[Congressional Record Volume 144, Number 151 (Wednesday, October 21, 1998)]
[Senate]
[Pages S12907-S12908]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




             OUR UNFINISHED WORK TO PROTECT PRIVACY RIGHTS

  Mr. LEAHY. Mr. President, the American people have a growing 
concern over encroachments on personal privacy. It seems that 
everywhere we turn, new technologies, new communications media, and new 
business services created with the best of intentions and highest of 
expectations also pose a threat to our ability to keep our lives to 
ourselves, to live, work and think without having giant corporations or 
government looking over our shoulders, or peeking through our keyholes.
  The current national media obsession with the Monica Lewinsky scandal 
has focused attention on abuses of power by independent counsel Kenneth 
Starr. I have been a prosecutor, and I am intimately familiar with the 
enormous power prosecutors wield. This power is generally circumscribed 
by a sense of honor and by professionalism, and for those for whom this 
is not enough, by the Bar's canons of ethics and disciplinary rules 
and, for federal prosecutors, the rules and regulations of the 
Department of Justice.
  Mr. Starr has a different view of these obligations, and privacy has 
been the first casualty. He began his investigation into the 
President's personal life by using the results of an illegal wiretap. 
The State of Maryland protects its residents from having private 
conversations tape recorded without their knowledge or consent. Mr. 
Starr condoned the deliberate flouting of that law by granting the 
perpetrator immunity and then using the illicit recordings to persuade 
the Attorney General to expand his jurisdiction.
  That was just the beginning. In February, Prosecutor Starr forced a 
mother to travel to the country's Capital to sit before a federal grand 
jury, with no right to have counsel present, and reveal the most 
intimate secrets of her daughter. That led me to introduce legislation 
to develop Federal prosecutorial guidelines to protect familial privacy 
and parent-child communications in matters that do not involve 
allegations of violent conduct or drug trafficking.
  Mr. Starr issued subpoenas to bookstores to pry into what we read and 
further encroached upon our First Amendment rights with subpoenas to 
reporters, at every step acting contrary to Justice Department 
guidelines. He intruded into the attorney-client privilege, and even 
required Secret Service agents to gossip about those whom they are 
sworn to protect, and whose privacy they have safeguarded for decade 
upon decade. Then all of the private information he gathered, all of 
the excruciating details of personal life, appeared almost 
contemporaneously in the public press, attributed to unidentified 
sources, despite the command of the law that all matters before a grand 
jury remain secret.
  The independent counsel law was passed with the best of intentions, 
with my support. I never imagined that the power would be so abused, 
and privacy so ignored. But that is the point. We must act to prevent 
abuses of privacy.
  Mr. Starr, by his gross excesses, has become a symbol of the threat 
to privacy and the threat to individual liberty from abuse of power and 
information. That threat has been amplified by the unseemly haste with 
which the Republican majority on the House Judiciary Committee voted to 
plaster the mud from Ken Starr's report all over the Internet, so that 
literally all the world would have a chance to peek through the 
keyhole. This intemperate action, in an unabashed effort to gain 
political advantage at the expense of privacy and dignity, should be a 
lesson to the American people that we need additional legal protection 
to protect their privacy.
  The far more pervasive problem is the incremental encroachment on 
privacy through the lack of safeguards on personal, financial and 
medical information about each of us that can be stolen, sold or 
mishandled and find its way into the wrong hands with a push of a 
button.
  The right of privacy is one of the most vulnerable rights in the 
information age. The digitalization of information and the explosion in 
the growth of computing and electronic networking offer tremendous 
potential benefits to the way Americans live, work, conduct commerce, 
and interact with their government. But the new technology also 
presents new threats to our individual privacy and security, in 
particular, our ability to control the terms under which our personal 
information is acquired, disclosed, and used.
  The threats are there, but so are the solutions, if we only take the 
time to look for them. For example, this Congress passed legislation 
that will make the United States government more accessible and 
accountable to the citizenry by directing Federal agencies to accept 
``electronic signatures'' for government forms that are submitted 
electronically. When the bill was reported out of committee, it 
established a framework for government use of electronic signatures 
without putting in place any privacy protections for the vast amounts 
of personal information collected in the process. I was concerned that 
citizens would be forced to sacrifice their privacy as the price of 
communicating with the government electronically. Senator Abraham and I 
corrected this oversight by adding forward-looking privacy protections 
to the bill, which strictly limit the ways in which information 
collected as a byproduct of electronic communications with the 
government can be used or disclosed to others.
  As I remarked when the bill passed, however, this is just the 
beginning of Congress's efforts to address the new privacy issues 
raised by electronic government and the information age. Congress will 
almost certainly be called upon in the next session to consider broader 
electronic signature legislation, and issues of law enforcement access 
to electronic data and mechanisms for enforcing privacy rights in 
cyberspace will need to be part of that discussion.
  The government also holds tens of millions of medical records of 
individuals covered by Medicare, Medicaid and other federal health 
programs. This information is routinely released by the government in 
individually-identifiable form for purposes such as medical research or 
in order to ferret out fraud and abuse. These are laudable activities, 
but without setting strong 
standards for an entity to meet before gaining access to this 
information there is the possibility of misuse and abuse of this very 
sensitive personal information.
  We have a Federal Privacy Act in this country that has not been 
substantially changed since its passage almost 25 years ago. One 
purpose of the Privacy Act was to protect our citizens from government 
intrusion and the sharing of data across agencies without the knowledge 
or consent of the subject of the information. Yet, the Privacy Act 
contains a problematic ``routine use'' exception, which is already a 
huge loophole to use health and other information for any purpose.
  I first noted my concern with this loophole during congressional 
hearings in 1996 on the transfer by the FBI of background investigation 
files to the White House for former Republican White House employees. 
The FBI admitted that it made these transfers pursuant to the ``routine 
use'' exception. Ironically, more information from the confidential FBI 
background files was revealed to the public in the course of 
congressional hearings than from any action taken elsewhere. For 
example, it was a House Committee that first revealed the names of 
people whose file summaries were requested. It was also a House 
Committee that used information from a Clinton White House employee's 
file to embarrass him and it was a House Chairman who ``went public'' 
with the confidential FBI background memo from the employee's 
background file in a statement made on the floor of the House. That is 
why during those hearings, on September 25, 1996, I called for a 
reexamination of the Privacy Act and tightening of the routine use 
loophole.
  My concern is heightened by a July 16, 1998, published notice by the 
Health Care Financing Administration to add new ``routine uses'' to the 
Privacy Act. The proposal is very broad. In the name of combating fraud 
and abuse, this proposal would permit the release of individual 
specific information to any governmental or non-governmental entity 
that has anything to do with health care. This new HCFA ``routine use'' 
exception proposal turns our notion of privacy protection on its head, 
and makes more urgent the need for review of and restrictions on the 
``routine use'' of private medical and other information collected and 
held by the government.
  At a time when the Congress and the Administration are grappling with 
how best to protect the privacy of individually-identifiable medical 
records in the private health care sector, we better make sure that we 
have our own house in order. I introduced legislation in this Congress 
that would help protect the privacy of individually-identifiable 
medical records, and I plan to expand on that initiative in the next 
Congress to ensure that such records are not mishandled by Federal 
agencies.
  The next Congress will also need to consider how our privacy 
safeguards for personal, financial and medical information measure up 
to the tough privacy standards established by the European Union. The 
EU Data Protection Directive is set to take effect next week. That 
could be a big problem for American businesses, since the new rules 
require EU member countries to prohibit the transmission of personal 
data to or through any non-EU country that fails to provide adequate 
data protection as defined under European law. European officials have 
said repeatedly over the past year that the patchwork of privacy laws 
in the United States may not meet their standards. Our law is less 
protective than EU standards in a variety of respects on a range of 
issues, including requirements to obtain data fairly and lawfully; 
limitations on the collection of sensitive data; limitations on the 
purpose of data collection; bans on the collection and storage of 
unnecessary personal information; requirements regarding data accuracy; 
limitations regarding duration of storage; and centralized supervision 
of privacy protections and practices.
  The flow of information from Europe may not stop suddenly on Monday, 
but the clock is ticking. Europe is committed to enforcing the 
Directive. Our continued failure to address this issue could have 
serious economic consequences for U.S. firms and transborder data 
flows.
  When we do address this issue--hopefully early in the next Congress--
we may find that the problem is not that Europe protects privacy too 
much. We may find that the problem is our own failure to keep U.S. 
privacy laws up to date. The EU Directive is an example of the kind of 
privacy protection that American consumers need and do not have. It has 
encouraged European companies to develop good privacy techniques. It 
has produced policies, including policies on cryptography, that are 
consistent with the interests of both consumers and businesses.
  Even if we decide not to lock in the commands of the EU Data 
Directive, we can learn from it. Marc Rotenberg, the Director of the 
Electronic Privacy Information Center, made this point eloquently 
earlier this year, when he testified before the House Committee on 
International Relations: ``The EU Data Directive is not so much a 
problem as it is a reminder that our privacy laws are out of date.'' I 
agree with his conclusion that, in the end, ``we need stronger privacy 
safeguards not to satisfy European government, but to assure the 
protection of our own citizens.''
  There is a cartoonish quality to the excesses of Ken Starr and the 
ham-handedness of the House Republican leadership, who seem to be vying 
for the title of poster child for privacy reform legislation. This 
could lull us into a false sense that their sort of nonsense may be 
pernicious, but it is not something that affects the average citizen. 
Do not be misled. It bears repeating again and again that personal, 
financial and medical information of any American can fall into the 
wrong hands.
  Americans are rightly concerned about the adequacy of privacy 
protection in this country. Indeed, this is a matter that concerns all 
Americans in the most personal of ways.
  The European Union has responded to the demands of the information 
age with tough privacy standards. The privacy protections in our new 
digital signature legislation show that we can get ahead of the curve, 
anticipate problems and head them off even before they arise, if only 
we give the matter the attention it deserves.
