[Federal Register Volume 59, Number 29 (Friday, February 11, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-3185]
[Federal Register: February 11, 1994]
_______________________________________________________________________
Part IX
Department of Commerce
_______________________________________________________________________
National Telecommunications and Information Administration
_______________________________________________________________________
Inquiry on Privacy Issues Relating to Private Sector Use of
Telecommunications-Related Personal Information; Notice
DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
[Docket No. 940104-4004]
Inquiry on Privacy Issues Relating to Private Sector Use of
Telecommunications-Related Personal Information
AGENCY: National Telecommunications and Information Administration
(NTIA), Commerce.
ACTION: Notice of Inquiry; Request for Comments.
-----------------------------------------------------------------------
SUMMARY: NTIA is conducting a comprehensive review of privacy issues
relating to private sector use of telecommunications-related personal
information associated with the National Information Infrastructure.
Public comment is requested on issues relevant to such a review. After
analyzing the comments, NTIA intends to issue a report, which may make
recommendations to the Information Infrastructure Task Force and
Congress in the area of telecommunications and information policy, as
appropriate.
DATES: Comments should be filed on or before March 14, 1994, to receive
full consideration.
ADDRESSES: Comments (seven copies) should be sent to the Office of
Policy Analysis and Development, NTIA, U.S. Department of Commerce,
14th St. and Constitution Ave., NW., room 4725, Washington, DC 20230.
FOR FURTHER INFORMATION CONTACT: Carol Mattey or Lisa Leidig, Office of
Policy Analysis and Development, 202-482-1880.
AUTHORITY: National Telecommunications and Information Administration
Organization Act of 1992, Public Law 102-538, 106 Stat. 3533 (1992) (to
be codified at 47 U.S.C. 901 et seq.).
SUPPLEMENTARY INFORMATION:
I. Introduction\1\
---------------------------------------------------------------------------
\1\This Notice of Inquiry and Request for Comments is available
in electronic form on the NTIA Bulletin Board at 202-482-1199.
Please set your communications parameters to No parity, 8 data bits,
and 1 stop bit (N,8,1). Commenters are encouraged to file their
comments electronically at the same number.
---------------------------------------------------------------------------
1. Today, there is a thriving U.S. industry dealing in personal
information. Over 10,000 lists of data about individuals are available
for rent.\2\ According to one 1990 estimate, the business of selling
personal information was a $3 billion per year industry.\3\ Personal
computers can be used to access information services that provide a
wealth of information about individuals.\4\ Often such personal data
is being manipulated for purposes other than those originally intended
when collected, and the parties engaging in such activities have no
prior direct relationship with the individual to whom the
information pertains. Moreover, many Americans have little idea of what
information is being collected about them or the many possible uses of
such information.
---------------------------------------------------------------------------
\2\See Daniel Mendel-Black & Evelyn Richards, ``Peering Into
Private Lives,'' Wash. Post, Jan. 20, 1991, at H6; Jill Smolowe,
``Read This!!!!!!,'' Time, Nov. 26, 1990, at 62, 66 (referring to
the Direct Mail List Rate and Data published by the Standard Rate &
Data Service, which contains descriptions of over 10,000
commercially available lists).
\3\Smolowe, supra note 2, at 66.
\4\For instance, Mead Data Central, Inc., which operates the
legal data base ``Lexis,'' operates a data base entitled ``Lexis
Finder'' that is a nationwide white page directory of 111 million
individuals' addresses, telephone numbers, and other information.
Typical entries provide the names of individuals that reside at a
particular residence, their month and year of birth, their telephone
number, when that number was first listed in the telephone
directory, their dwelling type (e.g., single family, multi-family),
whether the residence is owned, and the median value of homes in the
applicable census tract. Dialog, Prodigy, and CompuServe also
provide access to data bases containing personal information about
individuals. See, e.g., Claudia H. Deutsch, ``Headhunting from a
Data Base,'' N.Y. Times, May 6, 1990, at C25; William M. Bulkeley,
``Bill Collectors Master Automated Arm-Twisting,'' Wall St. J.,
Sept. 10, 1990, at B1; Jeffrey Rothfeder, ``Is Nothing Private?,''
Bus. Wk., Sept. 4, 1989, at 74, 74-82.
---------------------------------------------------------------------------
2. The National Information Infrastructure (NII)--the evolving
seamless interactive web of communications networks, computers, data
bases, and consumer electronics in the United States--will accelerate
this trend even further.\5\ As the NII develops, Americans will be
able to access numerous commercial, scientific, and business data
bases, obtain government information and apply for government benefits,
select and customize entertainment programming, engage in retail,
banking, and other commercial transactions, express their views to
Federal, State, and local government officials, and engage in
productive employment, all from the comfort of their homes. With this
growth in the number of electronic transactions, the accelerated
collection of personal information, and the increase in the
interconnectivity of telecommunications networks and information
service providers, however, comes increasing public concern about
communications and personal privacy.\6\
---------------------------------------------------------------------------
\5\The phrase ``NII'' is used in this document as shorthand for
the Administration's vision of what this information superhighway
should be. Obviously, many telecommunications networks that are a
component of this vision already exist, and have been evolving for
many years. In recent years, U.S. companies have invested more than
$50 billion annually in telecommunications infrastructure. The
Administration's NII Initiative seeks to develop policies and
programs to spur the evolution of the existing infrastructure into a
``network of networks.'' For a further discussion of the NII, see
``The National Information Infrastructure: Agenda for Action,'' 58
FR 49,025 (1993) (Agenda for Action). The package is available on
Internet, in ASCII format through both FTP and Gopher. The FTP file
name is ``niiagenda.asc''. Address: ``ftp.ntia.doc.gov''. Login as
``anonymous''. Use your email address or guest as the password.
Change directory to ``pub''. The Gopher address is
``gopher.nist.gov''. Login as ``gopher''. Choose the menu item ``DOC
Documents''. Choose ``ntiaagenda.asc''.
\6\A 1993 Louis Harris & Associates public opinion survey found
that 83% of Americans are concerned about threats to personal
privacy, a five point rise over responses to an identical question
in a Harris survey a year earlier. ``Public's Privacy Concerns Still
Rising,'' Privacy & Am. Bus., Sept./Oct. 1993, at 3.
---------------------------------------------------------------------------
3. On September 15, 1993, the Clinton Administration announced the
formation of a federal interagency task force--the Information
Infrastructure Task Force (IITF)--that would work with Congress and the
private sector to propose policies and initiatives needed to accelerate
the deployment of the NII. One of the IITF's goals is to ensure that
the NII's operations are compatible with the legitimate privacy
interests of its users, while recognizing the legitimate societal need
for the flow of information.\7\
---------------------------------------------------------------------------
\7\``Agenda for Action,'' supra note 5, at 49,029.
---------------------------------------------------------------------------
4. One of the agencies participating in the IITF is the National
Telecommunications and Information Administration (NTIA), which is the
Executive Branch agency principally responsible for developing and
articulating domestic and international telecommunications policies. As
the principal advisor to the President on telecommunications policies,
NTIA conducts studies and makes recommendations regarding
telecommunications policies, activities, and opportunities, and
presents Executive Branch views on telecommunications matters to the
Congress, the Federal Communications Commission (FCC), state and local
governments, and members of the public.\8\
---------------------------------------------------------------------------
\8\NTIA was established by Executive Order in 1976. E.O. 12,046,
3 CFR 1978 Comp. (1978), reprinted in 47 U.S.C. Sec. 305 note (1988
& Supp. 1991). Congress codified NTIA's functions in the National
Telecommunications and Information Administration Organization Act
of 1992, Pub. L. No. 102-538, 106 Stat. 3522 (1992) (to be codified
at 47 U.S.C. 901 et seq.).
---------------------------------------------------------------------------
5. NTIA is undertaking this proceeding to examine the privacy
implications associated with private sector use of personal information
associated with the NII.\9\ Consistent with NTIA's communications
and information policy function, we focus our inquiry on potential uses
of information generated by interactive multimedia and by telephone
usage and transactions utilizing the telephone, known as telephone
transaction generated information (TTGI). We ask whether any
overarching principles can be developed that would apply to all firms
in the telecommunications sector. Moreover, we consider the issues that
arise when such telecommunications-related information is used to
create and disseminate detailed dossiers about individuals. We then
address the role of industry self-regulation for providers of
telecommunications and information services. Finally, we solicit
comment on other countries' actions to ensure the privacy of
information transmitted over telecommunications networks, and how any
U.S. policies in this area will affect the international arena. The
record developed in this proceeding will be used to develop
recommendations in the area of communications and information policy
for presentation to the IITF and Congress, as appropriate.
---------------------------------------------------------------------------
\9\While there are equally important issues relating to
governmental (as opposed to private sector) access to personal
information and transactional records associated with the NII, such
questions are outside the scope of this inquiry. Likewise, we do not
address issues relating to encryption and unauthorized access to the
content of communications transmitted over the NII.
---------------------------------------------------------------------------
II. Privacy in a Changing Environment
6. A critical question is what exactly should the right to privacy
entail in today's information economy.\10\ In a seminal law review
article in 1890, Samuel Warren and Louis Brandeis defined the right of
privacy as ``the right to be left alone.''\11\ In more recent years,
privacy has been defined by one academic as ``the claim of individuals,
groups, or institutions to determine for themselves when, how, and to
what extent information about them is communicated to others.''\12\
---------------------------------------------------------------------------
\10\In the discussion that follows, we consider the right to
privacy only as it pertains to the collection and dissemination of
personally identifiable information about individuals, and not in
the sense used in Supreme Court cases involving abortion,
contraception, and other personal behavior.
\11\Samuel D. Warren & Louis D. Brandeis, ``The Right of
Privacy,'' 4 Harv. L. Rev. 193, 205 (1890).
\12\Alan F. Westin, ``Privacy and Freedom'' 7 (1970).
---------------------------------------------------------------------------
7. There is no single privacy law in the United States; rather,
U.S. privacy law is a patchwork of constitutional, statutory,
regulatory, and common law protections.\13\ While the Supreme Court
has held that the Fourth Amendment restricts the ability of government
to collect information from places in which an individual has a
reasonable expectation of privacy, there is no constitutional right to
be free from analogous intrusions by private sector parties. Tort law
limits intrusive collection of private information, penalizes
unwarranted disclosure of such information, and protects against
disclosure of erroneous information about individuals. A number of
statutes, at both the federal and state level, protect individuals from
governmental misuse of personal information, while other statutes adopt
``fair information principles'' for private sector record keepers in
specific industries.\14\
---------------------------------------------------------------------------
\13\See generally Wayne Madsen, ``Handbook of Personal Data
Protection'' (1992); National Telecommunications & Information
Administration, U.S. Dep't of Commerce, NTIA Rep. 82-98, ``Privacy
Protection Law in the United States'' (1982).
\14\See, e.g., Cable Communications Policy Act of 1984, 47
U.S.C. 551 (1988) (1984 Cable Act); Video Privacy Protection Act of
1988, 18 U.S.C. Secs. 2710-2711 (1988) (Video Act). See discussion
infra at paras. 16-18.
---------------------------------------------------------------------------
8. In 1974, Congress established the Privacy Protection Study
Commission to undertake a broad study of whether privacy rights were
being adequately protected in the emerging information society.\15\
In its final report, issued in 1977, the Commission concluded that
federal privacy laws should advance three concurrent policy goals--
---------------------------------------------------------------------------
\15\See Section 5 of the Privacy Act of 1974, Pub. L. No.
93-579, 88 Stat. 1897 (codified at 5 U.S.C. 552a (1988)) (Privacy Act).
Among other things, the Commission was directed to examine the
standards and procedures in force for the protection of personal
information in data banks and information systems of private
organizations, and to determine whether the principles of the
Privacy Act should be applied to such organizations. For a further
description of the Privacy Act, see discussion infra at para. 41.
---------------------------------------------------------------------------
To minimize intrusiveness by creating a proper balance
between what an individual is expected to divulge to a record-keeping
organization and what he or she seeks in return;
To maximize fairness by opening up record-keeping
operations in ways that will minimize the extent to which recorded
information about an individual is itself a source of unfairness in any
decision about him or her; and
To create legitimate, enforceable expectations of
confidentiality by creating and defining obligations with respect to
the uses and disclosures that will be made of recorded information
about an individual.\16\
---------------------------------------------------------------------------
\16\See Privacy Protection Study Commission, ``Personal Privacy
in an Information Society'' 14-15 (1977).
---------------------------------------------------------------------------
9. Today, more than fifteen years later, there have been further
advances in telecommunications and information technology. Given the
proliferation of computerized data collection and the prospect of
converging technologies--computers, telephones, and mass media--it is
time to reconsider what privacy means in developing electronic
communities.
10. The Administration has a broad vision of a future NII that will
enable people in their homes, schools, places of business, and
elsewhere to benefit from improved communications and access to
information resources. In such a world, the collection and
dissemination of information can serve many useful social and economic
purposes. At the same time, each new communications and information
service potentially affects the privacy interests of individuals and
businesses. What are the First Amendment implications of regulating the
dissemination of information by individuals or businesses?
11. What technology is available now, or in the foreseeable future,
that could have an impact on the privacy expectations of
telecommunications users? Should the ability of technology to enhance,
or threaten, privacy have a bearing on what expectations of privacy are
deemed ``reasonable''? Can privacy laws or policies be developed that
are technology-neutral? How can we ensure that whatever privacy
protections are in place apply equally to all Americans who use
the NII, both younger and older, the wealthy, the middle class and the
disadvantaged, and the technologically literate and the uneducated?
12. As the components of the NII develop, it may become
increasingly difficult to define the rights and responsibilities of
stakeholders. Today, one set of privacy requirements applies to
traditional cable operators; other rules apply to telecommunications
common carriers (with even more specialized rules that apply to the
Regional Bell Operating Companies and AT&T); and other firms that
provide telecommunications and information services are subject to no
restrictions on how they use personal information. Are there any
overarching principles that can be extended across specific services in
the telecommunications sector? Given the convergence of different
industries within this sector, is there a need for a more comprehensive
approach to privacy regulation? Can ``fair information principles'' be
extended to interactions between individuals in an electronically wired
nation?
III. Multimedia Transactions
13. The NII could ultimately provide access to interactive
multimedia, integrated digital streams of video, audio, text, and
graphics that will allow an instantaneous dialogue between the user and
the system for the transmittal of information. Interactive multimedia
encompasses such services as video on demand, participatory television,
electronic publishing, interactive video games, teleshopping,
telebanking, videoconferencing, remote medical testing and evaluation,
and distance learning.\17\ For example, using devices with the
attributes of a telephone, a television, a camcorder, and a personal
computer, students ultimately may be able to browse through the
collections of any library in the country and collaborate on research
projects with others hundreds of miles away, individuals may be able to
experience special family events like a christening or wedding even
though they cannot attend in person, and citizens may be able to
participate in electronic town meetings. In addition, small businesses
as well as large may take advantage of the latest in computer
technology to design products and provide useful services, and
consumers may be able to shop for the best prices in town on groceries,
furniture, clothing, or other consumer items.
---------------------------------------------------------------------------
\17\Some of these services are already currently available in
some form, while others are in the developmental stage.
---------------------------------------------------------------------------
14. Of necessity, usage of such multimedia services may create the
electronic equivalent of a paper trail capturing many details of a
person's life. Moreover, as more and more everyday interactions take
place on-line, it will become even easier to compile, package, and sell
information about individuals than presently is the case. The existence
of more extensive transactional data may enable both large and small
firms to conduct more effective targeted advertising and market
research, which could facilitate the ability of individuals to access
the products and services they desire. At the same time, people may be
uncomfortable with the notion that ``someone'' may be keeping track of
every interaction they engage in with the outside world.
A. Existing Legal Framework
15. Several laws are relevant to the use of transactional records
associated with communications media. Three of these laws--the 1984
Cable Act, the Cable Television Consumer Protection Act of 1992 (1992
Cable Act), and the Video Act--in essence adopt ``fair information
principles'' for the use of cable subscriber data and video cassette
rental and sale data. In contrast, the Electronic Communications
Privacy Act of 1986 (ECPA) imposes no restrictions on private sector
use of transactional data.
16. The 1984 Cable Act precludes cable operators or third parties
from monitoring the viewing habits of cable subscribers. Under the
subscriber privacy provisions of that Act,\18\ cable operators are
required to inform their subscribers at the time of entering into a
contractual arrangement, and annually thereafter, of the nature of the
``personally identifiable information'' they collect about subscribers,
their data disclosure practices, and subscriber rights to inspect and
correct errors in such data. Cable operators are prohibited from using
the cable system to collect personally identifiable information about
their subscribers, except that which is necessary to render cable
service, without subscriber consent, and are generally barred from
disclosing such data to third parties without written or electronic
consent.\19\ Cable operators may sell their mailing lists to third
parties only if they have given their subscribers an opportunity to
limit such disclosure, and the disclosure does not reveal the viewing
habits or other transactions of the subscriber.\20\
---------------------------------------------------------------------------
\18\47 U.S.C. 551.
\19\Government entities may obtain subscriber data from cable
companies only after obtaining a court order reflecting a judicial
finding that the data sought is likely to reveal criminal activity.
Subscribers must be notified of the government's request for
information and provided with an opportunity to contest it prior to
issuance of the court order.
\20\Numerous state laws apply similar restrictions on use of
cable subscriber data. See, e.g., Cal. Penal Code 637.5 (Deering
1993) (prohibiting cable company from disclosing any information
regarding a subscriber, without consent); D.C. Code Ann. Sec. 43-
1845 (1981) (requiring cable provider to ``exercise the highest
possible standard of care in protecting the privacy of data in its
possession with respect to any individual subscriber's financial
transactions, viewing selections, and utilization of other computer-
based interactive services.''). See generally Robert E. Smith,
``Compilation of State and Federal Privacy Laws'' (1992).
---------------------------------------------------------------------------
17. The 1992 Cable Act extended the protections of the 1984 Cable
Act to new wire and radio services that may be provided over cable
facilities, such as personal communications services (PCS). It also
requires cable operators to take actions necessary to prevent
unauthorized access to personal information by persons other than the
subscriber or cable operator.\21\
---------------------------------------------------------------------------
\21\Pub. L. 102-385, Sec. 20, 106 Stat. 1497 (to be codified at
47 U.S.C. 551(a)(2), (c)(1)).
---------------------------------------------------------------------------
18. The Video Act protects the privacy of video cassette rentals
and sales.\22\ Among other things, the law prohibits disclosure of the
fact that individuals have rented specific videos. Congress enacted
this law in part in reaction to the well-publicized disclosure of
Robert Bork's video rental history when he was under consideration for
the Supreme Court. The law prohibits video tape service providers from
disclosing to anyone the titles of video cassettes rented or purchased
by a particular individual without the customer's consent,\23\ although
they may release customer mailing lists and the subject matter (but not
specific titles) of customer selections if the customer has been given
the opportunity to object to such disclosure.\24\
---------------------------------------------------------------------------
\22\18 U.S.C. 2710-2711.
\23\Government entities are barred from obtaining customer
transaction information unless they obtain a court order
demonstrating probable cause to believe the data is relevant to law
enforcement activities.
\24\Numerous state laws apply similar restrictions. See, e.g.,
Conn. Gen. Stat. Ann. Sec. 53-450 (West 1992) (``All personally
identifiable information contained in the circulation records of any
person renting videotape cassettes shall be confidential.''); Md.
Code Ann. art. 27, Sec. 583 (1993) (prohibiting disclosure of the
identity of customers and their choices of video tapes). See
generally Robert E. Smith, ``Compilation of State and Federal
Privacy Laws'' (1992).
---------------------------------------------------------------------------
19. ECPA was enacted in 1986 to address new technologies not
anticipated by the 1968 federal wiretap law.\25\ While that law
generally prohibits eavesdropping and the interception of the content
of electronic mail, radio communications, data transmissions, and
telephone calls without consent, it imposes no restrictions on the
internal use by providers of an ``electronic communication
service''\26\ of transactional records pertaining to such
communications.\27\ As a consequence, such service providers are free
to make any use of the identity of the parties to the communication or
the fact of the communication. Moreover, while the ECPA specifies
standards and procedures for court authorized electronic surveillance
by government entities,\28\ and government access to stored electronic
communications,\29\ it does not restrict the dissemination of
transactional data that is maintained in electronic storage to non-
governmental entities. Indeed, a service provider is expressly
permitted to disclose transaction information concerning a subscriber
to any person, for any purpose, without notice or subscriber
consent.\30\
---------------------------------------------------------------------------
\25\18 U.S.C. Secs. 2510-2520, 2701-2709 (1988). Among other
things, the ECPA extended the prohibition on unauthorized
interception of wire telephone conversations to cellular (but not to
cordless) telephones, and extended such protections to stored
electronic communications.
\26\The ECPA defines an ``electronic communication service'' as
``any service which provides to users thereof the ability to send or
receive wire or electronic communications.'' 18 U.S.C.
Sec. 2510(15).
\27\18 U.S.C. 2511. See also S. Rep. No. 99-541, 99th Cong., 2d
Sess. 13 (1986) reprinted in 1986 U.S.C.C.A.N. 3555, 3567.
\28\18 U.S.C. 2516.
\29\18 U.S.C. 2703.
\30\18 U.S.C. 2703(c)(1)(A).
---------------------------------------------------------------------------
B. Areas of Inquiry
20. NTIA solicits comment on the extent to which the foregoing laws
would apply to multimedia services that will be delivered over the NII,
and if not, how they provide a useful model for new legislation.
Commenters are specifically asked to provide a legal analysis of
whether the cable subscriber privacy protections of the 1984 Cable Act,
as amended by the 1992 Cable Act, would apply to telephone companies
delivering multimedia services over switched broadband networks.
Commenters also are asked to provide a legal analysis of whether firms
that provide video on demand would be considered ``video tape service
providers'' as defined in the Video Act, 47 U.S.C. 2710(a)(4).
21. As a policy matter, what principles should apply to the
handling of transactional records associated with multimedia services
delivered over the NII? Should multimedia service providers be required
to obtain affirmative consent from NII users for the collection and
dissemination of personal information, and how should this type of
presumptively restricted information be defined? What should the user
be deemed to consent to by subscribing to or ordering NII multimedia?
22. Without consent, should any secondary uses of personal
information derived through the use of NII multimedia be permissible?
As a technical matter, is there any way a user could monitor subsequent
usage of personal information to ensure that such usage is consistent
with his or her expectations? Should there be a requirement that
transactional records be destroyed after some designated period of
time? How will these requirements be enforced, and what right of
redress will individuals have?
23. Should the ECPA be amended to impose restrictions on the use of
transactional records associated with electronic communications
services? What costs would such restrictions place on businesses, and
what impact would restrictions on information collection and
dissemination have on individuals?
IV. Telephone Transaction Generated Information
24. Existing telecommunications networks generate a vast amount of
personal information about telephone usage and transactions related to
telephone service, which is likely to increase as more advanced
services are offered. There are many forms of TTGI: white pages
information, yellow pages information, new telephone service orders,
aggregate telephone traffic information, calling number identification,
other network information,\31\ call detail records,\32\ and
billing and credit information. Today, some telephone companies are
subject to restrictions on the use and disclosure of telephone
transactional data, while other firms that have access to such
information are subject to no restrictions at all.\33\ Given that
the networks of telecommunications carriers are part of the backbone of
the NII, NTIA is interested in determining what policies, if any,
should govern the secondary use of telephone transaction generated
information. In the discussion below, we focus on two forms of TTGI:
Customer Proprietary Network Information (CPNI) and Automatic Number
Identification (ANI).
---------------------------------------------------------------------------
\31\Other network information includes customer premises
equipment information, pay-phone information, calling card
validation data, stored network facility arrangements, and bulk
calling line identification.
\32\Call detail records include the date and time of call, the
number called, the calling number, the geographic location of the
called number, the duration of the call, and the charge.
\33\In contrast, law enforcement agencies must obtain a subpoena
to obtain telephone toll records, demonstrating that such records
are likely to reveal criminal activity.
---------------------------------------------------------------------------
A. Existing Legal Framework
1. Customer Proprietary Network Information
25. When initially establishing telephone service for a customer,
telephone companies obtain information such as the subscriber's name,
billing address, and desired network services. Over time, telephone
companies maintain service records and billing records, which include
the monthly charges for network services, call detail for toll calls,
and, if applicable, call detail for local calls. Such information,
known as CPNI, is one form of telephone transaction generated
information.
26. Currently, there are no federal statutes governing the
secondary use of such information, but there are FCC rules governing
use of CPNI by AT&T and the Bell Operating Companies (BOCs). Those
rules prohibit the BOCs and AT&T from transferring the CPNI of
customers with more than twenty lines to affiliated personnel engaged
in the marketing of customer premises equipment (CPE) or unregulated
enhanced services unless they have the customer's permission. BOCs and
AT&T are allowed to make any use of the CPNI of smaller business and
residential customers without customer authorization. Upon customer
request, the BOCs and AT&T are required to release CPNI to unaffiliated
CPE vendors or enhanced services providers (ESPs) on the same terms and
conditions as made available to their affiliates.\34\
---------------------------------------------------------------------------
\34\ See Computer III Remand Proceedings: Bell Operating Company
Safeguards and Tier 1 Local Exchange Company Safeguards, 6 FCC Rcd
7571, 7609-14 (1991) (Computer III Remand); Furnishing of Customer
Premises Equipment by the Bell Operating Telephone Companies and the
Independent Telephone Companies, 2 FCC Rcd 143, 151-53 (1987);
Furnishing of Customer Premises Equipment and Enhanced Services by
American Telephone and Telegraph Co., 102 FCC 2d 655, 691-94 (1985),
modified in part on recon., FCC 86-341, Mimeo No. 36818 (rel. Aug.
7, 1986). For further background on the development of the FCC's
CPNI rules, see Amendment to Sections 64.702 of the Commission's
Rules and Regulations, 2 FCC Rcd 3072, 3093-98 (1987) (Third
Computer Inquiry), on recon., 3 FCC Rcd 1150, 1161-64 (1988),
further recon., 4 FCC Rcd 5927 (1989), rev'd, California v. FCC, 905
F.2d 1217 (9th Cir. 1990). Restrictions on the use of CPNI exist in
a number of states. See, e.g., Cal. Pub. Util. Code Sec. 2282.5
(Deering 1993); Mich. Comp. Laws Sec. 484.2305 (1992).
---------------------------------------------------------------------------
27. The FCC's CPNI rules apply only to the seven BOCs and AT&T.
Those rules were adopted largely to address competitive concerns based
on the potential advantage the BOCs and AT&T might have when they
provide unregulated enhanced services or terminal equipment and
regulated ``basic'' telecommunications services on an integrated
basis,\35\ rather than to protect customer privacy concerns.\36\
There are no restrictions on the use of CPNI by the more than 1,000
independent telephone companies, nonwireline cellular carriers,
interexchange carriers (IXCs) other than AT&T, ESPs, or other
businesses engaged in the provision of telecommunications and
information services.
---------------------------------------------------------------------------
\35\ CPNI can be used to identify new customers for enhanced
services or terminal equipment, such as subscribers moving into the
area or adding service locations, before competitors become aware of
them, and to prepare targeted marketing presentations. Unaffiliated
ESPs and terminal equipment vendors have alleged that the BOCs use
CPNI to gain an unfair competitive advantage. For instance, a BOC
could use CPNI to identify small businesses using outside answering
services in order to market its own answering service to those
businesses.
\36\ In the Computer III Remand decision, the FCC concluded that
customer privacy concerns would be raised if CPNI were released to
unaffiliated third parties without a customer's permission, but not
if such CPNI were used within the carrier's own affiliated business
operations. 6 FCC Rcd at 7611-12 n.159.
---------------------------------------------------------------------------
2. Automatic Number Identification
28. According to the Direct Marketing Association, on a typical
business day in 1993, approximately 60 million toll free telephone
calls were placed on the 1.8 million 800 numbers in the United
States.\37\ According to one estimate, more than 274 million calls
were placed to 900-number services in 1991, with over 14,000 pay-per-
call programs being offered by approximately 5,000 pay-per-call service
providers.\38\
---------------------------------------------------------------------------
\37\ Direct Marketing Association, Inc., ``Facts & Stats on
Telephone Marketing in America'' 29 (May 1993) (on file at NTIA).
\38\ William W. Burrington & Thaddeus J. Burns, ``Hung Up on the
Pay-Per-Call Industry?: Current Federal Legislative and Regulatory
Developments,'' 17 Seton Hall Legis. J. 359, 364 (1993). In 1992,
the revenues of the 900-number industry were estimated to be $550
million, with 60% of those revenues derived from entertainment
services, including horoscopes, soap opera updates, jokes, celebrity
call-in lines, and games, 15% from live group conversation lines, 7%
from political polling, 5% from product and event promotion, 5% from
adult-oriented lines, and 8% from other uses. See Cindy Skrzycki,
``FTC Issues Final Regulations for 900-Number Industry,'' Wash.
Post, July 28, 1993, at D5; Direct Marketing Association, supra note
37, at 30.
---------------------------------------------------------------------------
29. Interexchange carriers offering 800-number and 900-number
services provide their customers--that is, firms with 800 and 900
numbers--with monthly statements providing call detail for all calls
billed to them, including the telephone number of the calling party. In
addition, interexchange carriers provide real-time Automatic Number
Identification to those 800- and 900-number customers that choose to
subscribe to this feature.\39\ Firms that subscribe to 800- and 900-
number services use ANI for billing and routing, account management,
and security purposes. For instance, mail order retailers can expedite
transactions by retrieving the account information of a repeat customer
as soon as the call is received, while these and other businesses can
use such services to route large customers to their assigned account
executive.
---------------------------------------------------------------------------
\39\ ANI is an access signaling protocol used by local exchange
carriers (LECs) that automatically identifies the calling party's
telephone number. It was originally developed to provide telephone
subscribers with equal access to all long distance carriers, by
enabling those carriers to identify customers handed off from the
LECs.
A more advanced version of this technology that incorporates
Signalling System Seven (SS7) is used to provide Caller ID, a
service that enables telephone subscribers to see the telephone
number of the calling party before the call is answered. Because the
focus of NTIA's inquiry is on commercial use and misuse of personal
information, and Caller ID is primarily marketed to residential
customers, we do not examine Caller ID in this proceeding.
---------------------------------------------------------------------------
30. There are no FCC restrictions on the use or sale of ANI data
gathered from interstate calls. The FCC received comments on ANI in
1992 in its Caller ID proceeding,\40\ but has taken no further
action to date.
---------------------------------------------------------------------------
\40\ Rules and policies regarding calling number identification
services, CC Docket No. 91-281.
---------------------------------------------------------------------------
31. The only state that regulates the use or sale of ANI data of
which NTIA is aware is New York. New York's Public Service Commission
has issued terms and conditions concerning intrastate ANI, which became
effective in December 1992.\41\ Under these terms and conditions,
ANI information associated with an intrastate service in New York
cannot be used to establish marketing lists or to conduct marketing
calls. Firms may not resell or disclose ANI information to third
parties unless there is prior written consent from the subscriber.
Firms are allowed to gather ANI, however, for billing and collection,
routing, screening, to ensure network performance, to complete a
telephone subscriber's call or transaction, and for services directly
related to the telephone subscriber's original call.\42\
---------------------------------------------------------------------------
\41\ State of New York Public Service Commission, Opinion and
Order Concerning ANI Terms and Conditions No. 92-37 App. 2 at 1-2
(Dec. 3, 1992).
\42\ These terms and conditions are similar to those proposed in
the Telephone Consumer Privacy Protection Act of 1993, H.R. 3432,
discussed in the next subsection.
---------------------------------------------------------------------------
B. Proposed Law
32. Rep. Edward Markey, Chairman of the House Subcommittee on
Telecommunications and Finance of the House Committee on Energy and
Commerce, has introduced the Telephone Consumer Privacy Protection Act
of 1993 (H.R. 3432), which would regulate the usage of CPNI and ANI
data. The bill would amend the Communications Act to bar all local
exchange carriers from using CPNI (1) to provide any service other than
telephone exchange or telephone toll service, (2) to identify or
solicit potential customers for services other than that from which the
information is derived, or (3) to provide customer premises equipment.
LECs would be prohibited from disclosing CPNI to affiliates or other
persons that are not employees of the carrier, unless required by law
or requested by the customer. The legislation would prohibit LECs from
discriminating between affiliated and unaffiliated service or equipment
providers in providing access to individual and aggregate CPNI. The
bill also would require LECs to provide subscriber list information
(e.g., subscriber name and address) on nondiscriminatory and reasonable
terms to any person upon reasonable request.
33. The Telecommunications Infrastructure Act of 1993 (S. 1086) has
a similar provision governing the use of CPNI. S. 1086 would apply the
restriction more broadly, however, to all telecommunications
carriers,\43\ rather than to local exchange carriers. Moreover, S.
1086 would give subscribers the power to limit the disclosure of
subscriber list information.
---------------------------------------------------------------------------
\43\ S. 1086 defines a ``telecommunications carrier'' as any
provider of telecommunications services.
---------------------------------------------------------------------------
34. H.R. 3432 also would amend the Communications Act to bar
persons that use ANI (i.e., providers of 800 and 900 services) from
reusing or selling the telephone number or billing data provided
through ANI without first orally notifying the calling party and
providing that party the option of limiting or prohibiting such reuse
or sale. Otherwise, such information may only be used to perform the
services or transactions intended by the original call, or for other
limited uses, such as ensuring network security and performance.
However, firms with 800 and 900 numbers would be permitted to use ANI
to offer customers with whom they have an established customer
relationship a product or service directly related to that previously
acquired by that customer. Common carriers would be required to report
violations of these provisions to the FCC, and the FCC would be
authorized to order the termination of ANI service to the offending
party.
35. A bill that is pending in the Senate (S. 612) would impose
similar restrictions on the use of ANI by amending the federal wiretap
statute. However, unlike the House bill, S. 612 specifies that ANI
recipients may use such information for any lawful purpose if per call
blocking at no charge (or per line blocking in states that have adopted
such a requirement prior to the act's enactment) is available to the
calling party. S. 612 also would impose civil penalties on parties that
use information in violation of the statute's ANI requirements.
C. Areas of Inquiry
36. NTIA solicits comment on how CPNI will evolve as the NII
develops, and how its treatment should evolve. Is it correct to assume,
as the FCC did when it adopted the current CPNI rules for provision of
enhanced services in 1991,\44\ that there are no significant privacy
concerns when CPNI is made available to different divisions within a
single integrated company? To what extent do the competing rationales
associated with regulating access to CPNI--maintaining competitive
equity between the BOCs and AT&T and unaffiliated ESPs, protecting
customer privacy, and permitting efficient marketing and provision of
enhanced services--apply to other types of carriers, such as
competitive access providers, IXCs, cellular telephone service
providers, and cable companies, that will be part of the NII? We note
in this regard that rationales for regulating use of CPNI based on
competitive concerns suggest a focus on ``dominant'' providers (i.e.,
those with market power), while customer privacy rationales would seem
to suggest a broader application of such regulatory protections.
---------------------------------------------------------------------------
\44\ 6 FCC Rcd at 7611-12 n.159.
---------------------------------------------------------------------------
37. When consumers purchase goods or services through an 800
number, they ordinarily orally disclose their name, telephone number,
credit card number, billing address, and other information necessary to
complete the transaction. Similarly, individuals that call 900 numbers
are aware that a charge for that call will appear on their telephone
bill. How is individual privacy additionally threatened by the
potential passage of ANI to firms with 800 and 900 numbers? Is it
reasonable to allow NII service providers to use ANI information to
market new products or services to established customers? Should the
answer to this question differ, depending on whether the individual has
previously disclosed his or her telephone number to the called party,
either orally or in writing? Should firms that offer 800- and 900-
number services be required to notify callers at the outset of the
conversation that their telephone number has been recorded? Do states,
other than New York, have restrictions on the intrastate use and sale
of ANI data, and is there a need for federal legislation in this area?
38. Does H.R. 3432 strike an appropriate balance between telephone
subscriber privacy interests, and the desire of information gatherers
to use customer information to provide services over the NII? Should
NII users have easy access to some forms of TTGI (such as white page
directory information), but not others? Should the burden be on the
telephone subscriber to direct that transactional information not be
used (the so-called opt-out approach), or on the party that gathers the
information to obtain consent for the use of such information (the opt-
in approach), and what specific consent mechanism should be used in
either case? What costs would such restrictions impose on businesses?
As a matter of policy, should any restrictions on the use of TTGI apply
to all telecommunications carriers, rather than LECs?
39. NTIA solicits comment on whether NII network operators and
service providers should be required to inform their customers, at the
time service is initially established and periodically thereafter, what
TTGI is accumulated about them, and how that information is used or
disseminated to third parties. How would compliance with such rules be
enforced, and what body should enforce them? If the end result of such
restrictions is that less information is collected and disseminated in
our society, what impact would that have on individuals, businesses,
and the NII?
V. Development of Personal Profiles
40. Enhanced information and computing technology, and the greater
interconnectivity of telecommunications networks, will allow greater
access to a broad range of record systems containing health, financial,
academic, government, employment, telephone and other information that
may be of a highly sensitive and personal nature. Easy and often
anonymous access to such information raises concerns that anyone will
be able to download information about individuals from different data
bases and compile that information into detailed personal dossiers.
A. Existing Legal Framework
41. In order to create a personal profile, a two-step process is
required--accessing the information and ``matching up'' the information
for each individual. The Privacy Act of 1974\45\ and a 1988
amendment to that Act--the Computer Matching and Privacy Protection Act
of 1988 (Matching Act)\46\--provide federal guidelines governing the
compilation, use, and dissemination of personal information gathered by
government agencies.
---------------------------------------------------------------------------
\45\ 5 U.S.C. 552a.
\46\ 5 U.S.C. 552a(o)-(q) (1988).
---------------------------------------------------------------------------
42. The Privacy Act's matching provisions regulate the conditions
under which federal agencies may match personal information held in
their data bases with data stored in other data bases. Such matching
often is done in order to verify the eligibility of individuals for
federal benefits. For example, a government agency may ``match'' its
employee list with a list of persons receiving public assistance. The
match would identify persons who are earning an income and improperly
receiving public assistance at the same time. Such matching, without
regulation, may result in indiscriminate swapping of data files.
43. Under the Matching Act, matching takes place under the
``routine use'' exception to the Privacy Act's limitation on use of
personal information.\47\ Agencies are required, before matching, to
enter into written, inter-agency agreements specifying the purpose of
the match, the records to be matched, and a cost/benefit analysis of
the match. The Matching Act creates an important procedural framework
of notice to individuals, the right to a hearing before government
benefits are cut off or denied, and mandatory reporting requirements
for agencies that match records.
---------------------------------------------------------------------------
\47\ The Privacy Act prohibits government use of personal data,
without consent, for a purpose other than that for which it was
originally collected. It contains 12 exceptions to this principle,
including a ``routine use'' exception that permits disclosures
without consent for purposes compatible with, but not identical to,
the reason for the data file's creation. 5 U.S.C. 552a(b)(3).
---------------------------------------------------------------------------
44. No federal or state laws regulate private sector matching of
personal information. However, some existing federal and state laws
restrict the accessibility of certain types of personal information.
For instance, as previously discussed, federal law restricts disclosure
of cable subscription and video tape rental or sale information.\48\
Such restrictions, when coupled with similar restrictions on the
release of other types of personal information such as credit ratings
and credit card usage,\49\ to some extent limit the information that
can be used to create personal profiles. The existing legal framework,
then, addresses only the first step of the matching process in the
private sector by limiting access to information.
---------------------------------------------------------------------------
\48\ As discussed supra in notes 20 and 24, numerous state laws
restrict the use of cable subscriber data and video cassette rental
records.
\49\ See, e.g., Fair Credit Reporting Act Sec. 604, 15 U.S.C.
Sec. 1681b (Supp. 1993) (requiring that consumer reports go only to
companies that will use them for credit, insurance, employment, or
``a legitimate business need''); Cal. Civil Code Sec. 1785.1
(Deering Supp. 1993) (regulating consumer credit reporting agencies
that gather credit-oriented information for consumer reports to
third parties); Mass. Gen. Laws Ann. ch. 93, Secs. 51-52 (West 1993)
(limiting credit-report access to third parties and content in
consumer credit reports). See generally Robert E. Smith,
``Compilation of State and Federal Privacy Laws'' (1992).
---------------------------------------------------------------------------
B. Areas of Inquiry
45. NTIA solicits comment on whether existing federal laws would
adequately deter invasions of personal privacy resulting from the
compilation of telecommunications-related data, such as records of
interactive media and telephone usage, obtained through the NII. Should
federal legislation restrict private sector computer matching of such
data? If so, for what purposes would the Matching Act serve as a useful
model? Does computer matching create new information that should be
subject to greater privacy restrictions than those applicable to each
separate piece of information used in the match? Is privacy threatened
by the act of gathering information about an individual from several
different sources, or only when the resulting personal profile is used
for purposes beyond the individual's knowledge and ability to control?
46. Market forces have an impact on the actions of businesses and
consumers. For instance, Lotus Development Corporation and one of the
nation's largest credit reporting bureaus, Equifax, abandoned plans to
market a data base on a CD-ROM called ``Marketplace: Households'' in
the face of widespread public criticism.\50\ In 1990, New York
Telephone abandoned plans to rent directory information such as name,
address, and telephone number from 4.7 million listings to retailers,
telemarketers, and others selling products and services in the face of
800,000 requests to be excluded from such lists.\51\ Will consumer
concern about the existence of personal profiles deter companies from
developing such profiles? If so, what impact would that have on
individuals and society?
---------------------------------------------------------------------------
\50\ The proposed data base would have contained such personal
information as the names, estimated incomes, purchasing habits, and
marital status of 120 million Americans. See, e.g., Charles Piller,
``Privacy in Peril,'' Macworld, July 1993, at 8, 11; Mendel-Balck &
Richards, supra note 2, at H1.
\51\ Comm. Daily, June 19, 1990, at 5.
---------------------------------------------------------------------------
VI. Role of Self-Regulation
47. In response to growing customer concern about privacy issues,
many companies are developing their own corporate privacy codes and
other initiatives to bolster customer confidence in their services. In
the telecommunications area, Pacific Bell, one of the Regional Bell
Operating Companies, issued a comprehensive telephone customer privacy
code in December 1992.\52\ MCI as a matter of policy does not sell
or rent its customer lists or information about customers to third
parties.\53\ Among information providers, Prodigy, one of the
largest commercial on-line services, has a formal policy governing its
use of personal information about subscribers.\54\ NTIA solicits
comment on what other companies in the telecommunications and
information field are doing to address their customers' privacy
concerns. What has been the experience to date of companies that have
privacy policies? Should companies be required to provide their
customers with notice of their internal practices and policies
regarding collection and use of personal information? To what extent
can we expect that marketplace forces will adequately resolve conflicts
over privacy interests, and how will this occur?
---------------------------------------------------------------------------
\52\ ``Pacific Bell's Customer Privacy Guidelines'' (Sept. 1993)
(on file at NTIA); see also ``Profile of Pacific Bell and its 1992
Customer Privacy Policy,'' Privacy & Am. Bus., Sept./Oct. 1993, at
12, 13.
\53\ Letter from Gerald J. Kovach, Senior Vice President,
External Affairs, MCI, to Chairman Edward Markey, House Subcommittee
on Telecommunications and Finance (May 20, 1992) (on file at NTIA).
\54\ Prodigy Services Co., ``Policy on Protecting Member
Privacy'' (on file at NTIA).
---------------------------------------------------------------------------
48. Many non-commercial networks have informally developed norms
for conduct that are voluntarily adhered to by users. Users that engage
in unacceptable behavior may be ``flamed'' by other users.\55\ On
many bulletin boards, the system operator retains discretion to banish
users who post offensive messages. Is such self-regulation in
electronic communities adequate to protect the individual's right to
privacy over the NII?
---------------------------------------------------------------------------
\55\ ``Flaming'' is the practice of users sending electronic mail
messages that confront and chastise the addressee.
---------------------------------------------------------------------------
VII. International Issues
49. The NII will be part of evolving global networks and therefore
must be coordinated with international requirements in order to
facilitate the competitiveness of U.S. firms. Many of our major trading
partners in Europe, for instance, have formal data protection
commissions that oversee implementation of national laws governing the
information practices of both public sector and private sector parties.
Thus, the United States needs to evaluate how the policies regulating
the privacy of personal information transmitted over telecommunications
networks in other countries will affect individuals and commerce in the
United States, and vice versa.
A. International Privacy Guidelines
50. International interest in advancements in computerization and
related privacy issues began in the late 1960s. Since then, different
nations have followed varying approaches to privacy. As previously
noted, U.S. privacy law is a patchwork of constitutional, statutory,
regulatory, and common law protections, and voluntary self-regulation.
The European approach to the privacy of electronic information has been
to favor omnibus data protection regulations that apply to both the
public and private sectors and are overseen by state-controlled privacy
boards. The Organization for Economic Cooperation and Development
(OECD), whose membership consists of twenty-four industrialized
countries, including the United States, Canada, most Western European
countries, and Japan, has adopted guidelines for the protection of
personal data that permit both the U.S. and European approaches.
African, South American, and Central American countries have not yet
adopted any data protection laws, but some are studying the
issue.\56\
---------------------------------------------------------------------------
\56\ See Olga Estadella-Yuste, ``Transborder Data Flows and the
Sources of Public International Law,'' 16 N.C.J. of Int'l L. & Com.
Reg. 379, 429-30 (Fall 1991).
---------------------------------------------------------------------------
51. In the discussion that follows, we focus on the major
international instruments pertaining to privacy adopted by the OECD and
the Council of Europe (COE), and under consideration by the European
Community (EC), rather than the laws of specific countries.\57\
These international agreements--which generally recognize that the free
flow of information is critical to transborder economic activity--
provide a framework for adoption of domestic legislation by member
nations.
---------------------------------------------------------------------------
\57\ For a list of privacy laws in particular countries, see id. at
392 n.56, 395 n.79.
---------------------------------------------------------------------------
1. Organization for Economic Cooperation and Development
52. The OECD has been active since the 1970s in considering the
impact of computers and telecommunications technologies on the
international flow of data. In 1978, it instructed a ``Group of
Experts'' to develop a set of basic guidelines to govern transborder
data flow and the privacy of personal data. The Group of Experts
adopted ``Guidelines on the Protection of Privacy and Transborder Data
Flows'' in 1980.\58\ All twenty-four OECD member countries have
accepted the OECD Guidelines, which are strictly voluntary. In the
United States, over 175 corporations have provided written statements
of support for the OECD Guidelines.\59\
---------------------------------------------------------------------------
\58\ Organization for Economic Cooperation and Development,
``Recommendation of the Council Concerning Guidelines Governing the
Protection of Privacy and Transborder Flows of Personal Data,'' OECD
Doc. C(80)58 final, reprinted in 20 I.L.M. 422 (OECD Guidelines).
The OECD guidelines include the following eight principles:
(1) There should be limits on the collection of personal
data, and it should be obtained fairly and lawfully and, where
appropriate, with the data subject's consent.
(2) Personal data should be accurate, complete, current,
and relevant to the purposes for which it is obtained.
(3) Personal data should be used for legitimate, specified
purposes and the data subject should be notified of any changes in
those purposes.
(4) Personal data should not be used for purposes other
than those for which it was originally intended, except with the
consent of the data subject or legal authorization.
(5) Personal data should be protected by reasonable
security safeguards.
(6) There should be a policy of openness about practices
and policies related to the collection and use of personal data.
(7) Individuals should have the ability to examine and
correct data relating to them upon request.
(8) Organizations should have a data controller who is
responsible for complying with the above principles.
\59\ See Letter from Nanette Di Tosto, U.S. Council for
International Business, to Larry Irving, Assistant Secretary for
Communications and Information, NTIA, U.S. Department of Commerce
(Oct. 19, 1993) (on file at NTIA). Other aspects of transborder data
flow are regulated by the OECD's ``Declaration on Transborder Data
Flow.'' See Estadella-Yuste, supra note 56, at 405.
---------------------------------------------------------------------------
2. Council of Europe
53. In 1980, the Council of Europe, whose membership consists of the
twelve EC countries and nineteen other European countries, adopted
``fair information practices'' similar to those of the OECD regulating
the collection, storage, and automated processing of personal data, and
transborder data flow. Those principles, set forth in the ``Convention
for the Protection of Individuals With Regard to Automatic Processing
of Personal Data'' which was opened for signature in 1981,\60\
establish standards that must be enacted into domestic law by signatory
countries. Twenty of the thirty-one Council of Europe members have
signed the convention, and thirteen have ratified it. Ten of the twelve
EC member states have ratified the convention and enacted domestic data
protection laws.\61\ The COE Convention permits, but does not
mandate, signatory countries to refuse to transfer data to other
countries that do not provide equivalent data protection.\62\
---------------------------------------------------------------------------
\60\ Council of Europe, Convention for the Protection of
Individuals with Regard to Automatic Processing of Personal Data,
Jan. 28, 1981, Europ. T.S. No. 108, reprinted in 20 I.L.M. 317 (COE
Convention). The COE Convention includes principles analogous to the
OECD principles discussed supra note 58, with some difference in
emphasis, plus two additional principles: the collection of personal
data should be for general purposes and specific uses that are
socially acceptable, and data should be preserved no longer than
necessary for the purpose for which it is stored.
\61\ Nanette Di Tosto, U.S. Council for International Business,
Remarks before the International Data Protection Landscape 2 (July
23, 1993). Belgium, for instance, is in the process of establishing
a national registry of all information data bases. Belgian law
requires that individuals have access to personal information
contained in such data bases and have a right to be informed at the
moment of data collection about what information is being collected.
A. Pipers, ``Personal Data Protection in Belgium Now,'' Lecture
Before the Council of Europe, Consultative Committee of the
Convention for the Protection of Individuals with Regard to
Automatic Processing of Personal Data (Jan. 18, 1993) (on file at
NTIA). One commenter has concluded that most social research will
cease in Belgium once these requirements become fully operational.
Erik Von Hove, ``Legislation on Privacy Protection and Social
Research'' 11 (Sept. 1993) (paper presented at the Council of
Europe's International Conference of Data Protection and Privacy
Commissioners, on file at NTIA).
\62\ France and the United Kingdom have banned data transfer in
specific cases based on the lack of, or inadequacy of, data
protection laws in the receiving country. The U.K. ban involved the
transfer of direct marketing lists to the United States. See Joel R.
Reidenberg, ``Rules of the Road for Global Electronic Highways:
Merging the Trade and Technical Paradigms,'' 6 Harv. J.L. & Tech.
287, 290-91 & n.13 (Spring 1993); Estadella-Yuste, supra note 56, at
402 n.125. See generally George B. Trubow, ``The European
Harmonization of Data Protection Laws Threatens U.S. Participation
in Trans Border Data Flow,'' 13 Nw. J. Int'l L. & Bus. 167 (Spring/
Summer 1992); Joel R. Reidenberg, ``Privacy in the Information
Economy: A Fortress or Frontier for Individual Rights,'' 44 Fed.
Comm. L.J. 195, 200-201 & nn.20-23 (1992).
In addition to the international instruments discussed above,
the United Nations has adopted its own set of guidelines relating to
computerized personal files and transborder data flows, which are
similar to the OECD Guidelines and COE Convention. See Estadella-
Yuste, supra note 56, at 385 & n.23, 391.
---------------------------------------------------------------------------
54. The Council of Europe continues to respond to new privacy
issues brought about by technological innovation. Its Committee of
Experts on Data Protection has studied a number of areas that pose
challenges to privacy, including telemetry (the use of remote cameras,
sound detectors, and other means to collect personal data without the
consent, or even the knowledge, of the data subject), interactive
media, and electronic mail.\63\
---------------------------------------------------------------------------
\63\ See Council of Europe, ``New Technologies: a Challenge to
Privacy Protection?'' (1989); Colin J. Bennett, ``Regulating
Privacy'' 245 (1992).
---------------------------------------------------------------------------
3. European Community Directives
55. In 1990, the EC proposed a new directive that would create
another set of international privacy guidelines, which would be
mandatory for all EC Member States.\64\ Among other provisions, the
1990 Proposed Directive adopted an ``opt-in'' approach requiring
companies to notify and obtain consent from each individual regarding
the use of personal data pertaining to them. This directive would have
allowed Member States to block the transborder flow of data to any
country whose privacy regulations are determined to be inadequate.
---------------------------------------------------------------------------
\64\ Commission of the European Communities, Proposal for a
Council Directive Concerning the Protection of Individuals in
Relation to the Processing of Personal Data, COM(90)314 final--SYN
287, reprinted in 1990 O.J. (C277/3) (1990 Proposed Directive).
---------------------------------------------------------------------------
56. U.S. businesses objected to the 1990 Proposed Directive because
it would place potentially costly, bureaucratic restrictions on the
collection, use, alteration or transfer of personal data files. The
United States government argued that this directive would potentially
hinder the ability of U.S. companies to communicate with their
subsidiaries and customers in Europe. The German, U.K., and French
governments also spoke out against the directive.\65\
---------------------------------------------------------------------------
\65\ Id., art. 24.
---------------------------------------------------------------------------
57. In 1992, the EC proposed a revised privacy directive that has
not yet been adopted, but addresses some of the major concerns of U.S.
industry.\66\ In particular, the revised proposal is less
restrictive than the original with respect to transborder data flow. In
determining whether the destination country affords a sufficient degree
of privacy protection, nations may consider the specific circumstances
of each data transfer on a case-by-case basis, rather than on an
overall country assessment, taking into account the nature of the data,
the purpose and duration of processing, and professional rules.\67\
---------------------------------------------------------------------------
\66\ Commission of the European Communities, Amended Proposal for
a Council Directive on the Protection of Individuals with Regard to
the Processing of Personal Data and on the Free Movement of Such
Data, COM(92) 422 final--SYN 287 (1992 Privacy Directive).
\67\ Id., art. 26.
---------------------------------------------------------------------------
58. The 1992 Privacy Directive would require EC member countries to
have independent supervisory authorities for the protection of personal
data. These advisory bodies would monitor implementation of national
laws adopted as a result of the EC privacy directive and would have the
power to bring action against infringements of the law.\68\
---------------------------------------------------------------------------
\68\ A number of European countries have already established data
commissions to fulfill this role. See also discussion supra at note
61.
---------------------------------------------------------------------------
59. The 1992 Privacy Directive also acknowledges contractual
provisions that protect data subjects' rights, but still does not
recognize voluntary self-regulation, practiced widely by U.S.
industry.\69\ It considers intracorporate data transfers between and
among a company and its overseas subsidiaries and affiliates to be
communications to a third party and subject to privacy regulations.
Member States therefore still would be able to block the transborder
flow of intracorporate data, if the privacy regulations in the country
receiving the data are determined to be inadequate. The 1992 Privacy
Directive has not been ratified due to remaining concerns within the EC
business community over such issues as how to determine the adequacy of
foreign data protection laws.
---------------------------------------------------------------------------
\69\ The EC has commissioned a study of U.S. privacy policies to
determine the effectiveness of self-regulation by private industry
in the United States. The 1992 Privacy Directive would allow trade
associations to create codes of conduct within the framework of the
Directive. See 1992 Privacy Directive, arts. 28, 30. Such codes
would not be comparable to self-regulation as practiced by U.S.
industry, however, as those codes would be approved and enforced by
the supervising body in the country.
---------------------------------------------------------------------------
60. In addition to the 1992 Privacy Directive, the EC is
considering a proposed directive that would harmonize regulations in
Member States designed to protect the privacy of telephone
subscribers.\70\ Generally, the proposed ISDN Directive would allow
telephone companies to collect and store only that information that is
necessary to provide requested services, require subscribers' consent
to provide such information to third parties, guarantee adequate
protection against unauthorized access, and require telephone companies
to provide a call blocking option for calling line identification.
---------------------------------------------------------------------------
\70\ Proposal for a Council Directive Concerning the Protection
of Personal Data and Privacy in the Context of Public Digital
Telecommunications Networks, in Particular the Integrated Services
Digital Network (ISDN) and Public Digital Mobile Networks, SYN 288
(ISDN Directive).
---------------------------------------------------------------------------
4. Areas of Inquiry
61. NTIA solicits comment on whether U.S. industry believes that
the OECD Guidelines and the COE Convention are adequate instruments to
protect individuals' right to privacy over telecommunications networks.
Should there be any change in U.S. international privacy policy beyond
individual firms' support for voluntary OECD guidelines related to
transborder data flows? What impact would ratification of the EC's 1992
Privacy Directive or ISDN Directive have on the NII? Would the United
States need to adopt additional privacy laws applicable to the private
sector to ensure that, as the NII develops, it is not excluded from
exchanging personal information with the EC? Could problems arise for
international calls originating in the United States if the EC requires
specific technologies or policies to be implemented that are different
from those in use in the United States? For example, deployment of SS7
is necessary in order for calling parties to block transmittal of their
telephone number to called parties. Different standards exist for
technological solutions to privacy concerns such as encryption. To what
extent does international network configuration have an impact on
privacy considerations? What privacy policies have been adopted by
individual countries that could serve as useful models for the United
States as it develops its privacy policies for the NII?
B. International Trade Agreements: GATT/NAFTA
62. Issues relating to privacy will continue to be a growing
international trade issue as other countries and regions develop their
own information networks. The protection of individual privacy is
mentioned in both the GATT Telecommunications Annex and the
telecommunications chapter of the North American Free Trade Agreement
(NAFTA). Both documents focus on the right of users and service
providers to access and use the public telecommunications network on a
nondiscriminatory basis. However, under both GATT and NAFTA, laws or
regulations that protect privacy of individuals in the processing and
dissemination of personal data are permissible so long as they are not
applied in a discriminatory manner or as a disguised restriction on
trade.\71\ Will such provisions adequately limit the ability of a
signatory country to impose its own privacy framework on other
signatory countries, while allowing for a free flow of information?
Given that the telecommunications networks that are part of the NII
extend across U.S. borders into Canada and Mexico, will the United
States need to consider how those countries address privacy issues as
we develop our policies in this area?
---------------------------------------------------------------------------
\71\ The GATT exception for privacy states that ``A Party may
take such measures as are necessary to ensure the security and
confidentiality of messages. . . .'' GATT Doc. MTN.TNS/W/FA, at 18
(1990). The NAFTA states that any Party to the agreement may pass
any measure to ``ensure the security and confidentiality of
messages,'' or to ``protect the privacy of subscribers to public
telecommunications transport networks or services.'' North American
Free Trade Agreement, art. 1302(5) (1992), Hein's No. KAV 3417.
---------------------------------------------------------------------------
VIII. Conclusion
63. NTIA hereby requests comments in this inquiry to be filed on or
before March 14, 1994.
Dated: February 7, 1994.
Larry Irving
Assistant Secretary of Commerce for Communications and Information.
[FR Doc. 94-3185 Filed 2-10-94; 8:45 am]