[Congressional Record Volume 146, Number 154 (Thursday, December 14, 2000)]
[Senate]
[Pages S11777-S11779]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




              REPORT CARD OF THE 106TH CONGRESS ON PRIVACY

  Mr. LEAHY. Mr. President, I rise today, as Chairman of the Senate 
Democratic Privacy Task Force, to speak about the privacy rights of all 
American citizens and the failure of this Congress to address the 
important issues threatening these fundamental rights of the American 
people.
  When he announced the creation of the Democratic Privacy Task Force 
earlier this year, the Senate Democratic Leader, Senator Tom Daschle, 
said, ``The issue of privacy touches virtually every American, often in 
extremely personal ways. Whether it is bank records or medical files or 
Internet activities, Americans have a right to expect that personal 
matters will be kept private.'' Yet, our laws have not kept pace with 
sweeping technological changes, putting at risk some of our most 
sensitive, private matters, which may be stored in computer databases 
that are available for sale to the highest bidder. As Senator Daschle 
stated, ``That is wrong, it's dangerous, and it has to stop.''
  In leading the Democratic Privacy Task Force, I took this charge to 
heart and determined that an important first step in formulating 
workable and effective privacy safeguards was to make sure we 
understood the scope of the problem, both domestically and 
internationally, the status of industry self-regulatory efforts and the 
need for legislative solutions. At the announcement of the Privacy Task 
Force, I noted that we would focus on Internet, financial and medical 
records privacy, explaining that, ``It is important to come to grips 
with the erosion of our privacy rights before it becomes too late to 
get them back. We need to consider a variety of solutions, including 
technological one, and we need to look at the appropriate roles for 
private as well as public policy answers.''
  To this end, the Senate Democratic Privacy Task Force sponsored 
several member meetings and briefings on administrative steps underway 
in the Clinton-Gore Administration to protect people's privacy, 
industry self-regulatory efforts, and other specific privacy issues. 
These meetings included a discussion with White House privacy experts 
Peter Swire, Chief Counselor for Privacy at the Office of Management 
and Budget, and Sally Katzen, Counselor to the Director at the Office 
of Management and Budget, on the status of multilateral negotiations on 
implementation of the EU Privacy Directive and the effects on U.S. 
business. At another meeting, officials from OMB and the Department of 
Treasury described financial privacy issues. Yet another meeting 
provided a public forum for industry executives representing various 
seal programs to describe the successes and pitfalls of internet 
privacy self-regulatory activities. These task force meetings focused 
on relevant and pressing issues affecting consumer privacy in this 
country, prompting many Democratic members to look at legislative 
solutions.
  Democrats have worked to enhance consumer privacy protections through 
the introduction of several legislative proposals--some with bipartisan 
support-- regarding medical, financial, and online privacy and identity 
theft. Democratic Senators who have sponsored privacy legislation this 
Congress include, Senators Boxer, Breaux, Bryan, Byrd, Cleland, 
Daschle, Dorgan, Dodd, Durbin, Edwards, Feinstein, Feingold, Harkin, 
Hollings, Inouye, Johnson, Kennedy, Kerry, Kohl, Lautenberg, Mikulski, 
Murray, Robb, Rockefeller, Sarbanes, Schumer, Torricelli, and 
Wellstone.
  Despite the best efforts of Democratic Senators to heed the public 
call for greater privacy protection and to bring privacy issues to the 
forefront of our legislative agenda, the Republican majority has failed 
to bring all sides and stakeholders together to craft workable and 
effective safeguards in any of the areas where privacy rights are most 
at risk, namely, for internet activities, medical records or financial 
information.
  During this Congress, for example, instead of focusing on ways to 
enhance privacy safeguards, the largest number of hearings (thirteen) 
and innumerable briefings held by the Senate Judiciary Committee or its 
subcommittees were directed at dissecting the manner in which the 
Department of Justice handled the investigation and prosecution of 
certain cases involving national security-related information and 
campaign financing. In the eyes of some members, the convictions 
obtained were proof of success, and in the eyes of others they were 
not. In our next Congress, it is my hope that we will not be distracted 
by such partisan pursuits, but that our time will be better spent on 
crafting privacy legislation that will make a real difference in the 
lives of every American. This is no easy task and will require both 
hard work and the commitment of member and staff time, but the next 
Congress should not shy away from this important issue, as has this 
one.
  The right to privacy is a personal and fundamental right protected by 
the Constitution of the United States. The digitalization of 
information and the explosion in the growth of computing and electronic 
networking offer tremendous potential benefits to the way Americans 
live, work, conduct commerce, and interact with their government. Yet, 
new technologies, new communications media, and new business services 
created with the best of intentions and highest of expectations 
challenge our ability to keep our lives to ourselves, and to live, work 
and think without having personal information about us collected and 
disseminated without our knowledge or consent. Indeed, personal 
information has become a valuable and widely traded commodity by both 
government and private sector entities, which may used the information 
for purposes entirely unrelated to its initial collection. Moreover, 
this information may be stolen, sold or mishandled and find its way 
into the wrong hands with the push of a button or click of a mouse.
  The American people are becoming more aware of this problem and are 
growing increasingly concerned with expanding encroachments on their 
personal privacy. American consumers are demanding better privacy 
protection and simply avoiding those markets perceived to pose the most 
risk to privacy interests.
  New technologies bring with them new opportunities, both for the 
businesses that develop and market them, and for consumers. It does not 
do anyone any good for consumers to hesitate to use any particular 
technology because they have concerns over privacy.

[[Page S11778]]

That is why I believe that good privacy policies make good business 
policies. Consumer concerns can be a serious drag on the marketplace, 
and the Congress may help bolster consumer confidence by putting in 
place the appropriate legislative privacy safeguards. Let me outline 
some of the areas in which I have introduced privacy legislation and 
will continue to work for constructive solutions.

  While many emerging technologies challenge privacy protection, the 
greatest modern threat may be found online. Concerns over the privacy 
of online interaction easily dominate both the media and the public. 
The American public has a number of concerns when they go online. They 
worry whether their privacy will be protected, whether a damaging 
computer virus will attack their computer, whether a computer hacker 
will steal their personal information, adopt their identity and wreak 
havoc with their credit, whether their kids will meet a sexual predator 
and whether government or private sector entities are surreptitiously 
monitoring their online activities and communications.
  Unfortunately, these concerns are merited, and will continue to 
increase as online technology evolves. As the recent popularity of 
peer-to-peer sharing software, used in the Napster service, 
demonstrates, the way in which people use the personal computer is 
changing. Increasingly, personal information, such as diaries, 
finances, and schedules, will not be stored on hard drives, but instead 
on Internet-based files. Combined with the reality that a substantial 
amount of our information is being carried over the ``Wireless Web,'' 
access to our personal information--by private and by public snoopers--
is also growing exponentially.
  I proposed S. 854, the Electronic Rights for the 21st Century Act or 
the E-Rights bill, to address these concerns. This legislation would 
have modified the blanket exception in current law allowing electronic 
communications service providers to disclose a record or other 
information pertaining to a subscriber to any non-governmental entity 
for any purpose or use. Due to this exemption, ISPs and OSPs may sell 
their subscriber lists or track the online movements of their 
subscribers and sell that information--all without the subscribers' 
knowledge or consent. The E-RIGHTS Act would have cut back on this 
exemption by requiring ISPs to give subscribers an opportunity to 
prohibit disclosure of their personal information and enumerating the 
situation in which the information may be used or disclosed without 
subscriber approval. Serious consideration of this proposal would have 
provided a constructive basis for discussion of online privacy, a 
discussion that has been postponed until the next Congress.
  Enhanced privacy protection for confidential information held by 
bankrupt firms is necessary. Internet users are often promised basic 
privacy protection, only to have their expectations disappointed and 
their personal information put up for sale or disseminated in ways to 
which they never consented. Sadly, expectations and assumptions are not 
always safe online. For example, Toysmart.com, an online toy store, 
recently filed for bankruptcy and its databases and customer lists were 
put up for sale as part of the liquidation of the firm's assets. This 
personal customer information was put on the auction block even though 
Toysmart.com's privacy statement promised that ``[w]hen you register 
with toysmart.com, you can rest assured that your information will 
never be shared with a third party.''
  The Toysmart.com situation exemplifies the need for our privacy laws 
to recognize the dangers online services pose and to keep pace with the 
Internet's increased usage and ever evolving technology. I introduced, 
along with Senators Torricelli, Kohl and Durbin, S. 2758, ``The Privacy 
Policy Enforcement in Bankruptcy Act of 2000'' specifically to address 
the problems created by Toysmart.com. Currently, the customer databases 
of failed Internet firms can be sold during bankruptcy, even in 
violation of the firm's stated privacy policy. This is unacceptable. 
The Act would prohibit the sale of personally identifiable information 
held by a failed business if the sale or disclosure of the personal 
information would violate the privacy policy of the debtor in effect 
when the personal information was collected, providing at least a 
modicum of protection for privacy rights online. It was my hope that 
the majority would support this legislation and effect swift passage so 
that we could at least make some progress in the protection of 
important privacy rights. Unfortunately the majority has chosen to 
ignore this legislation, along with other numerous privacy initiatives, 
with the consequence that is has gone nowhere.
  Enhanced privacy protection from unreasonable government searches and 
surveillance is another area that requires attention. Internet users 
are concerned about whether their privacy rights are threatened by 
prodding surveillance technology, as demonstrated by the public outcry 
over the ``Carnivore'' program. Carnivore is used by the Federal Bureau 
of Investigation to monitor the Internet activity of suspected 
criminals and is completely undetectable as it intercepts the suspect's 
email, web, and chat-room activity. Fortunately, the ``Carnivore'' 
program is capable of filtering protected or unnecessary information 
from that which should be intercepted. Nevertheless, concerns persist 
over the capabilities represented by this electronic surveillance 
technology and its potential invasiveness.
  The E-RIGHTS Act, S. 854, which I introduced in April, 1999, contains 
a number of provisions designed to update our fourth amendment rights 
in the face of technological advances and new surveillance 
technologies. This legislation enhances privacy protections in several 
areas by strengthening procedures for law enforcement access to private 
information stored on Internet networks, location information for 
cellular telephones, decryption assistance for encrypted intercepted 
communications and stored data, communications occurring over 
conference calls when the target of a wiretap order has dropped off the 
call, and information obtained under pen register and trap and trace 
orders. Once again, no action was taken on this legislation despite my 
continued efforts to urge the Judiciary Committee to take it up.
  Just as the widespread dissemination of personal information through 
online services deserves Congressional attention, the rapid expansion 
of the financial services industry requires affirmative action to 
protect private, financial information. In November 1999, President 
Clinton signed into law the landmark Financial Modernization Act of 
1999, which updated our financial laws and opened up the financial 
services industry to become more competitive, both at home and abroad. 
I supported this legislation because I believed it would benefit 
businesses and consumers. It makes it easier for banking, securities, 
and insurance firms to consolidate their services, cut expenses and 
offer more products at a lower cost to all. But it also raises new 
concerns about our financial privacy.
  In the financial services industry, conglomerates are offering a wide 
variety of services, each of which requires a customer to provide 
financial, medical or other personal information. And nothing in the 
law prevents subsidiaries within the conglomerate from sharing this 
information for uses other than the use the customer thought he or she 
was providing it for. In fact, under current Federal law, a financial 
institution can sell, share, or publish savings account balances, 
certificates of deposit maturity dates and balances, stock and mutual 
fund purchases and sales, life insurance payouts and health insurance 
claims.
  As President Clinton recently warned: ``Although consumers put a 
great value on privacy of their financial records, our laws have not 
caught up to technological developments that make it possible and 
potentially profitable for companies to share financial data in new 
ways. Consumers who undergo physical exams to obtain insurance, for 
example, should not have to fear the information will be used to lower 
their credit card limits or deny them mortgages.'' I strongly agree.
  Senators Boxer, Bryan, Durbin, Feingold, Harkin, Mikulski and Robb, 
and I introduced the Financial Information Privacy and Security Act of 
1999, S. 1924, to give this Congress the historic opportunity to 
provide for the privacy of every American's personal financial 
information in the wake of

[[Page S11779]]

enactment of the financial modernization legislation. Our legislation 
was designed to protect the privacy of financial information by 
directing the Federal Reserve Board, Office of Thrift Supervision, 
Federal Deposit Insurance Corporation, Office of the Comptroller of the 
Currency, and the Securities and Exchange Commission to jointly 
promulgate rules requiring financial institutions they regulate to: (1) 
inform their customers what information is to be disclosed, and when, 
to whom and for what purposes the information is to be disclosed; (2) 
allow customers to review the information for accuracy; and (3) for new 
customers, obtain the customers' consent to disclosure, and for 
existing customers, give the customers a reasonable opportunity to 
object to disclosure. These financial institutions could use 
confidential customer information from other entities only if the 
entities had given their customers similar privacy protections.
  In addition, the bill would have provided individuals the civil right 
of action to enforce their financial privacy rights and to recover 
punitive damages, reasonable attorneys fees, and other litigation 
costs. Privacy rights must be enforceable in a court of law to be truly 
effective.
  I also joined with Senators Sarbanes, Bryan, Dodd, Durbin, Edwards, 
Feinstein, Harkin, Kerry and Robb to introduce the Financial 
Information Privacy Protection Act of 2000, S. 2513. This bill was the 
Clinton Administration's proposal to give consumers real control over 
the use and disclosure of their financial and health-related 
information held by financial institutions.
  I had hoped that these efforts would be just the beginning of this 
Congress's efforts to address the many financial privacy issues raised 
by ultra competitive marketplaces in the information age. It is clear 
that Congress needs to update our privacy laws in the evolving 
financial services industry to protect the personal, confidential 
financial information of all American citizens.
  Unfortunately, our Republican colleagues on the Senate Banking 
Committee did not feel the same way. This important financial privacy 
protection never saw the Senate floor, leaving confidential financial 
information disturbingly vulnerable.
  Just as troubling as the rejection of financial information 
protections is this Congress' failure to establish safeguards for the 
privacy of medical records. Undoubtably, maintaining the 
confidentiality of medical records is of the utmost importance. Medical 
records contain the most intimate, sensitive information about a 
person. For the past three Congresses, I have introduced comprehensive 
medical privacy legislation. In March 1999, I introduced S. 573, the 
Medical Information Privacy and Security Act, with Senators Kennedy, 
Daschle, Dorgan, Inouye, Johnson, Kerry and Wellstone, to establish the 
first comprehensive federal medical privacy law. This bill would close 
the existing gaps in federal privacy laws to ensure the protection of 
personally identifiable health information. Sadly, this legislation has 
gone nowhere, like all medical privacy legislation this Congress.
  In fact, Congress gave itself three years to establish medical 
records privacy legislation, but by the August 21, 1999 deadline, 
comprehensive medical records privacy rules did not exist. Instead the 
Department of Health and Human Services, as directed by Congress, 
drafted its own version. These placeholder privacy rules are better 
than no rules at all, but in the long run, Congress--not a federal 
agency--should set the basic standards on medical privacy, so that 
different administrations do not keep reducing the protections. I had 
hoped that the administrative rule-making process may finally prod 
Congress into action on a full-fledged policy, but as this Congress 
nears its conclusion, my optimism is waning.
  Even this past summer, when the Senate had an opportunity to protect 
the privacy of genetic information, it failed to do so. Senator Daschle 
introduced an amendment, which I supported, to the FY 2001 Labor HHS 
Appropriations bill that would have protected private genetic 
information from insurance companies and employers using such 
information to discriminate against individuals or raise insurance 
premiums. The Senate failed to adopt the amendment and failed, once 
again, to protect essential privacy rights.
  Congress has spent too long defining the problem instead of fixing 
it. We have not moved tangibly toward solutions in the six years since 
I convened the first hearings on technology and medical records in 
1993. Since then a number of bills have been introduced--by myself and 
others--but we have been unable to get the attention of the majority to 
move this legislation.
  In 1996 we tried to include medical privacy protections in the Health 
Insurance Portability and Accountability Act of 1996, HIPAA. Majority 
Leader Bob Dole at the time agreed with us that ``a compromise of 
privacy'' that sends information about health and treatment to a 
national data bank, without a person's approval, would be something 
that none of us would accept. What we settled for in 1996 was a 
provision requiring Congress to enact medical privacy legislation by 
August 21 of 1999. If the deadline was not met, which it was not, the 
Administration then would be required to issue regulations by February 
21, 2000, to protect the privacy of electronic records, but not paper-
based medical records. This is the current, pitiful state of medical 
records privacy protection and it is clearly unacceptable.
  The inexcusable failure to provide comprehensive medical records 
privacy for three-years and the obstruction of the Financial 
Information Privacy Act of 1999 are just two examples of this Congress' 
failure to affirmatively and aggressively protect the fundamental 
privacy rights of American citizens.
  I regret that this Republican-led Congress has not chosen to act on 
even one of the multiple legislative proposals protecting consumer 
privacy during the 106th Congress. It is my hope that we put partisan 
politics aside in the 107th Congress and take a hard look at how we can 
and should protect the fundamental right of privacy in the 21st 
Century. As each day passes, new financial services, new online 
services, and new medical data bases are taking shape and institutional 
practices employing these new technologies are taking root. Unless we 
decide that privacy is worth protecting--and soon--the erosion of our 
privacy rights will become irreversible.

                          ____________________