although the recent slowdown in the
high-tech and e-commerce industries have created some financial
headaches for businesses and investors alike, utilizing the
capabilities of the Internet for commerce will remain high on
the priority list for competitive industries in the Twenty-
First Century.
As more households in America turn to online entities for
goods and services, protecting the privacy of users has
exploded to the forefront of discussions. In my view, one of
the fundamental issues governing the evolution of a thriving
high-tech and e-commerce sector in the American economy will be
the level of consumer trust in online institutions and
communication. Without trust in digital systems and networks,
the benefits of this growing economy will be severely limited,
and the American public will miss a golden opportunity.
Information privacy concerns are a double-edged sword for
e-commerce. Routine information about users and their usage
might be used to assist online service providers in government,
business and medical areas to provide efficient, informed and
highly personalized customer service. Lacking the trust and
assurance that their information is truly protected online,
consumers will turn away from online resources. Ensuring
consumer trust in online transactions means enhancing online
security measures and information sharing practices, thus
creating a need for highly trained software and system
engineers and companies, spawning more economic growth.
I believe that we in Congress must continue to examine the
best means possible to foster and promote sustained economic
growth in the high-tech sectors of our economy. Realizing that
a critical component of any sustainable growth is high consumer
confidence and trust in the available services, we must look at
the role the Federal Government must assume to achieve
effective results.
I am aware that in the past, far-reaching Federal
regulations have created unnecessary burdens on business, to
the point where some industries found it economically
unfeasible to continue without significant restructuring or
downsizing. That is not to say that Federal agencies design to
choke firms out of business by promulgating excessive
regulations; rather, the Government responded to a definite
need to ameliorate certain abusive practices and situations by
those industries. But at times, we simply reacted too harshly.
It would be unfortunate if a similar situation was to occur
with our budding high-tech economy.
In closing, Mr. Chairman, it is my sincere hope that we may
find a happy medium from today's discussions in which the
privacy and trust of concerned citizens is protected and
upheld, while industry practices responsible utilization of
consumer information sources as a means to enhance and develop
online e-commerce assets.
Thank you, Mr. Chairman.
Mr. Stearns. I thank my colleague, and I want to welcome
one of the newest members to our full committee at Commerce,
and I enjoy having him on my subcommittee, Mr. Buyer.
Mr. Buyer. No, I pass.
Mr. Stearns. Okay.
Mr. Buyer. I want to hear the witnesses.
Mr. Stearns. Mr. Markey, for an opening statement?
Mr. Markey. Thank you, Mr. Chairman very much, and thank
you for having this very important hearing today.
We have come a long way in 1 year. A year ago, the industry
generally was saying don't tax us; don't force us to give
privacy protections; don't pass laws that protect us engaging
in fraud, or else, you will ruin the industry. And thank God we
didn't do anything on anything, because the industry did it to
itself obviously. I will also add another thing: don't expect
us to make money or have any revenues, you know.
And the stock market has reflected their view of that.
Although it was belated, it obviously has now taken at least
half of the air out of that bubble, and so, at least, now, we
can discuss these issues without fear that anything we might do
in the privacy front would be then responsible for knocking
half of the value off of the Nasdaq.
Because obviously, privacy had nothing to do with it. It
had to do with the irrational exuberance of those who were
investing in the Nasdaq.
So without question, privacy is a looming legislative issue
in this Congress. At today's hearing, we can get a brief
glimpse of the simmering policy issues that are of increasing
concern to Americans throughout many segments of our society,
including financial privacy; Internet privacy; medical privacy
and genetic discrimination.
Let me briefly just touch on a few of these issues. With
respect to financial privacy, this committee approved
legislation which would have given consumers the ability to say
no to having their banking, their brokerage or their insurance
records shared with affiliates of a huge financial holding
company or with third parties. Unfortunately, the House
Republican leadership gutted this provision, replacing it with
a loophole-ridden privacy provision. We need to close those
loopholes so that consumers have control over how their most
sensitive financial secrets are disseminated.
With respect to medical privacy, what we have right now is
the story of medical privacy on hold. The red light is
blinking, but nobody seems to be picking up on the fact that
the American people want medical privacy standards. And by law,
these protections should have been established a whole year
ago. In 1996, Congress promised Americans that specific health
privacy protections would be in place by February of 2000. We
are over a year late with our promise. I think we have put
medical privacy on hold for long enough.
For this reason, I am particularly concerned that the
Department of Health and Human Services has recently announced
a recent decision to open up the Health Insurance Portability
and Accountability Act privacy regulation for a 30-day comment
period. I am drafting a letter to be sent to the Secretary, and
I hope to get bipartisan support urging the rule's timely
implementation.
While this rule isn't perfect, it is a carefully crafted
first step toward a comprehensive privacy standard, and once
implemented, I plan to introduce legislation to improve it.
With respect to online privacy, it is no secret that I have
long been advocating action to put common sense privacy rules
on the books to protect privacy in cyberspace. I believe that
such action will be good for business, and it will increase
consumer confidence in the medium. It is clear that industry
self-regulation alone is a failure and is insufficient. Our
current policymakes absolutely no sense. It is anti-consumer
because it doesn't afford anything remotely resembling
comprehensive protections consumers deserve.
Beyond undermining consumer confidence, however, the lack
of legal privacy requirements also creates an inverse system of
rewards and risks for the industry. If a company posts a
privacy policy and then subsequently violates it, the FTC can
take action under its authority to police unfair and deceptive
practices. Conversely, if a company posts no policy at all and
then engages in personal information hijacking, it is legally
able to continue on its merry way. The company is shielded by
the privacy paradox: as long as it never promises to protect
privacy, it can never be accused of deceiving its customers.
Again, I have argued that what we must have is a national
privacy policy that continues and urges self-regulatory efforts
but complements such efforts with the promotion of
technological tools and enhanced privacy as well as a set of
meaningful, enforceable privacy guidelines that protect all
Americans in the online environment.
I think at this point, everyone is familiar with the
essential ingredients of fair information practices. What we
need to do now is proceed with a more detailed, rigorous
examination of how these principles can be fleshed out
legislatively so that beyond our discussion of privacy
principles, we can better explain to consumers and industry of
how these key privacy rights will work operationally in the
online environment.
I encourage both the industry and privacy advocates to
articulate in a more detailed fashion what they would like to
see in any legislation that this committee considers. I want to
commend you, Mr. Chairman. I think we are at the beginning of a
very, very important process that I hope will produce, by the
end of this year, an online privacy bill of rights that will
give every American the protection which they need for their
family's secrets.
Thank you, Mr. Chairman.
Mr. Stearns. I thank my colleague.
Mr. Terry?
Mr. Terry. I am going to pass, but I want to hear what a
privacy bill of rights entails. But I want to flesh out my
philosophy on privacy through questions to the panel.
Thank you.
Mr. Stearns. Ms. Harman for an opening statement?
Ms. Harman. Thank you, Mr. Chairman.
One of the primary reasons I sought to join the Energy and
Commerce Committee was to serve on this subcommittee, and I am
very pleased to see that this subject is first up. I represent
a district which 10 years ago was heavily dependent on defense
and aerospace. In the last 5 or 10 years, it has transformed
itself into the heart of Southern California's digital coast.
The new industrial base is e-commerce, multimedia, Web design,
telecommunications and other high-tech businesses, and all of
them have significant presence in Venice, El Segundo and the
South Bay of California.
The success and future of those businesses depends to a
large degree on consumer confidence in the Internet, and
confidence requires control, giving consumers control over the
information that consumers reveal when they are online. How to
achieve real consumer control or real consumer choice is
tricky, and numbers of our members have just commented on that.
I believe that industry self-regulation and code-based
solutions like the P3P protocol have a role, but they are
probably not the entire answer.
The Federal Government also has a role, and one component
of that role needs to be, in my opinion, to preempt some State
regulations so that interstate commerce is not impeded. The
proliferation of multiple State standards has prompted industry
to seek Federal Government help; to seek partnerships. That, in
my view, is good, and so is drawing bright lines around
personal health and financial records.
Numbers of members this morning have talked about potential
abuses. I would just like to mention one real abuse that I
learned of last fall while holding hearings on this subject in
my district. One woman told me that her husband had been
diagnosed with cancer and in this regard was also tested for
HIV/AIDS. While he was in the hospital, she happened to sneak a
look at his medical chart which, instead of saying HIV pending,
because he had been tested, said HIV positive.
Of course, the test turned out to be negative. She insisted
that the chart be changed. But imagine if that information was
routinely used by insurance companies, employers or credit card
companies. That man's future would have been seriously affected
by an inaccurate statement on his medical chart. And so, it is
absolutely critical that we find the right ways to protect
medical privacy and the related issue of financial privacy.
I am looking forward to this hearing, Mr. Chairman, and to
future hearings and to playing as important a role as I can on
fashioning a balanced and bipartisan piece of legislation that
deals with this critical issue.
Thank you very much.
Mr. Stearns. I thank my colleague.
Mr. John, opening statement if you have one?
Mr. John. Thank you, Mr. Chairman.
I have a copy of my statement that I would like to submit
for the record, and in the interest of time, I would just like
to say thank you for this hearing. I think this is very
important. And my comments reference, among other things, an
article that was in the Wall Street Journal on February 20 that
talks about and compares Europe's Web privacy with the United
States and how, over the last 5 years, the European Commission
has put a wealth of regulations on the books, and they
commissioned a study that basically said that there is a
balance between what happens in the United States; that self-
regulation is not that bad; that some of these regulations have
been overburdening, and actually, in the United States,
according to the study, there are a lot more privacy
protections for consumers without the regulations.
Although I don't think it is absolute, I think it is an
interesting read to start us off and to see where we are going
and learn from a case study that was actually funded by the EU
to learn about privacy and government and private industry's
involvement in how you get to that ultimate goal of which I
don't think any of us really know or have our finger on, which
is consumer protection and also not stifling economic growth.
So I would urge each member of the committee to take a look
at this article. It is very interesting. With that, I yield
back my time and look forward to the witnesses.
[The prepared statement of Hon. Christopher John and the
Wall Street Journal article follow:]
PREPARED STATEMENT OF HON. CHRIS JOHN, A REPRESENTATIVE IN CONGRESS
FROM THE STATE OF LOUISIANA
Mr. Chairman, thank you for assembling today's panel of experts on
privacy matters. I believe that this Subcommittee's focus on privacy
will be one of the most important issues that this Congress faces, and
I look forward to their testimony.
Mr. Chairman, recent analysis has shown that as goes the NASDAQ, so
goes consumer confidence in this country. Granted, these movements have
not been rigorously tested statistically, but the point that is
relevant to this Subcommittee and this hearing remains: consumer trust
and confidence are fundamental to the success of the increasingly
global Internet economy and privacy is a critical component of the
``trust and confidence'' measure that consumers hold. It applies to
both e-commerce in general and the practices of specific companies in
particular. We have an opportunity during the 107th Congress to ensure
that we provide the best environment for future economic growth while
ensuring adequate consumer protections in this regard. I do not believe
that these are mutually exclusive goals.
Having said that, I do not have the equation that solves the vexing
problem we are dealt here today--resolving American's desire for one-
stop shopping on the Internet without making themselves more vulnerable
to tracking by criminals, businesses and even the government. However,
I would like to submit for the record a recent Wall Street Journal
article entitled, ``Europe Lags Behind U.S. on Web Privacy.'' It
suggests, via a European consumer's organization study, that Internet
users' privacy is better protected in the U.S. than in Europe, despite
the privacy directive that exists there. In all fairness, it does not
endorse the private sector solution that we have allowed in the U.S.
and it is critical of our lack of provisions regarding right to
redress. However, I think the lessons and challenges that the article
outlines should be paramount on all of our minds as we move forward in
discussing privacy matters in this Subcommittee and in this Congress.
Thank you, again, Mr. Chairman for holding this hearing. These
matters are of extreme importance to my constituents in the 7th
Congressional District of Louisiana. I look forward to the hearing
today.
______
[Tuesday, February 20, 2001--The Wall Street Journal]
Europe Lags Behind U.S. on Web Privacy
MORE AMERICAN FIRMS LET CUSTOMERS GUARD DATA, STUDY FINDS
By Ben Vickers
Internet users' privacy is better protected in the U.S. than in
Europe, despite the raft of privacy regulations that have been approved
by the European Commission over the past five years, according to
European consumers organizations.
The U.S. model of voluntary self-regulation of the use of private
data collected online appears to work better, according to a
commission-funded study by United Kingdom-based Consumers
International, a federation of more than 250 consumer organizations in
110 countries.
The study reveals, for example, that 80% of European Web sites
don't comply with current EU law that requires the sites to give online
customers the chance to opt out of allowing their personal data to be
stored and reused. In the U.S., however, almost 60% of most-popular
sites offer their users the chance of opting out of having their data
stored and reused.
Fewer sites in Europe collect data on users, compared with the U.S.
overall. But of those that do, the study says, only about a third
comply with the EU rule on offering public privacy policies. More than
63% of European Web sites collect information on users, but only 32%
point them to their privacy policy, which explains that company's use
of private data. In the U.S. a massive 90% of sites collect information
on users, but 62% of these point users to their privacy policy,
according to the study.
``Despite tight EU legislation . . . U.S.-based sites tend to set
the standard for decent privacy, policies,'' the survey of 751 Web
sites, concludes.
There are five separate EU Directives that regulate online privacy,
plus sections of the European Treaties and Charters, such as the
recently finalized European Charter of Fundamental Rights.
Privacy Directive
Two-thirds of the 15 EU-member states have passed the Privacy
Directive into their national law. Those who haven't done so yet have
until January next year to complete the process. Most of the other
directives are already being applied, and some will soon be due for
revision.
Each EU member state now has a data-privacy commissioner and a
national enforcement agency that monitors compliance with the new laws.
But many countries are still adapting their existing agencies to enable
them to carry out the work of monitoring the Internet.
And Europe is taking a long time to get around to applying its
privacy regulations.
``The evidence is that enforcement [of the regulations] is simply
not happening,'' says Anna Fielder, director of Consumers International
in London. ``When you talk to the national regulators who are supposed
to make sure the rules are applied, they always complain of a lack of
funding and a lack of staff for an enormous amount of work,'' she says.
Although references to the Fundamental Rights and the threat
represented by privacy abuses pop up in any parliamentary debate on the
privacy issue, the resources for enforcement of privacy rules are not
adequate, Consumers International says.
But consumers' organizations, which lobbied hard for the privacy
regulations, consider the EU on the right track, despite the lack of
enforcement now and the lead the U.S. appears to have in self-
regulation.
`A Right to Redress'
``Consumers in the EU have a right to redress. There is a law,
there is an enforcement agency in each state . . . Redress in the case
of abuse is not available in the U.S. with the voluntary systems they
have,'' says Ms. Fielder. In Europe, consumers have someone who will
represent them in the case of a dispute and laws to back up their
claims, she says.
At a debate on the need for updating EU privacy regulations last
January, Gregory Rohde, the U.S. assistant secretary of commerce for
communications and information, told members of the European Parliament
that there was a need for ``clear, consistent, and enforceable rules.''
Mr. Rohde pointed out that while the U.S. has taken very limited
action in regulating privacy protection, it has only regulated for
financial services, health-care information and for the protection of
child privacy online.
``But we are starting to see a shift towards stronger governmental
action in the U.S.,'' Mr. Rohde told members of the European
Parliament. ``Up to this point, the U.S. has chosen to allow the
emerging Internet and new communications systems to develop without
broad-scale government regulation,'' he said.
Online Trading
A focus of the commission's electronic commerce strategy this year
is to increase consumer confidence in online trading, according to EU
Health and Consumer Protection Commissioner David Byrne. ``E-commerce
in Europe is being held back by several key worries,'' Mr. Byrne told
European Parliament members. ``These are related to the risk of online
fraud and data protection.''
One solution being encouraged in Europe is a code of conduct and
trustmarks--a certification offered by third parties that guarantees
minimum standards in areas such as respect of privacy and protection
of, personal data. Similar initiatives exist in the U.S., where the
private sector has produced third-party verification of privacy
policies like Truste (www.truste.org) or Better Business Bureau Online
(www.bbb.org). Almost all sites using third-party certification are
based in the U.S., according to the commission survey.
The commission says it hopes to encourage their development in
Europe. Meanwhile, it has posted a first version of e-commerce ``best
practices'' that resulted from consultations with industry players on
its ``e-confidence'' forum on the Internet, (http://
econfidence.jrc.it).
Online consumer-confidence building is also one of the objectives
of the recently approved ``Brussels Regulation,'' which allows online
consumers to settle disputes in the courts of their country of
residence, as is the case for online consumers who are resident in the
U.S.
The commission has also recognized the need for introducing credit-
card charge-back systems in Europe. Online consumers using credit cards
in Europe aren't able to call on card companies to mediate in the case
of a dispute with an online supplier, as in the U.S. The charge-back
system has given a major boost to the credit-card sector in the U.S.,
according to Mr. Byrne, who has had contacts with credit-card issuers
to look at promoting the system in Europe.
But privacy remains a major concern to online consumers. A survey
by American Express Co., covering 10 countries, found 79% of the
financial-services company's clients considered privacy and security as
major issues in online shopping.
Unwanted E-Mail
The scale of the problem is indicated by the volume of unwanted e-
mail dispatched over the Internet. The abuse of private data feeds the
turnover of unsolicited e-mail messages, and is expected to cost
Internet users 10 billion euros ($9.2 billion) world-wide this year,
according to figures just released by the commission, which is also
preparing regulations for this area. America Online estimates that one
third of the e-mail messages arriving on its servers are unwanted.
The balance between consumer protection and marketplace freedoms
that both the EU and the U.S. say they are seeking--though with
different approaches--is exemplified in the Safe Harbor certification
scheme for U.S. companies willing to Comply with EU Privacy laws in
their dealings with EU clients. Companies that don't adhere to the
Department of Commerce Plan could find themselves facing court cases in
Europe over private-data abuse.
Mr. Stearns. I thank my colleague, and just for members'
information, we have a copy of that study. If anybody on the
committee would like it, we would be glad to provide that to
them.
Ms. Eshoo?
Ms. Eshoo. Thank you, Mr. Chairman, and as you are talking
about copies of things, it might be well for the committee
staffs on the majority and minority sides of the aisle to
provide for the new members a copy of or summaries of the
copies of the testimony of the Federal Trade Commission when
they gave testimony in 1999 and then last year before our
subcommittee, because it is highly instructive about what they
found and how they changed their minds, and I think new
members, wherever you land on this, would really benefit for
it.
So I would ask for unanimous consent that that be provided
for our members.
Mr. Stearns. I was advised by counsel: this whole thing is
on the FTC Website. So, I mean, we are welcome to put this in
by unanimous consent, but I think any member, if he or she
would like, they can just go on the Website and read it, and
they can go back to 1999 and get that testimony.
Ms. Eshoo. What? The testimony that they gave?
Mr. Stearns. The testimony.
Ms. Eshoo. Good; well, I just wanted to make that
suggestion.
Thank you for holding this hearing and for promptly
initiating our discussion and a debate on the issue of privacy.
The right to privacy is really so highly valued by all
Americans. I always say to my staff that I think privacy runs
through the veins of the American people. We have a healthy
suspicion of government and Big Brother. We don't want anyone
and are resentful of anyone ever looking over our shoulders
into anything that we believe just belongs to us, to ourselves.
I speak as an American whose privacy I really think was
highly violated when, 2 years ago, I found that someone had not
only gotten my Social Security number but had filed a
fraudulent tax return in my name. So if you don't think that
you're vulnerable to something out there, there are stories
that can go on and on. And it really brings home very, very
quickly what can be done today because of so many of our
successes and our breakthroughs relative to technology. But,
boy, when it hits the human being, it still has the same
effect.
So I think that the Congress is poised today or should be
poised today not only in the examination of this issue but also
to take the right kind of action. This right that Americans
have has evolved through the years of judicial examination and,
indeed, civic demand, because again, this is an all-American
idea and right.
Now, we are in the midst of the information revolution, and
the parameters have certainly changed. We are faced with
complex issues, such as finding the correct balance between the
protection of our personal information and the level of freedom
necessary for the Internet--because the Internet is different--
to continue to flourish so that we can continue enjoying its
benefits. As both a personal communication tool and as an
electronic marketplace for consumers and businesses, the
Internet has become a significant part of the lives of
Americans, and it will continue to in a much larger and
profound way.
So the privacy of the information that is exchanged is
really very, very important to the continued expansion of the
Internet. So obviously, we have to find a balance. Members have
said that. Balance is a funny word in public policy, because
what some people consider to be skewed, other people see it as
just right.
In January, January 20, when we had just a very small
window of opportunity to introduce legislation, the day the new
President was inaugurated, Representative Chris Cannon and
myself introduced the Consumer Internet Privacy Enhancement
Act. We obviously think that this is a prudent way to go. It
establishes a floor, not a ceiling. It mirrors the Kerry-McCain
legislation that was introduced in the Senate last year, and I
believe the Senators will introduce that mirror legislation
again.
Our laws, I believe, need to catch up with and reflect
where we are today. They should, in my view, require Website
operators to provide clear and conspicuous notice of how they
will use personal information. Moreover, consumers should then
have the opportunity to make a choice as to whether they want
to comply with the operator's stated use of their information.
Websites that violate any of these protections should face
rigorous penalties, and our bill addresses each of these needs.
Today, for all of the new members, you know this of the
committee, it is strictly a voluntary situation. So if someone
wants to, fine. Now, the industry, I think, has moved, but the
FTC found that there was a need for the Congress to step in.
Still, as we protect consumer security, we have to also be sure
that we don't legislate an impediment to the free flow of
information across the Internet. That is what the Internet is
all about. The Consumer Internet Privacy Enhancement Act
addresses this factor as well.
I want to just summarize and say, Mr. Chairman, that I look
forward to being key in this debate and the shaping of
legislation. I don't think there is Republican privacy and
Democratic privacy. And I think if there is an area that this
Congress can certainly--this subcommittee and our full
committee--can come up with is something that consumers will
hail and say they got it; they understood it; we now have
protections that have some teeth in them. If, in fact, it is
necessary to have the teeth to sink in; we also have fully
recognized what the Internet represents: the free flow of
information without damaging an individual and their privacy.
So with these considerations in mind, I thank you once
again, and if I have any time left, I yield it back. And thank
you to the witnesses. We have a wealth of information in front
of us. So thank you for being here to enlighten us.
Mr. Stearns. I thank my colleague.
Mr. Gordon?
Mr. Gordon. Thank you, Mr. Chairman.
This is an important issue. I am glad that you have
targeted it as a high priority for this subcommittee, and I am
confident that if we will work hard and listen to the advice of
a lot of folks and try to put that through our system here that
we are going to have a good bill that will find Anna's balance.
Thank you for this hearing.
[Additional statements submitted for the record follow:]
PREPARED STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN CONGRESS
FROM THE STATE OF NEW YORK
Thank you Mr. Chairman for holding this hearing on one of the most
important issues under the Subcommittee's jurisdiction--the issue of
PRIVACY.
I also want to join my good friend from Florida in welcoming the
witnesses on the panel today, and I look forward to hearing their
testimony.
Over the past several years, my constituents have become more and
more interested and concerned about personal privacy protections. While
I personally believe that the diversity of views and the complexity of
this issue could make it difficult for us to pass a ``one size fits
all'' policy, I do believe that we need to address the perceived or
real fears people have with respect to privacy. Mr. Chairman, I also
believe we need to act this Congress in the most deliberate and
responsible way possible.
Recently, I read an account in the press where an industry leader
said that we in society have no privacy anyway and that we should just
``GET OVER IT.'' That is an unacceptable view in my mind and one that
does not sit well with my constituents. Privacy protection is not only
very important but very necessary as well.
I would like to encourage my friends who see privacy as a
burdensome issue to look at this process as a new opportunity for
increased consumer confidence and trust in your businesses. Every
consumer who participates in the new economy has privacy concerns on
one level or another. I look forward to working with the involved
parties to ensure that the rights and responsibilities of consumers are
balanced with those of business.
Privacy should and needs to be at the top of every company's
priority list. It should be noted that more than one expert on this
topic has called privacy not a social or moral issue, but the single
most important business decision a company can make today.
We in Congress acted in a bipartisan fashion in 1996 when we
mandated that Congress pass a sweeping medical records privacy bill by
1999. This goal was not met and so the Clinton Administration had the
responsibility to write the HIPPA regulations at the end of last year.
Some in the Healthcare industry have been critical of the new
regulations, stating that the bar has been set too high and have
lobbied the new administration to re-open the regulation writing
process. I believe that this would be a grave mistake in judgment by
the administration. People need to be given complete control over their
personal medical records and now is not the time to turn back the
clock.
In closing, it is critical that we act in moderation as we delve
into this issue. I do not want to see premature, knee-jerk legislation
pass just so that we can all go home and say we did something that may
turn out to be the wrong decision a week, a month or a year from now.
If we are going to pass legislation on this issue, lets be sure to get
it right--THE FIRST TIME. Again, I look forward to hearing from all of
our witnesses today, and I yield back the balance of my time.
______
PREPARED STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN CONGRESS
FROM THE STATE OF ILLINOIS
Mr. Chairman, thank you for holding this important hearing on
privacy in the commercial world. This subject is extremely far-reaching
and complex and I am glad to see that we have such an esteemed panel of
experts here before us. However, before turning it over to the panel, I
would like to express my concern over one area which seems to be
attracting greater and greater attention lately: medical privacy.
As we are all aware, the previous administration issued final
regulations last December which would protect the privacy of an
individual's medical records from undue intrusion. Those regulations
have been re-opened for comment for 30 days by the current
administration.
While we may disagree on how to protect the privacy of medical
records, I think we can all agree on the over-arching need for medical
privacy.
With recent advances in medical technology, such as the mapping of
the human genome, it has become increasingly evident that the privacy
of one's medical records is the best defense against genetic
discrimination. Since we all can agree on the need for medical privacy,
I think it is important to discuss how we can obtain that goal without
overburdening the health care community responsible for providing care
or establishing a system without adequate enforcement mechanisms such
as a private right of action. I look forward to working with my
colleagues to ensure that whatever action is taken on the medical
privacy regulations, it strikes a balance between operational
feasibility for providers and health care facilities and protection of
our most sensitive information.
Mr. Stearns. I thank my colleagues. We are ready for our
panel, the first panel we have and only panel. We have
Professor Fred Cate, professor of law, Indiana University
School of Law; we have Professor Eugene Volokh, professor of
law, UCLA School of Law; Professor Paul Rubin, professor of law
and economics, Emory University School of Law; Ms. Solveig
Singleton, senior policy analyst at the Competitive Enterprise
Institute; Mr. Marc Rotenberg, executive director, Electronic
Privacy Information Center; and Professor Chai Feldblum,
professor of law at Georgetown University Law School.
I welcome all of you here, and we look forward to your
opening statements, which, as you understand, are generally 5
minutes.
Professor Cate?
STATEMENTS OF FRED H. CATE, PROFESSOR OF LAW, INDIANA
UNIVERSITY SCHOOL OF LAW; EUGENE VOLOKH, PROFESSOR OF LAW, UCLA
LAW CENTER; PAUL RUBIN, PROFESSOR OF LAW AND ECONOMICS, EMORY
UNIVERSITY SCHOOL OF LAW; SOLVEIG SINGLETON, SENIOR POLICY
ANALYST, COMPETITIVE ENTERPRISE INSTITUTE; MARC ROTENBERG,
EXECUTIVE DIRECTOR, ELECTRONIC PRIVACY INFORMATION CENTER; AND
CHAI R. FELDBLUM, PROFESSOR OF LAW, GEORGETOWN UNIVERSITY LAW
CENTER
Mr. Cate. Thank you very much, Mr. Chairman, members of the
committee.
First, let me thank you both for the opportunity to be here
but especially for holding a hearing such as this. It is really
quite remarkable to have the chance to be part of the hearing
where there isn't a particular bill on the table and in an area
as complex as privacy in which the ramifications of regulating
too much or too little are so great. The opportunity to look at
the issue in its entirety, without breaking it into some small
subset, some particular area, is particularly appropriate. So I
am very grateful for that.
Let me also acknowledge your courage in organizing a panel
of primarily law professors, people who, for our very
livelihood, never answer a question. This will be an
interesting change for us today. In fact, we, of course,
normally ask them.
I would like to make just three points today in order to
stay within the time limit; first, to talk about the critical
roles that information plays in our economy and our society;
second, the extent to which privacy laws inevitably are in
tension with those roles. Many of you and many other people
have noted that they would like privacy laws that did not
interfere with the flow of information, and those just don't
exist. The question is how you draw that balance, how you
balance that tension between the two. And finally, I would like
to speak just briefly about some of the limits of consent; that
consent is not a way out of this dilemma; consent often,
instead, exacerbates this dilemma.
So to start first with what I have called the information
infrastructure, it merely recognizes what I believe the Federal
Reserve Board and many others have testified before this
committee and others repeatedly: that the accessibility of
personal information has created a profound transformation of
commerce and the economy in this country. Commerce now depends
increasingly on complete, objective and reliable information,
and the accessibility, the availability of that information
makes it possible to treat consumers as individuals, not as
groups. It makes it possible to target services to their
specific needs, and it makes it possible to evaluate them for
service based on their own records, not on their race or gender
or who they know or what they have access to but rather their
own demonstrated record in the market.
Now, although I have included in my written testimony
numerous examples of this, let me suggest just two now. One is,
of course, the whole market for consumer credit, where we see
in this country, unlike in Europe, which does have restrictive
privacy laws, much wider availability of credit; much faster
granting of credit; and much cheaper credit, credit available
at much lower costs. This is, of course, because information
about consumers is routinely collected, subject to Federal law.
It is available so that when a decision needs to be made, it
does not have to be put together from scratch; and it is
available in a reliable form, so that lenders do not have to
insure themselves against bad information or missing
information as they do in Europe and therefore charge higher
interest rates, fees or other charges.
Now, maybe a second example of this use of information is,
of course, the ability to target interested consumers, and you
may wonder why anyone in their right mind would ever speak to
Congress about what you are certainly going to interpret as
junk mail. But the irony is that the argument that information
should not be available for targeting marketing opportunities
to consumers means not less junk mail but, of course, more and
not less satisfying--not more satisfying communications but
less, because they will not have been targeted; they will not
reflect that consumer's likely interest.
I dare say not one of you here or many people elsewhere in
the Congress or in State legislatures have ever run a campaign
without contacting people based on knowing what party they
belong to; what their likely interest, their likely past
donating record has been. This is precisely the type of
information that makes it possible to communicate efficiently
and effectively with individuals.
Now, against these and many other benefits, we have the
privacy tension, the tension that if information is not
available or it cannot be used, then it is inevitably going to,
as one State attorney general put it, interfere with
information flows and cause consumers to pay the price in terms
of either higher prices or a restricted set of choices offered
to them in the market. This is the inevitable effect of this
tension. There is no way around it.
This leads, then, to the third and final point on the limit
of consent, because we have heard the argument many times in
the privacy debate that all we are seeking in privacy law is
that consumers be given a chance to consent. But there are many
reasons why consent does not alleviate these concerns; for
example, the difficulty of obtaining consent; the difficulty,
in many instances, of even reaching consumers, particularly
when the information flow, as in the credit example, is largely
among parties whom the consumer may not directly see; the cost
of reaching consumers; and also the fact--and one that is often
overlooked--that many uses of information are interrelated. So
if we want information available for, say, fraud detection and
crime detection, the way the cost of that is often borne is by
other users who use that information for other purposes. If you
eliminate those other purposes, you inevitably affect the
availability of that information for those purposes.
I see my time is up, so I will stop.
[The prepared statement of Fred H. Cate follows:]
PREPARED STATEMENT OF FRED H. CATE, DIRECTOR, INFORMATION LAW AND
COMMERCE INSTITUTE, INDIANA UNIVERSITY SCHOOL OF LAW
Mr. Chairman: My name is Fred Cate, and I am a professor of law
and director of the Information Law and Commerce Institute at the
Indiana University School of Law in Bloomington. For the past 12 years,
I have researched, written, and taught about information laws issues
generally, and privacy law issues specifically. I directed the
Electronic Information Privacy and Commerce Study for the Brookings
Institution, served as a member of the Federal Trade Commission's
Advisory Committee on Online Access and Security, and currently am a
visiting fellow, addressing privacy issues, at the American Enterprise
Institute.
I appreciate the opportunity to testify today and, more
importantly, I want to acknowledge you and the Members of the
Subcommittee for holding such a broad hearing on the subject of
``Privacy in the Consumer World.'' It is a rare pleasure to participate
in a hearing that is not restricted to a particular bill or event, but
rather inquires widely about the uses of personal information, the need
for further legislation, and the potential impact of adopting new
privacy laws. Such an open-minded approach in an area as complex and
important as privacy is desperately needed, and I applaud your
leadership in providing it.
I would like to take advantage of the presence of the other
distinguished members on this panel, who I believe will address a
number of the issues posed by privacy laws, and limit my testimony to
three points: the critical roles that information plays in our economy
and society; the extent to which privacy laws inevitably interfere with
the benefits that consumers enjoy as a result of accessible personal
information; and the ways in which requiring consumer ``consent''
exacerbates, rather than ameliorates, the harmful impact of many
privacy laws on consumers.
1. THE INFORMATION INFRASTRUCTURE
Information is the lifeblood of our 21st century economy. In the
words of the Federal Reserve Board: ``[I]t is the freedom to speak,
supported by the availability of information and the free-flow of data,
that is the cornerstone of a democratic society and market economy.''
\1\ These simple words reflect a profound transformation: Consumers are
increasingly evaluated today according to more complete, objective, and
reliable information about them than was ever before possible. As a
result, consumers can now expect--and the law can meaningfully
require--that they be treated as individuals and judged on their own
records, not by their race, gender, who they know, or other subjective
prejudices. This is the result of the information revolution: Routine,
comprehensive information collection has contributed to unprecedented
prosperity, and allows more Americans than ever before to share in that
prosperity, and to do so on a more equitable basis. Consider the
following examples of benefits that this ``information infrastructure''
makes possible.
---------------------------------------------------------------------------
\1\ Board of Governors of the Federal Reserve System, Report to the
Congress Concerning the Availability of Consumer Identifying
Information and Financial Fraud 2 (1997).
---------------------------------------------------------------------------
a. Expanding the Availability, Enhancing the Speed, and Lowering the
Cost of Consumer Credit
The routine sharing of reliable, standardized personal information
has greatly expanded the availability, increased the speed, and reduced
the cost of consumer credit. So, for example, when a consumer applies
for a mortgage, car loan, or instant credit, the lender makes its
decisions about whether, how much, and on what terms to lend based on
information collected from a wide variety of sources over time. The
lender can have confidence in that information because it has been
assembled routinely--not just for the purpose of one loan application--
and presents a complete picture of the borrower's financial situation--
not just one moment in time or information from just a selective sample
of the businesses with which the borrower deals. Because of that
confidence, lenders provide more loans to a wider range of people than
ever before. Between 1956 and 1998, the number of U.S. households with
mortgage loans more than trebled. The same trend is true for credit
card products; today, the average American adult carries 13 credit
cards.
Consumers benefit by obtaining the funds they need to buy homes and
cars and finance educations. The ``almost universal reporting'' of
personal credit histories, in the words of economist Walter Kitchenman,
is the ``foundation'' of consumer credit in the United States and a
``secret ingredient of the U.S. economy's resilience.'' \2\ In
addition, because the necessary information does not have to be
collected from scratch, loan applications are reviewed and approved
faster than ever before. In 1997, 82% of automobile loan applicants
received a decision within an hour; 48% of applicants received a
decision within 30 minutes.\3\ Many retailers open new charge accounts
for customers at the point of sale in less than two minutes. This is
unheard of in countries where restrictive laws prevent credit bureaus
and other businesses from routinely collecting the information on
consumer activities required to maintain the accurate, up-to-date files
necessary to support rapid and accurate decision making.
---------------------------------------------------------------------------
\2\ Walter F. Kitchenman, U.S. Credit Reporting: Perceived Benefits
Outweigh Privacy Concerns 1 (The Tower Group 1999).
\3\ Consumer Bankers Association, 1998 Automobile Finance Study at
19.
---------------------------------------------------------------------------
The greater accuracy, speed, and efficiency of the credit system,
and the greater confidence of lenders also drives down the cost of
credit. Lenders don't have to charge higher interest rates and fees to
guard against bad or missing information. And it is easier for lenders
to pool loans according to risk and sell them in the secondary market--
a process known as ``securitization.'' This makes more capital
available for new loans and further reduces the cost of credit in the
United States by an estimated $80 billion per year for mortgages
alone.\4\ Most importantly, consumers benefit from the knowledge that
loan decisions will now be based on their own financial situation, not
on local biases or prejudices. Readily available, standardized personal
information not only makes this possible, it also facilitates easy
analysis of lender compliance with fair lending laws.
---------------------------------------------------------------------------
\4\ Kitchenman, supra, at 7.
---------------------------------------------------------------------------
b. Identifying and Meeting Consumer Needs
Businesses use personal information to identify and meet customer
needs. According to Federal Reserve Board Governor Edward Gramlich:
``Information about individuals' needs and preferences is the
cornerstone of any system that allocates goods and services within an
economy.'' The more such information is available, he continued, ``the
more accurately and efficiently will the economy meet those needs and
preferences.'' \5\ In short, information-sharing allows businesses to
ascertain customer needs accurately and meet those needs rapidly and
efficiently. Detailed consumer information is at the heart of new
individualized offerings that provide each customer with the
recognition and personalized service that she desires.
---------------------------------------------------------------------------
\5\ Financial Privacy, Hearings before the Subcomm. on Financial
Institutions and Consumer Credit of the House Comm. on Banking and
Financial Services, July 21, 1999 (statement of Edward M. Gramlich).
---------------------------------------------------------------------------
c. Enhancing Customer Convenience and Service
Information-sharing also enhances customer convenience and service.
For example, many services are provided through a myriad of companies.
A customer may have a checking account, a savings account, a credit
card, and an investment account all with the same bank, but the four
services will likely be provided by four completely separate
affiliates. The customer's checks will be printed by a separate company
altogether. Billing for the credit card may be handled by still another
company. Because of information-sharing, the customer can deal with all
six entities as if they were one. Her high savings balance may be used
to qualify her for free checking. Overdrafts on her checking account
can be covered automatically with her credit card. She can call one
customer service number with questions, and if her credit card or
checks are stolen, a single call is all that is needed to protect all
of her accounts.
Many retailers provide specialty services and products, such as
fine jewelry, photographic studios, vision services, hair care, and
product repair or installation through independent companies that
license the retailer's name, but are not the retailer's affiliates.
This approach is required because of the nature of the service,
efficiencies that come with specialization, insurance factors, and
federal and state tax and licensure laws. Due to routine information-
sharing, these independent companies provide services to customers
under the retailer's name, accept the retailer's credit card, include
information and coupons in the retailer's mailings and advertisements,
participate in the retailer's loyalty programs, and, from a customer
perspective, are simply another department of the retailer's
operations.
d. Targeting Interested Consumers
Information-sharing also allows consumers to be informed rapidly
and at low cost of those opportunities in which they are most likely to
be interested. As a result, information on second mortgages and home
improvement services can be targeted only to home owners. Information
on automotive products and services are targeted only to car owners.
The American Association of Retired People can target its offers only
to older Americans, veteran's organizations can appeal only to people
who have served in the armed forces, and political campaigns can target
their solicitations to registered members of their party.
In the absence of information-sharing, these organizations either
(1) could not afford to communicate with potential customers or
members, or (2) they must contact even more households--meaning more
unsolicited mail, e-mail, and telephone calls--to find people
interested in their offer. The first alternative would mean the death
of many organizations. In fact, the cost of alerting consumers about a
new product or opportunity can be a major obstacle to the launch of new
businesses and prevent innovative products from ever reaching the
marketplace. The second alternative means that the public is peppered
with more mail, e-mail, and telephone calls, a higher percentage of
which will be of no interest to the recipient. This would truly be
``junk mail,'' because it would have been generated without regard for
the recipient's demonstrated interests. Targeting marketing to consumer
interests lowers the volume, cost, and environmental impact of that
marketing while increasing consumer satisfaction.
e. Promoting Competition and Innovation
Information-sharing is especially critical for new and smaller
businesses, which lack extensive customer lists of their own or the
resources to engage in mass marketing to reach consumers likely to be
interested in their products or services. This may help explain why
some large European national banks and industrial concerns supported
new privacy laws there: By restricting the availability of information
about their customers, privacy laws help to protect established
businesses from competition from other countries or start-ups. Open
access to third-party information and the responsible use of that
information for targeted marketing is essential to level the playing
field for new market entrants.
Similarly, businesses offering specialized products and services
rely on accessible information to help them identify and reach those
customers most likely to be interested in their offerings, wherever
those customers are located. Many businesses in today's markets never
see their customers because transactions are conducted exclusively by
telephone, Internet, or mail. These businesses are able to serve the
needs of potential customers they have never met because of the free
flowing information that allows them to identify who those likely
customers are. In a global market, information-sharing is key to
connecting far-flung customers and businesses.
f. Preventing and Detecting Fraud
Another key use of personal information is to prevent and detect
fraud. More than 1.2 million worthless checks are cashed at retailers,
banks, and other U.S. businesses every day, accounting for more than
$12 billion in annual losses.\6\ Treasury Department officials
estimated that credit card fraud losses would be between $2 billion and
$3 billion in 2000.\7\ The insurance industry paid $24 billion--10% of
all claims--in 1999 for fraudulent property and casualty claims.\8\ The
GAO found that Medicare made improper payments of $13.5 billion in
fiscal year 1999 alone, and has estimated that health care fraud
accounts for up to 10% of national health care spending each year.\9\
Across the economy, business losses due to all forms of document fraud
and counterfeiting exceed $400 billion--6% of annual revenue of
American businesses--per year.\10\ Although businesses paid for
virtually all of these losses, they ultimately affect consumers through
higher prices, inconvenience, and lost time and productivity.
---------------------------------------------------------------------------
\6\ Barry Flynn, ``In Search of Security, Some Banks Are Giving the
Thumbs up to Fingerprinting New Customers,'' Orlando Sentinel, March
2000, at B1; Steven Marjanovic, ``Banks Tap ATM Systems To Banish 18B
Checks,'' American Banker, June 14, 2000, at 1.
\7\ Gary Fields, ``Victims of Identity Theft Often Unaware They've
Been Stung,'' USA Today, March 15, 2000, at 6A (quoting Undersecretary
James Johnson of the U.S. Treasury Department).
\8\ ``Insurance Fraud,'' III Insurance Issues Update, Oct. 2000.
\9\ General Accounting Office, Medicare Improper Payments: While
Enhancements Hold Promise for Measuring Potential Fraud and Abuse,
Challenges Remain (GAO/AIMD/OSI-00-281) at 4 (2000).
\10\ Association of Certified Fraud Examiners, Report to the Nation
on Occupational Fraud and Abuse .
---------------------------------------------------------------------------
Personal information is one of the most effective tools for
stemming these losses. Such information is used every day to identify
consumers cashing checks and seeking access to accounts. Close
monitoring of account activity also allows credit providers, insurance
companies, and other businesses to recognize unusual behavior that may
indicate that someone is using a credit card or debit card without
authorization or making improper claims. Moreover, because of
information-sharing, companies share alerts about lost or stolen credit
or debit cards and information about fraud schemes so that they can
prevent further losses and improve the odds of apprehending the thief.
g. Informing the Electorate and Protecting the Public
Personal information is also used for a wide variety of purposes
central to democratic self-governance and protecting public health and
safety. For example, information is used to elect and monitor public
officials and to facilitate public oversight of government employees
and contractors. The Supreme Court has found that these uses are so
critical that it has virtually eliminated any recourse by public
officials or public figures for the publication of true information,
even if defamatory or highly personal.\11\
---------------------------------------------------------------------------
\11\ Monitor Patriot Co. v. Roy, 401 U.S. 265 (1971).
---------------------------------------------------------------------------
Law enforcement officials rely on collected personal information to
prevent, detect, and solve crimes. Journalists and other researchers
use accessible information to inform the public about matters of public
importance. Personal information is also used for product safety
warnings and recall notices, such as when Firestone and Ford Motor
Company used databases to identify and obtain current addresses for
people who own recalled Firestone tires.
Medical researchers rely heavily on personal information to conduct
``chart reviews'' and perform other research that is critical to
evaluating medical treatments, detecting harmful drug interactions,
uncovering dangerous side effects of medical treatments and products,
and developing new therapies. Such research cannot be undertaken with
wholly anonymous information, because the detailed data that
researchers require will always include information that could be used
to identify a specific person, and when that information indicates that
a given therapy or drug poses a real health risk, researchers must
notify the affected individuals.
Even information as mundane as citizen addresses is used to locate
missing family members, owners of lost or stolen property, organ and
tissue donors, and members of associations and religious groups and
graduates of schools and colleges; and to identify and locate suspects,
witnesses in criminal and civil matters, tax evaders, and parents who
are delinquent in child support payments. (This same information is
used to help verify the identity of consumers who apply for instant
credit, begin new utility service, or seek other valuable products and
services.)
These examples are not exhaustive; they are mere illustrations of
the extent to which personal information constitutes part of this
nation's essential infrastructure, the benefits of which are so
numerous and diverse that they impact virtually every facet of American
life.
2. THE PRIVACY TENSION
All of the benefits outlined above flow from readily accessible
information about consumers. To provide those and other benefits,
access to data is essential. Laws and regulations designed to protect
privacy interfere with that access and therefore with the benefits that
result from open information flows. As a result, those laws--although
motivated by the best of intentions--inevitably harm consumers. In the
words of one state Attorney General, because privacy laws interfere
with information flows, consumers ultimately pay the price for those
laws ``in terms of either higher prices for what they buy, or in terms
of a restricted set of choices offered them in the marketplace.'' \12\
But the harm to consumers is also experienced through reduced
convenience and service, an increased number of less well-targeted
commercial solicitations, limited competition and innovation, and even
diminished public health and safety.
---------------------------------------------------------------------------
\12\ Bill Pryor (R-Ala.), Protecting Privacy: Some First
Principles, Remarks at the American Council of Life Insurers Privacy
Symposium, July 11, 2000, Washington, DC, at 4.
---------------------------------------------------------------------------
3. THE LIMITS OF CONSENT
Proponents of new privacy laws often argue that these costs can be
avoided because most privacy laws do not block information flows
outright, but rather condition them on consumer consent. This reflects
the recent dominant trend in privacy legislation--to invest consumers
with near absolute control over information, what Alan Westin, in his
path-breaking study Privacy and Freedom, described as ``the claim of
individuals, groups, or institutions to determine for themselves when,
how, and to what extent information about them is communicated to
others.'' \13\ The National Association of Attorneys General's December
2000 draft statement on Privacy Principles and Background sets forth as
its core principle: ``Put simply, consumers should have the right to
know and control what data is being collected about them and how it is
being used, whether it is offline or online.'' \14\ And virtually all
of the privacy bills pending before Congress reflect this goal: ``To
strengthen control by consumers'' and ``to provide greater individual
control.'' \15\
---------------------------------------------------------------------------
\13\ Alan F. Westin, Privacy and Freedom 7 (1967).
\14\ National Association of Attorneys General, Draft Statement on
Privacy Principles and Background at 7 (Dec. 11, 2000) (emphasis
added).
\15\ S. 30, 107th Cong. Sec. 2 (2001); H.R. 89, 107th Cong.
Sec. 2(b)(1) (2001); H.R. 347, 107th Cong. Sec. 2(b)(1)(A) (2001)
(emphasis added)
---------------------------------------------------------------------------
As a result, proponents of privacy laws argue that the costs of
these laws can be avoided, because if consumers are persuaded that they
benefit from information flows, they will consent to the collection and
use of information about them. The simple, straightforward nature of
this argument has made it very powerful. However, in addition to
conflicting with Supreme Court precedent on the ownership of
information \16\ and the protection of expression, \17\ this approach
ignores the practical difficulty and burden to consumers of attempting
to exercise control over the vast amount of data that they generate and
disclose about themselves in a increasingly networked economy, and
ignores the many powerful reasons why society permits access to
information about others.
---------------------------------------------------------------------------
\16\ See, e.g., United States v. Miller, 425 U.S. 435 (1976).
\17\ See, e.g., Martin v. Struthers, 319 U.S. 141 (1943); Lamont v.
Postmaster General, 381 U.S. 301 (1965); Denver Area Educational
Telecommunications Consortium, Inc. v. Federal Communications Comm'n,
518 U.S. 727 (1996).
---------------------------------------------------------------------------
a. Unanticipated Benefits
The benefits of personal information are often unanticipated. For
example, many retailers collect information about consumer purchases
and then access that information so that consumers can return
merchandise without a receipt, order supplies and replacement parts
without knowing the exact model number or specific product information,
obtain information about past purchases for insurance claims when fire
or other disasters destroy or damage those goods, and receive immediate
notification about product recalls and other safety issues. These are
tangible benefits that many consumers take advantage of every day, but
few consumers would anticipate in advance that they were going to need
information about a past transaction for insurance purposes or to order
replacement parts. The benefit is exceptionally valuable when it is
needed, but often illusory before that time.
b. Lack of Consumer Contact
Many benefits result from uses of personal information that do not
involve the consumer directly. For example, credit bureaus update
consumer credit files--the files that are used to obtain rapid, low
cost access to credit of all forms--without ever dealing directly with
the consumer. In fact, few Americans will ever deal directly with a
credit bureau. To require the credit bureau to establish contact with
the consumer every time it needed to collect or use information about
him or her would be expensive and burdensome to the consumer.
Similarly, most mailing lists are obtained from third parties, not the
people whose names are on the list. For a secondary user to have to
contact every person individually to obtain consent to use the
information would cause delay, require additional contacts with
consumers, and increase costs.
c. Value of Standardized and Third-Party Information
There are many beneficial uses of personal information where the
benefit, frankly, is derived from the fact that the consumer has not
had control over the information. This is certainly true of credit
information: Much of its value derives from the fact that the
information is obtained routinely, over time, from sources other than
the consumer. Allowing the consumer to block use of unfavorable
information would make not only that credit report useless, but all
others, because lenders, merchants, employers, and others who rely on
credit reports would not know which ones contained only selective
information. Even when information is not particularly ``positive'' or
``negative,'' its value may depend on it being complete. Many
businesses monitor accounts for suspicious activity that may indicate
fraudulent activity. Often credit card companies will call a card
holder whose account has experienced unusual charges to verify that the
card has not been stolen. Identifying the unusual requires knowing what
is usual and that, in turn, requires access to a complete set of data.
d. Consumer Preferences
Most consumers do not want to be deluged with repeated requests for
consent. The ultimate result is that consumers will either not consent,
and thereby diminish the benefits that flow from information-sharing
both for themselves and others, or they will consent to everything,
just to avoid further calls, letters, and e-mails. The Los Angeles
Times reported in December 1999 that banking customers are
understandably ``irritated if the bank fails to inform them that they
could save money by switching to a different type of checking
account.'' As the newspaper noted, however, ``to reach such a
conclusion, the bank must analyze the customer's transactions.'' \18\
One major U.S. bank reported that its customers who participated in a
test of various privacy policies were annoyed at the very idea of being
contacted by the bank to obtain permission to contact them again in the
future to offer selected opportunities. Customers expected that the
bank would use their information to offer them appropriate offers. The
last thing they wanted was another phone call or letter asking
permission to do what they perceived to be the very foundation of their
relationship with the institution.
---------------------------------------------------------------------------
\18\ Edmund Sanders, ``Your Bank Wants to Know You,'' Los Angeles
Times, Dec. 23, 1999, at A1.
---------------------------------------------------------------------------
e. The Practical Obstacles to Consumer Contact
Conditioning use of personal information on specific consent may
also harm consumers because of the practical difficulties of reaching
them. Consider the experience of U.S. West, one of the few U.S.
companies to test an ``opt-in'' system. To obtain permission to utilize
information about its customer's calling patterns (e.g., volume of
calls, time and duration of calls, etc.), the company found that it
required an average of 4.8 calls to each customer household before they
reached an adult who could grant consent. In one-third of households
called, U.S. West never reached the customer, despite repeated
attempts. Consequently, many U.S. West customers received more calls,
and one-third of their customers were denied opportunities to receive
information about valuable new products and services.\19\
---------------------------------------------------------------------------
\19\ Brief for Petitioner and Interveners at 15-16, U.S. West, Inc.
v. Federal Communications Comm'n, 182 F.3d 1224 (10th Cir. 1999) (No.
98-9518).
---------------------------------------------------------------------------
f. The Cost of Obtaining Consent
There is always a price to obtaining consent and recent experience
has shown that those costs are often quite significant. For example,
the privacy provisions of the Gramm-Leach-Bliley Financial Services
Modernization Act require financial institutions to ``clearly and
conspicuously'' provide customers with a notice about its policies and
practices for disclosing personal information and informing customers
about their right to ``opt-out'' of certain sharing of that
information.\20\ That disclosure must be made ``[a]t the time of
establishing a customer relationship with a consumer and not less than
annually during the continuation of such relationship.'' \21\ By July
1, 2001, approximately 40,000 financial institutions will be sending as
many as 2-5 billion notices to their various customers. Households will
receive an average of 20 or more notices each. Printing and mailing
costs alone will run into the billions of dollars. Internal compliance
costs are certain to be much higher.
---------------------------------------------------------------------------
\20\ Gramm-Leach-Bliley Financial Services Modernization Act tit.V,
106 Pub. L. No. 102, 113 Stat. 1338 (1999) (codified at various
sections of 15 U.S.C.).
\21\ 15 U.S.C. Sec. 503(a).
---------------------------------------------------------------------------
``Opt-in'' systems cost even more. The Department of Health and
Human Services calculates that compliance with its recently released
Health Insurance Portability and Accountability Act privacy rules will
cost $3.2 billion for the first year, and $17.6 billion for the first
ten years.\22\ Based on the prior, less complicated draft of the rules,
health care consulting companies have calculated that the cost will be
much higher--between $25 and $43 billion (or three to five times more
than the industry spent on Y2K) for the first five years for compliance
alone, not including impact on medical research and care or liability
payments.
---------------------------------------------------------------------------
\22\ Standards for Privacy of Individually Identifiable Health
Information, 65 Fed. Reg. 82,462 (2000) (HHS, final rule) (to be
codified at 45 C.F.R. pt. 160, Sec. Sec. 164.502, 164.506).
---------------------------------------------------------------------------
These costs are inevitably passed on to consumers. If the market
will not bear the added cost, then these costs mean that the service or
product will not be offered.
g. The Interconnectedness of Consent
Many of the beneficial uses of information that consumers now enjoy
depend on spreading the cost of collecting and maintaining the
information for a variety of uses. For example, commercial
intermediaries collect, organize, and make accessible to the public
government records. Those records are used for countless socially
valuable purposes: monitoring government operations, locating missing
children, preventing and detecting crime, apprehending wanted
criminals, securing payments from ``deadbeat'' parents and spouses, and
many others. In fact, in 1998 the FBI alone made more than 53,000
inquiries to commercial online databases for ``public record
information'' that led to the arrest of 393 fugitives wanted by the
FBI, the identification of more than $37 million in seizable assets,
the locating of 1,966 individuals wanted by law enforcement, and the
locating of 3,209 witnesses wanted for questioning.\23\ The Association
for Children for Enforcement of Support uses information from public
records, provided through commercial vendors, to locate over 75% of the
parents they sought.\24\ Access to these records is possible, as well
as convenient and inexpensive, precisely because commercial
intermediaries assemble the information for such a wide variety of
other uses. If the law restricted the other valuable uses of public
records, or made those uses prohibitively expensive, then the data and
systems to access them would not be in place for any use. In as much as
the beneficial uses of information outlined above are interconnected,
and often depend on common systems and spreading the cost of acquiring
and managing data over many uses, consent-based laws may only create
the illusion of consent, because they will lead to consumers having
fewer opportunities made available to them to which they can consent.
---------------------------------------------------------------------------
\23\ Hearings before the Subcomm. for the Departments of Commerce,
Justice, and State, the Judiciary and Related Agencies of the Senate
Comm. on Appropriations, March 24, 1999 (statement of Louis J. Freeh).
\24\ Hearings before the House Committee on Banking and Financial
Services, July 28, 1998 (statement of Robert Glass, Vice President and
General Manager of the Nexis Business Information Group of Lexis-
Nexis).
---------------------------------------------------------------------------
h. Required Consent
The opportunity for consent may also be illusory because many
services or products cannot or will not be provided without personal
information. HIPAA, for example, requires that physicians provide
extensive disclosures and obtain explicit consent concerning
information collection and use prior to treating a patient. If a
patient wishes to be treated, she must consent. The law is effectively
irrelevant, because the physician cannot treat the patient without
information about his or her condition. Moreover, as a practical
matter, signing the consent form is likely to become just another
procedural hurdle, like signing an insurance authorization form, to
getting in to see a doctor. Experience suggests that few people will
shop for physicians based on information policies; rather, their
decisions about from whom to seek service will be driven by price,
location, insurance coverage, specialty, and other considerations. So
the expense of crafting, providing, and storing consent forms will
likely achieve little in terms of enhancing consumer choice or privacy.
i. Consumer Ignorance and Lethargy
Finally, even if the request gets through to the intended adult
recipient, the typical response to requests for consent to use personal
information, to judge by the extensive experience of businesses and
not-for-profit organizations, is that the customers will simply ignore
them. Most unsolicited mail in this country is discarded without ever
being read and most unsolicited commercial or fund-raising telephone
calls are terminated by the consumer without the offer ever being made.
It will not matter how great the potential benefit resulting from the
information use, if the request is not read or heard, it cannot be
acted on. Even where mail is actually read and the offer appeals to the
consumer, lethargy and the competing demands of busy lives usually
conspire to ensure that no action is taken. It is difficult to imagine
that promises of potential future benefits from information use will
command greater attention or activity.
These considerations suggest that simply conditioning the use of
personal information on specific consent is tantamount to prohibiting
outright many beneficial uses of information, because of the cost of
obtaining consent, the extent to which consent may undermine
information's usefulness, the degree to which uses of information are
interconnected, and the many impediments to consumers receiving and
acting on the request, even when it is in their best interest to do so.
CONCLUSION
The fact that information flows constitute a central part of our
economic and social infrastructure, and that privacy laws--by
interfering with those information flows--inevitably harm consumers and
businesses, does not suggest that there is no role for the government
or for law in protecting privacy. Far from it.
The government plays many critical roles in helping to protect
individual privacy. One of the most important responsibilities of the
government is assuring that its own house is in order. Only the
government has the power to compel disclosure of personal information
and only the government operates free from market competition and
consumer preferences. As a result, the government has special
obligations to ensure that it complies with the laws applicable to it;
collects no more information than necessary from and about its
citizens; employs consistent, prominent information policies through
public agencies; and protects against unauthorized access to citizens'
personal information by government employees and contractors.
Similarly, there are many steps that only the government can take
to protect citizens against privacy-related harms, such as identity
theft: Make government-issued forms for identification harder to
obtain; make the promise of centralized reporting of identity thefts a
reality; make it easier to correct judicial and criminal records and to
remove permanently from one individual's record references to acts
committed by an identity thief. The government alone has this power.
Regulators and law enforcement officials should enforce existing
privacy laws vigorously, and legislators should ensure that they have
the resources to do so.
The government should also help educate the public about privacy
and the tools available to every citizen to protect her own privacy.
Many privacy protections can only be used by individuals--no one else
can protect their privacy for them. Yet few individuals will recognize
the importance of their responsibility or have the knowledge to fulfill
it without education.
Finally, should you conclude that new laws or regulations are
necessary, it is critical to identify and articulate clearly the
purpose of the proposed privacy law or regulation, and whether it will
in fact serve that purpose: In sum, what public benefit justifies the
government's action? Only after having answered this question can the
benefits of the proposed law or regulation be balanced against both the
beneficial uses of information with which it interferes and the other
costs of implementing and complying with the law. Armed with this
information, you can then ask whether the law is worth its cost or
whether there are other less intrusive, less expensive, or more
effective tools for achieving the same purpose.
I address these and related issues in greater detail in a report
that will forthcoming soon from the American Enterprise Institute.
Because that document is so directly responsive to the subject of this
hearing, with your permission, I append the complete draft report to my
testimony.
Thank you again for the opportunity to testify.
Mr. Stearns. Thank you.
Professor Volokh?
STATEMENT OF EUGENE VOLOKH
Mr. Volokh. Thank you. Mr. Chairman, members of the
subcommittee, it is a great pleasure and honor to be invited to
testify here. I will limit my remarks to the First Amendment
questions posed by certain kind of privacy rules and will not
speak to whether they are a good policy or bad policy but
solely to the Constitutional questions.
Why are there First Amendment problems involved here? I
mean, isn't privacy sort of one of those wonderful, warm, fuzzy
things that sort of everybody should be in favor of? Well, the
right to control information about ourselves sounds very
appealing until you realize that what it means, literally what
it means is the right to stop others from speaking about us,
the right to stop others from communicating about us.
So let's look at what would happen if the right were taken
to its logical conclusion, just read by its terms. If people
had the right to control information about themselves, that
means they could perhaps sue us if we gossip about them to our
friends. They could sue newspapers, as some people have tried
to do, if they publish information that for whatever reason the
subject of the information doesn't like--accurate information,
but still, it's information about them. If the subject has the
right to control information about himself, he should be able
to stop newspapers from reporting it or stop his business
partners, people who have done business with him, discussing
the outcome and the terms of that transaction.
The right to control information about ourselves is the
right to stop others from communicating this information, and
whenever you start talking about rights to stop others from
communicating, you run up against the First Amendment. In fact,
people have talked about codes of fair information practices,
and I would like to suggest that at least as to many kinds of
practices, the First Amendment is our code of fair information
practices, just as if you wanted to talk about a code of fair
journalism practices or a code of fair political debate
practices. You know, we're all in favor of fair journalism, of
fair political debate, of fair information management. But in
the case of fair journalism practices, of fair political debate
practices, I would take it we would say it is not up to the
Government to set up this code; this code already exists, and
it is the First Amendment.
It seems to me that the same is, in large measure, true
about other kinds of communication of information. Just to give
a couple of very brief examples of where this tension comes up,
there is a case from California where California courts
recognized the so-called disclosure tort, which really does
give people control of information about themselves. There is a
Reader's Digest article that was published about somebody who
was an armed robber. Ten years before, he had engaged in armed
robbery involving a gun battle with the police, but the courts
allowed him to sue when Reader's Digest reported this fact in
kind of a story saying, you know, here is a story from the past
about this formerly notorious crime.
The theory was, well, he has a right to privacy. And the
court said, well, right-thinking people shouldn't want to know
this information, and it used the term right-thinking people.
And I submit that under the First Amendment, it is up to each
of us to decide, using our own thinking, whether we want to
know certain information and whether we want to communicate
certain information that we have acquired, whether as a result
of reading public records; a result of doing business with
somebody; or as a result of talking to people about this
person.
Now, it seems to me, as I said, that similar things arise
in the context of many--not all--some of the proposals that I
think might be quite sound, but many cyberspace information
privacy speech restrictions are, indeed, speech restrictions.
Let me briefly make, I think, one distinction that I think
is very important in this context, and that is between
restrictions that merely enforce contracts, either expressed or
implied contracts, and distinctions that go beyond that; that
we do not have and should not have a right to control people
from speaking about us, but we should have a right to insist
that they keep their promises to us. So if somebody on their
Website says I promise to keep your information private, it is
certainly quite legitimate for the government, either through a
normal contract lawsuit or through, perhaps, FTC action and
such, to enforce that. It seems to me, again, there might be
policy questions as to what the best way of doing it is, but it
would be quite Constitutional.
In certain situations, I think it is also legitimate for
the government to say that we will infer a term, a privacy
term, into the contract. I think that is how we can best
understand things like attorney-client privilege and a variety
of other such things; that when you go to an attorney,
implicitly, the attorney is promising to keep certain
information secret. And I think the government can establish
these defaults in certain situations so long as the defaults
are waiveable; so long as the person can say or the Website can
say I stand on my rights as a speaker to communicate this
information.
And I warn you up front: you know about it. If you deal
with me, you have to understand that I am going to feel free to
communicate information about you.
So if it is a truly contractual thing, including default
terms, including more aggressive enforcement, then, it seems to
me that would be a Constitutional thing. But if it goes beyond
it, if it says we will impose this speech restriction, even in
the noble name of privacy, we will impose this speech
restriction on you even without any contractual understanding,
that, it seems to me, poses very serious First Amendment
problems.
My time is up, but I would be happy to discuss some of the
doctrinal issues having to do with things like intellectual
property arguments, which I think are unsound; commercial
speech arguments, which I think don't apply here; and other
First Amendment doctrines that I think ultimately support
rather than contradict my conclusions.
[The prepared statement of Eugene Volokh follows:]
PREPARED STATEMENT OF EUGENE VOLOKH,1 PROFESSOR OF LAW, UCLA
LAW SCHOOL
---------------------------------------------------------------------------
\1\ Professor of Law, UCLA Law School ([email protected]). This
testimony is largely based on an article with the same title in 52
Stanford Law Review 1049 (2000), Copyright 2000 by Eugene Volokh and
the Board of Trustees of the Leland Stanford Junior University.
---------------------------------------------------------------------------
INTRODUCTION
Privacy is a popular word, and government attempts to ``protect our
privacy'' are easy to endorse. Government attempts to let us ``control
. . . information about ourselves'' 2 sound equally good:
Who wouldn't want extra control? And what fair-minded person could
oppose requirements of ``fair information practices''? 3
---------------------------------------------------------------------------
\2\ See, e.g., Charles Fried, Privacy, 77 Yale L.J. 475 (1968);
Susan E. Gindin, Lost and Found in Cyberspace: Informational Privacy in
the Age of the Internet, 34 San Diego L. Rev. 1153, 1155 (1997).
\3\ See, e.g., Joel R. Reidenberg, Setting Standards for Fair
Information Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497
(1995); Paul M. Schwartz, Privacy and Participation: Personal
Information and Public Sector Regulation in the United States, 80 Iowa
L. Rev. 553 (1995).
---------------------------------------------------------------------------
The difficulty is that the right to information privacy--my right
to control your communication of personally identifiable information
about me--is a right to have the government stop you from speaking
about me. We already have a code of ``fair information practices,'' and
it is the First Amendment, which generally bars the government from
controlling the communication of information (either by direct
regulation or through the authorization of private lawsuits
4), whether the communication is ``fair'' or
not.5 While privacy protection secured by contract is
constitutionally sound, broader information privacy rules are not
easily defensible under existing free speech law.
---------------------------------------------------------------------------
\4\ Cf., e.g., New York Times v. Sullivan, 376 U.S. 254, 265 (1964)
(holding that the First Amendment applies to ``civil lawsuit[s] between
private parties,'' because such lawsuits involve ``[state] courts . . .
appl[ying] a state rule of law'').
\5\ If ``fair information practices'' applied only to the
government's control of its own speech, I would have had no objection
to them. But governmental restriction of supposedly ``unfair'' speech
by nongovernmental entities raises serious First Amendment problems.
---------------------------------------------------------------------------
Consider, for instance, the ``disclosure of private facts'' tort,
which bars the media from reporting supposedly ``nonnewsworthy''
personal information that most people would find highly
private.6 On the one hand, it sounds appealing; by
definition, if the information is ``nonnewsworthy'' and ``private,''
why should anyone print it?
---------------------------------------------------------------------------
\6\ See Restatement (Second) of Torts Sec. 652D (1977).
---------------------------------------------------------------------------
But under our free speech regime, should a government agency (such
as a court) really be able to decide what is ``newsworthy'' or ``of
legitimate public concern''? Should, for instance, courts be able to
hold--as California courts did--that the media may be punished for
reporting that a college student politician is a transsexual, or that a
person had committed armed robbery and engaged in a shootout with
police ten years before?
True, some citizens might think that such reporting, in the words
of one court, has no ``public purpose'' and was not ``of legitimate
public interest,'' that there was no ``reason whatsoever'' for it, and
that ``we, as right-thinking members of society, should permit [a
person] to continue in the path of rectitude rather than throw him back
into a life of shame or crime'' by revealing his past.7
Others, though, may disagree. And under the First Amendment, it should
be up to each of us, as readers and publishers, to decide what we think
is ``of legitimate public interest,'' and not to have the government
make the decision for us, even in the name of ``privacy.'' The Supreme
Court has never fully considered the constitutionality of the
disclosure tort, but many courts have recognized the serious First
Amendment problems that the tort poses.
---------------------------------------------------------------------------
\7\ Briscoe v. Reader's Digest Ass'n, 483 P.2d 34, 36, 41 (Cal.
1971).
---------------------------------------------------------------------------
Consider also Bartnicki v. Vopper, a currently pending Supreme
Court case. In Bartnicki, an unknown person tape-recorded a cellular
phone conversation in which two union officials were discussing the
possibility of ``blow[ing] off the[] front porches'' of management. The
tape eventually made its way to a radio station, which played it on the
air. The station was then sued under a federal statute banning the
media from publishing or even paraphrasing intercepted cellular phone
conversations, even when the media entity was entirely innocent of the
actual interception.8
---------------------------------------------------------------------------
\8\ Bartnicki v. Vopper, 200 F.3d 109 (3rd Cir. 1999).
---------------------------------------------------------------------------
Again, the law serves noble purposes: it seeks to protect people's
privacy, and to deter illegal interception of cellular conversations
(and everyone agrees that the interception itself should be illegal).
But it does this by restricting the press's freedom to publish--the
right to control information, we again see, is a right to stop others
from speaking.
And the logic of the law of course doesn't stop at the rather
unusual context of intercepted cell phone conversation: The same sort
of law could easily be enacted to ban the publication of any material
that's illegally leaked (for instance, in violation of an employer's
nondisclosure agreement or a fiduciary duty of loyalty) as well as to
the publication of material that's illegally gathered. The
understandable desire to protect people's privacy can thus dramatically
interfere with the media's freedom to report the news, and to the
public's access to the news.
The same First Amendment objections apply, I will argue, to many
recent proposals for laws securing information privacy on the Internet.
Some people have argued that these proposals are different from the
examples I give above, because they fall into some exceptions to First
Amendment protection. And I agree that some such proposals, if they are
framed as default contractual rules (such as true ``opt-in'' or ``opt-
out'' provisions), or as disclosure requirements, are constitutional.
But other proposals are not constitutional, and the defenses which
are most often given for them--the intellectual property argument, the
commercial speech argument, the private concern argument, and the
compelling government interest argument--are not sound under current
First Amendment doctrine. And while one can urge courts to narrow
current First Amendment law to accommodate these new proposals, I think
that would be a serious mistake. If free speech principles are diluted
in the attractive case of information privacy speech restrictions, such
a decision will be a powerful precedent for still more restraints that
might be proposed in the future.
Such slippery slope concerns are still quite sensible, because
accepting a proposed speech restriction entails accepting a principle
that is broader than the particular proposal and that can logically
cover many other kinds of restraints.9 Our legal system is
based on precedent. Our political life is in large measure influenced
by arguments by analogy. And many people's normative views of free
speech are affected by what courts say: If the legal system accepts the
propriety of laws mandating ``fair information practices,'' people may
becomes more sympathetic to legal mandates of, for instance, fair news
reporting practices or fair political debate practices.10
---------------------------------------------------------------------------
\9\ One of the most eloquent American expressions of this concern
with uncabinable principles is also among the earliest:
[I]t is proper to take alarm at the first experiment on our
liberties. We hold this prudent jealousy to be the first duty of
citizens, and one of [the] noblest characteristics of the late
Revolution. The freemen of America did not wait till usurped power had
strengthened itself by exercise, and entangled the question in
precedents. They saw all the consequences in the principle, and they
avoided the consequences by denying the principle. We revere this
lesson too much, soon to forget it. Who does not see that the same
authority which can establish Christianity, in exclusion of all other
Religions, may establish with the same ease any particular sect of
Christians, in exclusion of all other Sects? That the same authority
which can force a citizen to contribute three pence only of his
property for the support of any one establishment, may force him to
conform to any other establishment in all cases whatsoever?
James Madison, Remonstrance Against Religious Assessments (1786). I
likewise fear that the same authority which can force a citizen to stop
speaking on one matter by, for instance, defining it out of the zone of
``legitimate public concern'' may in time do the same as to speech on
other matters.
\10\ For some examples of past attempts to restrict such ``unfair''
speech, see, e.g., Hustler Magazine v. Falwell, 485 U.S. 46 (1988)
(rejecting attempt to impose liability for a publisher's vicious parody
of a political enemy); Miami Herald v. Tornillo, 418 U.S. 241 (1974)
(rejecting attempt to require a newspaper to publish rebuttals of
attacks on a consolidate); Keefe v. Organization for a Better Austin,
402 U.S. 415 (1971) (rejecting attempt to enjoin leafletting aimed at
pressuring a local resident to change his business practices); Mills v.
Alabama, 384 U.S. 214 (1966) (rejecting attempt to ban election-day
political editorials in the interests of preventing unrebuttable
attacks).
The European Personal Data Directive, which is often praised by
privacy advocates, does require countries to create a code of fair news
reporting practices: It on its face applies to journalism that reveals
personal data such as ``racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership, and the
processing of data concerning health or sex life,'' and mandates that
governments create exemptions for journalism, art, or literature ``only
if they are necessary to reconcile the right to privacy with the rules
governing freedom of expression.'' Directive 95/46/EC, 1995 O.J. (L
281) 31, arts. 8(1), 9. What this provision will ultimately mean is so
far unclear. Cf. James R. Maxeiner, Freedom of Information and the EU
Data Protection Directive, 48 Fed. Comm. L.J. 93, 102 (1995) (stating
that the ``only if they are necessary'' language was added to prevent
``the balance [from] fall[ing] too much in favor of the media,'' and
concluding that the scope of the journalism exception is uncertain);
Paul Eastham, I Would Have Gagged the Press Over Cook, London Daily
Mail, Feb. 5, 1998, at 2 (quoting the senior English Law Lord as taking
the view that the privacy directive would have barred certain news
stories about a cabinet minister's alleged affair).
The disclosure tort, of course, has always been an attempt to
mandate fair news reporting practices.
---------------------------------------------------------------------------
I ultimately conclude that these risks of watering down important
free speech protections are troubling enough that I must reluctantly
oppose such information privacy rules. But I hope my views will also be
useful to those who are committed to supporting information privacy
speech restrictions, but would like to design their arguments in a way
that will minimize the risks that I identify.
Thinking ahead about the possible unintended implications of a
proposal--even, and perhaps especially, if it seems viscerally
appealing--is always worthwhile.
I. INFORMATION PRIVACY SPEECH RESTRICTIONS
My analysis focuses on the government acting as sovereign,
restricting what information nongovernmental speakers may communicate
about people. I thus exclude restrictions that the government imposes
on its own agencies, such as Freedom of Information Act provisions that
prevent government revelation of certain data, or IRS or census rules
that prohibit the communication of some tax or census data to other
government agencies or to the public. By focusing on communication by
nongovernmental speakers--reporters, businesspeople, private
detectives, neighbors--I limit the inquiry to people and organizations
that indubitably have free speech rights.
I also exclude restrictions that the government imposes as an
employer (e.g., telling its employees that they may not reveal
confidential information learned in the course of employment), or as a
contractor putting conditions on the communication of information that
it has no constitutional duty to reveal (e.g., telling people who want
certain lists from the Federal Election Commission that they may only
get them if they promise not to use those lists for certain purposes,
or telling litigants that they will get discovery materials only if
they promise not to reveal them). The government has long been held to
have much broader powers when it's acting as employer or contractor,
imposing constraints on those who assume them in exchange for
government benefits or for access to government records, than when it's
acting as sovereign, controlling the speech of private citizens.
I also focus only on restrictions on communication. Other things
that are often called privacy rules--the right to be free from
unreasonable governmental searches and seizures, the right to make
certain decisions about one's life without government interference, the
right not to have people listen to you or watch you by going onto your
property, the right not to have people electronically eavesdrop on your
conversations, the requirement that credit bureaus notify consumers
when credit reports about them are prepared, and the like--are outside
the scope of my discussion.
Some of these laws, for instance restraints on government snooping
or control, pose no First Amendment problems. For other laws, such as
restrictions on nongovernmental gathering of information through
nonspeech means, the First Amendment rules are unclear; but it is clear
that the analysis of restrictions on information gathering is different
from the analysis of restrictions on speech. It is the latter doctrine
that is most fully developed, and that provides the most protection
against government restrictions.
These three exclusions merely reflect the fact that the strongest
protection of free speech has long been seen as arising when the
government is acting as sovereign, restricting the speech of private
parties. And within this zone lie a variety of current and proposed
speech restrictions, including both older rules such as the disclosure
tort, and newer ones such as some proposed restrictions on businesses
revealing information about their customers.
II. CONTRACT
A. Permissible Scope
To begin with, one sort of limited information privacy law--
contract law applied to promises not to reveal information--is
eminently defensible under existing free speech doctrine. The Supreme
Court explicitly held in Cohen v. Cowles Media that contracts not to
speak are enforceable with no First Amendment problems.11
Enforcing people's own bargains, the Court concluded (I think
correctly), doesn't violate those people's rights, even if they change
their minds after the bargain is struck. Insisting that people honor
their bargains is a constitutionally permissible ``code of fair
practices,'' whether information practices or otherwise.
---------------------------------------------------------------------------
\11\ 501 U.S. 663 (1991).
---------------------------------------------------------------------------
And such protection ought not be limited to express contracts, but
should also cover implied contracts (though, as will be discussed
below, there are limits to this theory). In many contexts, people
reasonably expect--because of custom, course of dealing with the other
party, or all the other factors that are relevant to finding an implied
contract--that part of what their contracting partner is promising is
confidentiality.
Furthermore, though Cohen v. Cowles Media involved traditional
enforcement of a promise through a civil suit, there should be no
constitutional problem with the government enforcing such promises
through administrative actions, or using special laws imposing presumed
or even punitive damages for breaches of such promises.
I suspect that even with purely contractual remedies, the threat of
class action suits could be a powerful deterrent to breaches of
information privacy contracts by e-commerce sites, especially since the
suits would create a scandal: In the highly competitive Internet world,
a company could lose millions in business if people hear that it's
breaking its confidentiality promises. But I think it would be
constitutional for the government to try to increase contractual
compliance either by providing an extra incentive for aggrieved parties
to sue or by bringing a complaint itself.
The great free speech advantage of the contract model is that it
does not endorse any right to ``stop people from speaking about me.''
Rather, it endorses a right to ``stop people from violating their
promises to me.'' One such promise may be a promise not to say things,
and perhaps there may even be special defaults related to such promises
or special remedies for breaches of such promises.
The government may enforce obligations that the would-be speaker
has himself assumed. And such enforcement, in my view, poses little
risk of setting a broad precedent for many further restrictions,
precisely because it is founded only on the consent of the would-be
speaker, and thus cannot justify the other speech restraints to which
the speaker has not consented.
B. Limitations
Contract law protection, though, is distinctly limited, in two
ways.
First, it only lets people restrict speech by parties with whom
they have a speech-restricting contract, express or implied. If I make
a deal with a newspaper reporter under which he promises not to
identify me as a source, I can enforce the deal against the reporter
and the reporter's employer, whom the reporter can bind as an agent.
But if a reporter at another news outlet learns this information, then
that outlet can publish it without fear of a breach of contract
lawsuit.
Second, Cohen v. Cowles Media cannot validate speech-restrictive
terms that the government compels a party to include in a contract; the
case at most validates government-specified defaults that apply unless
the offeror makes clear that these terms aren't part of the offered
deal. Thus, while the government may say ``Cyberspace sales contracts
shall carry an implied warranty that the seller promises not to reveal
the buyer's personal information,'' it may not add ``and this implicit
warranty may not be waived, even by a prominent statement that is
explicitly agreed to by a customer clicking on an `I understand, and
agree to the contract in spite of this' button.''
This flows directly from the rationale on which Cohen v. Cowles
Media rests: ``The parties themselves . . . determine the scope of
their legal obligations, and any restrictions which may be placed on
the publication of truthful information are self-imposed.'' A
merchant's express promise of confidentiality is ``self-imposed''; so,
one can say, is an implicit promise, when the merchant had the
opportunity to say ``by the way, I am not waiving my rights to speak
about this transaction and am thus not promising confidentiality'' but
didn't do so. But when someone is legally barred from communicating,
even if he explicitly told his contracting partner that he was making
no such promise, then such an obligation is hardly ``self-imposed'' or
determined by mutual agreement.
Thus, I certainly do not claim that a contractual approach to
information privacy, even with a large dollop of implied contract, is a
panacea for information privacy advocates. There is much that
information privacy advocates may want but that contract will not
provide. I claim only that contractual solutions are a constitutional
alternative and may be the only constitutional alternative, not that
they are always a particularly satisfactory alternative.
C. Contracts with Children
Finally, this discussion of contracts presupposes that both parties
are legally capable of entering into the contract and of accepting a
disclaimer of any implied warranty of confidentiality. If a cyber-
consumer is a child, then such an acceptance might not be valid. This
is also a difficult issue, but one that is outside the scope of this
Article.12
---------------------------------------------------------------------------
\12\ Cf. Children's Online Privacy Protection Act of 1998, 15
U.S.C. Sec. Sec. 6501 et seq.; Justin Matlick, Governing Internet
Privacy: A Free-Market Primer (Pacific Research Institute, July 1999),
(visited March 3, 2000) ; Solveig
Singleton, Privacy as Censorship: A Skeptical View of Proposals to
Regulate Privacy in the Private Sector, Cato Policy Analysis No. 295
(Jan. 22, 1998) , text
accompanying nn.76-79.
---------------------------------------------------------------------------
III. PROPERTY
A. Intellectual Property Rules as Speech Restrictions
Partly because of the limitations of the contract theory, many
information privacy advocates argue that people should be assigned a
property right in personal information about themselves.13
Such a property approach would bind everyone, and not just those who
are in contractual privity with the person being talked about.
---------------------------------------------------------------------------
\13\ See, e.g., Lawrence Lessig, The Architecture of Privacy, Vand.
J. Ent. L. & Prac., April 1999, at 56, 63.
---------------------------------------------------------------------------
Database operators would have to stop communicating information
about people unless people give permission, even though the database
operators have never promised, expressly or implicitly, to keep silent.
Likewise, people could stop newspapers from publishing stories about
them, even if the information was gleaned through interviews with third
parties or was taken (with no contractual constraints) from public
records.14
---------------------------------------------------------------------------
\14\ See Edward J. Bloustein, Privacy Is Dear at Any Price: A
Response to Professor Posner's Economic Theory, 12 Ga. L. Rev. 429,
439-40 (1978).
---------------------------------------------------------------------------
Calling a speech restriction a ``property right,'' though, doesn't
make it any less a speech restriction, and it doesn't make it
constitutionally permissible. Broad, pre-New York Times v. Sullivan
libel laws can be characterized as protecting a property right in
reputation; in fact, some states consider reputation a property
interest.15 The right to be free from interference with
business relations, including interference by speech urging a boycott
as in NAACP v. Claiborne Hardware,16 is often seen as a
property right.17
---------------------------------------------------------------------------
\15\ Reputation is generally not a property interest for purposes
of the federal Due Process Clause, Paul v. Davis, 424 U.S. 693 (1976),
but it can be a property right for other purposes. E.g., Marrero v.
City of Hialeah, 625 F.2d 499, 514 (5th Cir. 1980).
\16\ 458 U.S. 886 (1982).
\17\ E.g., Leonard Duckworth, Inc. v. Michael L. Field & Co., 516
F.2d 952, 955 (5th Cir. 1975).
---------------------------------------------------------------------------
Restrictions on speech that uses cultural symbols in ways that the
cultures find offensive might likewise be reframed as property rights
in those symbols.18 A ban on all unauthorized biographies,
whether of former child prodigies, movie stars, or politicians, can be
seen as securing a property interest in the details of those people's
lives. Similarly, an early right of publicity case took the view that
people who aren't public figures have the exclusive right to block all
photos and portraits of themselves, with no exceptions for news
stories.19
---------------------------------------------------------------------------
\18\ Cf. Hornell Brewing Co. v. Rosebud Sioux Tribal Court, 133
F.3d 1087 (8th Cir. 1998) (involving the descendants of the Sioux
leader Crazy Horse, then 115 years dead, trying to use right of
publicity law to stop the marketing of Crazy Horse Malt Liquor; the
malt liquor company won on procedural grounds).
\19\ Corliss v. E.W. Walker Co., 64 F. 280, 282 (C.C.D. Mass.
1894).
---------------------------------------------------------------------------
Each of these ``property rights,'' though, would remain a speech
restriction. A property right is, among other things, the right to
exclude others; 20 an intellectual property right in
information is the right to exclude others from communicating the
information--a right to stop others from speaking. Like libel law,
intellectual property law is enforced almost entirely through private
litigation, but like libel law, it's still a government-imposed
restriction on speech.21 Some such restrictions may be
permissible because there's some substantive reason why it's proper for
the government to restrict such speech, but not because they are
intellectual property rights.
---------------------------------------------------------------------------
\20\ See, e.g., Kaiser Aetna v. United States, 444 U.S. 164, 179-80
(1979) (``the `right to exclude' [is] universally held to be a
fundamental element of the property right'').
\21\ See, e.g., New York Times Co. v. Sullivan, 376 U.S. 254, 265
(1964); see also Hustler Magazine v. Falwell, 485 U.S. 46 (1988) (same
as to intentional infliction of emotional distress); NAACP v. Claiborne
Hardware, 458 U.S. 886 (1982) (same as to intentional interference with
business relations).
---------------------------------------------------------------------------
The question isn't (as some suggest) ``who should own the property
right to personal information?'' 22 Rather, it's whether
personal information should be treated as property at all--whether some
``owner'' should be able to block others from communicating this
information, or whether everyone should be free to speak about it.
---------------------------------------------------------------------------
\22\ See, e.g., Richard S. Murphy, Property Rights in Personal
Information: An Economic Defense of Privacy, 84 Geo. L.J. 2381, 2393
(1996).
---------------------------------------------------------------------------
B. Existing Restrictions as Supposed Precedents
The Court has, of course, upheld some intellectual property rights
against First Amendment challenge, acknowledging that they are speech
restrictions but holding that those restrictions were constitutional.
In all these precedents, though, the Court has stressed a key point:
The restrictions did not give the intellectual property owners the
power to suppress facts. And this power to suppress facts is exactly
the power that information privacy speech restrictions would
grant.23
---------------------------------------------------------------------------
\23\ See generally, e.g., Rochelle Cooper Dreyfuss, Warren and
Brandeis Redux: Finding (More) Privacy Protection in Intellectual
Property Lore, 1999 Stan. Tech. L. Rev. VS 8, available at (concluding that
traditional intellectual property law provides little support for
informational privacy speech restrictions); Pamela Samuelson, Privacy
as Intellectual Property?, 52 Stan. L. Rev. 1125, 1136-46 (2000)
(same).
---------------------------------------------------------------------------
Harper & Row v. Nation Enterprises, which held that copyright law
is constitutional, 24 is the best example of this. Under
copyright law, I may not publish a book that includes more than a
modicum of creative expression from your book, even though my book is
neither obscene nor libelous nor commercial advertising; such a
restriction, Harper & Row held, is indeed a speech restriction, but a
permissible one.
---------------------------------------------------------------------------
\24\ 471 U.S. 539 (1985).
---------------------------------------------------------------------------
But the main reason Harper & Row gave for this conclusion is that
copyright law does not give anyone a right to restrict others from
communicating facts or ideas. ``[C]opyright's idea/expression dichotomy
strike[s] a definitional balance between the First Amendment and the
Copyright Act by permitting free communication of facts while still
protecting an author's expression.'' ``No author may copyright his
ideas or the facts he narrates.''
Copiers ``possess[] an unfettered right to use any factual
information revealed in [the original],'' though they may not copy
creative expression. There ought not be ``abuse of the copyright
owner's monopoly as an instrument to suppress facts.'' ``In view of the
First Amendment protections already embodied in the Copyright Act's
distinction between copyrightable expression and uncopyrightable facts
and ideas,'' copyright law is constitutional. Under the copyright
exception to free speech protection, then, speech that borrows creative
expression is restrictable, but speech that borrows only facts remains
free.
The same goes for other intellectual property rights in speech,
such as trademark law, right of publicity law, and trade secret law.
For space reasons, I will not discuss them in detail here; a thorough
discussion is available in Parts III.B.2-4 of http://www.law.ucla.edu/
faculty/volokh/privacy.htm. But the bottom line is that all these
restrictions create a fairly narrow right that may affect the form of
people's speech but ought not prevent people from communicating facts.
Any putative property right in one's personal information can thus be
adopted by analogy only if one is willing to relax this limitation, a
limitation that is critical to protecting free speech.
C. Functional Arguments for Upholding Information Privacy Speech
Restrictions Under a Property Theory
1. Avoiding ``free-riding'' and unjust enrichment.
Some argue for property rights in personal information on
functional grounds: Those who communicate personal information about
others are engaging in a sort of free riding, enriching themselves
without compensating the people whose existence makes their enrichment
possible; and property rights, the argument goes, are the way to avoid
this free riding. As one article argued, in 1988 three leading credit
bureaus made almost $1 billion put together from selling credit
information, but ``[h]ow much did these credit bureaus pay consumers
for the information about them that they sold? Zero.'' 25
---------------------------------------------------------------------------
\25\ Scott Shorr, Personal Information Contracts: How to Protect
Privacy Without Violating the First Amendment, 80 Cornell L. Rev. 1756,
1793 (1995).
---------------------------------------------------------------------------
This, though, cannot be the justification for restricting speech,
unless we are willing to dramatically redefine free speech law.
Newspapers and radio and TV news programs, after all, make billions
from stories that are made possible only by the existence of their
subjects.
The essence of news is precisely the reporting of things done or
discovered by others; the essence of the news business is profiting
from reporting on things done or discovered by others. But news
organizations generally don't pay a penny to the subjects of their
stories--in fact, it is seen as unethical for news organs, though not
entertainment organs, to pay subjects. Likewise, unauthorized
biographers and historians make money from publishing information about
others, information that only exists because those people exist.
Comedians who tell jokes about people make a living from those they
mock.26
---------------------------------------------------------------------------
\26\ In some of these examples, some subjects of the speech do
profit from the speech, albeit indirectly. The subject of a story may
be pleased by his newfound fame; the manufacturer of a product that's
covered favorably in the newspaper may make money as a result of the
coverage. But of course other subjects of news stories are hurt, either
financially or emotionally, by those stories; in such cases, the news
organ may be making a profit at the same time that the subjects of the
stories, without whom the stories would never have existed, are
suffering a loss. Free speech law's response to these subjects is
``tough luck,'' at least unless the stories say something false.
And in this respect, distribution of personal information databases
is no different from the publishing of news. Many, perhaps most, of the
subjects of these databases derive indirect benefits just like the
subjects of news stories do. If I have a good credit history, I am
benefited by the credit history databases--if the databases didn't
exist and would-be creditors had no way of knowing my record, I'd have
to pay a higher interest rate. Likewise, while many people are annoyed
by having their personal information available to marketers, some
people apparently find the targeted marketing useful, or else they
wouldn't buy as a result of this marketing and the marketing would
become unprofitable and stop. Thus, some (but not all) people
indirectly benefit as a result of information about them being stored
in databases--just as some (but not all) people indirectly benefit as a
result of news stories about them or their businesses.
---------------------------------------------------------------------------
All these speakers are free-riding: They are taking advantage of
something that relates to someone else and that exists only because of
that other person's existence, and they aren't paying that person for
it (though they are usually investing a good deal of time, money, and
effort in the project--this free-riding is certainly not mere literal
copying). But our legal system correctly allows a great deal of free-
riding. It has never been a principle of tort law that all free-riding
is illegal, or that all such enrichment is unjust.
Intellectual property law has generally tried to prevent not free-
riding as such, but free-riding of a particular kind: the use not just
of something that relates to another, but the use of the product of
another's substantial labor, and even that only in limited cases. Such
a use runs the risk of dramatically diminishing the incentive to engage
in such labor, which is what makes the defendant's enrichment socially
harmful rather than merely unjust in some abstract moral sense.
This concern is at the heart of copyright law, 27 of the
right to prevent the unauthorized transmission of an entire act,
28 and to a large extent of trade secret law. But this
concern does not apply to personal information about people, where the
incentive arguments don't really apply.
---------------------------------------------------------------------------
\27\ See Feist Publications, Inc. v. Rural Tel. Serv. Co., 499 U.S.
340, 349 (1991).
\28\ Zacchini v. Scripps-Howard Broad. Co., 433 U.S. 562, 576
(1977).
---------------------------------------------------------------------------
2. Internalizing costs and maximizing aggregate utility.
Another functional argument often made on behalf of a property
rights theory of information privacy speech restrictions is that the
property rights model is the best way to require speakers to
``internalize th[e] cost'' of their speech ``by paying those whose data
is used.'' 29 Such internalizing, the theory goes, would
maximize aggregate social utility: By ``recogniz[ing the] diversity''
of people's desires for information privacy, the property rule could
make sure that information about each person is communicated only if
the benefit to the speaker exceeds the felt cost to the
subject.30
---------------------------------------------------------------------------
\29\ Lessig, supra note 12, at 63.
\30\ See, e.g., id.; Bloustein, supra note 12, at 439-40; Murphy,
supra note 12, at 2395-96.
---------------------------------------------------------------------------
The principle of free speech law, though, is that speakers do not
have to internalize all the felt costs that flow from the communicative
impact of their speech. The NAACP didn't have to internalize the
tangible economic (not just emotional) cost that its boycott imposed on
the Claiborne County merchants.31 Movie producers don't have
to internalize the tangible cost that their movies impose on victims of
viewers who commit copycat crimes.32 Cohen, Johnson, and
Hustler didn't have to internalize the emotional distress cost that
their speech inflicted on passersby or on its subject.33
---------------------------------------------------------------------------
\31\ NAACP v. Claiborne Hardware Co., 458 U.S. 886 (1982).
\32\ E.g., Olivia N. v. NBC, Inc., 178 Cal. Rptr. 888 (Ct. App.
1981) (barring recovery where child was sexually abused by minors who
allegedly copied a similar crime shown on television).
\33\ Cohen v. California, 403 U.S. 15 (1971) (public profanity
constitutionally protected); Texas v. Johnson, 491 U.S. 397 (1989)
(public flag burning constitutionally protected); Hustler Magazine v.
Falwell, 485 U.S. 46 (1988) (vicious personal attack constitutionally
protected).
---------------------------------------------------------------------------
D. The Potential Consequences
Of course, despite the arguments given above, the Court is always
free to broaden the intellectual property exception to allow people to
restrict facts; but this, I think, would be a bad idea.
Speech that reveals private information is not the only speech that
some want to restrict under the property rights model. As many leading
commentators have recently argued, we are now in the midst of a broad
movement that uses intellectual property rhetoric to broaden people's
rights to restrict others' speech.34 The proposed database
protection legislation would give database owners a form of property
right in collections of information.35
---------------------------------------------------------------------------
\34\ See, e.g., Yochai Benkler, Free as the Air to Common Use:
First Amendment Constraints on Enclosure of the Public Domain, 74
N.Y.U. L. Rev. 354, 354 (1999) (``We are in the midst of an enclosure
movement in our informational environment.'').
\35\ See id. at 358, 440, 445-46.
---------------------------------------------------------------------------
Some recent cases have revived the misappropriation tort,
recognizing a property right in news.36 Many recent cases
have broadened trademark owners' rights to restrict parodies and other
transformative uses (though fortunately some courts seem to be
resisting this trend).37 The right of publicity is growing
to include any advertising, merchandising, and even interior decor that
reminds people of a celebrity, even if it doesn't use the celebrity's
name or likeness.38
---------------------------------------------------------------------------
\36\ See, e.g., NBA v. Motorola, Inc., 105 F.3d 841, 853 (2nd Cir.
1997) (fortunately limiting the tort to only a narrow range of hot
news).
\37\ See generally Mark A. Lemley, The Modern Lanham Act and the
Death of Common Sense, 108 Yale L.J. 1687 (1999).
\38\ See, e.g., White v. Samsung Elecs. Am., Inc., 989 F.2d 1512,
1520 (9th Cir.) (Kozinski, J., dissenting from denial of rehearing en
banc); Wendt v. Host Int'l, 125 F.3d 806 (9th Cir. 1997).
---------------------------------------------------------------------------
Many have criticized this creeping propertization of speech, often
on First Amendment grounds.39 But if the arguments that
``it's not a speech restriction, it's an intellectual property rule''
or ``the Supreme Court has upheld property rights in information, so
property rights in information are constitutional'' are accepted for
information privacy speech restrictions, they will be considerably
strengthened as to the other restrictions, too.
---------------------------------------------------------------------------
\39\ See, e.g., Lemley, supra note 36, at 1710-12 (``The expansive
power that is increasingly being granted to trademark owners has
frequently come at the expense of freedom of expression. As trademarks
are transformed from rights against unfair competition to rights to
control language, our ability to discuss, portray, comment, criticize,
and make fun of companies and their products is diminishing.'').
---------------------------------------------------------------------------
Now perhaps my parade of horribles isn't so horrible; maybe we
should have more property rights in facts, which is to say restrictions
or speech that communicates facts. Nonetheless, people who are worried
about the general trend towards propertization of information should
look very carefully at even those proposals that might at first seem
benign and even just; such proposals could have effects far beyond the
context in which they are first suggested.
IV. COMMERCIAL SPEECH
A. What ``Commercial Speech'' Means
Some argue that sale of information about customers is restrictable
because it fits within the ``commercial speech'' doctrine.40
The Court's definition of ``commercial speech,'' though, isn't (and
can't be) simply speech that is sold as an article of commerce: Most
newspapers, movies, and books are articles of commerce, too, but they
remain fully protected.41 Likewise, speech can't be
commercial just because it relates to commerce, or else the Wall Street
Journal, union leaflets and newsletters, 42 newspaper
reviews of commercial products, 43 and speech by disgruntled
consumers criticizing what they consider poor service by producers
would be deprived of full constitutional protection.
---------------------------------------------------------------------------
\40\ See, e.g., United Reporting Publ'g Corp. v. California Highway
Patrol, 146 F.3d 1133, 1137 (9th Cir. 1999), rev'd on other grounds sub
nom. Los Angeles Police Dep't v. United Reporting Publ'g Corp., 120 S.
Ct. 483 (1999).
\41\ See, e.g., Smith v. California, 361 U.S. 147, 150 (1959) (``It
is of course no matter that the dissemination [of speech by the
claimant] takes place under commercial auspices'').
\42\ See, e.g., Debartolo Corp. v. Florida Gulf Coast Trades
Council, 485 U.S. 568 (1988).
\43\ See, e.g., Bose Corp. v. Consumers Union, 466 U.S. 485 (1984).
---------------------------------------------------------------------------
Rather, the Court's most now-standard definition of commercial
speech is speech that explicitly or implicitly ``propose[s] a
commercial transaction.'' 44 Commercial advertisements for
products or services are classic examples. So are stock prospectuses,
which propose the purchase of stock; this is why fairly heavy SEC
regulation of speech in such prospectuses is largely permissible, while
similar SEC regulation of newsletters or newspapers that discuss stocks
is not.45
---------------------------------------------------------------------------
\44\ Virginia State Bd. of Pharmacy v. Virginia Citizens Consumer
Council, Inc., 425 U.S. 748, 761 (1976).
\45\ See Lowe v. SEC, 472 U.S. 181, 211 (1985) (White, J.,
concurring in the judgment).
---------------------------------------------------------------------------
Under the ``speech that proposes a commercial transaction''
analysis, communication of information about customers by one business
to another is not commercial speech. It doesn't advertise anything, or
ask the receiving business to buy anything from the communicating
business.46 It poses no special risk of the speaker
misleading or defrauding the listener, beyond those risks present with
fully protected speech generally. The recipient business does intend to
use the information to more intelligently engage in commercial
transactions, but that's equally true of businesspeople reading Forbes.
---------------------------------------------------------------------------
\46\ Sometimes, of course, a business will use customer information
that it has bought from another business to send out commercial
advertisements to prospective clients. These advertisements would
indeed be commercial speech, though the original communication of the
customer information is not. See U.S. West, Inc. v. FCC, 182 F.3d 1224
(10th Cir. 1999).
---------------------------------------------------------------------------
Of course, even if speech that communicates personal information is
seen as ``commercial speech,'' restrictions on such speech will still
have to face considerable scrutiny. Whether they will pass such
scrutiny is hard to tell, since commercial speech scrutiny is so
notoriously vague. But this question is actually somewhat tangential to
my main point. To me, the main problem with treating speech that
communicates personal information as ``commercial speech'' is not that
this will put such speech at more risk of restriction. Rather, it is
that stretching the definition of ``commercial speech'' will put a wide
range of other speech at risk, too.
B. The Risks to Other Speech
Consider a recent example of the government trying to regulate
cyberspace speech about economic matters on the grounds that it's
``commercial speech.'' In Taucher v. Born, several operators of
commodities-themed Web sites successfully sued to set aside a prior
restraint system which bars people from distributing for profit any
unlicensed speech that relates ``to the value of or the advisability of
commodity trading'' or that contains ``analyses or reports'' about
commodities.47
---------------------------------------------------------------------------
\47\ 7 U.S.C. Sec. 6m(1).
---------------------------------------------------------------------------
And the license that speakers must get to be allowed to speak isn't
just a modest tax; the Commodities Futures Trading Commission can
refuse a license if it finds ``good cause'' to do so, and speaking
without a license is illegal. Nor is this speech restriction limited to
individualized, person-to-person professional advice: The regulation is
broad enough to cover people who ``never engage in individual
consultations with their customers'' and who ``under no circumstances
make trades for their customers.'' 48
---------------------------------------------------------------------------
\48\ Taucher v. Born, 53 F. Supp. 464, 478 (D.D.C. 1999).
---------------------------------------------------------------------------
The law essentially restricts the Web equivalent of books and
newspapers about commodity training--it's as if the government claimed
the right to refuse the Wall Street Journal a license to publish
articles about the market. As it happens, the law specifically excludes
publishers who publish such data ``incidental[ly]'' as part of a
broader news enterprise of ``general and regular dissemination,''
49 so the Journal can sleep easy. But under the logic of the
law, newspapers and book publishers could also be subject to a prior
restraint system, just as the small commodities-focused electronic
publishers were subject to it until the court's ruling.
---------------------------------------------------------------------------
\49\ 7 U.S.C. Sec. Sec. 1a(5)(B)(iv), 1a(5)(C).
---------------------------------------------------------------------------
The CFTC argued that speech about commodities is mere ``commercial
speech,'' but the court correctly rejected this: 50 ``The
plaintiffs' publications in this case do not propose any commercial
transaction between the plaintiffs and their customers.'' 51
If, however, the commercial speech doctrine had been extended to cover
the sale of speech about a business's clients, the court's decision
might well have been different.
---------------------------------------------------------------------------
\50\ The CFTC's other argument was that the government may regulate
speech in the context of a professional-client relationship, but the
court adopted the response to a similar argument given by Justice White
in his SEC v. Lowe, 472 U.S. 181 (1985), concurrence: Whatever extra
power the government may have to regulate the professional-client
relationship, this power arises only when the professional exercises
individualized judgment on behalf of a particular client. Personal
advice may to some extent be restricted, but books, newsletters, and
the like may not be.
\51\ Taucher v. Born, 53 F. Supp. at 480.
---------------------------------------------------------------------------
After all, the Web business journalist who writes about commodities
is likewise selling information that's primarily of economic concern,
and that has little to do with broad political debates. If that's
enough to deny free speech protection to communications about
customers, it may be enough to deny such protection to communications
about commodities.
Consider another example: disgruntled homebuyers putting up signs
criticizing the developer that sold them their homes, or consumers
leafleting outside a business that they claim sold them defective
goods, often hoping that the business will give them a refund or at
least will do a better job in the future. In cyberspace, the analogy
would be consumers putting up a http://www.[businessname]sucks.com site
or circulating messages to a long list of acquaintances or to a Usenet
newsgroup.
In my view, the First Amendment fully protects such speech that is
aimed at creating public pressure on someone to do what you think is
right, even in economic contexts--that, after all, is what much
advocacy is about.52 The fact that the speech exposes
alleged problems with a product and aims at redressing an economic harm
should not strip it of protection. For many people problems with their
homes and redress for shoddy wares are more important than problems
with politicians and redress for shoddy policies, and far more
important than art, entertainment, or many other kinds of fully
protected speech.
---------------------------------------------------------------------------
\52\ See, e.g., Debartolo Corp. v. Florida Gulf Coast Trades
Council, 485 U.S. 568 (1988); NAACP v. Claiborne Hardware, 458 U.S. 886
(1982); Keefe v. Organization for a Better Austin, 402 U.S. 415 (1971).
---------------------------------------------------------------------------
If the consumer's speech is an intentional lie (or perhaps in some
circumstances if it's merely negligently false), the business can sue
for libel; false statements of fact, whether on economic matters or
not, lack constitutional protection. But the law shouldn't impose extra
restrictions on the speech just because the speech deals with economic
issues.
Again, though, a broadening of the commercial speech doctrine would
jeopardize speech of this sort. If communicating information about a
person's bad credit record is mere ``commercial speech,'' then
communicating information about a business's bad service record should
be, too.
Both, after all, involve speech on economic matters. Both involve
speech that's primarily of economic interest to listeners. Both are
motivated by the speaker's economic interest--either a desire to get
money from the buyer of the information, or a desire to get redress
from the business. Either both are commercial speech or neither is.
In a free and competitive economy, people naturally want to talk
about economic matters. Giving the government an ill-defined but
potentially very broad power to restrict such speech--not just speech
that proposes a commercial transaction between speaker and listener and
thus directly implicates the risk of fraud--risks exposing a great deal
of speech to government policing.
V. SPEECH ON MATTERS OF PRIVATE CONCERN
A. The Argument
One feature of virtually all information privacy proposals (except
those built on a contract model) is their distinction between speech on
matters of public concern and speech on matters of private
concern.53 Even people who argue that newspapers should be
forbidden from publishing a private person's long-ago criminal history
or a politician's sexual orientation would probably agree that they
have a right to publish the politician's criminal history, no matter
how old. ``Political speech'' or ``speech on matters of public
concern'' or ``newsworthy'' material, they would argue, is
constitutionally protected, while speech that is merely of private
concern is not protected, at least against information privacy speech
restrictions.
---------------------------------------------------------------------------
\53\ See, e.g., among many others, Peter B. Edelman, Free Press v.
Privacy: Haunted by the Ghost of Justice Black, 68 Tex. L. Rev. 1195,
1229-30 (1990); Julie Cohen, Examined Lives: Informational Privacy and
the Subject as Object, 52 Stan. L. Rev. 1373, 1414, 1417 (2000).
---------------------------------------------------------------------------
But this approach, I will argue, is theoretically unsound; it is
precedentially largely unsupported; in the few circumstances in which
it has been endorsed, it has proven unworkable; and, if adopted, it
would strengthen the arguments for many other (in my view improper)
speech restrictions.
B. The Dangers of the Argument
Under the First Amendment, it's generally not the government's job
to decide what subjects speakers and listeners should concern
themselves with.54 A private concern exception essentially
says ``you have no right to speak about topics that courts think are
not of legitimate concern to you and your listeners,'' a view that's
inconsistent with this understanding.
---------------------------------------------------------------------------
\54\ See, e.g., Police Dep't v. Mosley, 408 U.S. 92, 95 (1972)
(``[A]bove all else, the First Amendment means that government has no
power to restrict expression because of its message, its ideas, its
subject matter, or its content.''). The Court has recognized some
exceptions to this principle, but this presumption is still the basis
for the Court's analysis of speech restrictions imposed by the
government as sovereign.
---------------------------------------------------------------------------
A clear example of the danger of such government power comes in a
disclosure tort case, Diaz v. Oakland Tribune.55 Diaz, the
first woman student body president at a community college, was a
transsexual, and the Oakland Tribune published this fact. Diaz sued,
and the court of appeals held that her lawsuit could go forward; if a
jury found that Diaz's transsexuality wasn't newsworthy, she could
prevail.56
---------------------------------------------------------------------------
\55\ 188 Cal. Rptr. 762 (Ct. App. 1983).
\56\ The court set aside the verdict for Diaz because of a jury
instruction error, but remanded for a new trial.
---------------------------------------------------------------------------
As usually happens in these cases, the court didn't define
newsworthiness but left it to the jury, subject only to the instruction
that ``[i]n determining whether the subject article is newsworthy you
may consider [the] social value of the fact published, the depth of the
article, [its] intrusion into ostensibly private affairs, and the
extent to which the plaintiff voluntarily acceded to a position of
public notoriety.'' But the court did stress that a jury could find
that the speech wasn't newsworthy: ``[W]e find little if any connection
between the information disclosed and Diaz's fitness for office. The
fact that she is a transsexual does not adversely reflect on her
honesty or judgment.''
Now I agree with the court's factual conclusion; people's gender
identity strikes me as irrelevant to their fitness for office. But
other voters take a different view. Transsexuality, in their opinion,
may say various things about politicians: It may say that they lack
attachment to traditional values, that they are morally corrupt, or
even just that they have undergone an unnatural procedure and therefore
are somehow tainted by it.
These views may be wrong, but surely it is not for government
agents--whether judges or jurors--to dictate the relevant criteria for
people's political choices, and to use the coercive force of law to
keep others from informing them of things that they may consider
relevant to those choices. I may disagree with what you base your vote
on, but I must defend your right to base your vote on it, and the right
of others to tell you about it.
This is the clearest example of a court using the public concern
test to usurp what should be a listener's and speaker's choice, but
other public disclosure cases raise similar problems. Consider, for
instance, the criminal history cases, in which some courts held that it
was illegal for newspapers to print information about ``long past''
criminal activity by people who are now supposedly rehabilitated and
are leading allegedly blameless lives. The leading such case is Briscoe
v. Reader's Digest Association, in which Reader's Digest was held
liable for revealing that Briscoe had eleven years earlier been
convicted of armed robbery (a robbery that involved his fighting ``a
gun battle with the local police'').57
---------------------------------------------------------------------------
\57\ 483 P.2d 34, 36 (Cal. 1971).
---------------------------------------------------------------------------
The court acknowledged that the speech, while not related to any
particular political controversy, was newsworthy; the public is
properly concerned with crime, how it happens, how it's fought, and how
it can be avoided. Moreover, revealing the identity of someone
``currently charged with the commission of a crime'' is itself
newsworthy, because ``it may legitimately put others on notice that the
named individual is suspected of having committed a crime,'' thus
presumably warning them that they may want to be cautious in their
dealings with him.
But revealing Briscoe's identity eleven years after his crime, the
court said, served no ``public purpose'' and was not ``of legitimate
public interest''; there was no ``reason whatsoever'' for it. The
plaintiff was ``rehabilitated'' and had ``paid his debt to society.''
``[W]e, as right-thinking members of society, should permit him to
continue in the path of rectitude rather than throw him back into a
life of shame or crime'' by revealing his past.
``Ideally, [Briscoe's] neighbors should recognize his present worth
and forget his past life of shame. But men are not so divine as to
forgive the past trespasses of others, and plaintiff therefore
endeavored to reveal as little as possible of his past life.'' And to
assist Briscoe in what the court apparently thought was a worthy effort
at concealment, the law may bar people from saying things that would
interfere with Briscoe's plans.
Judges are of course entitled to have their own views about which
things ``right-thinking members of society'' should ``recognize'' and
which they should forget; but under the First Amendment, members of
society have a constitutional right to think things through in their
own ways.
And some people do take a view that differs from that of the
Briscoe judges: While criminals can change their character, this view
asserts, they often don't. Someone who was willing to fight a gun
battle with the police eleven years ago may be more willing than the
average person to do something bad today, even if he has led a
blameless life since then (something that no court can assure us of,
since it may be that he has continued acting violently on occasion, but
just hasn't yet been caught).
Under this ideology, it's perfectly proper to keep this possibility
in mind in one's dealings with the supposedly ``reformed'' felon. While
the government may want to give him a second chance by releasing him
from prison, restoring his right to vote and possess firearms, and even
erasing its publicly accessible records related to the conviction, his
friends, acquaintances, and business associates are entitled to adopt a
different attitude.
Most presumably wouldn't treat him as a total pariah, but they
might use extra caution in dealing with him, especially when it comes
to trusting their business welfare or even their physical safety (or
that of their children) to his care.58 And they might use
extra caution in dealing with him precisely because he has for the last
eleven years hidden this history and denied them the chance to judge
him for themselves based on the whole truth about his
past.59 Those who think such concealment is wrong will see
it as direct evidence of present bad character (since the concealment
was continuing) and not just of past bad character.
---------------------------------------------------------------------------
\58\ If you were deciding whether to leave your children for the
day in a neighbor's care, would you consider his eleven-year-old
conviction for a violent crime involving a gun battle with police
relevant (not necessarily dispositive, but relevant) to your decision?
Would you advise your daughter to consider a prospective date's armed
robbery conviction when deciding whether and under what conditions to
go out with him?
\59\ Richard A. Epstein, Privacy, Property Rights, and
Misrepresentations, 12 Ga. L. Rev. 455, 472-73 (1978).
---------------------------------------------------------------------------
Revealing Briscoe's name, under this view, may have little to do
with broad political debates, but it is still of intense and eminently
legitimate public concern to one piece of the public: people who know
Briscoe, the very same group whose ignorance Briscoe seemed most
concerned about preserving. These members of the public would use this
information to make the decision, which is probably more important to
them than whom they would vote for next November, about whether they
could trust Briscoe in their daily dealings.
This isn't speech on political matters, but rather on what I might
call ``daily life matters.'' Under the First Amendment, which protects
movies, art, jokes, and reviews of stereo systems, 60 such
speech on daily life matters is at least equally worthy.
---------------------------------------------------------------------------
\60\ See, e.g., Winters v. New York, 333 U.S. 507 (1948)
(entertainment); Bose Corp. v. Consumers Union, 466 U.S. 485 (1984)
(product review of stereo equipment); Abood v. Detroit Bd. of Educ.,
431 U.S. 209, 231 (1977) (``[O]ur cases have never suggested that
expression about philosophical, social, artistic, economic, literary,
or ethical matters--to take a nonexhaustive list of labels--is not
entitled to full First Amendment protection.'').
---------------------------------------------------------------------------
At least as much as those kinds of protected speech, daily life
matter speech--communication related to ``the real, everyday experience
of ordinary people'' 61--indirectly but deeply affects the
way we view the world, deal with others, evaluate their moral claims on
us, and even vote; and its effect is probably greater than that of most
of the paintings we see or the editorials we read. Consider how much
our view of crime and punishment, secrecy and publicity, and many other
topics would be indirectly influenced--towards greater liberalism,
conservatism, or something else--by the knowledge that some of our
seemingly law-abiding neighbors have been concealing a criminal past.
---------------------------------------------------------------------------
\61\ Cynthia L. Estlund, Speech on Matters of Public Concern: The
Perils of an Emerging First Amendment Category, 59 Geo. Wash. L. Rev.
1, 37 (1990).
---------------------------------------------------------------------------
In any event, which viewpoint about our neighbors' past crimes is
``right-thinking'' and which is ``wrong-thinking'' is the subject of a
longstanding moral debate. Surely it is not up to the government to
conclude that the latter view is so wrong, that Briscoe's conviction
was so ``[il]legitimate'' a subject for consideration, that the
government can suppress speech that undermines its highly controversial
policy of forgive-and-forget.
This also goes for databases of personal information as much as for
news stories about such information. Many such databases--for instance,
credit history databases or criminal record databases--are used by
people to help them decide whom it is safe to deal with and who is
likely to cheat them.
Other databases, which contain less incriminating information, such
as a person's shopping patterns, may be less necessary for self-
protection; but of course for the same reason the data stored in them
will also generally be much less embarrassing to their subjects, which
makes the supposed harm to the subjects of the communication of such
data much smaller. And in any event, even this data is of direct daily
life interest to its recipients, since it helps them find out with whom
they should do business.
In some instances, it may be quite unlikely that certain speech
would be useful to the listeners either for political purposes or for
daily life purposes; this largely has to do with information that shows
people in ridiculous, embarrassing, or demeaning contexts without
revealing any useful new information about them. Everybody knows that I
go to the bathroom; printing a picture of me on the toilet would
embarrass me not because it reveals something new about me, but because
it shows me in a pose that by cultural convention is seen as ridiculous
or undignified.
But while there may be a narrow zone of fairly uncontroversially
non-public-concern topics, the danger is that the vague, subjective
``public concern,'' ``newsworthiness,'' or ``legitimate public
interest'' test will flow far beyond this zone; and as Briscoe and
Diaz, among others, show, this danger has materialized. This risk may
be enough to abandon the test altogether, and it is certainly enough to
demand that the test be rephrased as something much clearer and
narrower before it is accepted.
We can all think of examples of entertainment that has no
connection to public issues, but Winters v. New York was right to
conclude that entertainment should be protected despite this, because
``[t]he line between the informing and the entertaining is too elusive
for the protection of [the] basic right [of free speech].''
62 If vitriolic, relatively nonsubstantive parodies such as
the one in Hustler v. Falwell were banned, ``public discourse would
probably suffer little or no harm,'' but the Court correctly refused to
uphold such a ban, since it could find no ``principled standard to
separate'' them from speech that had to be protected.63
---------------------------------------------------------------------------
\62\ 333 U.S. 507, 510 (1948).
\63\ . 485 U.S. 46, 55 (1988).
---------------------------------------------------------------------------
Likewise, the notion that speech should generally be restrictable
when it doesn't relate to matters of public concern strikes me as so
potentially broad and so vague that it deserves to be abandoned, even
if it would yield the right results in a narrow subset of the cases in
which it would be applied.
C. Doctrine
That, then, is why I think the public concern test is theoretically
unsound. The doctrinal discussion is easier: Though the Court has often
said in dictum that political speech or public-issue speech is on the
``highest rung'' of constitutional protection, 64 it has
never created any general exception for speech on matters of ``private
concern.'' Political speech, scientific speech, art, entertainment,
consumer product reviews, and speech on matters of private concern are
thus all doctrinally entitled to the same level of high constitutional
protection, restrictable only through laws that pass strict scrutiny.
---------------------------------------------------------------------------
\64\ Carey v. Brown, 447 U.S. 455, 467 (1980).
---------------------------------------------------------------------------
The two situations where the Court has adopted a public concern /
private concern distinction are narrow exceptions to this general
principle. The first such exception, established in Connick v. Myers,
is that the government acting as employer may freely restrict speech on
matters of private concern by its employees.65
---------------------------------------------------------------------------
\65\ 461 U.S. 138 (1983).
---------------------------------------------------------------------------
The government's power as employer to fire its employees for what
they say has always been far greater than its power to fine or imprison
private citizens for what they say, and the Connick Court explicitly
stressed that private-concern speech remains protected against the
government acting as sovereign.66 The restriction on such
speech by government employees was justified only by the special role
of the government acting as employer, in which the government's
interest in efficient day-to-day operation would make it infeasible to
let people sue the government over every discharge that was based on
any sort of speech.
---------------------------------------------------------------------------
\66\ ``We in no sense suggest that speech on private matters falls
into one of the narrow and well-defined classes of expression which
carries so little social value, such as obscenity, that the State can
prohibit and punish such expression by all persons in its jurisdiction
[and not just its own employees].'' Id. at 147.
---------------------------------------------------------------------------
The second exception, established in Dun & Bradstreet v. Greenmoss
Builders, is that plaintiffs in libel cases involving false statements
on matters of purely private concern may be awarded punitive and
presumed damages without a showing of actual malice.67 This,
though, also came in a context where the government has special power
to restrain speech: restrictions on false statements of fact.
---------------------------------------------------------------------------
\67\ 472 U.S. 749 (1985).
---------------------------------------------------------------------------
Such statements, the Court has held, have ``no constitutional
value''; any protection they get stems from the need to prevent the
undue chilling of true statements, which are indeed constitutionally
protected.68 The economic interests of the speaker and its
audience, the Court argued, warrant no special protection when ``the
speech is wholly false.'' 69 Dun & Bradstreet thus says
little about the propriety of applying the ``private concern'' test to
speech that, unlike false statements of fact, is presumptively
constitutionally valuable.70
---------------------------------------------------------------------------
\68\ Id. at 767 (White, J., concurring in the judgment). See Gertz
v. Robert Welch, Inc., 418 U.S. 323, 340-41 (1974).
\69\ Dun & Bradstreet, 472 U.S. at 762 (emphasis added).
\70\ Cf., e.g., U.D. Registry, Inc. v. California, 40 Cal. Rptr. 2d
228, 232 (Ct. App. 1995) (``While the distinction [between private and
public concern speech] may be significant in the area of defamation, it
does not define the parameters of permissible regulation for truthful
reporting.'').
---------------------------------------------------------------------------
D. The Experience Under the Two ``Public Concern'' Doctrines
In practice, neither of these doctrines has been a success story
for the public concern test. As many critics have pointed out, the
government employee private concern doctrine has proven both vague to
the point of indeterminacy and extremely broad.71 Much
speech that would clearly fit within a normal reading of the words
``public concern'' has been found to be of purely private concern and
therefore unprotected, with seemingly little justification other than
the desire to make life easier for government employers confronted with
troublemaking employees.
---------------------------------------------------------------------------
\71\ See, e.g., Stephen Allred, From Connick to Confusion: The
Struggle to Define Speech on Matters of Public Concern, 64 Ind. L.J. 43
(1988); Estlund, Speech on Matters of Public Concern, supra note 60, at
7 n.40, 34, 45.
---------------------------------------------------------------------------
Connick itself found that speech among District Attorney's office
employees about ``the confidence and trust that [employees] possess in
various supervisors, the level of office morale, and the need for a
grievance committee'' was ``not of public concern,'' hardly a
commonsense reading of the term ``public concern.''
Later cases have likewise found, for instance, that speech
criticizing the way a dean runs a public university department,
72 alleging race discrimination by a public employer,
73 and criticizing the way the FBI decides whom to lay off
74 was not ``of public concern,'' though other cases reached
opposite results on seemingly similar facts.75 Whether or
not the government should have the power to dismiss employees for such
speech, surely the government ought not have the power to censor such
speech by citizens at large on the grounds that it's supposedly of
insufficient ``public concern.''
---------------------------------------------------------------------------
\72\ Landrum v. Eastern Ky. Univ., 578 F. Supp. 241 (E.D. Ky.
1984).
\73\ Lipsey v. Chicago Cook County Criminal Justice Comm'n, 638 F.
Supp. 837 (N.D. Ill. 1986).
\74\ Murray v. Gardner, 741 F.2d 434 (D.C. Cir. 1984).
\75\ See generally Allred, supra note 70, at 65-73.
---------------------------------------------------------------------------
Under Dun & Bradstreet, the concept of ``speech of purely private
concern'' has ended up similarly vague, and has sometimes covered
speech that clearly seems to be of public concern under any normal
definition of the term: for instance, speech discussing the competence
of psychologists to whom children are sent by government-run schools,
the business practices of car dealers, and alleged misconduct by the
owner of a gymnastics school.76 Again, perhaps it's
permissible to allow presumed and punitive damages for false statements
on such topics, but surely it would be unconstitutional to restrict
true statements on these matters on the grounds that they aren't of
``public concern.''
---------------------------------------------------------------------------
\76\ See Robert E. Drechsel, Defining ``Public Concern'' in
Defamation Cases Since Dun & Bradstreet v. Greenmoss Builders, 43 Fed.
Comm. L.J. 1, 17-18 (1990); Saunders v. Van Pelt, 497 A.2d 1121 (Me.
1985); Vern Sims Ford, Inc. v. Hagel, 713 P.2d 736 (Wash. Ct. App.
1986); Ramirez v. Rogers, 540 A.2d 475 (Me. 1988).
---------------------------------------------------------------------------
The experience of the public concern test in these two areas thus
suggests that the theoretical criticisms of the public concern /
private concern distinction are sound: There's a substantial practical
risk of the courts finding too much speech to be of ``private
concern,'' and while some facially vague and broad tests have the merit
of being tied to an existing body of clarifying and narrowing caselaw,
that's hardly the case here.
Maybe for lack of anything better, the public / private concern
distinction may remain sensible as to the genuinely hard and
necessarily vague government employee speech cases, but its track
record hardly seems to encourage expanding it elsewhere.
E. Potential Consequences
All this discussion is not just academic or just applicable to
information privacy speech restrictions. The argument that certain
speech should be more restrictable because it's not ``political
speech,'' not ``high-value speech,'' or not of ``legitimate public
interest'' is routinely marshaled in favor of a broad range of speech
restraints.
Businesses criticized by disgruntled consumers have already argued
that such consumer criticism doesn't relate to speech on matters of
genuinely ``public concern,'' and should therefore be restrictable even
if it's true or if it's mere opinion.77 Likewise, supporters
of campus speech codes have argued that this speech too, is of low
value.78 Allowing tort liability under the disclosure tort
for speech on supposedly ``private matters'' (such as a person's
criminal history or failure to pay his debts 79) would
provide strong support for allowing tort liability under the
intentional interference tort for speech on ``private matters'' (such
as a business's unfair practices or breaches of warranty), or for
allowing universities to suppress speech that they find supposedly
valueless.
---------------------------------------------------------------------------
\77\ See, e.g., Paradise Hills Assocs. v. Procel, 1 Cal. Rptr. 2d
514, 521 (Ct. App. 1991).
\78\ See, e.g., Richard Delgado, Campus Antiracism Rules:
Constitutional Narratives in Collision, 85 Nw. U. L. Rev. 343 (1991).
\79\ See, e.g., Mason v. Williams Discount Ctr., Inc., 639 S.W.2d
836 (Mo. Ct. App. 1982).
---------------------------------------------------------------------------
VI. COMPELLING INTEREST
The last argument for many proposed information privacy speech
restrictions is that the government interest behind the restriction is
just so great. Speech that reveals personal information about others,
the argument goes, violates their basic human rights, strips them of
their dignity, causes serious emotional distress, interferes with their
relations with family, friends, acquaintances, and business associates,
and puts them at risk of crime.
Moreover, such speech itself undermines other rights of
constitutional stature, such as the right to privacy or free speech
itself. The government must be able to step in and prevent this, even
at the cost of creating a new free speech exception.
A. Countervailing Constitutional Rights
Let me begin by discussing the ``constitutional tension'' argument,
which comes in two flavors: (1) Because the Constitution has been
interpreted as protecting privacy (possibly including information
privacy 80), attempts to restrict speech in the name of
protecting information privacy involve a ``tension'' between two
constitutional values.81 (2) Information privacy speech
restrictions ``promote[] some of the same values protected by the First
Amendment,'' because ``[g]ranting people privacy, recognizing that
despite their entering into the public debate on an issue . . . they
remain a private person to some degree, encourages people to come
forward and engage in the debate.'' 82
---------------------------------------------------------------------------
\80\ See Whalen v. Roe, 429 U.S. 589, 605 (1977).
\81\ See also Melvin v. Reid, 112 Cal. App. 285, 291 (1931).
\82\ Sean M. Scott, The Hidden First Amendment Values of Privacy,
71 Wash. L. Rev. 683, 687, 710 (1996). See also Paul M. Schwartz,
Privacy and Democracy in Cyberspace, 52 Vand. L. Rev. 1609, 1701-02,
1651 (1999).
---------------------------------------------------------------------------
I have elsewhere argued at length against this sort of analysis,
83 but for now let me make two observations about it. First,
the speech vs. privacy and speech vs. speech tensions are not tensions
between constitutional rights on both sides. The Constitution
presumptively prohibits government restrictions on speech and perhaps
some government revelation of personal information, but it says nothing
about interference with speech or revelation of personal information by
nongovernmental speakers.
---------------------------------------------------------------------------
\83\ Eugene Volokh, Freedom of Speech and the Constitutional
Tension Method, 3 U. Chi. L. Sch. Roundtable 223 (1996).
---------------------------------------------------------------------------
If, for instance, a private group organizes a boycott of a
newspaper to pressure it into dropping a columnist whose work the group
finds offensive, 84 the group is not thereby violating the
columnist's First Amendment rights; he has a constitutional right to
speak free from government restraint, but not free from private censure
or private pressure.
---------------------------------------------------------------------------
\84\ See, e.g., Jill Stewart, Free This Man; Can Black
Conservatives Speak Their Minds in America? Ask KABC Talk-Show Host
Larry Elder, the Target of a Black Nationalist Group in L.A., New Times
(L.A.), July 3, 1997 (describing boycott of sponsors of black
conservative talk show host Larry Elder's radio show, aimed at getting
the radio station to take him off the air); James Warren, Andy Rooney
Suspended, But Denies Racist Comment, Chi. Trib., Feb. 9, 1990, Sec. 1,
at 3 (describing public pressure that caused CBS to suspend 60 Minutes
commentator Andy Rooney for allegedly making a racist comment); Jerry
Berger, Kennedy Decries Reagan Civil Rights Policies, United Press
Int'l, Jan. 18, 1988, available in LEXIS, News Library, UPI File
(describing public pressure that caused CBS to fire Jimmy ``The Greek''
Snyder on similar grounds).
---------------------------------------------------------------------------
Likewise, information privacy speech restrictions involve a tension
between a constitutionally secured right to speak free of government
restriction and a proposed statutory or common-law right to speak free
of private revelation of private information. The fact that the
proposed statutory or common-law right is in one way analogous to a
constitutional right does not give it constitutional stature.
Second, as the boycott example shows, changing First Amendment
doctrine to let free speech rights be trumped by other ``constitutional
values'' derived by analogy from constitutional rights would permit a
broad range of speech restrictions. Lots of speech has the effect, and
often the purpose, of discouraging people from exercising their speech
rights in certain ways.
Political bullies try to silence their opponents not only by
revealing embarrassing private information about them, but also by
calling them nasty (but nonlibelous) names, citing their interracial
marriages as evidence that they are traitors to their race,
85 attacking them with bitter and unfair parodies, or saying
things aimed at undermining their business affairs.
---------------------------------------------------------------------------
\85\ See, e.g., Amy Wallace, He's Either Mr. Right or Mr. Wrong,
L.A. Times, Mar. 31, 1996, at 12.
---------------------------------------------------------------------------
Depending on the era, the risk of having your arguments called
``Communist,'' ``un-American,'' ``racist,'' or ``sexist'' (even if your
arguments really don't fall into those categories) has discouraged many
people from expressing viewpoints that might draw such rhetoric--and I
suspect that the rhetoric was often used precisely to deter people from
expressing certain viewpoints. Who among us hasn't at times decided to
stay quiet in order to avoid having to deal with our opponents'
vituperation?
The logic of the argument I quoted, if accepted, would thus justify
restriction on all these kinds of speech. And yet our right to use
speech to pressure others into not speaking is a fundamental aspect of
the First Amendment; recall that a recurring (and correct) argument of
those who fight against advocacy of evil ideas--even advocacy that is
concededly constitutionally protected against government suppression--
is that such speech should be deterred by social ostracism and
condemnation.
Likewise, accepting the other constitutional tension argument,
which urges that speech be restricted when it undermines the unwritten
constitutional ``value'' of privacy, would provide strong support for
restrictions on speech that vehemently criticizes a religion and
thereby discourages people from publicly adhering to it (and thus
supposedly undermines the explicitly constitutionally described values
of religious freedom), 86 speech that urges people to treat
others unequally (and thus undermines equality), speech that tries to
pressure people into not exercising their property or contractual
rights (and thus undermines private property rights or the obligation
of contracts), and so on.87 A rule that constitutional
rights to protection from the government may be turned into
justification for government restrictions on speech by private actors
would have a broad effect indeed.
---------------------------------------------------------------------------
\86\ Cf., e.g., Kunz v. New York, 340 U.S. 290, 295, 302 (1951)
(Jackson, J., dissenting).
\87\ See generally Volokh, supra note 82, at 231-34, 237-38.
---------------------------------------------------------------------------
B. Dignity, Emotional Distress, and Civil Rights
Other arguments for information privacy speech restrictions claim
that the speech injures people's dignity or emotionally distresses
them. This injury is sometimes also characterized as an interference
with people's basic ``civil right'' not to have others know or say
certain things about them.88
---------------------------------------------------------------------------
\88\ See, e.g., Directive 95/46/EC, art. 1(1) 1995 O.J. (L.281) 31
(describing protection of informational privacy as a matter of ``the
fundamental rights and freedoms'' ``of natural persons''); Talk of the
Nation: Online Privacy (NPR radio broadcast, June 30, 1998) (quoting
Todd Lappin, senior associate editor of Wired magazine) (``[I]t's
really the job of all of us to get a consensus in Congress that'll give
us basic legal rights so we have some control over our names and over
our personal information. This is a civil rights and a human rights
struggle . . .'').
---------------------------------------------------------------------------
But is it constitutional for the government to suppress certain
kinds of speech in order to protect dignity, prevent disrespectful
behavior, prevent emotional distress, or to protect a supposed civil
right not to be talked about? Under current constitutional doctrine,
the answer is generally no: Even offensive, outrageous, disrespectful,
and dignity-assaulting speech is constitutionally
protected.89
---------------------------------------------------------------------------
\89\ See, e.g., Cohen v. California, 403 U.S. 15 (1971) (public
profanity); Texas v. Johnson, 491 U.S. 397 (1989) (flag burning);
Hustler Magazine v. Falwell, 485 U.S. 46 (1988) (scurrilous, personal
attack in print); Brandenburg v. Ohio, 395 U.S. 444 (1969) (racist
advocacy); Collin v. Smith, 578 F.2d 1197 (7th Cir. 1978) (Nazi parade
in a part of town where many Holocaust survivors lived); Kunz v. New
York, 340 U.S. 290 (1951) (vitriolic attacks on Catholicism and
Judaism); Cantwell v. Connecticut, 310 U.S. 296 (1940) (vitriolic
attack on Catholicism).
---------------------------------------------------------------------------
And there is good reason for this approach. If the government can
declare it to be my ``civil right'' to prohibit others from saying the
truth about me behind my back, then the arguments for many speech
restrictions would be considerably strengthened. The government could
similarly declare it a civil right to have others not say insulting
things about me (and my kind) in print or in broadcasts, where I may
directly see or hear such speech; other countries have indeed done
this.
Similarly, say that true statements--statements about past crimes,
current sexual orientation, credit history, and the like--can be
restricted because of the danger that they will change people's
attitudes about their subject. Why wouldn't sociological or political
claims that the government considers false or misleading (group libel
or seditious libel) 90 or statements of opinion (general
bigoted or antigovernment advocacy) be likewise restrictable, on the
grounds that they may change people's attitudes about a group, and that
there's a ``compelling governmental interest'' in preventing such
changed attitudes?
---------------------------------------------------------------------------
\90\ Cf., e.g., United States v. Cooper, 25 F. Cas. 631, 639
(C.C.D. Pa. 1800).
---------------------------------------------------------------------------
It's conceivable that as to some kinds of speech, for instance the
revelation of the names of rape victims or the unauthorized
distribution of pictures of a person naked or having sex, courts will
find that the speech is so valueless and so distressing that there is
indeed a compelling interest in restricting it. Though I empathize with
the reasons for such restrictions, I reluctantly oppose them, precisely
because of the dangers discussed in Part V and earlier in this
section--``lack of legitimate public concern'' and ``severe emotional
distress,'' while intuitively appealing standards, are so vague and
potentially so broad that accepting them may jeopardize a good deal of
speech that ought to be protected.
But while these narrow restrictions would merely increase the risk
that more speech might be restricted in the future, other proposed
restrictions cheerfully embrace this possibility. Broad readings of the
disclosure tort would restrict speech about elected officials that many
voters would (rightly or wrongly) find quite relevant, or restrict
speech about people's past crimes, which many of the people's neighbors
may find important.
Likewise, many of the proposals to restrict communication of
consumer transactional data would apply far beyond a narrow core of
highly private information, and would cover all transactional
information, such as the car, house, food, or clothes one buys. I don't
deny that many people may find such speech vaguely ominous and would
rather that it not take place, and I acknowledge that some people get
extremely upset about it. But knowing that some business somewhere
knows what car you drive 91 is just not in the same league
as, say, knowing that all your neighbors (and thousands of strangers)
have heard that you were raped.
---------------------------------------------------------------------------
\91\ Cf., e.g., Gindin, supra note 1, at 1157.
---------------------------------------------------------------------------
If such fairly modest offense or annoyance is enough to justify
speech restrictions, then the compelling interest bar has fallen quite
low. And watering down the threshold for when an interest becomes
``compelling'' will of course have an impact far beyond information
privacy speech restrictions.
C. Keeping the Internet Attractive to Consumers
Some have argued that privacy restrictions are needed to keep
Internet access attractive to consumers: Consumers are so concerned
that online sites will collect and reveal information about them, the
argument goes, that they are being deterred from engaging in e-
commerce, and thus e-commerce in particular and the economy in general
is suffering.92
---------------------------------------------------------------------------
\92\ Cf. generally Joel R. Reidenberg & Francoise Gamet-Pol, The
Fundamental Role of Privacy and Confidence in the Network, 30 Wake
Forest L. Rev. 105 (1995).
---------------------------------------------------------------------------
But fostering economic growth and increasing Internet use, while
laudable goals, can hardly be ``compelling government interests''
justifying content-based bans on certain kinds of speech, at least if
the ``compelling'' threshold is to have any meaning. And the potential
consequences of accepting this sort of justification for restricting
speech are both clear and dire: The same rationale, after all, would
easily justify bans on TV broadcasts that warn of cyberspace privacy
risks, since such speech even more directly frightens consumers away
from e-commerce and other Internet use.
Furthermore, if this is really such a great concern (which is far
from clear, given the explosive growth of e-commerce even in the
absence of noncontractual information privacy speech restrictions), it
stands to reason that many Internet businesses would invest a lot of
effort into preventing such consumer alienation: They'll promise not to
communicate consumer information, set up enforcement mechanisms aimed
at giving consumers confidence that such promises will be kept,
distribute software that helps protect people's privacy through
technological means, and so on. The availability of these alternatives
further undercuts the case for restricting First Amendment rights in
order to protect e-commerce.93
---------------------------------------------------------------------------
\93\ Cf. Reno v. ACLU, 521 U.S. 844, 885 (1997) (rejecting on
similar though slightly different grounds a similar argument in support
of restrictions on sexually themed speech).
---------------------------------------------------------------------------
D. Preventing Misconduct and Crime
1. Discrimination.
Speech that reveals some kinds of information about people may make
it easier for the listeners to act illegally or supposedly unfairly
towards those people. One commonly given example is the risk that
certain health-related information might fall into the hands of your
health insurance company. ``Say that the insurance company learns that
you eat a lot of pizza and steak, and therefore concludes that you'll
probably have higher cholesterol and a higher risk of heart disease,''
the argument goes; ``it might then raise your rates.'' Another example
is the risk that information about people's past crimes, alcoholism, or
drug abuse will become known to employers, who will then refuse to hire
these people.94
---------------------------------------------------------------------------
\94\ See, e.g., James Rachels, Why Privacy Is Important, 4 Phil. &
Pub. Aff. 323, 324 (1975) (``Revealing a pattern of alcoholism or drug
abuse can result in a man's losing his job or make it impossible for
him to obtain insurance protection . . .'').
---------------------------------------------------------------------------
I can certainly see why people might be offended by their insurance
company ``snooping'' on them this way. I can also see why it might be
in the unhealthy eaters' financial interest (and I should mention that
I love meat and cheese) not to be identified as such, so they can be
subsidized by the healthy eaters with whom they pool their risk.
Similarly, closet smokers would prefer, if possible, that life
insurance companies not be able to identify them as smokers. But the
question is not just whether the communication of this information is
offensive or financially costly to its subjects, but rather whether the
government may suppress such communication.
If discrimination in insurance based on the insureds' eating habits
is legal, as it is with respect to smoking habits, then it's hard to
see how the risk of such lawful discrimination can justify restricting
speech. True, one's buying habits are not a perfect proxy for one's
eating habits (maybe the buyer is a healthy eater who is buying the
pizza entirely for his roommate), but insurance is all about using
imperfect but lawful predictors.
Being above twenty-five and being a good student don't perfectly
predict whether someone will drive safely; smoking and being older
don't perfectly predict whether someone will die soon; but virtually
nothing perfectly predicts anything else. Likewise, many employers
might consider a person's criminal record, alcoholism, or drug abuse
relevant to whether they should entrust their property, their clients'
well-being, 95 or a $100 million oil tanker to that person.
---------------------------------------------------------------------------
\95\ Employers not only have moral and business reasons to make
sure that they don't hire people who might abuse their customers, but
legal reasons, too: A negligent failure to discover that an employee
has a criminal record may lead to liability for negligent hiring if the
employee later attacks a customer. See, e.g., Carlsen v. Wackenhut
Corp., 868 P.2d 882, 888 (Wash. App. 1994).
---------------------------------------------------------------------------
But even if the government outlaws discrimination based on
insureds' eating habits, or discrimination based on a person's
alcoholism, drug use, or criminal past, 96 the basic First
Amendment rule is that while the government may restrict conduct, it
generally can't restrict speech simply because some people may at some
time be moved by the speech to act illegally.97 The law has
plenty of tools to fight such discrimination directly. They are not
perfect tools, but under the First Amendment the government may not try
to compensate for their imperfection by suppressing speech.
---------------------------------------------------------------------------
\96\ See N.Y. Corr. Law Sec. Sec. 752, 753 (generally barring
employment discrimination based on criminal record); Wisc. Stat. Ann.
Sec. Sec. 111.31, 111.32 (same).
\97\ See, e.g., Brandenburg v. Ohio, 395 U.S. 444 (1969).
---------------------------------------------------------------------------
The government may not suppress advocacy of discrimination based on
race, criminal history, alcoholism, drug use, or pizza consumption,
even though such advocacy may lead some people to actually engage in
such discrimination. Likewise, the government may not suppress speech
about particular people's criminal history, alcoholism, drug use, or
pizza consumption, even though such speech may lead some people to
engage in the discrimination.
2. Fraud and violent crime.
In a few cases, revealing certain information about people may make
it easier for others to defraud or otherwise victimize them.
Under what circumstances the government may restrict speech that
facilitates the commission of crime is a difficult and so far largely
uninvestigated question.98 It arises in many cases which
have nothing to do with revelation of personal information, because
personal information is just one of many kinds of information that can
make it easier for people to commit crimes. For instance, the most
prominent recent case that upheld a restriction on crime-facilitating
speech involved a lawsuit against the publisher of a murder-for-hire
manual.99
---------------------------------------------------------------------------
\98\ See U.S. Department of Justice, 1997 Report on the
Availability of Bombmaking Information, available at ; Kent
Greenawalt, Speech, Crime, and the Uses of Language (1989); Eugene
Volokh, Crime-Facilitating Speech (in progress).
\99\ See Rice v. Paladin Press, 128 F.3d 233 (4th Cir. 1997).
---------------------------------------------------------------------------
Moreover, even crime-facilitating speech that's focused on
particular targets may involve information that few would consider
especially private: For example, if we're concerned about speech that
facilitates fraud or theft, publishing information about a business's
security vulnerabilities or a list of the business's computer passwords
may create as much risk of fraud as publishing a person's social
security number would.
I won't try to resolve this question here, but only want to offer
three observations. First, the fact that speech facilitates crime
doesn't always justify restricting the speech (even if it sometimes
might): Consider, for instance, normal chemistry books, which may be
used by criminals to learn how to make explosives, 100 or
detective stories that describe particularly effective ways to commit a
crime.
---------------------------------------------------------------------------
\100\ See, e.g., U.S. Department of Justice, supra note 97 (listing
a chemistry book from the respected Telford Press and books on
explosives from the U.S. Bureau of Mines and the Association of
Australian State Road Authorities among sources ``useful to individuals
bent upon constructing bombs and other dangerous weapons'').
---------------------------------------------------------------------------
Second, the strongest argument for restricting speech that reveals
crime-facilitating personal information is that the speech facilitates
crime, not that it reveals personal information. It is therefore
probably most useful to analyze such speech as a kind of crime-
facilitating speech, rather than as a specimen of revelation of
personal data.
Third, the crime facilitation concern at most supports narrow
restrictions on the particular kinds of speech that materially risk
facilitating crime.101 Whatever support there may be for a
general right to suppress either speech that reveals embarrassing
personal information or speech that reveals information about a
person's purchases, the fact that a few kinds of such speech may
facilitate crime can't justify these broad restrictions.
---------------------------------------------------------------------------
\101\ Cf. Florida Star v. B.J.F., 491 U.S. 524, 537, 539 (1989);
id. at 542 (Scalia, J., concurring in part and concurring in the
judgment).
---------------------------------------------------------------------------
CONCLUSION
I have made three arguments:
1. Despite their intuitive appeal, restrictions on speech that
reveals personal information are constitutional under current doctrine
only if they are imposed by contract, express or implied. There might
possibly be room for restrictions on revelations that are both
extremely embarrassing and seem to have virtually no redeeming value,
such as unauthorized distribution of nude pictures or possibly the
publication of the names of rape victims, and perhaps for speech that
makes it substantially easier for people to commit crimes against its
subjects. Even these, though, pose significant doctrinal problems.
2. Asking courts to expand the doctrine to create a new exception
may give supporters of information privacy speech restrictions much
more than they bargained for. All the proposals for such expansion--
whether based on an intellectual property theory, a commercial speech
theory, a private concern speech theory, or a compelling government
interest theory--would, if accepted, become strong precedent for other
speech restrictions, including ones that have already been proposed.
The analogies between the arguments used to support information privacy
speech restrictions and the arguments used to support the other
restrictions are direct and powerful.
And accepting the principles that the government should enforce a
right to stop others from speaking about us and that it's the
government's job to create ``codes of fair information practices''
controlling private parties' speech may shift courts and the public to
an attitude that is more accepting of government policing of speech
generally. The risk of unintended consequences thus seems to me quite
high.
3. People who generally oppose any broad diminution of free speech
protections but who think information privacy speech restrictions must
be upheld, can try to set forth their proposed new exception and its
supporting arguments as carefully and narrowly as possible. I hope
their attempt to craft such a well-cabined, narrow rationale for any
such new exception will be helped by this Article, which highlights
some of the analogies that generally pro-speech-restriction forces
might use to expand any exception that is created. Maybe with a very
carefully drawn exception, my fears about the unintended consequences
of recognizing such exceptions won't come to pass.
But some people may reluctantly conclude that the risk is just too
great. We protect a good deal of speech we hate because we fear that
restricting it will jeopardize the speech we value. Some people may
likewise conclude that it's better to protect information privacy in
ways other than speech restriction--through contract, technological
self-protection, market pressures, restraints on government collection
and revelation of information, and social norms--than to create a new
exception that may eventually justify many more restrictions than the
one for which it is created.
Mr. Stearns. Professor Rubin?
STATEMENT OF PAUL RUBIN
Mr. Rubin. Thank you, Mr. Chairman and members of the
subcommittee. I thank you for letting me testify.
Mr. Stearns. Could you just pull one of the microphones up
to you?
Mr. Rubin. Oh, I am sorry.
Mr. Stearns. That is fine.
Mr. Rubin. Thank you for inviting me to testify today.
Mr. Stearns. Maybe just a shade closer. Good.
Mr. Rubin. I am currently in the process of completing a
major study of the issue of privacy for the Progress and
Freedom Foundation. My testimony and the forthcoming study is
concerned with the commercial market for personal information
that is used for advertising and marketing purposes, so I want
to confine my remarks to that segment of the issue.
In my written testimony, I make five basic points. First,
consumers receive large benefits from the commercial use of
information. Advertising revenues support many valuable
services that are provided free over the Internet, and we all
know what some of these are. Information makes it possible to
target advertising messages to consumers' interests, and the
result is, as Professor Cate indicated, better information;
reduces the amount of spam and other undesired messages,
because advertisers are better able to target us if they have
this information.
Second, the way information is used on the Internet is
highly impersonal. Humans do not see or handle the information.
It is generated and manipulated by computers. So we have this
intuition that somebody knows something, but in many cases, the
knowledge is embedded on a computer somewhere; no person has
access to the information. The typical unit of commerce in
online advertising is an ad based on 1,000 browsers. So it is a
large block of potential viewers rather than an individual.
Third point: despite consumer concerns, there does not
appear to be actual evidence of harm to consumers from the
legal use of information for marketing and advertising
purposes. I want to stress that it is the legal information, so
there are illegal uses, of course, but the legal use does not
seem to have led to any harm. We have heard some stories from
members of the committee this morning on, for example, medical
records and so forth, but these are not commercial use of
information. From the commercial use, there seems to be no
evidence.
In a year-end summary dealing with privacy issues, C-NET, a
leading new economy news source, said despite the fears and
concerns, there were no publicized horror stories that resulted
from a privacy invasion. As I said, illegal use of information
such as credit card fraud and identity theft do cause real
harms. These are already, of course, against the law and do not
appear to be closely related to online activities. James Hust,
the Inspector General of the U.S. said with respect to identity
theft this is not an Internet crime and never was, and the FTC
is on record--officials of the FTC are on record also
indicating that there is no higher level, no evidence of a
higher level of fraud or identity theft based on the Internet
than based on other sources of information.
The fourth point: we have heard people say that privacy is
good business, and I think it is good business, and what you
expect if something is good business, you expect business to
respond, and we have a lot of evidence that business is, in
fact, responding to privacy concerns. I have some charts here.
The first chart indicates that in several cases, firms have
undertaken some action which has later turned out to bother
consumers; consumers protested, and the firms have canceled the
action solely based on consumer response. Probably the best-
known is Double-Click's purchase of Abacus, which was canceled
because of consumer concerns about the use of information.
So there is a mechanism there. Second, there are voluntary
standards organizations, numerous voluntary standards
organizations; trustee; BBB Online; the Direct Marketing
Association has principles of privacy; and accounting firms
provide privacy audits; again, a market response to privacy
issues. There is also something about to come online, P3P,
which has been mentioned and may go a long way toward
alleviating privacy concerns.
And then, we see firms beginning to advertise privacy as
well. Part of this morning's Post has an article: Earthlink
resorts to restroom ads, but the restroom ads referred to in
the Post deal with privacy. So firms are perceiving that
privacy is something consumers want, and not only are they
posting privacy policies on their Websites, but they are
actually advertising that they offer better privacy.
Fourth, there are lots of technologies that consumers can
use: cookie rejection technologies, anonymous browsers, so
there are alternatives out there for consumers particularly
concerned with privacy.
The fifth point: regulation of the market for personal
information is potentially very costly. Congress should proceed
cautiously based on a careful evaluation of the benefits and
costs. Based on the evidence thusfar available, the case for
new regulation is weak. The market seems to be rapidly evolving
to meet privacy concerns. Regulation of the market would entail
cost in terms of fewer consumer choices. It would also have an
adverse effect on innovation and competition. These costs are
likely to outweigh potential benefits which appear small,
because there is little evidence that consumers are now being
harmed by misuse of this information.
Thank you.
[The prepared statement of Paul Rubin follows:]
Prepared Statement of Paul H. Rubin,1 Professor of Economics
and Law, Emory University
---------------------------------------------------------------------------
\1\ Paul Rubin is Professor of Economics and Law at Emory
University and Senior Fellow at The Progress & Freedom Foundation. The
views expressed here are his own.
---------------------------------------------------------------------------
Mr. Chairman and Members of the Subcommittee: I appreciate the
opportunity to testify on ``Privacy in the Commercial World.'' I am
currently in the process of completing a major study of this issue for
The Progress & Freedom Foundation.
Recent advances in information technologies have reduced the costs
of collecting, storing, retrieving and transmitting information of all
kinds. While the economic and social impacts of these advances have
been overwhelmingly positive, they have also raised concerns on the
part of individuals about who has access to their personal information
and how it is being used. These concerns, in turn, have led to calls
for new government regulation.
In order to decide whether regulation is in order, and, if so, what
form it should take, basic public policy questions need to be answered:
Are there market failures in the market for personal
information?
If market failures exist, how do they adversely affect
consumers?
Can such failures be remedied by government regulation?
Would the benefits of government regulation exceed the costs?
Are specific legislative and/or regulatory proposals cost-
effective in achieving their goals.
The purpose of the PFF study is to make a start toward answering
these questions.
My testimony--and the forthcoming PFF study--is concerned with the
commercial market for personal information that is used for advertising
and marketing purposes. Thus, it does not specifically address a number
of other issues that are sometimes discussed under the overall umbrella
of ``privacy,'' but raise different concerns.
My work does not address particularly sensitive types of
information, such as health information, personal financial information
or information about children. These types of information are already
subject to regulatory programs specifically tailored for them.
I also do not address illegal uses of information, such as credit
card fraud and identity theft. These are serious crimes, and impose
significant costs on consumers and businesses. However, they are
already against the law. Identity theft is a Federal crime, and a crime
in 22 states,2 and the use of someone else's credit card is
illegal in all 50 states.
---------------------------------------------------------------------------
\2\ CALPIRG, ``Nowhere to Turn: Victims Speak Out On Identity
Theft,'' available on the CALPIRG Website, http://www.pirg.org/calpirg/
consumer/privacy/idtheft2000/toppage1.htm visited January 12, 2001.
---------------------------------------------------------------------------
Moreover, the incidence of these crimes does not appear to be
related to online activities. In a recent article, for example, Betsy
Broder, Assistant Director for Planning and Information at the FTC is
quoted as saying: ``The Internet is probably not as large a part of the
problem [of identity theft] as people suspect.'' 3 Ms.
Broder also said ``None of the statistics show a greater vulnerability
of consumers who are shopping online.'' 4 This is consistent
with the findings of a study of 66 victims of identity theft, which
found that only two of the 66 (about three percent) ``had reason to
believe that the thief had obtained their information via the
Internet.'' 5 The Inspector General of the United States,
James Huse, has said, with respect to identity theft, ``This is not an
Internet crime and never was.'' 6
---------------------------------------------------------------------------
\3\ Quoted in Danielle Sessa, ``The Best Way to . . . Keep Safe,''
The Wall Street Journal, Nov. 27, 2000, R25.
\4\ Quoted in Susan Stellin, ``Using Credit Cards Online Remains
Safe Despite High-Profile Security Lapses,'' New York Times October 16,
2000.
\5\ CALPIRG, ``Nowhere to Turn: Victims Speak Out On Identity
Theft,'' available on the CALPIRG Website, http://www.pirg.org/calpirg/
consumer/privacy/idtheft2000/toppage1.htm visited January 12, 2001, p.
6.
\6\ Scott Bernard Nelson, ``Identity Crisis,'' The Boston Globe,
August 27, 2000. He does add: ``But technology has created new ways of
storing and selling personal information and it's likely to create more
and more headaches in the future.''
---------------------------------------------------------------------------
Finally, my testimony does not concern government collection and
use of information. Because, as a nation, we are concerned about the
misuse of government power, government is constitutionally constrained
in its ability to obtain information about individuals, as when it uses
software such as ``Carnivore'' to search emails. It is also justifiable
to hold government to a stricter standard with respect to the
information it controls, because government has mandatory access to
much of that information.
THE COMMERCIAL USE OF PERSONAL INFORMATION
Data on individuals has been used by marketers and advertisers long
before the advent of the Internet. But, the Internet has increased the
flow of personal information and, in the process, raised the level of
individuals' concerns about privacy.
On the Internet, targeted advertising is accomplished by examining
individuals' online activities, developing an understanding of their
interests, and then matching and delivering relevant advertisements.
This is accomplished by compiling individuals' web-browsing activities
and applying database technologies and statistical models that yield
demographic and interest profiles, commonly referred to as consumer
profiles. Advertisements relevant to consumers' profiles are then
inserted in the Web pages they visit.
Advertising firms, such as DoubleClick and 24/7, deliver targeted
advertisements to Internet users that visit popular Websites. Website
operators receive advertising revenues based on pages viewed and
advertisements delivered. Advertising is a major source of revenue for
Websites such as search engines, directories and portals, and is
growing rapidly. U.S. companies spent $3.5 billion on Web advertising
in 1999. Revenue in the second quarter of 2000 was $2.1 billion.
Advertising spending on the Web is predicted to increase to $16.5
billion by 2005, making online spending eight percent of the total
amount spent on advertising. 7 This advertising in turn
fuels billions of dollars in online purchases.
---------------------------------------------------------------------------
\7\ The Standard, ``Net Ads Keep on Ticking,'' by Stacey Lawrence,
September 4, 2000. Available on-line at: http://www.thestandard.com/
research/metrics/display/0,2799,18155,00.html. Visited September 20,
2000.
---------------------------------------------------------------------------
Advertisers use personal data to identify individuals who are more
interested than the average in purchasing some product or service. The
search begins with the product, and seeks out individuals who might
have an interest in the product. A seller does not ask ``What can I
sell to Paul Rubin?'' Rather, a seller asks an advertiser such as
DoubleClick or 24/7 to ``Put my ad on 1,000,000 pages viewed on
computers of persons more likely than average to want a new car'' and
perhaps Paul Rubin's computer turns out to be one of those selected.
But, no human makes this determination; rather, it is made by various
computers connecting with each other. Moreover, the unit of commerce in
the online advertising market is typically 1000 persons, not any
individual. 8
---------------------------------------------------------------------------
\8\ ``All rates are expressed in cost per thousand (CPM) ad banner
impressions.'' From DoubleClick's Rate Card, http://
www.doubleclick.net:80/us/advertisers/media/network/info/rate-
card.asp?asp__object__1=& , visited February 22, 2001.
---------------------------------------------------------------------------
CONSUMER BENEFITS
Consumers benefit from this advertising in numerous ways. First,
advertising revenues support many valuable services that are provided
to consumers at no charge. These services include free email and pages
from firms like Yahoo! customized to contain information of direct
interest to the particular individual.9 The amount of free
information available on the Internet is truly remarkable, and this
information is paid for through advertising. Internet advertising firms
such as DoubleClick provide customized advertising to smaller Websites
that use the revenues from this advertising to support themselves.
Larger firms, such as AOL and Yahoo!, can internally provide the same
services that DoubleClick and its competitors provide for the smaller
sites.
---------------------------------------------------------------------------
\9\ I use a free customized page from Yahoo! as my own homepage.
This contains information in many categories that I have selected:
headlines on selected topics from Reuters and AP; information about
chosen stocks and stock indices; weather in selected cities; and movies
in my neighborhood. Many other categories are also available. For all
of this information, much more detail is available from a mouseclick.
---------------------------------------------------------------------------
Second, consumers benefit from receiving information that is
targeted to their interests. Consumers value learning about products
they are likely to buy. Even if some advertising does not lead directly
to a purchase, the information may still enable a consumer to compare
prices among products, or to determine what products are available.
Targeted advertising reduces the likelihood that consumers will be
bothered with information that is of no interest to them, and marketers
have an incentive to avoid sending messages to consumers who aren't
interested. Consumers are likely to avoid Websites that routinely
display useless information, or to ignore, delete or screen out
messages from marketers who send the irrelevant emails commonly
described as ``spam.'' Thus, both consumers and advertisers have an
interest in better targeting of advertising messages.
Generally, markets work better with better information. As the cost
of information goes down, market participants will obtain more of it
and will consequently make better decisions. For example, if merchants
can better estimate demand, they are less likely to purchase excess
inventories, reducing costs and even lessening swings in overall
economic activity. Similarly, geographic computer-based information can
enable bricks-and-mortar merchants to put their new stores in the
places that best serve consumers, and to stock the most useful
merchandise for nearby consumers in those stores. Such examples can be
multiplied without limit--all agents in the economy will benefit from
better information. Electronic information has led to a major reduction
in the cost of information and therefore a major increase in the amount
of information available to the economy, and any policy that reduces
the amount of such information below the efficient amount will have
detrimental effects on the economy.
Finally, an important characteristic of information is that--in
contrast to many other goods--it can be used many times without being
used up. If I know something and tell you, then we both know it. This
``public good'' characteristic is an important reason for the
productivity of information. For the type of commercial information
discussed here, advertisers, credit institutions, and insurance
companies use the same information, and it is useful to all of them.
Indeed, the various information users cooperate in generating this
information because they all find it valuable.
Thus, if there are externalities associated with the commercial use
of information, they are more likely to be positive than negative. This
means that it is more likely that not enough information is available
than that too much information is available. Regulation that would
reduce the use and availability of information would exacerbate this
problem.10
---------------------------------------------------------------------------
\10\ It is sometimes argued that information should be used only
for the purpose for which was collected. In fact, this is part of the
European Union Directive on the Protection of it Personal Data.
However, this restriction on information use imposes a real cost on the
economy, in that many productive uses would be denied.
---------------------------------------------------------------------------
IS THERE MARKET FAILURE?
From an economic point of view, regulation of the market for
information should only be undertaken if the market is not functioning
correctly. Market failure in this context would mean that consumers'
preferences concerning the amount and use of their information are not
being accurately transmitted and responded to in the marketplace. If
the market is working well, there is no need for government
intervention.
Consumer Harm
Given widespread consumer concerns about privacy and perceptions
that personal information may be subject to misuse, it is noteworthy
that there does not appear to be actual evidence of harm to consumers
from the legal use of information for marketing and advertising
purposes. In an economy with 281 million individuals, there does not
even appear to be much in the way of anecdotal evidence of harms
resulting from violations of privacy in connection with such marketing
activities. For example, in a year-end summary for 2000 dealing with
privacy issues, CNET, a leading ``New Economy'' news source, indicated
that there were no mishaps involving commercial use of personal
information in 2000: ``Despite the fears and concerns, there were no
publicized horror stories that resulted from a privacy invasion.''
11
---------------------------------------------------------------------------
\11\ Patricia Jacobus, ``Privacy heats up but doesn't boil over,''
CNET News, December 22, 2000, available online at http://news.cnet.com/
news/0-1005-200-4238135.html?tag=st.cn.sr.ne.1, visited December 25,
2000.
---------------------------------------------------------------------------
Much of the anecdotal evidence of ``harm'' that does exist concerns
activities that have nothing to do with the use of information for
marketing purposes. For example, a New York Times magazine article by
Jeffrey Rosen 12 provides anecdotes about individuals who
have been harmed by invasions of their privacy, but none concern misuse
of advertising data. He discusses, for example, Monica Lewinsky's
emails and various archives kept by chat rooms, and employer monitoring
of email and surfing. None of his evidence or examples of harm apply to
marketing or advertising information.
---------------------------------------------------------------------------
\12\ Jeffrey Rosen (2000), ``The Eroded Self,'' New York Times
Magazine, April 30, p. 46.
---------------------------------------------------------------------------
It might be argued that, even though there has been no harm thus
far, there might be in the future. But, given the absence of harm thus
far, the risk would seem to be small.
Consumer Interaction with Websites
Perhaps part of the reason we see no evidence of consumer harm is
that there are a variety of market mechanisms now available to
consumers to make known their preferences with respect to the use of
their personal information.
Reputation Effects. Consumers are not without recourse if firms use
their information in ways they don't like. Consumers can simply stop
doing business with the offending firm, and the evidence shows they are
quite willing to do so. In fact, reputation effects are powerful, and
the evidence shows that when a firm does something that is perceived as
harming its reputation with consumers, the firm suffers a substantial
loss in value.13
---------------------------------------------------------------------------
\13\ For a summary of the literature, see Kari Jones and Paul H.
Rubin, ``Effects of Harmful Environmental Events on the Reputations of
Firms,'' Advances in Financial Economics (forthcoming), 2001, edited by
Mark Hirschey, Kose John and Anil K Makhija, available online at http:/
/papers.ssrn.com/paper.taf?ABSTRACT__ID=158849.
---------------------------------------------------------------------------
Reputation effects can be expected to be particularly strong among
firms operating on the Internet, where communication between consumers
is easy and inexpensive. Consumers quickly learn about what they
perceive as misdeeds by a firm:
When Amazon appeared to have engaged in ``dynamic pricing''
(what economists call price discrimination) consumers learned
about it quickly and many became irate.14 Such
pricing is probably efficient, 15 but nonetheless
the firm has promised not to engage in this practice.
---------------------------------------------------------------------------
\14\ David Streitfeld, ``On the Web, Price Tags Blur,'' Washington
Post, September 27, 2000. Amazon denies that it was engaged in dynamic
pricing or price discrimination.
\15\ Paul Krugman (2000), ``What Price Fairness?'', New York Times
October 4.
---------------------------------------------------------------------------
In 1997, America Online had plans to sell telephone numbers of
its subscribers to telemarketers, but cancelled those plans in
response to angry reactions from subscribers.16
---------------------------------------------------------------------------
\16\ This and the following two examples are from Jessica Litman,
``Information Privacy/Information Property,'' 52 Stanford Law Review,
1283-1313, May, 2000, at 1305-6.
---------------------------------------------------------------------------
In 1998, CVS pharmacy arranged for another company to contact
consumers who failed to refill prescriptions. Again, consumer
dissatisfaction led to the plans being called off.
In 1999, RealNetworks was forced to change its software when
it was learned that its product, RealJukebox, collected
information on users' habits.
Yahoo! eliminated the reverse telephone number search from its
search site in response to consumer unhappiness.17
---------------------------------------------------------------------------
\17\ This and the following two examples are from Daniel J. Solove,
``Privacy and Power: Computer Databases and Metaphors for Information
Privacy,'' p. 27, available online through SSRN.Com, 56-57.
---------------------------------------------------------------------------
Lotus cancelled plans to sell data about 120 million citizens.
Lexis-Nexis also cancelled plans to sell information about
millions of persons.
More recently, a firm called N2H2, which makes filtering
software, has stopped selling information about Websites
visited by students, because many felt that such sales were
improper.18
---------------------------------------------------------------------------
\18\ Associated Press, ``Internet Co. Drops Data Selling Plan,''
Feb. 22, 2001. Note that the plan did not sell personally identifiable
information.
---------------------------------------------------------------------------
Finally, there is the well-known story of DoubleClick's
cancelled plan to link online and personally identifiable
information through its acquisition of Abacus
Direct.19
---------------------------------------------------------------------------
\19\ Discussed at numerous places. See for example Diane Anderson
and Keith Perine, ``Marketing the Double Click Way,'' The Standard,
March 13, 2000.
---------------------------------------------------------------------------
The critical point is that when businesses use information in ways
that consumers do not like, they quickly learn about it, and the firms
are forced to stop. Such reputational penalties may be among the
strongest protections available to consumers. The main asset that on-
line marketers own is their reputation with consumers. Any use of
information in a way that reduces the value of that reputation would be
counterproductive for the firm. Moreover, the very nature of
information on the Internet means that consumers are likely to learn
about such uses.
This suggests that arguments about asymmetric information, such as
have been advanced by Peter Swire, are incorrect.20 Such
arguments claim that consumers will not have adequate incentives to
learn about the policies of any Website with respect to privacy, and
therefore Websites will not have adequate incentives to provide
appropriate privacy protections. This may be true for many consumers.
However, as discussed above, if they find privacy policies
unsatisfactory, when they do learn about them, the market reaction will
be strongly adverse. This provides a sufficient incentive to Websites
to provide their customers with satisfactory privacy policies.
---------------------------------------------------------------------------
\20\ See Peter Swire, ``Markets, Self-Regulation, and Government
Enforcement in the Protection of Personal Information,'' in Privacy and
Self-Regulation in the Information Age, U. S. Department of Commerce,
Washington, DC, 1997, http://www.ntia.doc.gov/reports/privacy/
selfreg1.htm.
---------------------------------------------------------------------------
We also see firms taking many positive steps to protect their
reputations. IBM, Microsoft, Disney, Intel, Compaq, Novell, Procter &
Gamble, and American Express do not advertise on Websites that do not
have privacy policies.21 Presumably, this is to protect
their reputations. As a method of protecting reputations, firms are
increasingly hiring ``chief privacy officers'' (CPOs) and giving them
substantial power and discretion in setting company policies. Alan
Westin, a well-known privacy expert, offers a training course for this
position.22 There are now about 100 CPOs, and it is
estimated that there will be 500 by the end of next year.23
---------------------------------------------------------------------------
\21\ ``It's Time for Rules in Wonderland,'' Business Week, March
20, 2000; ``Towards Digital eQuality--The Second Annual Report of the
US Government's Work Group On Electronic Commerce'', December, 1999.
\22\ http://www.pandab.org/.,visited November 13, 2000.
\23\ Kemba J. Dunham, ``The Jungle: Focus on Recruitment, Pay and
Getting Ahead: A New Playing Field,'' The Wall Street Journal March 20,
2001.
---------------------------------------------------------------------------
Technologies of Choice. There are numerous technologies now
available that allow consumers to address their privacy concerns:
Basic browsers now allow some customization with little
effort. For example, Netscape allows a user four options with
respect to cookies. Microsoft also offers some control.
Other options allow control of cookies. From one site,
approximately forty programs that allow control of cookies can
be downloaded.24 These programs allow one to refuse
certain cookies, or to easily delete cookies after they are
received.
---------------------------------------------------------------------------
\24\ Downloaded on October 25, 2000 from ZDNet Downloads (http://
www.zdnet.com/down
loads/), a popular source for software, using a search for ``cookie''
---------------------------------------------------------------------------
There are also several services that allow anonymous surfing,
including Anonymizer.com, IDZap.Com, iPrivacy.com, SafeWeb,
SilentSurf.com, and others as well. These services offer
different levels of control over information, depending on the
consumer's preferences and willingness to bear the
inconvenience costs of protecting information.
In addition, American Express now offers a ``one-time'' credit
card number, good only for one purchase, designed for Internet
use. Since Websites selling products to consumers using this
card never have access to information about the consumer,
privacy is protected.
Consumers concerned about privacy are able to use any of these
services, some free, to protect their information online.25
---------------------------------------------------------------------------
\25\ Some of these are discussed in Don Clark, ``Privacy: You Have
No Secrets,'' The Wall Street Journal, October 23, 2000 and Lorrie
Faith Cranor, ``Agents of Choice: Tools That Facilitate Notice and
Choice about Web Site Data Practices'', available online from http://
www.research.
att.com/~lorrie/#publications.
---------------------------------------------------------------------------
Importantly, the World Wide Web Consortium (W3C), a consortium of
488 members (as of December 22, 2000), including the largest players on
the Internet, such as Microsoft, America Online and Cisco,
26 is in the process of drafting a major private privacy
protocol, the Privacy Preferences Project, P3P.27 If P3P is
successful, it will provide standardized information in machine-
readable form about each Website's privacy policy. Individuals will
then be able to configure their own browsers to deal with the Website.
Major players in the Internet world are participants in this endeavor.
Moreover, Microsoft will begin incorporating P3P standards in its
software.28 It will also be available as a downloadable
plug-in.29 This will solve one side of the ``chicken-and-
egg'' problem. Since the software will be available to consumers,
Websites will have a ready-made audience if they install the other side
of the package. Lessig 30 also discusses the possibility of
P3P leading to increased negotiation and customization of privacy
policies, as do several others.
---------------------------------------------------------------------------
\26\ For the W3C homepage, see http://www.w3.org. For the list of
members, see http://www.w3.org/Consortium/Member/List, visited December
22, 2000.
\27\ http://www.w3.org/P3P/.
\28\ ``New Tools to Help Web Surfers Protect Privacy,'' Associated
Press, June 22, 2000.
\29\ Elizabeth Weise, ``Privacy plug-in will ask: `Do you want to
go there?' '' USA Today, July 11, 2000.
\30\ Lawrence Lessig, ``The Architecture of Privacy,'' 1998,
Online, http://cyber.law.harvard.edu/works/lessig/
architecture__priv.pdf.
---------------------------------------------------------------------------
There are other technologies on the horizon that may provide other
solutions. One is the evolution of ``trusted systems.'' These are
envisioned as computer protections that limit the way in which data can
be copied. While they are being developed to protect intellectual
property, such as music, movies and books, it may be possible for these
technologies to be adapted to protect consumer information as
well.31
---------------------------------------------------------------------------
\31\ Jonathan Zittrain, ``What the Publisher Can Teach the Patient:
Intellectual Property and Privacy in an Era of Trusted Privication, 52
Stanford Law Review 1201-1250, May 2000.
---------------------------------------------------------------------------
Voluntary Standards. Voluntary standards, defined and enforced by
third parties or by consortia of Web operators, are an important
mechanism to inform consumers that a Website meets certain minimum
standards. Such standards improve the functioning of the market and are
not merely an attempt by industry to ward off government regulation.
There are already several voluntary programs in existence that
certify that a Website meets certain privacy standards:
A Website can voluntarily join TRUSTe, for example.
32 If it does, a link is put on the website and by
clicking on this link, a visitor can view the site's privacy
policy. TRUSTe audits Websites to ensure compliance with stated
privacy policies. As of December 22, 2000, 1,570 firms were
members of TRUSTe.33
---------------------------------------------------------------------------
\32\ Website: http://www.truste.org.
\33\ Found at http://www.truste.org/users/users__lookup.html
visited December 22, 2000.
---------------------------------------------------------------------------
The Better Business Bureau also has a certifying program,
BBBOnLine, that performs similar functions.34
---------------------------------------------------------------------------
\34\ http://www.bbbonline.org/
---------------------------------------------------------------------------
The Direct Marketing Association has various voluntary
standards in place, including a method consumers can use to
have their names removed from email lists, and members of the
association must meet certain requirements regarding privacy on
the Web.35
---------------------------------------------------------------------------
\35\ http://www.the-dma.org.
---------------------------------------------------------------------------
Finally, auditing firms, such as PriceWaterhouseCoopers,
perform privacy audits and put a box on a website indicating
that the site conforms with its stated privacy
policy.36
---------------------------------------------------------------------------
\36\ Bob Tedeschi ``Sellers Hire Auditors to Verify Privacy
Policies and Increase Trust,'' New York Times, September 18, 2000.
---------------------------------------------------------------------------
There is evidence that voluntary standards in the U.S. actually
work better than mandatory standards imposed by the European
Commission.37 For example, although ``opt-out'' is required
in Europe, only 20 percent of Websites actually offer this option to
consumers; in the U.S., 60 percent of sites offer this choice. About
twice as many U.S. sites (62 percent) as European sites (32 percent)
have posted privacy policies. Although all members of the EU now have
data-privacy commissioners and agencies, these agencies seem unable to
enforce privacy regulations. Thus, it appears that voluntary self-
regulation provides more privacy protection than does mandatory
government-imposed regulation.
---------------------------------------------------------------------------
\37\ Ben Vickers, ``Europe Lags Behind U.S. on Web Privacy: More
American Firms Let Customers Guard Data, Study Finds,'' The Wall Street
Journal, February 20, 2001.
---------------------------------------------------------------------------
THE BENEFITS AND COSTS OF REGULATION
The discussion above suggests that the market is responding well to
consumers privacy concerns. Firms have incentives to provide consumers
the desired levels of privacy protection and consumers have tools
available to inform themselves about, and control the use of, their
data. In addition, there seems to be little if any evidence that
consumers are suffering harm from the commercial use (or misuse) of
their personal information. While every regulatory proposal should be
subjected to a detailed benefit-cost analysis, the absence of serious
market failure or consumer harm suggests that the potential benefits of
new regulation will be very small.
The costs, on the other hand, can be significant, because
regulation is a cumbersome, inflexible tool and because we do not now
have the knowledge base to regulate intelligently in this area. As I
discuss below, regulation can have adverse effects on both innovation
and competition and slow the development of the Internet economy.
It is a cliche to say that the Internet is dynamic. But, it is
true. Any regulation at this time would freeze some aspects of the
Internet in their current state. Even if the regulators were able to
devise perfect regulations for today's environment, these regulations
would quickly become obsolete as the Internet changes. The P3P release
is P3P 1.0, indicating that, like software in general, the drafters
expect that the privacy policies embedded in the document will change
over time. Indeed, at several places in the document itself there are
indications of directions for change in future versions. Change is the
normal state of affairs for the Internet and for software and other
products that interact with the Internet.
Once an inefficient regulatory scheme is in place, however, it
becomes very difficult to change. This suggests moving with great
caution in this area. The FTC has recommended that Congress pass a law
regulating four aspects of privacy: Notice, Choice, Access and
Security.38 These may be the correct elements for a privacy
policy to address. But they also may not be, and the FTC has not done
the analysis necessary to show that they are. If it should turn out
that other policies are better, the Internet would nonetheless be
locked into the FTC's choices. The FTC's desire that all Websites
structure their privacy policy in the terms dictated by the FTC would
have the effect of freezing in place a particular policy. This policy
may not be the best policy now, and almost certainly will not be the
best policy for the future.
---------------------------------------------------------------------------
\38\ Federal Trade Commission (2000), Privacy Online: Fair
Information Practices in the Electronic Marketplace, May 2000. For
comments on the FTC's proposal, see Orson Swindle, ``Privacy in a
Digital World: Industry Must Lead, or Government Will Follow,'' The
Progress & Freedom Foundation, March 2001 (attached).
---------------------------------------------------------------------------
Effect on Choice
Regulation of this sort is of necessity the ``one size fits all''
variety. This might be justified if all consumers had similar or
identical preferences. But, it is difficult to justify what are in
essence mandatory product design regulations if preferences differ
substantially, as is the case with respect to privacy. Some consumers
view privacy protection as a good thing, but others welcome the
advertising information they receive when they give out information
about themselves. As an industry source puts it, ``What's an invasion
of privacy to one consumer is a great deal to another.'' 39
When preferences do differ in such significant ways, then some
consumers must be harmed by regulation.
---------------------------------------------------------------------------
\39\ Margaret Barnett, The Profilers: Invisible Friends, The
Industry Standard, March 13, 2000, p. 221.
---------------------------------------------------------------------------
With respect to Internet privacy, the FTC itself acknowledges that
consumers differ in their privacy preferences: ``According to one
panelist, survey research consistently indicates that roughly one-
quarter of the American public is ``intensely'' concerned about privacy
and that another quarter has little or no concern; the remaining fifty
percent view this issue pragmatically.'' 40 These
differences are documented carefully in a survey on Internet privacy by
AT&T.41 For example, those most concerned about Internet
privacy--those the AT&T report calls ``privacy fundamentalists''--can
already protect themselves using a variety of techniques discussed
above. On the other hand, some consumers are so little concerned with
privacy issues that they are willing to have all of their Web surfing
monitored. AllAdvantage.com pays consumers to monitor their browsing,
and some consumers (presumably those less concerned with privacy
issues) are apparently willing to join this program.42
Dash.com provides discounts to consumers who allow monitoring. Many
other companies provide discounts and benefits of various kinds to
consumers who are willing to share their information. Thus, consumers
have radically different preferences regarding Internet privacy, and
markets are now satisfying all types of preferences. Privacy
regulations could have the effect of making some business plans
infeasible and thereby depriving consumers of goods and services that
are now available.
---------------------------------------------------------------------------
\40\ In its 1998 Report, Part II, at 2.
\41\ Lorrie Faith Cranor, Joesph Reagle, and Mark S. Ackerman,
``Beyond Concern: Understanding Net Users' Attitudes About Online
Privacy,'' AT&T Labs-Research Technical Report TR 99.4.3, 1999http://
www.research.att.com/library/trs/TRs/99/99.4/
\42\ http://www.alladvantage.com/home.asp?refid=
---------------------------------------------------------------------------
The AT&T Report also finds that consumers have very different
privacy preferences regarding different types of information. For
example, consumers are less willing to provide Social Security and
credit card numbers than other types of information. Similarly, 78
percent would accept cookies to provide a customized service; 60
percent would accept a cookie for customized advertising; and 44
percent would accept cookies that convey information to many Web sites.
This means that any standardized privacy notice would have to be
exceedingly complex--so complex that few people would be willing to
read it. Moreover, different pages within the same site might require
different policies, so virtually each mouse click would require reading
a new notice. On the other hand, a protocol such as P3P could provide
customized settings for each type of information and each potential
use, based on consumers filling out a one-time form when configuring
their browsers. Of course, some consumers would choose not to do so and
would merely accept the defaults.
Effect on Innovation
Regulation will affect potential new uses of the Internet. Uses
that might otherwise develop will be hindered by excessive regulation.
The costs in terms of lost innovation are difficult, if not impossible,
to quantify, because we are not likely to know about potential new uses
that do not come into being because of regulation. Nonetheless, these
costs are real, and probably larger than the measurable, direct costs
of regulation.
For example, the Internet is becoming more available on handheld
units, also called Personal Digital Assistants (PDAs), and on Web-
enabled cell phones. Technologies for such uses are becoming
increasingly easy to use. Some are wireless: Websites are broadcast to
users. Additionally, it is possible to download Websites to handhelds
in the process of synchronizing the PDA with a desktop computer. There
are even new technologies that may make Web information available
through audio means. But the interaction of these new technologies with
privacy policies is problematic. One difficulty is provision of
notification policies on a PDA or mobile telephone screen; these
screens are too small and too slow to display meaningful notice
information. Having notice policies read aloud by an audio-enabled
Website would be even more impractical.
Moreover, it is commonly agreed that a major innovation in the use
of the Internet is the increasing extent to which it will be possible
to track the geographic location of individual consumers, using mobile
phones or PDAs with GPS chips.43 One advantage of the
technology (and one of its sources) is a desire by the government to
better deliver emergency services to injured persons. Chips in mobile
telephones and other devices and PDAs will have tracking abilities. The
chips will enable individuals to obtain personalized information
relevant to their location, such as driving directions or the location
of restaurants or movies. General Motors is planning to use this
technology to send information to users of its OnStar vehicle-based
navigation system.44 Privacy issues are important with these
devices. Palm is developing an opt-in program for location chips.
DoubleClick will not begin delivering ads until privacy issues are
worked out. TRUSTe is developing standards for privacy policies. Of
course, the difficulties with presenting privacy policies on small
screens applies to these uses as well.
---------------------------------------------------------------------------
\43\ Discussed, for example, in Anick Jesdanun, ``Wireless Tracking
Device Coming Soon,'' AP, October 29, 2000 and Pui-Wing Tam, ``. . . K
now Where We Are,'' Wall Street Journal, November 13, 2000.
\44\ Rachel Konrad, General Motors to `push' ads to drivers,'' CNET
News.com, January 8, 2001.
---------------------------------------------------------------------------
There are at least two lessons from the story of this technology.
First, industry is already responding to privacy concerns in developing
this technology, because it is responding to consumer preferences.
Second, if a government-mandated privacy policy were in place, it could
retard or even entirely stop the development of these technologies. For
example, if there were a law mandating notice and standards for notice,
the requirements could be inconsistent with the size of screen
available, and certainly with audible websites. If this were so, then
consumers could lose the benefits of a valuable technology. This
potential loss, should it occur, would not even be recognized; people
do not miss technologies that do not exist.
Effect on Competition
Regulation of privacy has competitive implications as well. More
stringent regulatory requirements would have the effect of reducing
advertising, which typically benefits new entrants and small firms
relative to large, established firms.45 This would be
particularly true for Internet advertising, where established firms
have lists of their own customers and visitors to their Websites, but
new firms must purchase such lists. The existence of a market for
customer lists and other such information makes it easier for entrants
to begin competing. If regulation should reduce the scope of this
market or increase the cost of information, then competition from new
entrants would be reduced.
---------------------------------------------------------------------------
\45\ John E. Calfee, Fear of Persuasion: A New Perspective on
Advertising and Regulation, American Enterprise Institute, Washington,
1997.
---------------------------------------------------------------------------
New privacy standards would also make entry more difficult by
increasing the fixed costs of doing business. Every online marketer
would be required to hire an attorney at least to write a ``notice''
about privacy policies; full-time CPOs earn between $120,000 and
$175,000 per year.46 Allowing access and enforcing security
would also be costly. All of these costs are ``fixed'' costs, and so
are higher per unit of output for small than for large firms. Thus, any
such regulations would serve at least in part as a barrier to entry
against small firms, and as a source of protection for large
established firms. These policies would lead to increased prices and
reduced service and, thus, harm consumers.
---------------------------------------------------------------------------
\46\ Kemba J. Dunham, ``The Jungle: Focus on Recruitment, Pay and
Getting Ahead: A New Playing Field,'' The Wall Street Journal March 20,
2001.
---------------------------------------------------------------------------
In the Internet economy, small startup companies with new ideas and
new business models have been a particularly important source of
innovation. Regulations mandating privacy policies or other regulations
are particularly likely to be harmful in this environment.47
---------------------------------------------------------------------------
\47\ Discussed in Peter P. Swire and Robert E. Litan (1998), None
of Your Business: World Data Flows, Electronic Commerce, and the
European Privacy Directive, Washington: Brookings Institution Press, at
78-79.
---------------------------------------------------------------------------
CONCLUSION
To summarize, regulation of the market for personal information
should proceed cautiously, based on a careful evaluation of the
benefits and costs of any specific regulatory proposal. Based on the
evidence thus far available, the case for new regulation is weak. The
market seems to be rapidly evolving to meet consumers' privacy
concerns. Innovative new ways to address these concerns are rapidly
becoming available.
Regulation of the market for personal information would entail
costs in terms of fewer consumer choices. It would also have an adverse
effect on innovation and competition. These costs are likely to
outweigh the potential benefits, which appear to be small, because
there is little evidence that consumers are now being harmed by misuse
of marketing and advertising information.
Mr. Stearns. Ms. Singleton?
STATEMENT OF SOLVEIG SINGLETON
Ms. Singleton. Thank you, Mr. Chairman, for this
opportunity to offer a historical perspective on the law of
privacy. I will try to do this in 5 minutes, which should be
interesting.
My remarks mainly pertain to broad privacy laws that are
not targeted at sectors where there are special contractual and
sort of professional issues like medicine or to specific real
harms like identity theft. My remarks are, rather, relevant to
sort of broad privacy legislation affecting businesses across
the board.
Let me begin my summing up what we can learn from privacy
in the Nineteenth Century. There's essentially two aspects to
Nineteenth Century privacy cases. There's some limited case law
involving the private sector, and there's also, of course,
Constitutional cases involving the Fourth Amendment.
Let me start with the private sector. There was a sort of
nascent common law of privacy in the private sector at that
time. For example, privacy was often recognized as an element
in disputes over physical property rights such as easements and
nuisances and that sort of thing. There was a lot of building
going on in America during that time, and so, frequently,
privacy questions would come up when two buildings were built
very close together.
Now, the bit here that is relevant to today's debate about
privacy is that when you see these privacy cases that
essentially identify privacy with physical property rights,
there is no First Amendment problem. And that is because the
property often helps us find boundaries of free speech, too.
For example, you have a right to read books, obviously, but you
can't go and steal books out of your neighbor's house or any
other kind of information. So in that respect, privacy and
First Amendment are quite consistent with one another.
Now, I am going to change tracks a little bit and talk
about some of the privacy cases in the Constitution from the
Nineteenth Century. Sometimes, in the debate about privacy and
business today, one hears the assertion that privacy rights in
the Constitution show that government has a strong interest in
regulating privacy in the commercial sector. But actually,
Constitutional privacy cases are rarely very relevant to the
debate about privacy in business.
In the Nineteenth Century, and this continues today, courts
do not apply the Fourth Amendment to the private sector, and
essentially, the Fourth Amendment should not be a basis for
asserting privacy rights against either journalists or
commercial businesses where there is no State action, and the
private sector enjoys Constitutional rights of free speech.
Obviously, the police don't have a kind of Constitutional right
to free speech to come into your home and search your things
without a warrant. So again, on that traditional understanding
of the Fourth Amendment, there is no conflict with free speech.
Now, I will jump ahead to privacy in the early Twentieth
Century, which is where you first begin to see a tension
between privacy and the First Amendment. Beginning in the early
Twentieth Century, courts began to accept a concept of privacy
that was detached from physical property rights a little bit
akin to defamation or intellectual property but more expansive.
Now, over the years, many of those privacy torts were
applied against journalists, and so, for the first time, we see
serious free speech and privacy issues. And over the years,
some of the privacy torts have been construed very narrowly by
the courts. Some of them are referred to today as dying torts,
although some of them still seem to be going strong.
Now, the concept of privacy based on the mere fact that
information was spread asserted a new kind of property right in
information, and Gene has already talked a little bit about
this. This assertion is too broad, though, to make sense.
Unlike copyright, the new right to own information about
yourself or to control it amounts to a claim of ownership of
facts and opinions and ideas about one's own actions, and
unlike defamation, which lets you sue when someone disseminates
false information, a right to own or control information about
yourself gives you a veto power over truthful information.
Now, to jump ahead to today's debate, what has not been
widely recognized and which makes this history of privacy and
journalism relevant to the debate today is it hasn't been
widely recognized the extent to which businesses, like
journalists, rely on the freedom of information to produce
goods and services. Also, consumers rely on information
produced by businesses to learn about products. Economic
studies have shown that advertising and marketing alert
consumers to flaws in existing products; to the existence of
new competitors and choices in the marketplace and help bring
down prices.
But many proposed privacy laws would be even much more
extreme than the privacy rule attack that was initially made
upon journalism. The journalists were attacked only for
disseminating information to a broad public, whereas, in the
case of the laws proposed today for commercial business,
rather, the target is just the mere having the information or
just the act of possessing it, although it may be disseminated
only to legitimate businesses for their special purposes.
So in the historical context, then----
Mr. Stearns. Ms. Singleton, can we have you wrap up?
Ms. Singleton. Yes, I will.
Mr. Stearns. And then, we are going to take a break and
just go vote.
Ms. Singleton. I will just summarize my main points. The
Fourth Amendment should not be a basis for asserting privacy
rights against commercial businesses, because no State action
in the private sector enjoys Constitutional rights of free
speech. And the second is the idea that people own or have a
right to control the information about themselves is a radical
departure from the free flow of information that has made the
U.S. the world's leading economy. Thank you.
[The prepared statement of Solveig Singleton follows:]
Prepared Statement of Solveig Singleton, Senior Policy Analyst,
Competitive Enterprise Institute
Mr. Chairman, my name is Solveig Singleton and I am a lawyer and
senior analyst at the Competitive Enterprise Institute. Thank you for
this chance to comment on the history of privacy law and commercial
enterprises. Based on my research,1 I offer the following
observations:
\1\ Most of this research is documented in Solveig Singleton,
``Privacy Versus the First Amendment: A Skeptical Approach,'' XI
Fordham Intellectual Property, Media & Entertainment L. J. 97 (Autumn
2000).
---------------------------------------------------------------------------
The Fourth Amendment should not be a basis for asserting
privacy rights against journalists or commercial businesses,
for there is no ``state action'' and the private sector enjoys
constitutional rights of free speech.
The idea that people own or have a right to control
information about themselves has no historical justification;
it is a radical and extreme departure from the free flow of
information that has made the U.S. the world's leading economy.
Today, we take shocking uses of ``private'' information by
journalists in stride; less sensibly, we fret about electronic
databases and learning tools--although these represent a
natural and beneficial evolution away from reliance on gossip
and guesses about people's preferences.
U.S. Privacy Law in the Nineteenth Century. In the nineteenth
century, as today, the law of privacy consists of two different sets of
rules. First, there is the Fourth Amendment of the U.S. Constitution,
which protects our rights against brutal searches from the government.
Obviously, in the nineteenth century and today, it was not applied to
the private sector.2 The private sector has no power to
seize and search one's property without consent under color of law.
This remains true today. Note that there was and is no conflict between
the Fourth Amendment and the First Amendment's rights of free speech.
One might say that the Fourth Amendment is an example of a modified
free speech right; 3 just as the Supreme Court recognized
that Jehovah's Witnesses cannot be compelled to pledge allegiance to
the flag, we cannot compel people to show the content of their papers
and homes without a showing of probable cause. This makes the Fourth
Amendment a very inappropriate basis for asserting expansive privacy
rights against journalists or businesses today, who are not the
government and who do enjoy free speech rights.
---------------------------------------------------------------------------
\2\ Ibid at 99.
\3\ Ibid. at 104.
---------------------------------------------------------------------------
Second, there was a common law of privacy in the private sector.
For example, privacy was recognized as an element in disputes over
physical property boundaries and easements or nuisances, for example,
when two buildings were built close together.4 Because these
private sector cases identify privacy with physical property rights,
there is no conflict between the First Amendment and privacy; property
rights mark the boundaries of free speech rights, too.5
One's right to read books does not give one a right to steal books--or
letters--from a neighbor's house or out of his pocket.
---------------------------------------------------------------------------
\4\ Ibid at 107-114.
\5\ John O. McGinnis, ``The Once and Future Property-Based Vision
of the First Amendment, 63 The U. of Chicago L. Rev. 49 (1996).
---------------------------------------------------------------------------
Privacy in the Early Twentieth Century. The concept of a right to
privacy detached from physical property rights was not unknown during
the early part of nineteenth century,6 but it was not
recognized in the courts until the early part of the twentieth century.
A famous law review article by Brandeis & Warren calling for creation
of a privacy tort for use against the press was cited in some of these
cases.7 Over the years, many of the four privacy torts that
sprang up were often directed against journalists. It became obvious in
these cases when no violation of physical property or a contract has
occurred, privacy is in conflict with free speech rights. Over the
years, privacy torts have been constrained narrowly by the courts; some
are referred to as ``dying torts.'' 8
---------------------------------------------------------------------------
\6\ For example, a sort of privacy right closely akin to
intellectual property was protected by cases involving the reprinting
of letters. Blackstone speaks of defamation by pictures, a tort closely
akin to the modern privacy of placing someone in a ``false light.''
Singleton at 110.
\7\ Ibid. at 105-106.
\8\ Ibid. at 111, 114.
---------------------------------------------------------------------------
The concept of privacy suit based on the mere fact that information
was spread asserted a sort of new property right in information. This
expanded right has not prospered in the legal system, for it is a
troubling one. Taken literally, it would obliterate the practice of
journalism and much ordinary conversation. Unlike intellectual
property, the new right amounts to a claim of ownership of facts and
ideas. Unlike defamation, which lets you sue when someone disseminates
false information, a right to own or control information about oneself
gives you a veto power over truthful information.9 And,
unlike intellectual property law, an expanded view of privacy is not
sanctioned by the Constitution.
---------------------------------------------------------------------------
\9\ Ibid. at 114.
---------------------------------------------------------------------------
Within U.S. legal history, there is little support for the concept
that people own information about themselves and much support for the
idea that facts and ideas and opinions are and should remain free to be
communicated. This observation holds even as the focus of privacy has
shifted from journalism to business. Journalist too is a commercial
enterprise. And what has not been well-recognized by policymakers is
the extent to which businesses, like journalists, rely on the freedom
of information to produce goods and services, and the extent to which
consumers rely on information produced by commercial enterprises to
learn about those products. Economic studies have produced substantial
evidence that advertising and marketing alerts consumers to flaws in
existing products, to the existence of new competitors and choices in
the market, and helps bring down prices.10
---------------------------------------------------------------------------
\10\ See generally John E. Calfee, Fear of Persuasion: Advertising
and Regulation (Agora Association, 1997).
---------------------------------------------------------------------------
Broad privacy principles are represented as a moderate step towards
giving consumer's ``choice.'' In fact, these broad principles are a
radical and extreme departure from the American tradition of the free
flow of information. Writing broad privacy principles into a law for
the commercial sector would amount to a sudden massive expansion of
copyright or defamation law, a step that Congress would not dream of.
Even supposedly moderate ``opt-out'' measures are far more radical
than they seem. The evolution of formal information networks such as
consumer credit reporting has important benefits for the public as a
whole. Even the poor or those who are not well known in a given
community may buy on credit, a relatively recent and beneficial
development. The existence of credit reports gives consumers an
incentive to make payments on time, which means that businesses can
lower the losses they suffer from default. Note, however, that had a
statute imposing an opt-out rule been in place in the late nineteenth
century when all this began, credit reporting could never have evolved!
All of the bad debtors would have opted out! Similarly, on the Internet
today, Amazon.com and other e-commerce distributors rely on commercial
services to confirm that the addresses and names of their customers are
valid, to weed out fraud. But this would be impossible if the database
were full of holes and gaps left by opt-outs, well-meaning or sinister.
The Evolution of Databases from The Late Nineteenth Century to Today.
Within the U.S. legal tradition that commercial enterprises are
generally free to learn about and communicate with their customers, the
way in which they have done so has evolved over time. Economists have
documented how formal networks for checking credit and assessing the
reliability of goods have grown out of informal networks. Dun &
Bradstreet, which reports on the creditworthiness of businesses,
originated with Lewis Tappan, who managed credit accounts in his
brother's silk business and who exchanged letters with 180
correspondents throughout the country about the creditworthiness of
businesses in their communities.11 Forty years ago
community-based nonprofit organizations handled consumer credit
reporting, now handled by three nationwide for-profit
firms.12
---------------------------------------------------------------------------
\11\ Daniel B. Klein, ``Knowledge, Reputation, and Trust by
Voluntary Means,'' in Reputation: Studies in the Voluntary Elicitation
of Good Conduct, ed. Daniel B. Klein (Ann Arbor: University of Michigan
Press, 1997): 7.
\12\ Ibid.
---------------------------------------------------------------------------
The formalization of the collection of information about consumers
portends nothing sinister. Databases are a natural entrepreneurial
adaptation to a more urban world, freed of small-town gossip.
This holds true of Internet web sites, who are at a tremendous
disadvantage compared to real-space businesses. For decades, the
ordinary shopkeeper with a little store on the streeet can stand at the
counter and watch people come it. He can see if they are regulars or
strangers, if they are locals or tourists, German or Spanish, young or
old, male or female. Do they look longingly at the stuffed monkeys, but
comment that the price is just a little too high? Are they missing the
display in the back? The operator of a web site has none of this
information. It is as if he is deaf, dumb, and blind. And thus he has
little chance of improving his service to customers, unless he hits
upon their needs by sheer dumb luck. Thus, cookies were born. They are
more properly viewed as the eyes and ears of the Internet than as some
kind of sinister surveillance device.
Many of the same arguments that were deployed against the
journalist are today deployed against business uses of information. But
they have no more merit than in their original context. For example, it
is alleged that the transmission of information in itself and
represents a threat to human autonomy and dignity. But writing a story
about Madonna is not the same thing as seizing and torturing her.
Receiving an unwanted advertisement in the mail is not akin to stealing
someone's identity. The fact that we tolerate the rights of journalists
to promulgate stories that once would have been considered shocking and
indecent is a good sign that human beings are as always tough,
adaptable creatures. We are not going to wither away because Safeway
knows we bought lettuce. Some may be a little wary of the Internet--but
if that has any basis in reality it is the fear of real crimes like
identify theft, which are already illegal and for which have little to
do with legitimate businesses use of information.
The fact of the matter is, human beings, whether they are
consumers, voters, or businesses, rarely make better decisions with
less information. Laws that view the spread of information itself as
the enemy will not target any real problems, and will do considerable
harm.
Mr. Stearns. Thank you, and the committee will take a 15-
minute break and resume.
[Brief recess.]
Mr. Stearns. If I can have the attendees sit down, the
committee will come to order.
We will continue with our panel, and we will start with Mr.
Rotenberg, if you would be so kind as to give us your opening
statement.
STATEMENT OF MARC ROTENBERG
Mr. Rotenberg. Thank you very much, Mr. Chairman. I
appreciate the opportunity to be here today. I am director of
the Electronic Privacy Information Center. I have also been on
the faculty at Georgetown Law Center, where I have taught
privacy law for more than 10 years, and I have edited two books
on privacy that are in use in U.S. law schools today which I
would be happy to make available to the committee and the staff
if that would be useful.
What I do in my testimony is to outline what I think are
the broad themes of the development of privacy law in the
United States. And this really is based on my work and research
and my teaching over the years to try to give you a framework
to understand what it is when we talk about privacy law. The
first point that I make in my testimony is that the concept of
the protection of privacy in law is very much an American
tradition. It is not only in our Fourth Amendment that
establishes the warrant process before the government may
conduct a search but even in the Brandeis-Warren tort, which
was described a moment ago.
When that was first announced and reviewed by legal
scholars in the early part of this century, people described it
as the American tort, something unique to the U.S. legal
system, to provide people a right of action against other for
private acts, and the fair information practices which have
also been discussed and provide the framework for many of the
modern-day privacy laws both in the United States and around
the world.
Those principles were first articulated in the United
States in the early 1970's, and they provided the underpinnings
for our Privacy Act, which safeguards the information that is
held by Federal agencies and is, in many ways, the most robust
privacy law in the United States. So it is critical to
understand in this discussion that our starting point I don't
think is really do we regulate? Don't we regulate? You know,
what is the appropriate role of government? It is with the
understanding that privacy, as a right in law, is very much a
part of the American tradition.
The second point I would like to make is that what privacy
laws typically do is to allocate rights and responsibilities.
They are not simply, as Gene Volokh has suggested, a
restriction on the right to talk about others. There are, in
privacy laws, elements sometimes that place limitations on
disclosure, and they may, in certain circumstances, I agree,
raise First Amendment issues.
But if you look at the whole structure of a privacy law,
whether it is the Fair Credit Reporting Act of 1970 or the
cable subscriber privacy provisions in the Cable Act of 1984,
you will see a number of different elements. One of the most
interesting elements in a privacy law, somewhat paradoxically,
is the requirement of transparency, of openness, to give
individuals the right, for example, to obtain a copy of their
credit report to see if the information that is being kept
about them is accurate and complete, so that when they go to
obtain a home mortgage or a car loan, that decision is being
made based on accurate information.
And so, for example, when Fred Cate is describing the
importance of access to accurate information in commercial
markets, part of that accuracy comes about because individuals,
by virtue of privacy laws, have the right to get access to
information about them that is being used for decisions that
affect their economic and employment opportunities.
The third point I would like to make, and this may surprise
you a little bit, but it is very much my view that in the
modern era of privacy law in the United States, as new
technology has evolved, it is not the case that Congress has
generally stood back and allowed the technology to go forward
and then wrestled with the privacy issue. It is rather the case
that Congress has typically established privacy safeguards at
the beginning, before new commercial services were widely
adopted. This was true, for example, in 1984, when you did the
Cable Act and included the subscriber privacy provisions. It
was true in 1986 with electronic mail. The video rental
industry, which began the late 1980's; you remember the Judge
Bork bill to protect the privacy of video rental records? You
did the Telecommunications Act in 1996; included new provisions
to protect the privacy of customer billing information.
What is remarkable about the discussion concerning privacy
on the Internet is that this is really the first instance with
a new technology that Congress has decided not to legislate at
the front end to protect consumer privacy and to rely instead
on a mixture of self-regulatory and industry-directed
initiatives. Now, I think it is an important question to
explore how successful those initiatives have been, but I would
like to suggest to you that one of the reasons that you may be
seeing such high levels of public concern today that you see,
you know, the consumer protests, literally, public protests of
new consumer products is resulting in part because we have not
yet established in law clear privacy standards to protect these
new types of commercial transactions, and I think that is a
real risk.
I make several other points in my statement, but one key
point which I would like to draw your attention to concerns the
use of technology. And it is my view that technology plays a
very important role in protecting privacy. In fact, the first
book we did was titled Technology and Privacy: the New
Landscape. And there is a chapter in there that talks about the
role of privacy-enhancing techniques.
My own organization has been a big advocate of strong
encryption; techniques to protect your identity. But I have
come to believe that it is vitally important that if you are
going to talk about technical solutions to the privacy issue
that you understand very clearly what the technology does and,
in particular, what the impact is on the collection and use of
personal information. P3P, which is an industry-backed effort,
in my view, is not a privacy technology. It does not limit the
collection of personal information. It facilitates the
collection of personal information.
And this is an important issue for you to consider as you
look at new proposals and new legislation. I think there are
other technical methods that could do a better job of
protecting online privacy.
As I said, Mr. Chairman, there are a few other points in my
statement. I suggest also that you should look closely at the
issue of whether Federal preemption is appropriate. In fact, it
has not generally been done by tradition in the privacy field.
It was not done recently with the financial regs or with the
medical regs. I understand the interstate commerce concern, but
I think you should look at some of the history here.
And finally, on the First Amendment issue, I agree with
Professor Volokh. There is a real question there. But even
Professor Volokh, in his article for the Stanford Law Review, I
think acknowledges that some of these privacy terms, viewed as
part of an implied contract, an understanding that information
provided for a purpose won't be disclosed for another purpose,
are probably acceptable. And that is really all we are arguing
on this point: in the context of a particular business
relationship, if you provide information for a particular
purpose, you would reasonably expect it would not be used for
other purposes.
So thank you very much, and I will be pleased to answer
your questions.
[The prepared statement of Marc Rotenberg follows:]
PREPARED STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER
I appreciate the opportunity to appear before the Committee today
to discuss privacy issues. My name is Marc Rotenberg. I am Executive
Director of the Electronic Privacy Information Center in Washington,
and I have taught the Law of Information Privacy at Georgetown since
1990. As both an advocate and academic, I have participated in many of
the leading privacy debates in this country. In the spirit of this
hearing, I will focus my comments on several general observations about
privacy law. I'd like to emphasize at the start that this is an
enormously interesting and important topic and I appreciate the
decision of the Committee to begin with a discussion at a high level.
1. The Protection of Privacy in Law is Central to the American Legal
Tradition
The protection of privacy in law is one of the great contributions
of the American legal system. When the framers of the Bill of Rights
set out in the Fourth Amendment a legal procedure that placed a judge
between the authority of the state and the rights of the citizen, they
established a structure that today distinguishes democratic governments
from dictatorships. It is without question a burden to the police that
they may not freely seize evidence, intercept phone calls, or detain
individuals without probable cause, but this is a burden that every
Constitutional democracy accepts as a fundamental requirement to
safeguard the rights of it citizens.
But it is not just with respect to government that our country has
established rights of privacy in law; we have done so also with respect
to actions among private individuals, the practices of business, the
use of new technology, and the collection and use of personal
information for commercial purposes. When Brandeis and Warren first set
out the right of privacy in the famous 1890 law review article it came
to be known as the ``American tort.'' The privacy tort became the basis
for privacy claims that were recognized in state courts, state
legislatures, and eventually Congress.
Our tradition of protecting privacy rights in law has carried
forward with each new technology. From the telephone, to computers,
cable television, electronic mail, video tape rentals. Our privacy
laws, like all laws, are imperfect. But they reflect at their core a
belief that we have the ability, through our government and our legal
institutions, to control the technologies that we create, to ensure the
we can obtain the benefits of new technology and preserve important
political values.
So, when privacy and consumer advocates testify in support of
restrictions on government surveillance, safeguards for financial
records, and protections for consumers in electronic commerce, it is
with full regard and understanding of the American legal tradition. The
burden of justifying the self-regulatory approach falls squarely on its
supporters. The first lesson of US law is that the presumption favors
legal safeguards.
I make this point at the outset because there is a tendency in the
policy debates about privacy to ask the question whether to
``regulate'' or what is the ``appropriate role'' of government. The
better starting point is with the recognition that in the United States
we have long understood that privacy is a right protected in law.
2. Privacy Law Allocates Rights and Responsibilities and Ensure
Fairness and Transparency in the Collection and Use of Personal
Information
Next we should consider what we mean when we discuss privacy laws.
Some believe that privacy laws are simply a restriction on the right to
speak freely. There is an aspect of privacy protection that may, in
some circumstances, limit the disclosure of certain types of personal
information obtained in the context of certain relations. But to view
privacy law as only a restriction on publication is to misunderstand
the structure, history and purpose of privacy laws in the United
States.
Typically, privacy laws set out a range of rights and
responsibilities for the collection and use of personal information.
The Fair Credit Reporting Act, for example, does not simply limit the
disclosure of information contained in a credit report, it also places
on the credit reporting agency an obligation to ensure that the
information is correct and timely, and it provides the subject of the
credit report the opportunity to inspect the record and correct it if
necessary. These responsibilities help ensure that information
collected is used for its intended purposes and that determinations,
such as whether a person qualifies for a car loan or can obtain a home
mortgage, are based on accurate information.
The rights and responsibilities that provide the basis of privacy
laws have come to be known as ``Fair Information Practices.'' Although
the specific elements that make up Fair Information Practices may vary
somewhat, what is significant is the high degree of commonality of
these principles, across subject matter, technologies, and
jurisdictions. In many respects this is not surprising. The goal is
simply to fairly allocate the responsibilities to safeguard personal
information.
Not only have Fair Information Practices played a significant role
in framing privacy laws in the United States, these basic principles
have also contributed to the development of privacy laws around the
world and even to the development of important international guidelines
for privacy protection. The most well known of these international
guidelines are the Organization for Economic Co-operation and
Development's Recommendations Concerning and Guidelines Governing the
Protection of Privacy and Transborder Flows of Personal Data (``OECD
Guidelines''). Fair Information Practices also provided the basis for
the recently concluded Safe Harbor arrangement between the United
States and Europe.
3. Privacy Laws Respond to New Technologies
It is critical to understand that the recent history of privacy law
in the United States is largely a story of efforts by Congress to pass
laws to safeguard privacy as new technologies emerge. There is for
example, the Federal Wiretap Act of 1968, the Act that limits the
monitoring of private communications. There is also the Privacy Act of
1974 that established a legal framework for the records collected by
the federal government and addressed the specific concern of Big
Brother monitoring by means of automated databases. There are the
privacy subscriber provisions of the Cable Act of 1984 (cable
television), the Video Privacy Protection Act (video rental records),
the Electronic Communications Privacy Act of 1998 (electronic mail),
the Polygraph Protection Act of 1988 (lie detectors), and the Telephone
Consumer Protection Act of 1991 (auto-dialers and junk faxes), the
Children's' Online Privacy Protection of 1999 (Children's' data
obtained by companies operating on the Internet). In addition, many
laws at the state level are designed to further limit the monitoring of
private activities in the United States.
Privacy laws have come about in response to challenges posed by
new technologies. But the aim is rarely to limit the technology or to
stifle a new business; it is instead to ensure that the data collection
is fair, transparent, and subject to law. This approach builds consumer
confidence, establishes a stable business environment, and allows for
the benefits of new technology while safeguarding key interests.
4. Privacy Protection by Self-regulation is a Recent Development
Until about 1996, if one were asked to describe the US approach to
privacy protection for personal information, you would likely have said
there is ``omnibus'' protection with respect to records held by the
federal government and ``sectoral'' protection concerning the private
sector. The point is that the Privacy Act of 1974 covered all federal
agencies, while regulation in the private sector had been done on a
more piecemeal basis. The contrast with the European approach was also
understood: Europe had adopted an ``omnibus'' approach for private
sector records, based in part on the need to harmonize national law as
part of the establishment of the European Union. In the United States
there was little discussion of privacy protection through ``self-
regulation.'' There were a few efforts by trade groups to establish
privacy practices, most notably the Mail Preference Service of the
Direct Marking Associations, but these efforts typically came about as
means to hold off legislation.
Beginning in 1996 an effort began to develop a more comprehensive
self-regulatory approach to privacy protection. Companies posted
policies, privacy seals were announced, new organizations were
established to review privacy practices, and the FTC said it would take
action against firms that failed to follow their privacy policies. This
was done for several reasons, including growing public concern about
the loss of privacy, fear that legislation restricting certain business
practices might be adopted, and recognition that the European Union
might limit the transfer of personal information about European
consumer to American firms unless steps were take to establish stronger
privacy safeguards.
It may be too soon to say whether this new ``self-regulatory''
approach will over time effectively protect the privacy of American
consumers. The FTC last year concluded that while progress had been
made, legislation was nonetheless required. But there are several
recent developments that deserve further consideration by the Committee
if there is going to be a meaningful evaluation of self-regulation.
Here are five issues that I believe call into question the effectives
of self-regulation:
The redefinition of privacy. There has been a sharp departure
from the bundle of rights associated with Fair Information
Practices to a narrow characterization of privacy as simply
``notice and choice'' that is at odds with the tradition of
privacy law in the US. Privacy notices appear to operate more
like disclaimers or warning labels than any actual assurance of
protection.
The development of intrusive new marking practices. Profiling,
tracking, and monitoring of American consumers have become far
more widespread as a result of the self-regulatory approach to
privacy. It is not clear yet what the impact will be on
educational or employment opportunities, but there is always
that risk, in the absence of legislation, that once permanent
dossiers on Americans are created they will be used for
purposed completed unrelated to the original collection.
The ability of the FTC to operate as an effective privacy
agency. The FTC appears to lack the statutory authority, the
resources, and the reporting requirements that are required to
operate effectively on privacy issues. There are too many
complaints, too little adjudication, and too little oversight.
The ability to respond to new technologies. In the next few
years we are going to see the development of new technologies
that both hold great promise for innovation and technical
achievement as well as significant risk to personal privacy.
The use of genetic information, for example, poses new
challenge that may be addressed more effectively through
privacy legislation than the ``notice and choice'' approach.
Growing public concern about the loss of privacy. At least one
measure of success for a policy approach must be public
support. There is little evidence to indicate that the public
favors the self-regulatory approach to privacy protection.
While I remain very skeptical about self-regulation to protect
privacy, I want to emphasize that establishing a right of privacy in
law does not necessarily extensive regulation. There are many privacy
of only a few pages that extraordinarily effective. The Subscriber
privacy provision in the Cable Act of 1984, for example, is one of the
most effective privacy laws in the US. It provides a very good model
going forward for emerging privacy issues in the commercial world.
5. Genuine Privacy Enhancing Technologies (PETs) Limit or Eliminate the
Collection of Personally Identifiable Information
My fifth point is that technology does have a role to play in
privacy protection, but it is critical to think carefully about the
collection and use of personal information in evaluating various
technical methods. To say simply ``there must be technological
solutions to technological problems'' really does not tell us anything.
Some technologies clearly exacerbate the loss of privacy, others may
help restore privacy.
Over the last several years I have become particularly interested
in the development of Privacy Enhancing Technologies (PETs). I have
presented papers at international conferences and worked closely with
several of the leading technical innovators in the world. I believe
that there are methods that enable commerce and communication and that
respect privacy. In my view, the goal is to promote genuine Privacy
Enhancing Technologies that limit or eliminate the collection of
personally identifiable information. Anonymity, for example, is
critical to the future of privacy.
Of all the various approaches to online privacy, P3P may be the
most problematic. It is the one privacy standard that provides no
inherent privacy protection. It can as easily be used to extract data
from consumers as it could be used to limit the collection of data. And
I think this is fairly well understood by the industry groups that
favor P3P. They do not believe that this standard will pose any
significant obstacles to their plans for collecting and using persona
information.
A better approach would seek to both enable commerce and to limit
the collection of personal information. We have many examples of this
in the physical world, from the metro card to movie tickets to the cash
in our wallets. Privacy technologies should not hinder commerce but
they should also not force consumers to trade privacy to participate in
commerce.
6. Free Expression and Privacy Protection are Complimentary Values
On the question of the privacy and freedom of expression, this is
clearly not a zero-sum relationship. This can be shown by the fact that
there are many countries today with little regard for personal privacy
or freedom of expression. The success of the US legal system is to
preserve both interests, to safeguard free expression and to protect
individual privacy.
There are also a series of cases that make clear that privacy and
the First Amendment are complimentary interests. In MacIntyre v. Ohio,
for example, the Supreme Court struck down an ordinance that required
the publisher of a handbill to place her actual name on the pamphlet.
In so doing, the Court recognized that the freedom to express ones
views includes also the right to withheld ones identity. There are many
other examples in American law where we safeguard privacy to promote
free expression and freedom of association. It's worth noting, for
example, that the freedom to vote as one wishes in a democratic society
is safeguarded by the privacy of the voting booth.
There are tough cases where the First Amendment and privacy
interests collide. The Supreme Court, for example, must determine this
term whether the press may publish the contents of a private telephone
call obtained by means of an unlawful wiretap. EPIC, my own
organization, dedicated to both the protection of privacy and the
promotion of free speech, struggled with the question on which side we
would file an amicus. In the end, we decided it was too difficult a
case. But recognizing that there are, in some instances, difficult case
does not mean as a general matter that it is not possible to protect
privacy and to promote free expression.
7. Federal Privacy Legislation Typically Does Not Preempt State Law
The issue of federal preemption is arising increasingly in
discussions about privacy protection. It is important to understand
that as a general matter, federal privacy law operates as a baseline
and does not preempt stronger state statutes. This is clear from laws
such the Video Privacy Protection Act of 1988 and the subscriber
privacy provision in the Cable Act of 1984. This approach was
reaffirmed recently in the privacy provisions of the Financial
Modernization Act of 2000 and the HIPAA regulations.
There are important reasons in our form of government to continue
to allow the states to operate as ``laboratories of democracy.''
Congress may fail to act or it may act in such a way that reduces or
limits the protections that a state might otherwise choose to provide
for its citizens. States may also innovate and explore different
approaches to common problems. California, for example, has recently
passed legislation to address emerging privacy concerns and Maryland is
now looking at new legislation that would provide important new
protections.
8. Public Support for Privacy Protection is a Significant Consideration
in the Legislative Process
In understanding the protection of privacy in America it is
critical to keep in mind the central role that the Congress and the
state legislatures have played in safeguarding privacy. In some
instances, it has been the courts that have established rights of
privacy, but more often it has been the legislature that has set out by
means of statute the rights and responsibilities associated with the
use of personal information in the commercial realm.
My belief is that there is today widespread public support to
establish Fair Information Practices for the collection and use of
personal information in the commercial sector. There is a strong
American tradition to protect privacy in law, many legislative
precedents and broad based public support. The question is whether
Congress will accept the challenge and act to safeguard this right,
described by Justice Brandeis ``as the most comprehensive of all rights
and the one most cherished by a free people.''
I appreciate the opportunity to appear before the Committee today
and will be pleased to answer your questions.
Mr. Stearns. Professor Feldblum?
STATEMENT OF CHAI R. FELDBLUM
Ms. Feldblum. Thank you, Mr. Chairman, and members of the
subcommittee.
My name is Chai Feldblum. I am a law professor at
Georgetown University Law Center and director of the Federal
Legislation Clinic, where we have worked on the issue of
medical privacy for a number of years for various
organizations. But I am testifying here today in my personal
capacity as a law professor--although I am used to answering
questions and being grilled by students. I don't know; I guess
the new generation of students is quite different--to talk
about my experiences in employment discrimination and medical
privacy. And instead of talking about the minute details of
those areas, of which there are many, instead of getting bogged
down in that to sort of step back and talk about conceptually
why it makes sense for government to regulate in these areas.
Now, my written testimony gives you a description of the
privacy requirements of the ADA, and I am not going to repeat
those here. Basically, employers cannot ask questions of
employees about their medical conditions at certain stages of
the application process. They can collect a whole range of
medical information before actually hiring somebody. That
medical information has to be kept confidential, and employees
with medical conditions are forced to disclose those conditions
to their employers if they want reasonable accommodations.
So what I want to focus on is why is government regulation
of privacy in this way appropriate? I think that when
government regulates conduct that it is otherwise permitted to
regulate, such as employment discrimination, it can also
regulate speech that would lead directly to such
discrimination. So, for example, government can say you can't
refuse to hire someone because she is pregnant. You also can't
refuse to ask someone if she is going to become pregnant.
Similarly, you can't ask applicants about their medical
conditions if that means they won't get a fair chance to be
considered for a job, but you can certainly find out about
their medical information if that means they are not going to
be qualified. None of us want to have 911 operators unable to
hear. I mean, that is not the point.
Now, in the area of medical privacy, the context that we
are dealing with is that patients believe that they have a
confidential relationship with their medical professional, and
yet, that expectation is compromised every day by the
interconnected research, medical, treatment, payment, quality
system that we live in. The California Health Care Foundation
has done a fascinating presentation of where our medical
information actually goes, and I would absolutely recommend
that presentation to everybody.
Now, of course, a certain amount of individually
identifiable health care information has to flow through our
medical system. As someone who has represented disability
organizations, I can tell you that people with disabilities
have a very pragmatic view of this issue. Bottom line: they
want a health care system that is effective and efficient. But
precisely because the interaction in the medical system starts
with a contractual relationship between the patient and the
provider, the individual must feel assured of certain ground
rules that their information will, in fact, be used
appropriately.
Now, let me end by saying that Congress, in 1996, did tell
the Department of Health and Human Services to implement nine
standards, and these were standards about transaction codes and
identifiers and data security, et cetera. I think it made sense
for Congress to interact in this way with the private parties
because the only way to have consistent, uniform standards in
the health care system is if, in fact, government intervenes
and says everyone has to abide by these standards. That is what
eight of those standards were about.
But at the same time, government has to make sure that
privacy protections are built in as well. That is the ninth
standard.
Well, I very much appreciate that you are looking at this
issue, and I look forward to answering any of your questions.
Mr. Stearns. You roughly have 2 minutes left.
Ms. Feldblum. Oh, I do. My thing over here says stop.
Mr. Stearns. I just checked.
Ms. Feldblum. Well, then, I am going to give you my last
two paragraphs.
Mr. Stearns. There you go.
Ms. Feldblum. And I know that if you had gone home without
them, it just would not have been the same.
I know that there is controversy about the regulations that
have been put out, but for purposes of this big picture
hearing, I want to stress the need to analyze privacy within
the specific context of which the perceived need to regulate
arises, and if there is anything that you get from this hearing
and to me anything about doing--thank you; I know you agree, a
big picture hearing as opposed to a hearing on a particular
bill, it is to focus on the context in which that privacy
concern arises.
In the health care arena, that context is a longstanding
belief between patient and doctor that medical information
should be kept confidential juxtaposed with the reality of a
complex health care treatment, payment, research, quality and
marketing system that uses a significant amount of individually
identifiable information without patients' explicit consent
although with some patients' dimly sensed fear.
The role of government, I believe, is to bring clarity and
confidence to this area. Thus, the goal of any system of
privacy regulation should be to enhance the treatment, payment,
research and quality aspects of our health care system through
creating a workable privacy system that gives patients trust
and ensure that health care entities can engage in the
marketing necessary to their financial health consistent with
consumer consent.
Now, I can assure you as someone who has worked in this
area for 6 years that there is a lot of debate and a lot of
detail within that sentence. What is a workable system? But I
think there is a common principle that there is a role for
government to ensure that there are uniform, consistent
standards and confidence and trust in the system. That is what
you should do in the medical privacy area, and consistent with
the context of these other areas, that is what you should do in
other areas as well.
Thank you.
[The prepared statement of Chai R. Feldblum follows:]
PREPARED STATEMENT OF CHAI R. FELDBLUM, PROFESSOR OF LAW, GEORGETOWN
UNIVERSITY LAW CENTER
Mr. Chairman and Members of the House Subcommittee on Commerce,
Trade, and Consumer Protection:
Thank you for inviting me to testify today regarding ``Privacy in
the Commercial World.'' My name is Chai Feldblum. I am a Professor of
Law at Georgetown University Law Center, and Director of the Law
Center's Federal Legislation Clinic. I created the Clinic in 1993 with
the goal of training law students to be ``legislative lawyers'': that
is, lawyers who are equally at ease with law and with politics. My goal
is to train lawyers who are steeped in law and who like reading legal
text, and at the same time, who are sophisticated about politics, know
how to speak and write in ``English'' rather than in ``law,'' and who
like the particular world of political negotiation. The goal is to
produce lawyers who will actually be helpful to you and your staff as
you create legislation to address the needs of our country.1
---------------------------------------------------------------------------
\1\ For an explication of ``legislative lawyering,'' see ``Five
Circles of an Effective Coalition'' and ``What is Legislative
Lawyering?'' available at http://www.law.georgetown.edu/clinics/flc.
---------------------------------------------------------------------------
I also wear the traditional hat of an academic professor. My
academic legal writings have been primarily in the area of civil
rights, with a focus on disability law and sexual orientation and the
law.
I appear before you today as an amalgam of those roles. In my life
before teaching, I was the principal lawyer representing the disability
community in the drafting and negotiating of the Americans with
Disabilities Act--including those provisions impacting on privacy and
confidentiality. As Director of the Federal Legislation Clinic, I have
represented the National Association of People with AIDS (NAPWA), in
its capacity as co-chair of the Privacy Working Group of the Consortium
of Citizens with Disabilities.2 For six years, we have
worked on behalf of the disability community toward passage of
comprehensive federal medical privacy legislation. More recently, the
Clinic has represented the Family Violence Prevention Fund, which is
also concerned with enhancing medical privacy in this
country.3
---------------------------------------------------------------------------
\2\ The Consortium for Citizens with Disabilities (CCD) is a
Washington-based coalition of approximately 100 national disability,
consumer, advocacy, provider and professional organizations that
advocate on behalf of 54 million children and adults with disabilities
and their families. As advocates for persons with disabilities, CCD
supports strong privacy protections that give health consumers
confidence that their information will be used appropriately and that
permit the continued viability of medical research and delivery of
quality health care.
\3\ The Family Violence Prevention Fund is a leading national
organization that advocates on behalf of the millions of women and
children who are the victims of domestic violence each year. The Fund
runs several major programs that deal specifically with health care and
domestic violence. As advocates for people affected by domestic
violence, the Fund supports privacy protections that will give victims
confidence that their personal information will be used appropriately.
---------------------------------------------------------------------------
Today, however, I wish to draw on those experiences to share with
you some general observations about protecting the privacy of our
nation's citizens.4 I am less familiar with the academic and
advocacy debate regarding proposals to regulate consumer information
databanks developed by businesses (the subject of some of the writing
of my co-panelists), and more familiar with the debate regarding
privacy as it relates to employment discrimination and medical
information. What I hope to do, therefore, is share with you some
observations on the latter forms of privacy, and perhaps extrapolate
from that some observations on privacy in general.5
---------------------------------------------------------------------------
\4\ Thus, I appear before you today in my personal capacity.
\5\ My observations with regard to employment discrimination and
medical privacy should not be taken to mean that I do not believe there
are also serious policy considerations for applying privacy regulation
to consumer databases of non-medical information. Indeed, while I
consider the work of my colleague, Eugene Volokh, see below, to be of
superb quality, I believe Congress must be cautious in chilling in its
own action in anticipation of some speculative long-term constitutional
concern. While I have touted the advantages of Congress drafting a
narrowly circumscribed bill to address a real, documented public policy
evil to be remedied, so as to avoid creating an inviting target for the
Supreme Court to further narrow Congressional power, see testimony of
Chai R. Feldblum before the Senate Judiciary Committee on the Religious
Liberty Protection Act, September 9, 1999, I have never believed that
Congress should fail to act when there is a clearly defined public
policy problem and the recommended legislative response is not clearly
unconstitutional. Of course, as Congress acts, it is useful to have the
background analysis of scholars such as my co-panelists who may
entertain some doubts about such actions.
---------------------------------------------------------------------------
A useful place to start is a sentence from my co-panelist Eugene
Volokh's May 2000 article on freedom of speech and information privacy:
`` `[P]rivacy' is a word with many meanings, and with such words both
judges and laypeople often shift from one meaning to the other even in
cases where the meanings have little in common.'' 6 I
completely agree with that observation. While I do not necessarily
agree with my co-panelist's subsequent conclusion that harmful
analogies are more likely be drawn if the privacy of consumer
information databases are regulated, 7 I believe he has
helped enhance the practical debate about privacy by illuminating its
various meanings and components.8 What I would like to do is
focus on two areas where the concerns are somewhat different, I
believe, than those that arise in the context of consumer information
databases. The best way for Members of Congress to carry out the hard
work of figuring out what legislation to pass (and how to craft such
legislation) depends, I believe, on developing a sensitive
understanding of the context in which various privacy concerns arise.
---------------------------------------------------------------------------
\6\ Eugene Volokh, Freedom of Speech and Information Privacy: The
Troubling Implications of a Right to Stop People from Speaking About
You, 52 Stan. L. Rev. 1049, 1102 (2000) (hereinafter Freedom of
Speech).
\7\ Volokh argues that ``once restrictions on people's speech are
accepted in the name of `privacy,' people will likely use them to argue
for other restrictions on `privacy' grounds, even when the matter
involves a very different sort of `privacy.' '' Id. at 1102. By
contrast, my colleague at Georgetown University Law Center, Julie
Cohen, has written some interesting pieces presenting a different point
of view. See Julie E. Cohen, Examined Lives: Informational Privacy and
the Subject as Object, 52 Stan. L. Rev. 1373 (2000); Julie E. Cohen,
Privacy, Ideology, and Technology: A Response to Jeffrey Rosen, 89 Geo.
L. J. xx (2001)(forthcoming). See also Janlori Goldman, Privacy &
Individual Empowerment in the Interactive Age, Visions of Privacy:
Policy Choices for the Digital Age (C. Bennett & R. Grant eds. 1999).
\8\ The work of my other co-panelists has also been of significant
use in this regard. See, e.g., Solveig Singleton, Privacy Versus the
First Amendment: A Skeptical Approach, 11 Fordham Intell. Prop. Media &
Ent. L. J. 97 (2000) (hereinafter Privacy); Fred H. Cate, The Changing
Face of Privacy Protection in the European Union and the United States,
33 Ind. L. Rev. 173 (1999); Wayne Madsen, David L. Sobel, Marc
Rotenberg, David Banisar of The Electronic Privacy Information Center,
Cryptography and Liberty: An International Survey Of Encryption Policy,
16 J. Marshall J. Computer & Info. L. 475 (1998).
---------------------------------------------------------------------------
The two areas on which I would like to focus are employment
discrimination and medical privacy. Again, I do not plan to focus on
the minute details of these areas (and there are a number of very
minute details in each of these areas, I assure you), but rather, on
the broad conceptual reasons for the enactment of legislation in these
areas. Indeed, in both employment discrimination and medical privacy,
Congress has already acted to some extent--and there are lessons to be
drawn from those enactments.
During passage of the Americans with Disabilities Act (ADA),
Congress chose to draw on Section 504 of the Rehabilitation Act of
1973, a law that prohibits programs that receive federal funds from
discriminating on the basis of disability. That law, and the
regulations issued pursuant to the law, provided Congress with a 17-
year track record of substantive non-discrimination principles on the
basis of disability. Section 504 was not focused on privacy, and yet
the law included some important privacy components that were carried
over to the ADA.
Congress recognized that people with hidden disabilities (such as
breast cancer or HIV infection or diabetes) often do not get the chance
to be fairly considered for a job because the employer finds out--
through questioning at an interview or through a medical examination or
questionnaire--that the applicant has a particular medical condition.
In such cases, the employer may choose not to hire the person because
of unsubstantiated fears regarding the person's possible absentee rate
or the response of co-workers, or because of possibly substantiated
fears of higher health care costs that might be associated with that
individual. In either case, in such circumstances the individual is
judged not on the merits of his or her ability to do the job, but
rather on ramifications that (justly or unjustly) flow from the
individual's medical condition.
In some cases, of course, an individual's medical condition will
impact directly on the person's ability to perform the job. For
example, we all want our airline pilots to be able to see, our truck
drivers to be able to drive, and out ``911 operators'' to be able to
hear.
The ADA thus creates privacy rules that ensure applicants are
provided a fair chance to be considered for a job, but also ensures
that employers are permitted to hire only qualified employees. Under
this framework, employers may not ask job applicants to disclose their
medical conditions during the initial stages of an application process.
Rather, after a conditional job offer is extended, employers may ask
applicants to respond to questions about their medical conditions (or
to take a physical examination)--and based on that information,
employers may refuse to hire employees who are not qualified for the
relevant jobs.9
---------------------------------------------------------------------------
\9\ 42 U.S.C. Sec. 12112(a)-(c). The ADA had originally
incorporated a stricter rule which permitted employers to request from
applicants only that medical information which was directly related to
the job. After negotiations with the business community and the Bush
Administration, however, that provision was modified to allow employers
to request any medical information. Chai Feldblum, Medical Examinations
and Inquiries Under the Americans with Disabilities Act: A View from
the Inside, 64 Temple Law Review 521, 535-537 (1991) (hereinafter
Medical Examinations). The key protection for people with disabilities,
however, is that the medical information must demonstrate they are not
qualified for the job. Whether a person is qualified for a job will
depend on whether there are reasonable accommodations that will enable
the person to perform the job functions. 42 U.S.C. Sec. 12112(b)(5)(a);
see generally, Chai Feldblum, Antidiscrimination Requirements of the
ADA, Implementing the Americans with Disabilities Act: Rights and
Responsibilities of All Americans (L. Gostin & H. Beyer eds. 1992).
---------------------------------------------------------------------------
Once employers have collected medical information about applicants
through such questioning or examinations, that information must be kept
confidential.10 In addition, if an employer seeks medical
information from an employee on the job, 11 that information
similarly must be kept confidential. What that means is the following.
If medical information indicates that an applicant is not qualified to
perform a job, or that an employee is no longer qualified to perform
the job, the medical information may be used to refuse to hire or to
fire that applicant or employee. This includes, obviously, disclosing
the medical information to the relevant person with employment
authority. However, if the medical information does not indicate that
an applicant or employee is unqualified for a job, then that
information cannot be circulated within the employment
setting.12
---------------------------------------------------------------------------
\10\ 42 U.S.C. Sec. 12112(c)(3)(B).
\11\ After an employee is on-the-job, medical inquiries may only be
made if they are job-related. 42 U.S.C. Sec. 12112(c)(4)(A); Feldblum,
Medical Examinations, at 538-540.
\12\ The only individuals who may gain access to these records are:
supervisors who may be informed regarding necessary restrictions or
reasonable accommodations; first aid and safety personnel, when
appropriate, and government officials investigating compliance. 42
U.S.C. Sec. 12112(c)(3)(B). According to regulations issued by the
Equal Employment Opportunity Commission, employers may also provide
such information to worker's compensation offices upon the filing of a
claim by an employee. See EEOC Interpretive Guidance to 29 C.F.R.
Sec. 1630.14(b).
---------------------------------------------------------------------------
There is a flip side to the confidentiality requirements of the
ADA. Many people with medical conditions wish to keep their conditions
private, and do not wish either their employer or their co-workers to
know of their conditions. Often, this does not pose a problem. However,
in certain circumstances, an employee is required by law to divulge his
or her condition, even if such disclosure is personally difficult for
the individual. These circumstances arise when an employee seeks a
modification of an employment practice or procedure (a ``reasonable
accommodation'') because of his or her medical condition. Thus, for
example, if an employee has a health condition that requires her to
receive a two-hour treatment once a week, and she seeks time off to
receive that treatment--she must disclose the existence and nature of
her health condition in order to receive the benefit of the reasonable
accommodation requirement under the ADA.13
---------------------------------------------------------------------------
\13\ EEOC Interpretive Guidance to 29 C.F.R. Sec. 1630.9.
---------------------------------------------------------------------------
What can we extrapolate from these employment requirements? As I
noted, it is important to view privacy issues in the context in which
they arise. When government regulates conduct that it is otherwise
permitted to regulate (for example, prohibiting discrimination in
employment contracts based on race, sex, or disability), I believe it
is also permitted to regulate speech that would directly contribute to
such discrimination. Thus, the government may not only prohibit an
employer from discriminating on the basis of pregnancy, but may also
prohibit an employer from asking a prospective job applicant if she is
planning to become pregnant.14 Similarly, employers may be
restricted in the questions they ask of applicants regarding their
medical conditions during the application process.15 These
restrictions should be narrowly tailored, however, to the harm sought
to be prevented by the government. For example, such tailoring is
evident in the structure of the ADA, which permits employers to seek
medical information prior to actually hiring an individual.
---------------------------------------------------------------------------
\14\ See EEOC Sex Discrimination Guidelines, 29 C.F.R. Sec. 1604.7
(1983); King v. TWA, 738 F.2d 255 (8th Cir. 1984).
\15\ I do not believe there is much disagreement that speech which
effectively constitutes an act of discrimination is within government's
legitimate power. For example, government may not only prohibit
employment discrimination based on race, but may also prohibit an
employer from running an ad that seeks ``whites only'' for a job. The
more complicated question is whether, consistent with the First
Amendment, government may also prohibit employers from engaging in
speech that might lead directly to such discrimination. As noted, I
believe government may legitimately do so. In some cases, however, the
context in which this speech arises may well be determinative. For
example, in U.D. Registry, Inc. v. California, 40 Cal.Rptr. 2d 228 (Ct.
App. 1995), a state court held that the government could not prohibit
only credit reporting agencies from disclosing information regarding
certain housing actions, which were otherwise a matter of public
record. While I have some questions regarding the outcome of this case,
the fact that the relevant information already existed in the public
domain was critical to the court's decision.
---------------------------------------------------------------------------
The context of the employment relationship also justifies the fact
that government compels certain speech on the part of some employees
with disabilities. As a general matter, of course, government may not
compel speech on the part of its citizens.16 But if an
individual enters a contractual relationship with an employer, in which
certain facets of that relationship are regulated by the government,
then that individual can be expected to conform to expectations in the
relationship that have been established through the government
regulation. Thus, for example, although an individual must forgo some
privacy rights if she wishes to take advantage of the reasonable
accommodation requirement of the ADA, that trade seems both appropriate
and within the government's power.
---------------------------------------------------------------------------
\16\ See Wooley v. Maynard, 430 U.S. 705 (1977); West Virginia
State Board of Education v. Barnette, 319 U.S. 624 (1943).
---------------------------------------------------------------------------
A contractual relationship also exists in the area of medical
privacy more generally. That relationship has led some commentators,
who are otherwise leery of governmental regulation of privacy, to view
medical privacy in a different light. Let me take two of my co-
panelists as an example. Eugene Volokh has observed that ``one sort of
limited information privacy law--contract law applied to promises not
to reveal information--is eminently defensible under free speech
doctrine.'' 17 Volokh notes that this protection should also
cover implied contracts and explains the relevance of this for the
medical context:
---------------------------------------------------------------------------
\17\ Volokh, Freedom of Speech, at 1057.
---------------------------------------------------------------------------
This explains much of why it's proper for the government to
impose confidentiality requirements on lawyers, doctors,
psychotherapists, and others: When these professionals say
``I'll be your advisor,'' they are implicitly promising that
they'll be confidential advisors, as least so long as they do
not explicitly disclaim any such implicit promise.18
---------------------------------------------------------------------------
\18\ Id. at 1058.
---------------------------------------------------------------------------
A similar observation is made by Singleton in her critique of
analyzing privacy primarily as a ``right to `control' information about
oneself.'' 19 As Singleton observes:
---------------------------------------------------------------------------
\19\ Singleton, Privacy, at 122.
---------------------------------------------------------------------------
This idea is familiar in medical and legal ethics and perhaps
in other special professional relationships. In these
relationships the expectations makes sense. The legal and
medical professions understand that clients and patients will
not confide in them without the right of confidentiality. Even
if this right did not exist by statute, it is implicit in the
agreements under which a doctor treats his patients or the
lawyer counsels his clients. This understanding is informed by
decades or even centuries of custom.20
---------------------------------------------------------------------------
\20\ Id. at 122-123.
---------------------------------------------------------------------------
The reality, of course, is that the confidential relationship
patients believe they have with their medical professionals is
compromised every day by the reality of the interconnected medical,
research, payment, and marketing system that we live in. The California
HealthCare Foundation has developed a fascinating presentation that
graphically displays the flow of our medical information in our
existing interconnected systems.21 Thus, for example, during
and following one visit to a hospital, a patient's individually-
identifiable health information may be sent to a lab, a pharmacy, a
pharmacy wholesaler, a drug company, a marketer, an imaging center, a
primary care group administrator, a third party administrator, an
insurance company, a research institution, a public health department,
a medical information bureau, a life insurer, a state insurance board,
an oversight or accreditation board, and an employer.
---------------------------------------------------------------------------
\21\ I watched this presentation at a conference sponsored by the
California HealthCare Foundation in December 2000. It is one I would
whole-heartedly recommend to Members of Congress and their staff. A
useful summary graphic of ``sample data flow'' was developed by the
Georgetown University Health Privacy project, based on the presentation
of the California HealthCare Foundation, and is attached to this
testimony.
---------------------------------------------------------------------------
Of course, a certain amount of individually-identifiable health
information must flow freely in our health care system in order for the
system to work efficiently, effectively, and at a high level of
quality. As someone who has represented disability organizations over
the years, I can assure you that people with disabilities have a very
pragmatic view of this issue. People with medical conditions tend to
interact a significant amount with the medical system. Hence, they want
an effective, efficient, and high quality health care system, together
with the best that increased research and disease management can offer.
But disability rights advocates do not experience their desire for
medical privacy to be in conflict with their desire for an effective
health care system, and thus they do not view these interests as
needing to be ``balanced'' against each other. Rather, precisely
because the interaction with the medical system is, at first onset, a
contractual relationship--the interaction works best if patients feels
assured of certain ground-rules: that their individual medical
information will not be disclosed to entities that may use that
information to harm them; that their information will be used, within
the health care system, in an ``appropriate manner;'' 22
that they will be provided information about what those ``appropriate''
uses will be, and that they will have the opportunity to review their
own medical records. Thus, establishing an effective system of privacy
regulation can enhance the operation of the health care system by
increasing individuals= trust and confidence in the initial medical
contractual relationship.23
---------------------------------------------------------------------------
\22\ I put ``appropriate'' in quotation marks because the debate
over health care privacy regulation sometimes concerns the scope of the
activities over which patients should be able to control transfer of
their individually identifiable information. There are many activities
that patients may not realize, at first blush, are ``appropriate'' uses
of their medical information, and yet, such activities may be quite
essential for the workings of the health care system. For this reason,
the debate often focuses on what providers and plans may legitimately
demand--as a pre-condition for treating a patient or paying for such
treatment--as they enter the contractual relationship with the patient.
\23\ A national survey released in January 1999 found that one in
six Americans engages in some form of ``privacy protective behavior''
because he or she is afraid of confidentiality breaches regarding
sensitive medical information. These activities include withholding
information from health care providers, providing inaccurate
information, doctor-hopping to avoid a consolidated medical record,
paying out of pocket for care that is covered by insurance, and
avoiding care altogether. California Healthcare Foundation, National
Survey: Confidentiality of Medical Records (January 1999). The survey
was conducted by Princeton Survey Research Associates. Results are
available at http://www.chcf.org/conference/survey.crfm.
---------------------------------------------------------------------------
As in the area of employment discrimination, Congress has already
acted to some extent in the area of medical privacy--although there is
work that still needs to be done. In 1996, Congress directed the
Department of Health and Human Services (HHS) to develop nine
administrative simplification standards for use in the health care
system. These standards were to address: ``transaction codes and
medical data code sets; consistent identifiers for patients, providers,
health plans, and employers; claims attachments that support a request
for payment; data security; enforcement'' and ``information privacy.''
24 As the General Accounting Office described this
Congressional mandate: ``Taken together, the nine standards are
intended to streamline the flow of information integral to the
operation of the health care system while protecting confidential
health information from inappropriate access, disclosure, and use.''
25
---------------------------------------------------------------------------
\24\ Ms. Leslie G. Aronovitz, Director, Health Care-Program
Administration and Integrity Issues, U.S. General Accounting Office,
Testimony before the Senate Committee on Health, Education, Labor, and
Pensions, February 8, 2001, at 2. The mandate on HHS to implement an
information privacy standard was triggered only if Congress failed to
enact comprehensive medical privacy legislation by August 21, 1999. Of
the nine standards required to be issued, HHS has issued a regulation
governing electronic transactions (on August 17, 2000) and a regulation
governing information privacy (on December 28, 2000).
\25\ Id.
---------------------------------------------------------------------------
Congress' action to date in this area reflects, I believe, an
appropriate interaction between government and private contractual
parties in the health care system. Given the interconnectedness of our
health care system, and the increasing use of computer technology, all
parties benefit if there are consistent and uniform standards that will
be used by all parties to health care transactions. To create such
uniformity and consistency--and hence, administrative simplification--
government must intervene through the establishment of standards to
which all parties must conform. However, as government facilitates the
uniform entry of our medical information into this administratively
simplified system, it must simultaneously ensure that privacy
standards, policies, and protections are built into the system as well.
Congress took that initial step in 1996, and the Department of
Health and Human Services fulfilled its obligation in 2000. While I, as
others, are disconcerted that the process will be reviewed yet again,
26 I have no doubt that, as Secretary of HHS Tommy G.
Thompson has stated, after reviewing public comments, he intends to
``put strong and effective health privacy protections into effect as
quickly as possible.'' 27 I believe the Secretary, as well
as the heath care industry, clearly recognize that effective privacy
protection facilitates and enhances the doctor-patient relationship.
---------------------------------------------------------------------------
\26\ See Robert Pear, ``Health Secretary Delays Medical Records
Protections,'' NY Times, February 27, 2001, at A14 (reporting that HHS
Secretary Tommy G. Thomson announced he would seek additional public
comment on the privacy regulation issued by HHS in December 2000).
\27\ Id.
---------------------------------------------------------------------------
The reality, of course, is that Congress has not yet acted to
ensure that medical privacy protection will exist--as a reality--in all
contexts in which problems of disclosure may arise. For example, the
mandate Congress handed to HHS covered only a select group of entities
in the health care system (health care providers, health plans, and
health care clearinghouses), and did not cover a range of other
entities (such as employers, educational institutions, and financial
institutions) that also obtain medical information. While the
regulation issued by HHS makes some effort to address subsequent
disclosures by such entities, I believe most observers consider there
is room for improvement in this area.
The actions that Congress has previously taken in the area of
medical privacy, together with the work that remains to be
accomplished, provides us with some general observations on the role of
government in this arena. As I stated at the outset, ``privacy'' must
be viewed within a specific context. In the health care arena, that
context is a long-standing belief between patient and doctor that
medical information should be kept ``confidential,'' juxtaposed with
the reality of a complex health care treatment, payment, research,
quality and marketing system that uses a significant amount of
individually identifiable health care information without patients'
explicit knowledge (albeit presumed by some patients with some dimly
sensed fear). The role of government, I believe, is to bring clarity
and confidence to this area. The goal of any system of privacy
regulation must be to enhance the treatment, payment, research, and
quality aspects of our health care system through creating a workable
privacy system that provides patients with trust in their health care
system, and at the same time, ensures that health care entities can
engage in the marketing necessary to their financial health in a manner
consistent with consumer consent.
Obviously, this is not necessarily an easy project. For example,
while I doubt many observers of the current health care privacy debate
would quibble with the first part of my previous sentence, I expect
there would still be debate regarding what is a ``workable system'' of
privacy regulation, what requirements ``enhance'' research or simply
make life more ``convenient'' for researchers, and whether one uniform
federal standard, with no state variations, is an essential component
of such a system. Moreover, I am sure there would be disagreement
regarding the extent of marketing that should be permitted without
consumer consent. Nevertheless, I believe there is a shared conceptual
principle that it is legitimate for government to intervene in this
area so as to enhance patient trust in the health care system. The fact
that this may be a hard job for government to do has never been a
reason not to tackle it.
Let me conclude with some comments on an area that represents one
of those ``hard jobs'' that need to be tackled--and that brings
together some of my observations on employment discrimination and
medical privacy. We are blessed to be living in a century where amazing
medical and scientific advances are made every year.28 The
success of the Human Genome Project is one example of such an
astonishing scientific breakthrough. But the researchers in that
project, and in comparable private sector projects, correctly warn us
that ``genetic testing'' and ``genetic markers'' must be treated with
caution. The existence of a ``genetic marker'' does not necessarily
mean an individual will develop a particular disease.29
Moreover, employers and insurance companies may begin to view genetic
information as useful information to compile, and then act upon such
information for purposes that the general public, and Congress, may
well find objectionable.30 The principles that I articulated
above should, I believe, lead Congress to clearly prohibit unjustified
discrimination based on genetic markers for health conditions (as well
as for the health conditions themselves), and to ensure that any
medical privacy regulation clearly encompasses protection for genetic
information.
---------------------------------------------------------------------------
\28\ Of course, the existence of such breakthroughs only makes the
reality of ``medical mysteries'' that much more heartbreaking. See,
e.g., Jerome Groopman, Second Opinion: Stories of Intuition and Choice
in the Changing World of Medicine (2000); Jeff Wheelwright, The
Irritable Heart: The Medical Mystery of the Gulf War (2001); Hillary
Johnsen, Osler's Web: Inside the Labyrinth of the Chronic Fatigue
Syndrome Epidemic (1996). Nevertheless, medical advances continue to
help a large number of individuals.
\29\ For background information on the Human Genome Project and
genetic research generally, see the website of the National Human
Genome Research Institute at the National Institutes of Health,
available at http://www.nhgri.nih.gov.
\30\ Certain evidence seems to indicate that such activities are
already taking place. See, e.g., U.S. Equal Employment Opportunity
Commission, ``EEOC Petitions Court to Ban Genetic Testing of Railroad
Workers in First EEOC Case Challenging Genetic Testing Under Americans
with Disabilities Act,'' available at http://www.eeoc.gov/press/2-9-01-
c.html.
---------------------------------------------------------------------------
Thank you for your attention. I look forward to responding to your
questions.
Mr. Stearns. Thank you.
Let me start with my questions. Professor Volokh, this is
perhaps a more legal question, but I think our committee should
tackle this and get the nuances here. What legal considerations
would creating a property right in personal information
trigger?
Mr. Volokh. Sure; this is one of the arguments that is
sometimes made in support of information privacy speech
restrictions, that they just create a property right in
personal information. The Supreme Court has said that certain
kinds of speech restrictions--specifically, copyright law is
the best example--are justifiable on an intellectual property
rationale. But in that case, Harper and Row v. Nation
Enterprises, where the Court upheld copyright law, it said many
times that the reason that copyright law is Constitutional is
precisely because it distinguishes facts, which nobody can own
under copyright law, from expression of those facts.
So if you are a historian, and you uncover some facts about
a person or about something else, you have no property right in
those facts. You do have a property right in the book that you
used to express those facts, so nobody can copy literally or
even paraphrase the book, but they can borrow the facts from
your book. That is the fundamental rule of intellectual
property law, but it is also a fundamental rule, as I read
Harper and Row, of First Amendment law: that to the extent the
intellectual property rules do survive First Amendment
scrutiny, it is precisely because they do not create a monopoly
in facts.
And also, if you think about what are the implications of
saying that somebody has a property right in personal
information? If somebody really does have a property right in
personal information, that is like a property right to stop
other people--not just in the business context but also, say,
in the press context--from writing about this person, from
communicating that information.
Mr. Stearns. So I am on a computer. I go to a site----
Mr. Volokh. Yes.
Mr. Stearns. [continuing] they send a cookie, and they
start to track me, and they provide--they have a pretty good
idea all about me in terms of from a marketing standpoint. At
what point do I have a right to ask that they tell me what they
are doing with it and to say I want to opt out?
Mr. Volokh. Okay; I think that there are two distinctions
here. One is between data gathering of certain kinds.
Mr. Stearns. Okay; which is----
Mr. Volokh. So, for example, if they pop a virus in your
computer----
Mr. Stearns. Right.
Mr. Volokh. [continuing] well, that would clearly be
something that can be regulated.
Mr. Stearns. Okay.
Mr. Volokh. But the other distinction is between disclosure
requirements----
Mr. Stearns. Okay.
Mr. Volokh. [continuing] and actual restrictions on
communication. I think it would be quite Constitutional for
Congress to say that before somebody----
Mr. Stearns. Starts tracking you.
Mr. Volokh. [continuing] gathers information, they have to
explain what they are doing.
Mr. Stearns. So Constitutionally, I would have a right for
them to put up a dialog box saying that I have the right to opt
out?
Mr. Volokh. It would be Constitutional for Congress to
create this as a statutory right.
Mr. Stearns. Okay; so, it would be Constitutional.
Mr. Volokh. But I should mention the opt-out thing. I mean,
it seems to me the site has to have the right to say look: if
you want to use our site, you have to understand that we are
going to reveal this information. So I think the opt out is the
customer's right not to use that site.
Mr. Stearns. Let me follow up. Can you take us through the
Constitutional tests that a court would apply regarding a law
restricting commercial speech? What would qualify as compelling
in your mind?
Mr. Volokh. Sure; if we are talking about commercial
speech, which is a legal bit of shorthand that really means
commercial advertising, then, there is this four-part so-called
Central Hudson test which demands only a substantial government
interest to justify restriction on commercial advertising. Most
of this data gathering and communication does not involve
commercial advertising or commercial speech under the Court's
precedents.
Just like the Wall Street Journal reports speech about
commerce; reports speech about commercial entities, that is not
commercial speech. The Wall Street Journal is fully protected
as to its data that it contains even though not as to the
advertisements.
Likewise with this information that is gathered about
people. If there is an advertisement that is sent to people,
that is commercial speech. That can be restricted under this
more lenient test. But if all we are talking about is
communication of information about people, that is not
commercial speech, and that requires the highest level of
Constitutional scrutiny.
Mr. Stearns. So I am on the Website, and after 3 or 4
months, I am starting to get all of this advertising. It is
coming into my Website, and, you know, I don't know where it is
coming from.
Mr. Volokh. Yes.
Mr. Stearns. It is not only the mundane stuff, but it is
starting to get more nuanced into all kinds of things----
Mr. Volokh. Yes.
Mr. Stearns. [continuing] I don't want to have on my
Website, and I don't understand how it got there. So is that
commercial speech Constitutionally acceptable, and can I object
to that?
Mr. Volokh. Yes; if it is advertisement that is being sent
to you, not just communication about you to other people but
advertisements, commercial advertisements being sent to you,
that is commercial speech. Congress has somewhat more
flexibility in restricting that. So, for example, Congress
could certainly require that commercial ads have some
disclosure requirement, for example, explaining where it is
coming from, maybe even where they got the data from you and
such.
Mr. Stearns. Because I see all of this come on, and I don't
know where it is coming from. And, you know, it is okay and
doesn't bother me, but after awhile, it does start to bother
me.
Mr. Volokh. Yes; and one thing that Congress could do--and
again, it is an interesting question as to whether, as a policy
matter, it is a good idea for it to do, but it could give you
the right to say stop sending me this stuff.
Mr. Stearns. Right, like spamming.
Mr. Volokh. There is a Supreme Court case--exactly; there
is a Supreme Court case 30 years ago called Rowen v. Post
Office Department that had to do with paper spam.
Mr. Stearns. Okay; one question, and then, I am done.
Professor Cate, and perhaps this is a question for each of
you to answer just yes or no to, if I can, pin you down here as
law professors.
As a member of the FTC's Online Access and Security
Advisory Committee, you closely studied the issue of access and
security as it relates to online Websites. What problems did
the committee see with the access and security as it relates to
consumer data? Does that make sense?
Mr. Cate. Yes, it makes perfect sense. I would like to be
able to answer yes or no to that. But there were obviously
numerous problems. That is one reason the committee never
reached a consensus or a resolution on that issue; beginning
with the problem of, first of all, how do you authenticate who
you are providing access to? If somebody comes to you and says
I want access to my information, how do you know who they are?
A second problem of do you have to bring together more
information in order to provide them access? So, for example,
if you collect information in three different ways or three
different sides, you never bring it together for any purpose
whatsoever, marketing or others. Would access requirements
require that the business profile you in order to respond to
your request for access; you know, a third being the related
security issues: how do you protect the security of that
transaction?
A fourth concern, particularly in the online environment,
being, as this committee well knows, computers, you know, tend
to collect a lot of information, much of which is never used
for any purpose. For example, you know, there are backup tapes
that record virtually all of the access to any Website. I am
sure that is true for the Congress as well. That is not used
for any purpose at all. Yet, that is certainly personally
identifiable information about you. Would an access request
require that the institution, the business, go back and mount
all of those tapes and run them in order to find data which is
not used for any purpose whatsoever?
And, you know, I guess finally the fifth issue raised in
that committee's discussion is what information would you have
access to? You know, only personally identifiable information?
How about calculated information? If I know that you purchase
beer, statistically, that means you are likelier to purchase
diapers. Don't ask me why. That just happens to be true.
So, if I have calculated that you are likely to have
children--does that mean I have to disclose that to you?
If it is a credit score, do I have to tell you how I
arrived at that score? If it publicly available information,
you know, I matched some information about you with data from
the public record, do I have to give you access to that
information even though I am not the custodian of it and can't
correct it in any event? And what if it is information that you
can't correct in any event, for example, records of past
transactions? You want to say you did not make that purchase at
my store. You know, you can want to say that all you want.
Unfortunately, you know, if I believe you did, and I can
support that, I am not going to change it. Should access be
provided to that type of information?
Mr. Stearns. Well, my time has expired.
Ms. DeGette?
Ms. DeGette. Thank you, Mr. Chairman.
I would like to follow up on the Chairman's question a
little bit to you, Professor Volokh. I am not so concerned
about advertising that comes onto folks' Websites. What I am
concerned about is the topic of the discussion today, which is
privacy. And from what I heard you say in your opening
statement, it sounds like your view is that there is really
pretty much an unrestricted First Amendment right to privacy
which you can have either an expressed or an implied contract
by the providers to restrict that somewhat, but if there is no
contract, then, what it sounds to me you are saying is that
once someone gives over, say, their medical records or their
financial records that there is an unrestricted First Amendment
right. Is that not accurate?
Mr. Volokh. My view, being kind of an extremist by
temperament, my view is that----
Ms. DeGette. I noticed that.
Mr. Volokh. Exactly; is that in fact, once information is
revealed without any contractual obligation to somebody, that
person is free to pass it on.
Ms. DeGette. So, for example, if I give my medical records
to somebody, and then, they, without my knowledge, transfer
them to someone else, that third party, in your view, has an
unrestricted First Amendment right to disseminate those
records----
Mr. Volokh. Yes.
Ms. DeGette. [continuing] anywhere they want, and Congress
could pass no law to control that action?
Mr. Volokh. A very similar question is before the U.S.
Supreme Court right now. It has to do with whether the media
are entitled to publish information that was illegally
gathered, in that case by intercepting cellular conversations
but turned over to them. And I think the answer is, for
example, if a newspaper get somebody's record, they are
entitled to publish it.
Ms. DeGette. So your answer to my question is yes, that is
your view.
Mr. Volokh. My view is but there is also another
possibility.
Ms. DeGette. Yes or no.
Mr. Volokh. My personal view, yes.
Ms. DeGette. What do you think about that, Mr. Rotenberg?
And then, I will ask you, Professor Feldblum.
Mr. Rotenberg. I think it is generally correct, but there
are competing legal principles, and one competing legal
principle is the privacy tort, particularly with regard to the
disclosure of private facts. Now, that tort creates First
Amendment questions, because that is the issue that you have to
consider. If I know, for example, that someone is AIDS-
positive, and I publish this information, it is a true fact.
Assuming it is a true fact, all First Amendment theory says why
would we restrict the publication of true fact? There is no
defamation.
But if you go back to the concept articulated in the
Brandeis and Warren article, we might restrict the publication
of true facts because of the harm that it does to the
individual as a person, whether or not there is identifiable
economic damage, that somehow, we value the person's integrity,
their autonomy and their dignity. And so we have, in American
common law, recognized this privacy tort. We have created a
very high standard. The disclosure has to be very highly
offensive.
And just, you know, by way of counterexample, one of the
cases I teach is a case called Legg v. Wal-Mart.
Ms. DeGette. Right.
Mr. Rotenberg. It concerns a woman who went into a Wal-Mart
to have her vacation film developed. It included some pictures
of her in the shower, of her and a friend taking a shower
without any clothing on. She got back from Wal-Mart and a
notice which said I am sorry; we can't process this film. She
didn't think anything of it until she later learned that
pictures from that roll of film were circulating in the
community, because the technician who had access to that roll
of film had gone ahead, developed the pictures, and circulated
them.
And she brought an action against Wal-Mart. There was
nothing in the agreement with Wal-Mart that said that they were
prohibited from disclosing this information. The question that
was put to the Minnesota Supreme Court was does she have a
right of privacy----
Ms. DeGette. And what was the answer?
Mr. Rotenberg. And the answer was yes.
Ms. DeGette. Thank you.
Professor Feldblum?
Ms. Feldblum. Yes; I think you have touched on exactly what
I thought was the weakness when I read my colleague's article.
I believe that the government does have a right to restrict
that information of the newspaper or some other third party
because they have a compelling interest in protecting that
information, and it is narrowly tailored to that.
The contract model gets you only so far in the medical
world. It is the reason why we have to be concerned that only
gets you so far in terms of binding individuals. I believe
Congress can bind not only the physician or the hospital to
their express or implied contracts but also other entities that
get that information, even though it is a burden on their
speech. But you can burden speech when it is narrowly tailored
to a compelling government interest, and in my mind, this is
one of those.
Ms. DeGette. Thank you. Ms. Feldblum, let me follow up. I
spoke in my opening statement about these new HIPAA regulations
and have been hearing from a lot of businesses that they will
be overburdensome and costly. I would be interested, and I know
you were involved in the development of those regulations, and
I am wondering what your thoughts are on that and if you have
been thinking of ways we could streamline them to make them
more workable.
Ms. Feldblum. I think they will cost money. The bottom line
is things cost money when you actually change norms. There is a
norm right now in the medical community which is that
information flows very freely, and it flows that way because
people think that they are all doing a good thing.
You know, often, they are, but sometimes, it doesn't make
sense to have all that information flowing in that way. What
the health industry said to Congress in 1996--well, they had
been saying it for some time--is we have got so much
information going on out there, and we have people putting it
in all of these different formats, and that is a problem for
us. So we want you, government, to intervene and create
standards about what the data codes should look like and what
the identifiers----
Ms. DeGette. Well, my time has expired.
Ms. Feldblum. Yes, I see.
Ms. DeGette. So I would like to get an answer, which would
be are you involved or willing to look at ways we can modify
those regulations to make them more workable for industry?
Ms. Feldblum. I believe that the comments actually took in
those concerns already and that they have been modified. I
think it is unfortunate that the Secretary is opening it up for
comment again. I will be involved in this 30-day comment, and
if we get something better, I am all for it.
Ms. DeGette. Great; thank you.
Mr. Stearns. Thank you. I thank my colleague.
Mr. Buyer?
Mr. Buyer. Thank you.
In my mind, when it comes to issues of privacy, it is
easier for me to understand this when there is a contract or
physical property. I am going to move into a difficult arena
for me, and I am going to turn to you, Professor Volokh, only
because I remember your testimony to us before the Judiciary
Committee, and I appreciated your past witnessing.
What are some examples of an implied contract with an
inferred privacy where there would be an unjust enrichment?
Mr. Volokh. A classic example of an implied contract, I
think, would be a situation where----
Mr. Buyer. Well, Wal-Mart immediately comes to my mind.
Mr. Volokh. Exactly, exactly. I am not sure unjust
enrichment is present there, but I don't think it needs to be
present in order for the government to be able to act, either
through a standard contract claim. You could have a claim on an
implied contract without unjust enrichment; or through special
tailored legislation.
I'd be happy to talk further to the unjust enrichment
question, but I just don't think it is necessary as a doctrinal
matter.
Mr. Buyer. An example, then. If we are to do absent
physical property or a contract, in the arena of a privacy
tort, is it possible to have an inferred privacy?
Mr. Volokh. I think the term inferred usually arises in the
context of a contract; that is, a promise on somebody's part.
Mr. Buyer. Right, and I am saying absent that.
Mr. Volokh. Right; I oppose----
Mr. Buyer. If the courts are going to be narrowly
constrained?
Mr. Volokh. Yes.
Mr. Buyer. Is it possible to have an inferred privacy
absent?
Mr. Volokh. I oppose the Warren-Brandeis privacy tort. I
think that there have been quite a few cases in which it has
been applied in a way that, as people would predict, involved
judges telling newspapers what they may and may not publish. I
think that is not a good thing for a judge to do.
Mr. Buyer. People believe--they have these expectations----
Mr. Volokh. Yes.
Mr. Buyer. [continuing] of privacy.
Mr. Volokh. Yes.
Mr. Buyer. Is it possible to have an inferred privacy,
absent--I mean, in a privacy tort, can you have an inferred
privacy?
Mr. Rotenberg. If I may answer, Mr. Buyer, I think the
Internet today provides a wealth of very interesting examples
to answer the question that you are asking, and the reason for
this is that there is a great deal of surreptitious data
collection taking place by Websites, by firms that do
advertising profiling, the so-called Web bugs that are related
to HTML tags that make it possible to track and collect data
about individuals without their knowledge. Now, this is a very
interesting type of data collection, because I think you could
fairly say that there is really no contractual relationship,
and what was quite significant about the Double-Click example
is that an advertiser really exists apart from the customer. I
mean, the client of the advertiser is the company for whom the
product is being advertised.
But when this type of data collection occurs, it raises
privacy issues of the Brandeis-Warren tort variety. And, in
fact, claims that were brought in State courts against
companies like Double-Click, and I don't mean to single them
out because there were others as well, were based on the theory
that you are talking about now, that you have this type of
collection of information; a use that occurs; arguably, a form
of unjust enrichment; I have seen that alleged--without a
preexisting relationship.
Now, I think, a) this is a serious privacy issue, but b)
the better approach, rather than going back and forth with a
privacy tort state-by-state, is a general privacy law for this
activity based on fair information practices that makes more
open, more transparent when that data collection is occurring,
makes it fairer.
Mr. Buyer. May I ask, Professor Feldblum----
Ms. Feldblum. Yes?
Mr. Buyer. [continuing] do you believe it is possible
absent, in torts privacy, to have an inferred privacy cause of
action?
Ms. Feldblum. I think it is very hard to imagine an
inferred privacy without some contractual engagement at some
point. I think where you are going to find----
Mr. Buyer. I am trying to find the boundaries. That is why
I asked the question.
Ms. Feldblum. I think that where the differences will be is
how far we are willing to see that contract extend; that is,
somebody might say here is the contract and then that is it,
and I think I would be someone who might say yes, that is the
initial contract, but actually, there are other ramifications
from that contract in terms of other people they interconnect
with, and therefore, then, we get a privacy issue.
And that is when the context of the area makes a
difference. It might be a difference if it is medical privacy,
and they are interconnected there versus that I shop at Books a
Lot. I mean, and that is a policy question, then, for you guys
to decide.
Mr. Buyer. Thank you, Mr. Chairman.
Mr. Stearns. Thank you.
Mr. Doyle?
Mr. Doyle. Thank you, Mr. Chairman.
Professor Volokh, you seem to get a lot of questions. I am
not an attorney, so bear with me. I want to make sure I got
this right. My desire to keep certain factual information about
myself private violates your First Amendment right to speak
about me. Did I get that right?
Mr. Volokh. Not quite. Let me offer a friendly amendment.
The government stepping in and suppressing people's speech to
effectuate your desire, that would violate their speech rights.
If the government goes and, as Professor Feldblum suggested,
and tells a newspaper you may not publish this story, because
it conflicts with the subject's desire to keep the information
private, then, indeed, that is the government restraining the
freedom of speech and of the press.
Mr. Doyle. I have got you. So it is not inquiring minds
have a First Amendment right to know; it is inquiring minds
want to know. You are not saying that my desire to keep certain
things private about myself violates your First Amendment
rights.
Mr. Volokh. Oh, no, absolutely. If you are just doing it
through technological self-help or through contract or through
not revealing certain information, that is perfectly right. It
is when the government steps in and tries to enforce that
through coercive sanctions; that raises First Amendment
questions.
Mr. Doyle. Got you.
Professor Cate, you were not serious about that beer and
diaper thing, were you?
Mr. Cate. Yes, I was.
Mr. Doyle. That is incredible.
Mr. Rotenberg, that is all I have.
Mr. Doyle. Let me ask you a question. We have talked a
little bit about, you know, back in 1996 that companies started
this self-regulatory approach to privacy, and here we are 5
years later, and FTC has basically come on the side that maybe
the self-regulation hasn't progressed as much as it should. In
your view, do you think the private sector has made a
legitimate effort, a good faith effort to institute standards
of behavior, or do you think they could be doing a better job?
Mr. Rotenberg. Well, I think both statements are true. In
other words, I think they have made a good faith effort. I
think there has been progress. But I also think they could be
doing a better job.
What I tried to do in my testimony, because this is
obviously an area that you are going to come back to, I think,
how well does self-regulation work, is to suggest a few issues
you might want to consider.
Now, one thing that concerns me about this process of self-
regulation is what I see as a redefinition of privacy. you
know, we may sort of disagree about where the privacy rules
apply, but I do not think there would be broad disagreement
about fair information practices. That basic set of principles
that can be found in a lot of places in U.S. law has been
shortened, and today, we talk a lot about notice and choice, I
mean, as a formulation for self-regulation. I think that is a
very significant change in how we talk about privacy
protection.
Mr. Doyle. Thank you.
Professor Feldblum, you know, when we talk about commercial
matters, I am not near as troubled as when we talk about
medical matters, and again, I am trying to understand the legal
issues. I mean, there is an implied privacy between a patient
and their doctor that when you are sitting down discussing your
medical situations with your doctor, you have a right to expect
that that is not going to become public information.
Yet, I know--I live in Pittsburgh--the University of
Pittsburgh Medical Center is undertaking this effort through
this new technology project to be able to share information not
only with doctors in their system but outside the system, so
that when you go to a doctor, instead of waiting for film to be
sent over and records that, you know, they can plug right into
what standard, a system that can pull up all of that
information.
But in the medical community, isn't this always done with
some sort of waiver release? In other words, can my records
actually be accessed by someone without me signing a medical
waiver saying I give permission to send my records somewhere?
Ms. Feldblum. Oh, absolutely. I mean, that is what happens
all the time right now. You will get----
Mr. Doyle. Doesn't that seem----
Ms. Feldblum. Doesn't that seem odd? Well, you do sign
waivers for things like payment and sometimes research. But,
you see, what the medical community will say to you, and I
think there is some value to this. One of the pluses about
negotiating is hopefully, you learn and understand the other
side is that they need some of that free flow of information.
And if it was simply dependent on the consumer, the patient,
agreeing, you would have too many people opting out, and then,
that would hurt the quality of the system. That would hurt the
quality of the information.
Mr. Doyle. Give me an example of why they need the free--
like, for instance, if I want to apply for a life insurance
policy, I give a medical waiver saying, you know, check my
medical records to make sure I am not going to die tomorrow.
But I am saying give me an example of how stopping the free
flow of information between doctors that I have not given any
permission to do is a benefit----
Ms. Feldblum. Right.
Mr. Doyle. [continuing] to consumers and/or the hospital.
Ms. Feldblum. The point, the idea is that the way research
and quality and disease management work the best is by bringing
in a lot of information. I think it was Congresswoman DeGette's
point that sometimes, greater information actually helps the
consumer, and the medical industry will say you may not realize
that if you allow your medical information to be used, you will
be helped with your diabetes as well, and you might not be
smart enough now in the moment to realize you should give up
that information.
So I believe, and my work in this area has made me believe,
that we have to make sure that privacy regulation is workable
for the industry, but that does include, No. 1, making sure
that patients know where that information is going and that
they do sign. Now, that is a sort of compelled consent, because
if they don't sign, they don't get treated. But at least there
is some information being given to them and that in areas where
the industry can prove, look, we need this information; we need
it under the compelled consent, it has to be under a separate
consent where if I don't sign, you can't refuse to treat me.
And to be honest, that is what the HIPAA regulations have
essentially done.
Mr. Doyle. Thank you.
Thank you, Mr. Chairman.
Mr. Stearns. Thank you.
Mr. Shimkus?
Mr. Shimkus. Thank you. I think this is a family show, and
I don't think I want to be effectuating my desire, as was
stated. That was supposed to be funny.
I guess it didn't work. I am not a lawyer either, and I
don't even pretend to be one.
And I am going to take this question, but I really enjoyed
it. Let me state that. And I think it has caused a lot of
questions. My opening statement said how do you balance? There
are a lot of benefits to the consumers for trading of
information, but there will be benefits to the business to keep
the individual's records also.
In another subcommittee that Chairman Upton chairs, we are
addressing the Webpages, domain names, and my personal interest
is a move, if possible, to a .xxx domain name for that type of
material, trying to address how do we skip away from the First
Amendment debate on the people being able to go to those areas
and for people to reap benefits from the publication of that
smut, as a lot of us will characterize it, while protecting our
children?
And with a .xxx domain name, filtering and technology could
better support that, but you are not, in essence, infringing, I
don't think. So I want to pose that to those who want to
respond. I know Professor Volokh is ready to respond to that.
What do you think are the First Amendment consequences? And
then, it would translate into privacy because of the cookie
issue and the tracking and all the other events.
Mr. Volokh. Just by sheer accident, it turns out that this
is also an area that I have studied.
Mr. Shimkus. I knew that.
Mr. Volokh. But the Supreme Court, in Reno v. ACLU, said
that the Government has very limited power controlling
information online, even if it is sexually explicit
information. Outside of the narrow zone of obscenity and child
pornography, that speech is Constitutionally protected.
One of the things that the Supreme Court highlighted is
there is filtering technology that parents can use to shield
their children at home. I have argued that the Court may have
overstated the utility of that technology; that the filtering
technology is not perfect, and I think it is very important to
realize that it is not perfect and never will be perfect. But
it is probably the best solution, both from a Constitutional
perspective--it may be the only Constitutionally available
solution for parents, essentially, to use this technology and
perhaps for the government to facilitate its development if
necessary.
But what is more, as a technical matter, given the amount
of offshore sexually explicit material which we might like to
control, but we can't really, filtering is a necessary
requirement, because filtering is the only--the technological
option is the only mechanism for controlling all the access
that your child might have, whether domestic or foreign,
because, of course, on the Internet, nobody can tell if it is
domestic or foreign.
So I think filtering, with all its flaws, is the best
solution both technically, practically and Constitutionally.
Mr. Shimkus. Following up on the actual--the ICAN, which is
a pseudo-government entity----
Mr. Volokh. Yes.
Mr. Shimkus. [continuing] that assigns domain names----
Mr. Volokh. Yes.
Mr. Shimkus. [continuing] what about their requiring--two
issues: requiring pushing sexually explicit sites into a
specific domain name, and then, there is, again, would be
copyright issues as far as forcing them from their name of
choice that they have been using and everybody has familiarity
with to another domain?
Mr. Volokh. You know, I am not an ICAN expert, but while I
understand that there is talk, excuse me, of the .xxx suffix--
--
Mr. Shimkus. Yes, we had a hearing on that.
Mr. Volokh. Yes.
Mr. Shimkus. And it didn't go as well as I would have
liked.
Mr. Volokh. I think while ICAN can set up that system, I
think it becomes much harder for ICAN, then, to say and, by the
way, you can't have sexually explicit material on any other
things. So it is one thing for them to create a special domain
name. It is another thing for them to start policing what is
going to happen on other domain names. Even setting aside the
legal question that happens if they say oh, we are going to
revoke your .com address because we find pornography on your
site, there is a whole host of practical questions: how are
they going to figure out what is on your site? How are they
going to hold a trial on whether it is sexually explicit? What
happens if you have links from your site to some other site
with links to .xxx?
So while I think this might be a channeling mechanism by
which the job of filter providers could be made easier, because
it would be a win-win-win for everybody, I don't think it would
work as a coercive mechanism.
Mr. Shimkus. Mr. Rotenberg?
Mr. Rotenberg. Yes; well, let me just say we participated
in the Communications Decency Act litigation. We have also
looked at the filtering issue. In fact, we have a publication
called Filters and Freedom that looks at the strengths and
weaknesses. But I very much agree with Gene on this. I mean, I
think you can set out the domain and try to encourage its
voluntary use, which would be beneficial, but at the point that
you tried to, in effect, cordon off speech and say that certain
speech, by government regulation, can only occur on certain
places of the Internet, I think that would be very problematic
and probably not permissible.
Mr. Shimkus. My time is up. I yield back to you, Mr.
Chairman.
Mr. Stearns. I thank my colleague.
Mr. Terry?
Mr. Terry. Thank you, Mr. Chairman.
This has really been a----
Mr. Stearns. Mr. Terry, let me go to this side and pick up
Mr. Gordon.
Mr. Gordon. Thank you, Mr. Chairman.
This has been an interesting and a diverse panel, as it
should be.
To sum up what you have talked a long time about probably
isn't completely fair to you, but, you know, anyway, let me
just sort of, if I could, lay out what I see as sort of some
parameters here. I guess it is Dr. Volokh. Basically, it seems
to me you are saying that you don't have a right to stop or I
don't have a right to stop someone from talking about me once
it's out in the public domain, but it would seem that, as an
individual, you know, we have the right to pull our blinds at
night. We have the right to close the door.
Mr. Volokh. Absolutely.
Mr. Gordon. We have the right to, under certain
circumstances, have our divorce sealed. We have the right to,
in contracting with someone in a business deal, saying that if
you divulge this information, then the business deal is null
and void.
And, Ms. Singleton, you say that to think that to own the
right to control information about yourself is a radical
thought. It would seem to me that it would be radical to think
that you can't, but again, that is where you are, it would
seem.
And then, Dr. Feldblum is more pragmatic in that, you know,
let's take things, as you say, in context. We will figure them
out as we go along.
Now, as legislators, you know, I am trying to find out what
our field of play is. We can doing nothing, or we can do,
obviously, something. Now, getting outside of the realm of what
you think ought to be done--that is our decision--what I am
interested in knowing is how far we can go. You know, what is
our outside limit? We know that our outside limit on doing
nothing is doing nothing. Now, our outside limit on doing
something is what I would like to find out. Whether we go that
far is another matter.
So why don't we start with the three individuals I just
mentioned, and hopefully, we will have time to talk to others
in trying to succinctly tell us if we chose to go forward with
legislation, how far could we go, in your opinion,
Constitutionally?
Mr. Volokh. Sure. One is disclosure requirements. Again,
this is what you could do. There may be some practical problems
with it, but you could require that sites reveal their privacy
policy. Another thing that you could do is that you could set
up default contractual terms that are waiveable by the site,
but they would have to be waived in a very explicit way that is
evident to people. So, say, there are certain kinds of
transactions where the default assumption that people engage in
is no, you are not going to reveal--you are not going to pass
along these photographs that I send you.
And if that is so, then, if you want to have a different
rule, Website operator, you have got to make it absolutely
clear that the users know and have an option not to do business
with you.
A third thing is--and here, I agree with Professor
Rotenberg--there are certain kinds of surreptitious data
gathering. An extreme example would be them planting a virus on
your computer or having them collect data in a situation where
there is really absolutely no reason to think that there is any
data being collected. Those kinds of data gathering
restrictions, I think, would be permissible, because they are
not focusing on disclosure. They are more like saying no, you
cannot peek into my windows using a telescope.
So, requirements that a site disclose its policies; setting
up default provisions in the contract that will be enforced
unless the provisions are disclaimed; and restrictions on
certain kinds of surreptitious data gathering.
Mr. Gordon. That's for preventive measures, though.
Mr. Volokh. Pardon?
Mr. Gordon. Preventive measures up front is what you are--
--
Mr. Volokh. Yes, yes, exactly.
Mr. Gordon. And, Ms. Singleton, it is sort of Katy, bar the
door with you. Are there any limits? Is there any action that
you think that we could take legally, whether it was good
policy or not, but it was legal?
Ms. Singleton. I would say generally, from a Constitutional
standpoint, the more targeted the legislation is to a specific,
identifiable harm, such as identity fraud, the more likely it
is to pass Constitutional muster. The further you move toward
sort of omnibus rules that are applying even in situations
where there has not necessarily been any harm to consumers that
has been identified, that might be a different story, but a lot
of it depends on the details of the legislation, the costs it
imposes on industry, and a lot of those, frankly, are unknowns
at this point.
Mr. Gordon. So is there a Constitutional right not to have
costly measures placed on you?
Ms. Singleton. The question in the free speech case as it
comes up is how much of a burden is it on the dissemination of
truthful information? Are you restricting----
Mr. Gordon. So why should cost be a matter? It should be,
maybe, a policy matter, and I think it should be, but why
should it be a Constitutional matter?
Ms. Singleton. I guess because cost is part of the picture
in terms of what the impact will be on speech. Will there be,
essentially, chunks of speech that for cost reasons no longer
are permitted to exist or move around, even though there is no
particular harm being done by those bits of speech?
Mr. Gordon. Okay.
Ms. Singleton. I hope that answers it.
Ms. Feldblum. I would say to the three areas that Eugene
noted would be Constitutionally allowable, I would add three
others. One that I think you can put prohibitions on further
redisclosure, even with someone whom you are not in that direct
contractual relationship with, and that is part of what we have
talked about.
Two, I think in some situations, I don't think we should
allow that default contractual rule to be waived. And the
medical profession, I think, is a classic example, because of
the need and power, sort of, situation, and I am not sure what
I would think in terms of other commercial settings, but I
would not do it as an absolute rule that that can be waived,
that default contractual obligation for confidentiality.
And three, besides the mandated disclosure, I think in
certain areas, an informed consent is, in fact,
Constitutionally appropriate as well. Again, I think that fits
well in the medical arena. Whether that also fits in as a
required opt-in in a commercial, I think, is more of a policy
question.
Mr. Gordon. The benevolence of the Chairman may allow you
to talk some more to other candidates, but in case he doesn't,
I would like to ask that each of you submit to the committee a
written statement as to what you think are the Constitutional
furtherest bounds that we could go in legislating. If you want
to add to that why you think maybe we shouldn't, then, that is
fine. But I would like to find out what the field of play is,
and then, hopefully, ultimately, we can maybe find some common
denominators.
Mr. Stearns. The time of the gentleman has expired.
Is that acceptable, doable, feasible for you folks to do
that. I think it would be very helpful for the committee.
Mr. Terry?
Mr. Terry. Thank you, Mr. Chairman.
I think all of our questions here are focused on trying to
find that boundary or at least the lowest common denominator of
what should be done, what could we do Constitutionally,
legally, without restraining trade.
Let me work some of that. Can I have an hour? Since I am
the last to ask questions?
Mr. Stearns. Will that do it?
Mr. Terry. I will try and do it within the 4\1/2\ minutes
that are left.
Mr. Stearns. I would say to the gentleman we are going to
do a second round.
Mr. Terry. Okay.
Mr. Stearns. I think, with the panel's indulgence, there
are not that many members, so we are going to do a quick second
round which would be an additional 10 or 15 minutes.
Mr. Terry. I think one of the areas I would like to
explore, but I am going to try and discourage, is it seems to
me that perhaps there should be a sliding scale. Of course, we
want higher protections on sensitive material like medical
information, but yet, should commercial information about my
buying habits of diapers and beer have this same heightened
scrutiny and protection? And I would probably say right here
without exploring it more that no, there should be probably a
laxer standard on my purchase of Bud Light and Pampers. And by
the way, more young people drink beer, and more young people
have small children in diapers: case in point.
And so, let's go with that. Mr. Cate, I want to explore
some of these boundaries of when there should be some rules
protecting commercial information in place, and I am going to
kind of give examples of how that information can be, then,
redisclosed throughout the system and see if maybe higher
standards should be put in place as the information is
disseminated.
Let's say I go to the grocery store, and I use my credit
card. It is issued by my bank. And, Professor, let's say, for
example, you in answering this question, and I want your
personal opinion, are my bank and the credit card issuer. Is it
appropriate for you, then, to have software that would be able
to read that when I use my credit card or my debit card to
purchase at the grocery store that I buy Pampers and Bud Light?
Is that appropriate that you even have that technical ability?
And should I, as a consumer, when I sign up for my credit card,
know that you may have software where you are going to know
that I am specifically buying that brand or diapers generically
but that brand specifically? Is that appropriate?
Mr. Cate. Yes, it is appropriate.
Mr. Terry. Should there be laws in place that I know that
that is occurring?
Mr. Stearns. Mr. Cate. It is appropriate that it occurs,
and it is appropriate that you should know.
Mr. Terry. All right; is it appropriate that perhaps
Congress adopts some policy and law that mandates it on
Professor Cate Bank and Credit Card Company?
Mr. Cate. Well, let me say the answer to that is yes but,
and if I can just have, you know, 5 seconds to say the but,
which is you can send out all the notices in the world to
customers, and they will throw them away with enormous glee.
And so, if the effect of that notice is simply to impose a $1
billion cost--although it does subsidize the Post Office, which
is not an unimportant issue--but not to educate the public,
then, I think that it is not advisable, although it is clearly
legally permissible.
Mr. Terry. And I will tell you right now: I want to make
sure that when I open up my credit card bill that I don't have
a bunch of trashy coupons in there. Give me a Pampers coupon,
because I am spending a heck of a lot of money on diapers. So I
want you to be able to target it to me.
Now, let's say Professor Volokh is actually--you are just
the shell. You just issue the darn card to me. You hire a
separate business to actually do all of the contracting. Should
he have the right, that company that is not you but your
contracting agent, have that power, the software, the
technology to be able to gather my specific buying needs,
although my contract is with you?
Mr. Cate. I believe that he should.
Mr. Terry. And either two of you, you can now expand on it.
Mr. Cate. But he can speak for himself now.
Mr. Volokh. Well, it seems to me that if the Cate Bank
makes this promise to you that they are, let's say, not going
to reveal it further or some such, then, they had better ask me
to make the same promise to them, because otherwise, they might
be liable to you.
Mr. Terry. Should I know that you are part of that process
up front?
Mr. Volokh. Well, it is an interesting question, because I
think for most consumers, the exact financial structure or the
exact business structure is not terribly relevant. I think with
most consumers, my guess is--and here, you are reaching policy
rather than Constitutional law--I think what consumers would
like to know is what purposes their information is going to be
used for. And it seems to me that----
Mr. Terry. And that is the point I am getting to, actually,
because if it just keeps coming back to me that since you are
the one who is really going to send me out my bill with the
coupons in it, because you have hired another company that
actually prints and does all of that, which is the real world,
if it keeps coming back to me, is there a lower standard than
that?
Mr. Volokh. A lower standard?
Mr. Terry. Of privacy and regulation, maybe just an opt-out
type of policy instead of an opt-in type of policy.
Mr. Volokh. I would think that----
Mr. Terry. Or just basic disclosure?
Mr. Volokh. I think there is a lot, especially given how
much consumers are concerned about business, and it is
interesting you mention credit cards. It is a very competitive
business. A lot of people want your credit card business.
Mr. Terry. And this is a lot of----
Mr. Volokh. Exactly.
Mr. Terry. [continuing] when we get feedback from the
business world on rights of privacy, it is usually in the----
Mr. Volokh. Yes; I would think that there are a lot of
banks that would have a lot of incentive to say we are going to
give you a high-privacy credit card, and we are going to
promise that we are going to give you privacy; we are going to
promise that we are going to use the information only for these
very limited purposes. We are going to make all of our
contractors promise the same thing to us, so that we can hold
them to this obligation, too.
So it seems to me that the business world may do a good
enough job if it is. If it does not, then, I think you could
impose requirements that credit card companies facilitate
consumer shopping by making it clear to the consumers what
their privacy policies are.
Mr. Terry. But I am running out of time, but the next phase
of that would be selling my name to Anheuser Busch or whoever
owns Pampers.
Mr. Volokh. I thought you had an hour.
Mr. Terry. What is that?
Mr. Volokh. Well, I think if we promised----
Mr. Terry. And I think that is what a lot of people are
worried about.
Mr. Volokh. Yes.
Mr. Terry. But with the consumer, heck, if I get something
at a discount from Pampers----
Mr. Volokh. Yes.
Mr. Terry. [continuing] I like that idea. But where do we
draw the line in the process?
Mr. Volokh. It seems to me that providing disclosure of
what is going to happen and thus providing meaningful consumer
choice will allow consumers to decide: do they want the high-
privacy, no-coupons, I just want to be as sheltered as possible
credit card? Or do they want the go ahead; I don't care if
people know I am buying the beer, especially if they want to
send me more coupons? It seems to me that disclosure does
provide consumers with more choice.
Mr. Terry. I appreciate that, Mr. Chairman.
Mr. Stearns. The gentleman from Massachusetts, Mr. Markey?
Mr. Markey. I thank the gentleman very much.
See, the point is that most people would not care if anyone
found out that you were buying Pampers for your children. But
your mother would care if you found out that she was buying
Pampers for herself, Okay? That is a much more sensitive issue,
very sensitive, incontinence pads for 2 million elderly women.
They haven't told their daughters. That is a different issue.
So, yes, you don't care maybe necessarily.
But on the other hand, your mother is very sensitive about
that. Only her husband knows; no one else, her sisters, her
children. So what are we going to do for her? What rights does
she have?
So, I want to give her a lot of rights, to be honest with
you, because she built the country. She doesn't want that
information disclosed; she has a right to keep it private. So I
am very respectful of her; very embarrassed, because it goes
right to her dignity, her pride. She can't control herself.
So where are those lists, and how do we get names off those
lists? How hard is it to get your names off those lists?
So, we kind of have this duality, you know. On the one
hand, you have got the industry coming before this committee
saying we need more copyright protection for all of their
information. Don't let anyone disclose it. It would be terrible
if anyone ever took our information and sold it, you know. Look
at Napster. That Napster is going to ruin us, you know. We
listen attentively.
Then, the individual says, oh, by the way, I want a
copyright on my own personality, my own information. You can't
do that, says the very same industry. You are not entitled to
copyright your information. That is different, Okay? But don't
let them take mine.
The industry comes in here, and they say you have got to
have the top-notch, No. 1 encryption technology available to
every consumer, security all the way, all the way from your
house to my bank, my Internet company. Security, very
important. But once I get the information, you shouldn't have
any privacy. Now, from a consumer's perspective, they say,
well, I do support state-of-the-art encryption, because I don't
want the kid across the street cracking in and finding out what
I am doing. But I don't want you to do it either. I am only
transacting, you know, for this one little deal.
So there is a duality here. The industry says copyright
good, security good; privacy bad, privacy bad. But we need the
same high standards, because from the consumer's perspective,
they see the same issues, okay, that the industry does. And the
paradox is quite obvious. So begin, then, Professor Volokh, you
begin with the question of your children. Did we make a good
decision in passing the Children's Online Privacy Act here,
saying that parents have to be consulted whenever any
information on a commercial site has been gathered about a
child under the age of 13 that could be reused for purposes
other than that which the parent intended? Do you think that
was a good law, first, to pass, Professor?
Mr. Volokh. I actually have no opinion specifically on that
law, because I think that the situation with children revealing
information, because children are incapable of consenting, is
actually a much more difficult question.
Mr. Markey. No, what I am saying is what is your view then?
Is that a good law for us to pass?
Mr. Volokh. Believe it or not, actually, I don't have an
opinion, and in my article, I actually specifically say it is
an interesting question that I haven't examined.
Mr. Markey. No, I don't believe you don't have an opinion.
I mean, otherwise, you shouldn't have been invited, to be
honest with you, Okay? Because that is too simple a question,
to be honest with you, okay, for somebody who his holding
himself out as an expert. What about children under the age of
13, Professor? Should parents have to give their approval if a
commercial Website is going to reuse the information for
purposes other than that which the parents intended?
Mr. Volokh. I believe I wasn't--I'm sorry.
Mr. Stearns. Professor, hold on. Just a comment.
Mr. Volokh. Yes.
Mr. Stearns. I would say to the gentleman from
Massachusetts we asked these people to come here for their
legal interpretation and not necessarily for their personal
interpretation, for what it is worth.
Mr. Markey. I appreciate that, but, Professor, that is
hard, because they have rapt audiences in law school that hear
both their legal and personal opinions, and so, they are
usually packaged almost in a way that is so intertwined that it
is impossible to really separate them as a student, okay, but
as a Congressman, I am in a position--Father Drinan was my dean
in law school. And then, in my second year, he wins for
Congress. So I was so intimidated by him. But then, 6 years
later, I got to be a Congressman, too. And so, whenever he
voted yes, I could vote no, you know, if you know what I mean,
okay?
And I have to admit: it was gratifying, although in
retrospect, he was probably right on everything.
But at least I was able to question more, you know,
intensively any position which he had.
So all I am asking, Professor, quite simply is would you
personally, as you hear the question, give that child audience
more protection?
Mr. Volokh. Representative, I was invited here, I thought,
to comment on those matters that I thought I was competent to
comment on. In my article, I specifically said that this is an
issue that is very tough that I have not spent the time
necessary to think about it, because whenever children are
involved, especially with questions of consent, that raises all
sorts of difficult questions. It seems to me the only
responsible thing for me to say is to admit that I have not
thought about this enough to have formed an opinion.
Mr. Markey. Okay; well, let me just say that--okay, you can
play that.
My view--I will say my view. I think children should be
protected, and it came out unanimously out of this committee,
and I don't think you are going to get much dissent across this
country. You may be the only person in the country without a
view on that issue.
Really, but that is okay. I mean, I don't mind that you
want to take that position, because of course, that immediately
begs the question of whether or not 14-year-olds should be
protected, okay? You don't have to have a view on that, either,
but I would say yes, 14-year-olds should also be protected. We
didn't do that. We only did it up to 13. And then, how about
16-year-olds? And I would say 16 years old as well, okay?
Looking at it from a societal perspective, you know, that they
should be protected.
And then, you just keep going. You keep asking the same
question over and over again, okay? And that is what we do as a
matter of public policy. But you can start from one perspective
and say okay, on the one hand, you know, maybe this information
should be out there free and, you know, unrestricted. But then,
if you take it from the other perspective, you are saying no,
it should be restricted, because you have got this special
category down here, and then, you have to decide how far up you
are going to take the special category, which is the much
tougher question, because it doesn't fit into a uniform
philosophy. And, of course, that is the most valuable
information to us: what doesn't fit into a uniform philosophy?
Mr. Stearns. I would tell my colleague we are going to do a
second round.
Mr. Markey. Excellent. I am ready. Excellent.
Mr. Stearns. I am going to start and ask Ms. Singleton:
emergence and diffusion of certain new technologies, such as
the Internet, have triggered today's debate on information
privacy. Would you please place the relationship between new
technologies and privacy debates in historical perspective?
Ms. Singleton. Yes; let me do this very quickly. One of the
interesting things that began to happen in the early Twentieth
Century is that credit reporting became professionalized. It
was originally done sort of as a nonprofit activity to help
poor people get access to credit, and today, it has become
professionalized and become, you know, a professional thing.
Now, this goes to my point that privacy legislation, even
relatively minimal opt-out, is not nearly as moderate as it
appears on the surface, because if there had been an opt-out
rule in place during the period of time in which credit
reporting was developed, there simply would not be credit
reporting. All of the people with bad debts would simply have
opted out.
To move up to another example today involving the Internet,
just a few years ago, identification and authentication became
a very important function that e-commerce companies needed to
have. Amazon.com, for example, when they get an order from a
customer, they check the name and address against a massive
commercial data base with pretty much everyone's name and
address in it and absolute as updated and accurate is possibly
can be.
And if people were allowed to opt out of this data base,
its value as a commercial enterprise, once it was full of holes
and gaps and so on, people opting out, whether for well-meaning
purposes or because they want to conceal who they are, would
essentially make this authentication and identification much
less useful.
So I think there again, as we think about the evolution of
technology, it is important to realize that there are uses of
information that are very innovative that haven't been thought
of yet, some of which could turn out to be tremendously
beneficial to consumers and which even relatively moderate
legislation might foreclose.
Mr. Stearns. Mr. Rubin, Professor Rubin, in your study, you
identified no market failures. Do market failures primarily
result from information asymmetry? And if so, how does
information sharing relate to market failure?
Mr. Rubin. Information asymmetry is one----
Mr. Stearns. You might define a couple of terms.
Mr. Rubin. Information asymmetry is when one party knows
something, and the other party does not know it, but as it is
used in economics, which is my field, by the way; I am the only
non-attorney here, I think--as it is used in economics, it
means that people are, in those circumstances, less willing to
transact. So if I know there is an information asymmetry, I may
be unwilling to transact.
But the way to solve information asymmetries is to create
more information. And so, the free flow of information actually
is likely to solve problems of information asymmetry.
Now, with respect to the Internet, you might argue that in
the early days of the Internet, when people did not understand
data collection and didn't understand that information was
being collected, there may have been more of a problem. But
now, all of the surveys show that people are fully aware of the
fact that data is collected. This creates an incentive for
Websites to post privacy policies, for example, and tell people
how the information is being used, which creates an incentive
to eliminate the information asymmetry because it makes people
more willing to engage in transactions.
And so, in a sense, the market is solving that problem by
the posting of privacy policies, and the FTC study showed, for
example, that 100 percent of the most commonly visited Websites
did post privacy policies, not because they have been mandated
to but because it is in their own interest to do so. So in a
sense, the market has been solving that problem.
Mr. Stearns. But the problem is you go to some of these
sites, and the privacy request is way down, and you have to
scroll all the way down. And then, it is a light gray line. And
then, they put another light overtone on the light gray line.
And so, you have got to see that, and you have got to double-
click on the privacy. Then, up it comes, the dialog box.
So, I mean, they are volunteering, but they are
volunteering in a rather clever way or a way that is an
obtrusive, so that the average person doesn't even know that
they have a privacy policy.
Mr. Rubin. But if people want privacy policies, a natural
reaction when you go to a site where you can't find it is to
simply leave that site, to assume that it doesn't have one, or
it's not worth my looking for it. If people are concerned about
privacy policies, then sites have incentives to make them
available and to make them more easily available, because
otherwise, they are going to lose consumers.
Ms. DeGette. Will the gentleman yield?
Mr. Stearns. I will yield.
Ms. DeGette. But what if they don't see the privacy
disclaimer, so they just assume that privacy is included? Isn't
that also a possibility?
Mr. Rubin. Well, I think it is less of a possibility now,
because as I say, the surveys show that people are concerned
about privacy. I don't think people have an expectation that
the default is they are going to protect privacy.
Ms. DeGette. Has there been research done on that?
Mr. Rubin. I haven't seen specific research, but there are
all of the surveys that do show people concerned about privacy,
which means yes, I guess that would indicate that people don't
expect information to be kept private without a disclaimer,
because they are concerned about the way Websites use
information.
Mr. Stearns. Let me just indulge myself with one other
question for you. Please define the free rider problem and
explain its relevance to the information privacy debate.
Explain what you mean by free rider problem.
Mr. Rubin. Free rider problem is where someone can benefit
from something without contributing. So, for example, if
information, collecting lots of information, is valuable for
the credit reasons and the other reasons that we have talked
about, so that creating lots of information can create a
marketplace, but I, myself, would prefer to benefit from that
marketplace and not contribute that information, then, I would
be what is considered a free rider.
So I might say it is good if Websites can make these
determinations, but I don't want to tell them my information. I
am going to benefit from the things that are provided without
contributing; then, that would be a free rider, and under
certain circumstances, you would have a free rider problem in
the provision of such information.
Mr. Stearns. Okay; my time has expired.
Ms. DeGette?
Ms. DeGette. Thank you, Mr. Chairman.
To follow up, Professor Rubin, I think that to make the
studies more pedagogically sound, it might be interesting to
research consumer attitudes when they don't see a privacy
disclaimer, because I would opine, based on nothing except for
common sense, that people going into certain types of sites--
financial sites or where they are going to be disclosing
personal information--may well still assume that there would be
some privacy given, for example, similar to when they went to
the doctor, and there is not, on your regular medical form, a
privacy disclosure, but yet, people assume that their doctors
will keep their medical records private.
So I think that would be some useful research to conduct,
and I would hope that it is being done.
Mr. Cate, I have a couple of questions for you. I wanted
you to expand a little bit on your written testimony where you
talk about how requiring a customer's consent exacerbates the
harmful impact of many privacy laws on consumers. How do you
see that happening?
Mr. Cate. Well, I provide seven or eight examples in the
testimony.
Ms. DeGette. Right.
Mr. Cate. So let me just touch on a few of those----
Ms. DeGette. Thank you.
Mr. Cate. [continuing] and try to make them clearer.
One of them, of course, is if consent requires repeated
contacts or requests to the consumer. So, for example, even
under the Gramm-Leach-Bliley law, the average American
household gets 20, 30, 40 notices. That is with a cost that is
paid for by consumers. That is an environmental burden that is
borne by all of us as citizens, and it is a burden for people
who say they don't like the junk mail they get already; they
are now getting more junk mail mandated by Congress. So that is
a clear burden on consumers that the opportunity for consent,
the mandated opportunity for consent, exacerbates.
I think, for example, in the health privacy rules that are
out now, we see even more of that. That is where, for example,
the length of that notice, the fact that notice will be
interposed between the patient and the physician at every
occasion; I mean, even the mundane question, you know, I go to
the pharmacy to pick up a prescription for my wife, but, of
course, I can't do that under those HIPAA rules, because only
she can consent, and her consent is required by regulation for
her to receive that prescription.
So, now, she has got to go to the pharmacy to pick up that
prescription and sign that form first. I think that is a real
burden.
Ms. DeGette. What is your view on that, Professor Feldblum?
Ms. Feldblum. My view is that sometimes, Professor Volokh's
approach of not talking when you don't know it all the way
through is a good one. The HIPAA regulations specifically dealt
with that and, in fact, have set it up so that other people can
go to the pharmacy to pick up.
Ms. DeGette. How will that work under the HIPAA rules?
Ms. Feldblum. Because there isn't the ongoing consent each
time. You consent for that information to go for certain
purposes, and you consent for other people to do that on your
behalf.
Ms. DeGette. So you think his wife would be able to go pick
up that prescription?
Ms. Feldblum. Absolutely, absolutely.
Mr. Cate. Not the first time.
Ms. Feldblum. I completely stand by that.
Ms. DeGette. Not the first time, but subsequently after she
signed the thing?
Mr. Cate. Absolutely; that is right.
Ms. DeGette. But you think that is an undue burden?
Mr. Cate. I think that is an example of a burden.
Ms. DeGette. Okay.
Ms. Feldblum. And to your question of the expectations of
privacy, you are right. People think when they go to the doctor
that that information is going to be kept private. And, in
fact, until we have these regulations effective, they, in fact,
don't really know where that information is going. So the
problem we currently have in the medical system is also the
problem that exists in your question about some of those sites.
People don't know enough, and as Eugene Volokh said, the one
thing Congress can do without any concerns is mandating some
more clear disclosure. And that is, in fact, what the HIPAA
regs do.
Ms. DeGette. Let me get back, Professor, for a minute to
the H.R. 10 privacy restrictions. Is it your view that under
that law that that law requires repeated notices to customers?
Because as I say, I was on that conference committee, and that
was not my sense.
Mr. Cate. That law requires that those notices be delivered
annually, yes.
Ms. DeGette. And you think that that is an undue burden?
Mr. Cate. There is no question, because, for example, there
could be no use of information at all; you know, I am not
making any third-party use; I am not distributing it to anyone;
I am not marketing. Therefore, there is no opt-out right
involved. There is nothing at all that the consumer can do
based on this other than, of course, stop engaging in the
service. And there can be no change in the information used
from year to year. But still, that notice has to be sent out.
Ms. DeGette. Mr. Chairman, I just want to say that I think
this was a great first start on this privacy question. We
obviously had a breadth of opinions here, and I, myself, having
sat through many law school classes where the professors
grilled me--am very, very happy to have my little comeuppance.
So thank you all for coming today.
Mr. Stearns. Mr. Terry?
Mr. Terry. Thank you.
I said earlier that I don't see a problem with having
completely different standards for what we think as a
traditional commercial transaction versus a medical
transaction. Is that appropriate legally and public policy-wise
in your opinions?
Ms. Feldblum. Well, two things: one, and I think it was
sort of referenced by Representative Markey's comment: often,
there is an integration of those in a way that can be
complicated. So I think that while, as a conceptual matter,
yes, there are different harms, given our system of credit and
finances and educational institutions sort of being connected
in with some medical information, it means that you have got to
think through all of those elements.
The second is really more a matter of, you know, really
what both Ms. Singleton and Professor Volokh have written
about, which is the conceptual question of how much control
should you have over your own information? And for people who
feel that strongly, it really doesn't matter that much about
whether it's that they're taking a particular medical drug or
that they like to buy a certain type of, you know, videos, you
know, even action videos.
You know, I am someone personally who I don't really--you
know, I like getting coupons for things that I care about,
right?
Mr. Terry. Right.
Ms. Feldblum. On the other hand, if I am sitting and making
policy for everybody, I think I need to think about what sort
of control do I want to give these folks consistent with not
messing up the commercial system? Because that is going to help
everyone as well.
So, yes, there are differences, but there is integration of
that information, and two, you have to legislate for the
general public.
Mr. Rotenberg. I think the problem is actually somewhat
more complicated than this, and the reason is that when you are
talking about a sectoral approach to privacy focusing on
subject matter--I mean, we agree that medical information is
more sensitive than commercial information--it puts aside the
significance of technology. Now, consider, for example, the
privacy protections associated with the use of the telephone
system. You pick up the telephone, and you call up Safeway, and
you say do you have any diapers left? You call up your doctor,
and you say do I need to get that prescription refilled,
because this problem is continuing.
The privacy protection that exists for your telephone call,
whether you are calling Safeway about the diapers or your
doctor about the prescription is the same. Now, it may be the
case that if someone intercepts the call and discloses the fact
that you were talking about diapers, it wouldn't be
embarrassing, or it could be the case that even the medical
information isn't embarrassing. But it is interesting that if
you look at the development of privacy law, video rental
tapes--probably most of the tapes that you rent, not that
sensitive. But some may be. The law provides comprehensive
protection across this new technology in which consumers
operate, and I think it is very important to keep this in mind,
because there is a tendency when thinking about privacy
protection, and I think it is common sense to sort of
distinguish and say, well, some things are very sensitive; some
things are not. Let's focus on what is sensitive. It makes
sense.
But when you talk about the integrated nature of technology
that allows both sensitive and nonsensitive information to be
exchanged, I think you need a more comprehensive approach, and
that is why I would not recommend, actually, going based on
subject matter in trying to define privacy.
Mr. Terry. Let's continue, because I think there will be a
variety of opinions. I respectfully disagree. I just don't see
how you actually physically do it in the real world, because in
order to treat everything equally, we have to move to the
strictest standard, and I can't believe that I would have to
sign a--I mean, literally, take a consent form to go to the
grocery store and use my debit card. I mean, if we want to take
that to the extreme that----
Mr. Rotenberg. But I don't think you would.
Mr. Terry. Well, it depends. If there may be something
that, you know, if you move to the strictest standard, you
would.
But let's keep going down the field, because we have got to
explore the boundaries of what we can do.
Ms. Singleton. Yes; I think that there is one potential
problem with sectoral legislation, and that is you may have a
situation, as you have with Gramm-Leach-Bliley and the new
medical privacy standards, where there are companies where
their same data base is governed both by the Gramm-Leach-Bliley
Act and by the new medical privacy rules, and those rules set a
different legal standard.
So what does the company do there? In some cases, one
standard may be higher than the other one, in which case you
just comply with the higher standard. But in some other cases,
it is not really that clear, and the standards are just
different. So that is one problem, and I think the answer to
that is when you do sectoral legislation to narrowly target
that legislation at a specific, identifiable harm such as
fraud.
Now, some people would say why don't we just have
legislation all across the board to solve that problem? And my
answer to that is because that is way too broad. Its impact on
the economy would be enormous and very difficult to even grasp
at this point. And plus, it also has a really big impact on
small businesses potentially.
Mr. Stearns. Do you want to make your--his time has
expired. Do you want to make your comment short?
Mr. Rubin. I will try to make them short.
I think there is a difference between information that
starts with a person and says what do we know about Paul Rubin
as opposed to most of the commercial information, which starts
with a product and says how can we find Websites of consumers
who are interested in buying this product? So medical
information, much of it, would fit into the first category, and
the sort of commercial information I am talking about fits into
the second, and I think that may be a way to think about a
differentiation.
Mr. Stearns. Thank you. Time has expired.
Before I have my colleague from Massachusetts finish up our
great hearing here, he mentioned Congressman Drinan. He came
here, as I recollect, a professor from Georgetown.
Mr. Markey. No, from Boston College.
Ms. Feldblum. From Boston College. He is now a professor at
Georgetown.
Mr. Markey. Downward social mobility.
Mr. Stearns. And Mr. Markey mentioned how much reverence
and awe he had of him, and I am reminded of an expression that
we all know as Members of Congress: the first 6 months, we
wonder how we got here. And then, the next 6 months, we wonder
how the rest of them got here.
Mr. Markey. As he introduces me!
Mr. Stearns. Mr. Markey.
Mr. Markey. Thank you, Mr. Chairman, I appreciate it very
much.
Not only that: Boston College is number 10 in the AP
basketball ratings, and Georgetown is number 16, okay?
So it was the only small little area of advantage they
maintained over us, and now, it is complete domination.
So we're quite happy--with the exception of their privacy
division in the law school--and that one Constitutional law
professor emeritus, you know, Father Drinan, they are the--so
here's the way it is. And Professor Rubin said, you know, most
of these sites now have a privacy policy, and they do post
their privacy policy. We have a privacy policy, it says, okay?
Then, you read way down here. It says--by the way, after
you have hired lawyers at $700 an hour to write a 14-paragraph
privacy policy with double negatives just driven throughout the
entire thing just so that they can prove they went to law
school, and down here, after you get to the bottom line, they
could have just said you have no privacy. We reserve the right,
of course, to sell this stuff, okay? But it is their policy,
though. It is their policy. And who the hell is going, you
know, to read 10 paragraphs on every single site they go into?
So, obviously, that doesn't work. The free market--yes,
they put it up, but it is like an attractive nuisance. It is
misleading in a lot of ways, do you know what I am saying? You
are sucking people in where they shouldn't be going, because
they aren't going to go through all 10 paragraphs.
And the thing is, well, financial, of course. It is the
financial. You know, you might have been writing the check for
your kid's Ritalin or your kid's child psychiatrist on the
checks for the last, you know, number of years. That is
medical, okay? More sensitive; you don't want the whole
neighborhood, you know. You promised your daughter you are not
going to tell anybody, you know, much less everybody in town
can get it as a direct mail, you know, from the financial
institution.
And the same thing is true for the medical exams, for the
insurance, you know. That is also very sensible. So the
financial oftentimes is nothing more than the genetic makeup of
the family's medical history for the last 30 years, you know,
just sitting here if you can go through the medical. So it is
hard sometimes to tease it out, in other words. It is basically
inextricably intertwined inside of those financial data.
And Citigroup, somehow or other, in Germany figures out how
to do it, but they just can't figure out how to do it in the
United States when these higher privacy standards are put on
the books.
So let me go down with just a very quick question to each
one of you. You basically disclosed what Federal contracts you
might have. What private contracts do any of you have, any
financial interests that you might have in your life apart from
your law school careers that would influence to oppose the most
stringent privacy policies? Can you tell me which companies,
any consulting contracts that you have--we will go right down
the line--with outside groups?
Mr. Stearns. With the indulgence of my colleague, as I
recollect, and, counsel, you can correct me if I am wrong, when
they came here, did they fill out--was that our policy?
Mr. Markey. No, I have their forms. I have their forms
right here. This only deals with their Federal contracts. It
doesn't deal with their private sector contracts.
Mr. Stearns. Well, what I am just saying is that what they
filled out is all we requested from them.
Mr. Markey. Oh, they don't have to give this to me right
now. I am asking them as a favor to tell me. It is just a
question. They don't have to tell me.
Mr. Stearns. So this is a voluntary----
Mr. Markey. Right.
Mr. Stearns. [continuing] exercise here.
Mr. Markey. Right.
Mr. Stearns. In which he is asking you to divulge personal
information about your privacy.
Mr. Markey. Exactly. Now, you have got it. You have got my
point.
Mr. Stearns. He wants to know things about you personally.
Mr. Markey. I want to know things about them, you know.
Mr. Stearns. So under his timeframe, you can say that it
will take you awhile to get it----
Mr. Markey. Yes.
Mr. Stearns. [continuing] and you will get back to him----
Mr. Markey. You can say that.
Mr. Stearns. Or do whatever you like.
Mr. Markey. But I think that they all probably know where
their income comes from each month, so can you tell us? Can you
just go down the line, and then, you know, we can all hear?
Mr. Cate. Well, I am perfectly happy to answer your
question if the question is what consulting contracts I have. I
am senior counsel for information law to a law firm in
Indianapolis by the name of Ice, Miller, and that is the only
ongoing consulting relationship that I have.
Mr. Markey. Do they have any clients that you are writing--
--
Mr. Cate. I am sure they have many clients.
Mr. Markey. [continuing] memos on at their request on this
issue of privacy?
Mr. Cate. They do have clients that I work for, yes.
Mr. Markey. Can you list a couple of those clients?
Mr. Cate. I cannot list those publicly, I am afraid.
Mr. Markey. They like their privacy, don't they?
Mr. Cate. No, I think they protect the confidentiality of
their relationship with their attorneys.
Mr. Markey. As I am saying, the public would call that
privacy. The law firm has a different word for it.
Mr. Stearns. If the chairman would just indulge, the
gentleman from Massachusetts is an attorney, and isn't there a
client privilege that----
Mr. Markey. That is exactly my point.
Mr. Stearns. [continuing] you are trying to divulge here a
client privilege?
Mr. Markey. That is exactly my point.
Mr. Stearns. That is a contractual relationship that they
have with their clients which they don't want to divulge, and
so, I suspect that you are putting them on the spot here by
doing that, which I know you are trying to make a point.
Mr. Markey. Well, we can go down, and we can just see how
many times they want to invoke client-lawyer privilege, because
this is not exactly national security here that you are writing
memos on the privacy policy for private sector firms, okay?
This is not something that I think we would put in the highest
category. We would put this down on the lowest category: I am
on espn.com finding out where BC is this week compared to
Georgetown, okay? But the fact that private sector companies
need privacy memos, okay, doesn't seem to me that it would be
the highest level of privacy protection; not up there with
medical and financial, for certain. I would put it in the lower
category.
Mr. Stearns. Well, the gentleman's time has expired. So,
saved by the bell.
Mr. Markey. I don't think that's fair, Mr. Chairman.
Ms. DeGette. That is not right.
Mr. Markey. That is not fair to me. They should all have
the right to say no, I don't want to tell you. I think I have
the right to have a no.
Mr. Stearns. I think the Chairman also has a right to say
that time has expired when the member's time has expired.
Ms. DeGette. Mr. Chairman, I will ask unanimous consent to
let these witnesses answer the question. You haven't cut any
other member off today.
Mr. Stearns. Well, no, but I think in a free discussion
here I would say to my colleague that we have had an
opportunity to understand Mr. Markey's point, and I don't
necessarily want to take these witnesses who have come here, to
ask them to divulge personal information.
Mr. Markey. I don't want them to. I want them to say no, I
don't want to disclose it. Don't you understand? No, no, no,
no, no, and then, I am happy. It is over. It will be under 10
seconds.
Ms. DeGette. Does that mean, Mr. Chairman, you are
objecting to my unanimous consent request?
Mr. Markey. I don't want to tell you; I don't want to tell
you; I don't want to tell you.
Mr. Stearns. No, what I am saying is that even by them
saying that they don't want to answer, that is putting them in
a position which I don't think they should have to be put in,
and that is my prerogative as the Chairman, and that is where I
stand.
Mr. Markey. I don't think you can do that, Mr. Chairman. I
really do believe that they have a right and the ability as law
school professors to protect themselves. How about in writing?
How about if you would each give it to me in writing? How about
if I asked them all, because I can see the reluctance that is
sitting down there. Nobody is raising up their hands saying I
don't have a problem.
Mr. Stearns. I think that is a very good compromise.
Mr. Markey. But if you send it in writing, I would very
much appreciate it.
Mr. Stearns. Okay.
Mr. Markey. Would all of you agree to send it in writing?
Mr. Volokh. I am sorry. Actually, because it was suggested
that our failure to say anything is reluctance to that, I would
be very happy to say: I have----
Mr. Markey. He doesn't want to let you.
Mr. Volokh. Fair enough if he forbids you from----
Mr. Stearns. His time has expired, and I am saying as a
nice compromise here that I suggest that we follow up with Mr.
Markey's suggestion that if you would like to submit in writing
to the chairman and the committee, and we will get this to Mr.
Markey post haste. And thank you very much for your testimony.
The committee is adjourned.
[Whereupon, at 1:03 p.m., the subcommittee was adjourned.]
[Additional material submitted for the record follows:]
Indiana University School of Law--Bloomington
March 8, 2001
The Hon. Cliff Stearns
Chairman
Subcommittee on Commerce, Trade, and Consumer Protection
Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515
Dear Chairman Stearns: Thank you once again for the opportunity to
participate in the Subcommittee's March 1, 2001, hearing on Privacy in
the Commercial World. It was a privilege to be invited, and I
particularly appreciate your foresight in holding such an open and
wide-ranging discussion of privacy issues, and your thoughtfulness and
consideration when moderating the discussion.
We were asked during the hearing to respond in writing to two
additional questions. First, you asked us to respond to Mr. Gordon's
inquiry about the constitutional bounds of Congress' authority to
legislate in the area of privacy. I attach a supplemental statement
that attempts to do so.
Second, you referred to us Mr. Markey's request that we disclose
any ``on-going consulting contracts'' to which we are parties. I am
happy to reiterate what I said during the hearing: I have worked on
privacy issues with many businesses, professional groups, associations,
academic institutions, not-for-profit organizations, government
agencies, think-tanks, and even a recent political campaign. My only
on-going consulting contract is with the Indianapolis law firm of Ice
Miller, where I have served since 1997 as senior counsel for
information law.
Finally, I am aware that the next privacy-related hearing before
the Subcommittee concerns European privacy protections and their impact
on consumers and businesses in Europe and the United States. Again, I
applaud you for taking up this important subject, because I believe
there has been considerable misunderstanding about how privacy law is
actually applied within Europe, and regrettable inattention to the
impact of European privacy law on European citizens. I would like to
comment on four points in particular.
First, many of the requirements of the EU data protection directive
have not been enforced. For example, the directive requires European
nations to condition the collection, March 7, 2001 use, or transfer of
personal information on ``opt-in'' consent. This is rarely done in
practice. Privacy scholar Amitai Etzioni tells of regularly asking his
European audiences if anyone has ever been asked to ``opt-in.'' To
date, Etzioni reports only one positive response--from a man who was
asked for ``opt-in'' consent by Amazon.com, a U.S. company. ``It seems
that this EU directive is one of those laws that is enacted to keep one
group--privacy advocates and their followers--happy and, as a rule, is
not enforced so that commerce and life can continue.'' Amitai Etzioni,
``Protecting Privacy,'' Financial Times, April 9, 1999, at 18.
A January 2001 study by Consumers International bears out Etzioni's
conclusion. The study found that while U.S. and European Web sites
collect personal information at nearly comparable rates (66 percent in
the United States; 63 percent in Europe), U.S. sites provide better
privacy protection, despite having no specific legal obligation to do
so, than European sites, which are subject to comprehensive legal
requirements. In fact, the study concluded: ``US-based sites tended to
set the standard for decent privacy policies.'' Consumers
International, Privacy@net: An International Comparative Study of
Consumer Privacy on the Internet at 6 (2001) (emphasis added).
A second observation is that when restrictive privacy rules
actually have been enforced, for example, as part of national data
protection laws that predated the directive, they have contributed to
significant economic and social costs. The financial services sector
provides some of the clearest examples. Restrictive national privacy
laws have acted as a barrier to competition, giving the dominant
incumbent a monopoly over the information it possesses about its
customers, and denying new market entrants the information needed to
provide and market financial services. As a result, financial services
are provided by far fewer institutions--one-tenth the number that serve
U.S. customers, despite the fact that the pan-European market has
almost one and one-half times as many households. This means that
European consumers have fewer choices of companies and services, fewer
locations at which they can obtain financial services, and fewer ATMs--
one-third the number in the United States--at which they can obtain and
deposit funds.
Restrictive privacy laws also mean that consumers cannot take
advantage of their complete credit histories, thereby restricting the
mobility of consumers, because of the difficulty of obtaining credit
from new institutions. As a result, economist Walter Kitchenman writes,
in Europe ``consumer lending is not common, and where it exists, it is
concentrated among a few major banks in each country, each of which has
it own large databases.'' Walter F. Kitchenman, The European Union
Directive on Privacy as a Barrier to Trade (2000). In fact, European
consumers, although they outnumber their U.S. counterparts, have access
to one-third less credit as a percentage of gross domestic product.
Moreover, the absence of standardized, complete consumer data reduces
lender confidence and impedes the securitization and pooling of loans,
thereby furthering limiting the availability of credit and driving up
its price. Consumers also pay more for other financial services and
products because of the lack of competition, the difficulty of
obtaining service from another institution without a portable credit
history, and the absence of other efficiencies made possible through
information-sharing.
Third, if U.S. lawmakers don't hear loud complaints from European
businesses about restrictive privacy laws, it likely reflects not only
the limited extent to which at least the EU data protection directive
is being enforced, but also the fact that many dominant companies
welcome the anticompetitive impact of such laws. By keeping competitors
out and making it harder for customers to take their business
elsewhere, European privacy laws help dominant incumbents maintain
their stranglehold on markets. In France, for example, the EU country
with the strictest financial privacy laws, seven banks control more
than 96 percent of banking assets. The seven dominant French banks
already own extensive databases--they have no need to share information
about their customers with anyone. And the fact that this system
restrains innovation, hurts customer choice, and increases price is not
a great concern to those banks because the same system also restrains
competition and makes it easier to hold customers and capital captive.
Finally, European and U.S. markets differ in many significant ways.
The vast potential European market is, in fact, divided into many
smaller markets by languages, cultures, and, at least until the euro is
in widespread use, currencies. Moreover, the longstanding practical and
legal restraints on the productive use of information have contributed
to shaping radically different customer expectations in Europe than in
the United States. For example, until recently, telephone bills in many
EU countries did not include a listing of long-distance calls.
Europeans just did not expect to have that type of tool for evaluating
the accuracy of telephone charges. U.S. consumers, by contrast, have
lengthy experience with expecting the businesses with which they deal
to keep detailed call and charge records, so that the customer can
verify that bills are accurate. And, of course, Europe does not have a
``First Amendment'' or a tradition of constitutional protection for
information flows.
I mention these four points only to highlight the importance of
your inquiry and the need for caution before attempting to emulate
European-style privacy protection.
Thank you again both for the opportunity to participate in last
week's hearing and for your foresight in carefully scrutinizing a wide
range of issues about the current privacy debate, before attempting to
reach any conclusion about whether further legislation is necessary or,
if so, what the nature of that legislation may be. If I can be of any
service, I hope you will not hesitate to contact me.
Yours sincerely,
Fred H. Cate
Professor of Law and Harry T. Ice Faculty Fellow
Enclosure
U.S. House of Representatives
Committee on Energy and Commerce
Subcommittee on Commerce, Trade, and Consumer Protection
supplemental statement of professor fred h. cate
Mr. Chairman: You asked the witnesses in the March 1, 20001,
hearing on Privacy in the Commercial World to respond to Mr. Gordon's
inquiry about the constitutional bounds of Congress' authority to
legislate in the area of privacy. This statement attempts to do so.
I read the Constitution and the Supreme Court's jurisprudence as
permitting Congress to legislate privacy protection only when it has a
constitutional basis for doing so (in this case, the interstate
commerce clause), and when that legislation meets the requirements of
the First Amendment. First Amendment review is required of any law--
privacy-related or otherwise--that limits the ability of individuals or
nongovernmental institutions to engage in expression. That limit does
not have to take the form of a direct prohibition to trigger First
Amendment scrutiny, although most privacy laws have that effect.
Strict Scrutiny
Of course, not all restrictions on expression trigger the same type
of First Amendment review. This point was largely obscured in last
week's hearings, due perhaps to the fact that the Supreme Court's
jurisprudence in this area is not always clear or consistent. As a
general mater, however, direct government restraints, prior restraints,
restraints based on the viewpoint of the expression or, in many cases,
the content of the speech, require strict scrutiny, the highest form of
scrutiny applied by the Court. Under this standard, which is the one
that the Supreme Court has most frequently applied when reviewing
privacy laws, the government bears the burden of showing that the law
is (1) necessary to serve a compelling interest, and that the law (2)
imposes no greater burden than is necessary to achieve that purpose.
The need to evaluate both the purpose of the law and how narrowly it is
tailored is why most of us at last week's hearing focused on what harm
a privacy law is intended to prevent or remedy, and what cost or other
burdens privacy law imposes on consumers and businesses. A privacy law
that does not respond to a specific, significant harm will not be found
to serve a compelling interest, and a law that imposes unnecessary
costs, or costs in excess of the benefits it generates, will not be
found to be the least restrictive means of achieving the government's
interest. In either case, the Court would almost certainly strike down
the law as unconstitutional. Moreover, it is important to reiterate
that it is the government's responsibility under the First Amendment to
demonstrate both the importance of the interest and the precision with
which the law is tailored.
Intermediate Scrutiny
Although most privacy laws have been reviewed under strict
scrutiny, not all have. Some courts have applied various forms of
intermediate scrutiny, usually on the basis that the expression
affected by the privacy law was commercial in nature. Although specific
tests vary in detail, all intermediate scrutiny tests require that the
government demonstrate that the law is intended to serve an important
or substantial government interest, and that the law be narrowly
tailored to achieving that interest. As you know, Professor Volokh
testified, and I agree with him, that intermediate scrutiny was
inappropriate for reviewing privacy laws and regulations because, even
though the expression affected occurred in a commercial context, it was
not ``commercial speech'' (i.e., it did not propose a commercial
transaction). Some lower courts have nevertheless reviewed privacy laws
or regulations under intermediate scrutiny. When they have done so,
however, they have tended to find that the law or regulation failed
even this level of scrutiny. In other words, they applied intermediate
scrutiny because there was no need to apply strict scrutiny: The
restriction being challenged could not survive even the lower standard
of review.
The most recent example of this type of scrutiny was the decision
of the U.S. Court of Appeals for the Tenth Circuit in U.S. West, Inc.
v. Federal Communications Commission. The appellate court struck down
the Commission's rules requiring that telephone companies obtain
explicit consent from their customers before using data about those
customers' calling patterns to market products or services to
them.1 The court found that the FCC's rules, by limiting the
use of personal information when communicating with customers,
restricted U.S. West's speech and therefore were subject to First
Amendment review. Although the court applied intermediate scrutiny, it
determined that under the First Amendment, the rules were presumptively
unconstitutional unless the FCC could prove otherwise by demonstrating
that the rules were necessary to prevent a ``specific and significant
harm'' on individuals, and that the rules were ``. . . no more
extensive than necessary to serve [the stated] interests . . .''
2
Although we may feel uncomfortable knowing that our personal
information is circulating in the world, we live in an open
society where information may usually pass freely. A general
level of discomfort from knowing that people can readily access
information about us does not necessarily rise to the level of
substantial state interest under Central Hudson [the test
applicable to commercial speech] for it is not based on an
identified harm.3
The court found that for the Commission to demonstrate that the
``opt-in'' rules were sufficiently narrowly tailored, it must prove
that less restrictive ``opt-out'' rules would not offer sufficient
privacy protection, and it must do so with more than mere speculation:
Even assuming that telecommunications customers value the
privacy of [information about their use of the telephone], the
FCC record does not adequately show that an opt-out strategy
would not sufficiently protect customer privacy. The
respondents merely speculate that there are a substantial
number of individuals who feel strongly about their privacy,
yet would not bother to opt-out if given notice and the
opportunity to do so. Such speculation hardly reflects the
careful calculation of costs and benefits that our commercial
speech jurisprudence requires.4
The court found that the FCC had failed to show why burdensome
``opt-in'' rules were necessary, and therefore struck down the rules as
unconstitutional. The Supreme Court declined to review the
case.5
The Dominance of First Amendment Rights
The result in U.S. West is not surprising, because, whether
analyzed under strict or intermediate scrutiny, privacy laws and
regulations rarely survive constitutional review. For example, the
Supreme Court has accorded privacy rights little protection when
confronted with freedom of association claims of groups such as the
American Communist Party.6 The Supreme Court has struck has
down ordinances that would require affirmative consent before receiving
door-to-door solicitations,7 before receiving Communist
literature,8 even before receiving ``patently offensive''
cable programming.9 The words of the Court in the 1943 case
of Martin v. Struthers--involving a local ordinance that banned door-
to-door solicitations without explicit (``opt-in'') householder
consent--are particularly apt: ``Whether such visiting shall be
permitted has in general been deemed to depend upon the will of the
individual master of each household, and not upon the determination of
the community. In the instant case, the City of Struthers, Ohio, has
attempted to make this decision for all its inhabitants.''
10
Similarly, the Court often has demonstrated little concern for the
privacy interests of unwilling viewers or listeners, rejecting claims
against broadcasts of radio programs in Washington, D.C.
streetcars,11 R-rated movies at a drive-in theater in
Jacksonville, Florida,12 and a jacket bearing the phrase
``Fuck the Draft'' worn in the corridors of the Los Angeles County
Courthouse.13 And plaintiffs rarely win suits brought
against the press for disclosing private information. When information
is true and obtained lawfully, the Supreme Court repeatedly has held
that the state may not restrict its publication without first meeting
strict scrutiny. Under this requirement, the Court has struck down laws
restricting the publication of confidential government
reports,14 and of the names of judges under
investigation,15 juvenile suspects,16 and rape
victims.17 Even if information published by the press is
subsequently proved to be false, the Supreme Court has demonstrated
extraordinary deference to First Amendment expression rights and little
concern for the privacy interests involved.18
In fact, when privacy rights conflict with free expression rights
before the Court, the latter prevail, virtually without exception. The
dominance of the free expression rights over privacy interests is so
great that Peter Edelman has written:
[T]he Court [has] virtually extinguished privacy plaintiff's
chances of recovery for injuries caused by truthful speech that
violates their interest in nondisclosure . . . If the right to
publish private information collides with an individual's right
not to have that information published, the Court consistently
subordinates the privacy interest to the free speech
concerns.19
This is true irrespective of whether the speaker is an individual
or an institution.
The Impact on Congress
So what does this mean for Congress? I believe it necessitates that
whenever Congress restricts the flow of information in an effort to
protect privacy it must demonstrate (1) what harms it is acting to
prevent or remedy, (2) that such harms are serious enough to constitute
a substantial or compelling government interest, (3) that the law is
not broader, or does not regulate appreciably more expression, than is
necessary to achieve that interest, and (4) that there are not other
tools (such as technologies or market solutions) that would achieve the
same end with less interference with information flows. The precise
test (i.e., whether the interest must be ``compelling'' or
``substantial'' and whether the legislation must be the ``least
restrictive means'' or merely ``narrowly tailored'' to achieve that
interest) will depend upon the nature both of the expression restricted
and of the legislation itself, but effectively all restrictions on the
collection, use, or disclosure of information by the private sector
will have to survive this basic First Amendment review.
This is a very high, but not impossible, burden. As a practical
matter, it means that Congress cannot legislate to protect individuals
from embarrassment or a ``general level of discomfort'' as a result of
the disclosure of true information about them. It also means that
Congress cannot broadly restrict uses of information that do not cause
harm in an effort to target those that do.
On the other hand, the First Amendment does not restrict Congress
from facilitating the creation and enforcement of private contracts.
For example, Congress has broad discretion under the First Amendment to
require disclosures, provided that those requirements do not interfere
with expression to such an extent, or impose such high costs, that they
constitute an unconstitutional restraint on expression. The Supreme
Court has also found that Congress has significantly broader latitude
to act to protect children, provided that the law is not so overbroad
that it impinges on adult's expression. This explains why the
Children's Online Privacy Protection Act may be constitutional under
the First Amendment as applied to children, but similar restrictions
would be unconstitutional if applied to adults. Moreover, Congress has
broad--although not unlimited authority--to regulate the government's
use of information (i.e., to require privacy policies on government Web
sites, or to reduce the amount of personal information the government
collects from citizens). Congress can fund the development of privacy
protecting technologies (either directly or through tax incentives or
other subsidies), and sponsor commissions or other research initiatives
about privacy issues. Congress can help educate citizens about the
steps that we--and often, only we--can take to protect our own privacy.
Conclusion
The First Amendment is often lamented as a regrettable restraint on
the ability of Congress and other governmental bodies to act in the
best interest of the citizenry and protect the public. It may sometimes
have that effect. But I view it differently. The First Amendment
reflects the fact that expression, and the information that is
essential to expression, are so integral to our democracy and our
economy, that laws affecting them always pose a great risk to citizens
and consumers. Even when motivated by the most noble of purposes, those
laws can result in untold damage, especially if they are not precisely
targeted. Moreover, laws regulating expression and information are
often attractive to policymakers and to the public; such laws
frequently respond to immediate concerns and they usually do not
require the expenditure of taxpayer dollars.
The First Amendment reflects a constitutional calculation that
because of the attractiveness of laws limiting expression and the great
risks that they pose, the government should only be allowed to enact
and enforce such laws when they are necessary to prevent or remedy a
specific, significant harm, and when they are closely tailored to
affect only that expression that causes the harm. Viewed in this light,
the First Amendment does not limit Congress' authority to restrict
expression when necessary to prevent substantial harms. It only limits
Congress' authority to restrict expression when that restriction is not
necessary or is designed to serve a less important purpose.
Notes
1 U.S. West, Inc. v. Federal Communications Comm'n, 182
F.3d 1224, 1235 (10th Cir. 1999), cert. denied, 528 U.S. 1188 (2000).
2 Id. at 1235 (quoting Rubin v. Coors Brewing Co., 514
U.S. 476, 486 (1995)) (emphasis added).
3 Id. (emphasis added).
4 Id. (emphasis added).
5 U.S. West, Inc. v. Federal Communications Comm'n, 528
U.S. 1188 (2000).
6 Communist Party of the U.S. v. Subversive Activities
Control Board, 367 U.S. 1 (1961); Scales v. United States, 367 U.S. 203
(1961); Noto v. United States, 367 U.S. 290 (1961).
7 Martin v. Struthers, 319 U.S. 141 (1943).
8 Lamont v. Postmaster General, 381 U.S. 301 (1965).
9 Denver Area Educational Telecommunications Consortium,
Inc. v. Federal Communications Comm'n, 518 U.S. 727 (1996).
10 Martin v. Struthers, 319 U.S. at 141.
11 Public Utilities Commission v. Pollack, 343 U.S. 451
(1952).
12 Erznoznik v. City of Jacksonville, 422 U.S. 205
(1975).
13 Cohen v. California, 403 U.S. 15 (1971).
14 New York Times Co. v. United States, 403 U.S. 713
(1971).
15 Landmark Communications, Inc. v. Virginia, 435 U.S.
829 (1978).
16 Smith v. Daily Mail Publishing Co., 443 U.S. 97
(1979).
17 Florida Star v. B.J.F., 491 U.S. 524 (1989); Cox
Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975).
18 Hustler Magazine, Inc. v. Falwell, 485 U.S. 46
(1988); Time, Inc. v. Hill, 385 U.S. 374 (1952).
19 Peter B. Edelman, ``Free Press v. Privacy: Haunted by
the Ghost of Justice Black,'' 68 Texas Law Review 1195, 1198 (1990).
______
Response for the Record of of Solveig Singleton, The Competitive
Enterprise Institute
Question (1) Below I will summarize my view of the outer
constitutional limits of Congressional action on privacy (noting,
however, that the most Congress can do is probably not what Congress
should do).
Opt-in. An opt-in regime is probably a violates of rights of free
speech as applied to many cases, for it will in effect operate as a ban
on the exchange of truthful information in many cases.
Opt-out. Opt-out is more likely to pass constitutional muster.
There may be some contexts where opt-out is unconstitutional, for
examples, if it restricts the use of information from public records.
In addition, the Court might find, consistent with copyright cases,
that it is inconsistent with free speech principles to create a
property right in facts.
Default Contract Terms. Congress could clarify the default rules
for a contract that is silent on the matter of privacy. This would not
restrict speech, so long as companies remained free to set their own
terms differently from the default.
Notice. Congress could require companies to give notice of their
privacy practices.
Question (2) Below I offer information in response to the question
about consulting clients and my work on privacy.
Some think tanks such as AEI and Brookings do permit industry
consulting. But my former employer, the Cato Institute, for whom I
worked when I first formed my views on privacy, has an explicit rule
prohibiting consulting related to analysts' policy topics with
interested for-profit companies or associations that represent for-
profit companies. The Competitive Enterprise Institute, where I
presently work, also assumes that such consulting is inappropriate.
Thus I have never worked as an industry consultant on privacy or any
other topic that I also work on in the policy world.
I have, worked as a consultant to a number of non-profit public
policy groups on privacy. These groups are the Mackinaw Center, the
Foundation for Economic Education (a small market-oriented group that
works with students and academics), the National Center for Policy
Analysis (a conservative group based in Texas), and the Democracy
Online Task Force (meeting in Washington, D.C.). This is an all-
inclusive list.
�