[Federal Register Volume 59, Number 29 (Friday, February 11, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-3185]




_______________________________________________________________________

Part IX

Department of Commerce

_______________________________________________________________________

National Telecommunications and Information Administration

_______________________________________________________________________

Inquiry on Privacy Issues Relating to Private Sector Use of 
Telecommunications-Related Personal Information; Notice

[Docket No. 940104-4004]

AGENCY: National Telecommunications and Information Administration 
(NTIA), Commerce.

ACTION: Notice of Inquiry; Request for Comments.

-----------------------------------------------------------------------

SUMMARY: NTIA is conducting a comprehensive review of privacy issues 
relating to private sector use of telecommunications-related personal 
information associated with the National Information Infrastructure. 
Public comment is requested on issues relevant to such a review. After 
analyzing the comments, NTIA intends to issue a report, which may make 
recommendations to the Information Infrastructure Task Force and 
Congress in the area of telecommunications and information policy, as 
appropriate.

DATES: Comments should be filed on or before March 14, 1994, to receive 
full consideration.

ADDRESSES: Comments (seven copies) should be sent to the Office of 
Policy Analysis and Development, NTIA, U.S. Department of Commerce, 
14th St. and Constitution Ave., NW., room 4725, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: Carol Mattey or Lisa Leidig, Office of 
Policy Analysis and Development, 202-482-1880.

AUTHORITY: National Telecommunications and Information Administration 
Organization Act of 1992, Public Law 102-538, 106 Stat. 3533 (1992) (to 
be codified at 47 U.S.C. 901 et seq.).

SUPPLEMENTARY INFORMATION:

I. Introduction\1\
---------------------------------------------------------------------------

    \1\This Notice of Inquiry and Request for Comments is available 
in electronic form on the NTIA Bulletin Board at 202-482-1199. 
Please set your communications parameters to No parity, 8 data bits, 
and 1 stop bit (N,8,1). Commenters are encouraged to file their 
comments electronically at the same number.
---------------------------------------------------------------------------

    1. Today, there is a thriving U.S. industry dealing in personal 
information. Over 10,000 lists of data about individuals are available 
for rent.\2\ According to one 1990 estimate, the business of selling 
personal information was a $3 billion per year industry.\3\ Personal 
computers can be used to access information services that provide a 
wealth of information about individuals.\4\ Often such personal data 
is being manipulated for purposes other than those originally intended 
when collected, and the parties engaging in such activities have no 
prior direct relationship with the individual about whom the 
information pertains. Moreover, many Americans have little idea of what 
information is being collected about them or the many possible uses of 
such information.
---------------------------------------------------------------------------

    \2\See Daniel Mendel-Black & Evelyn Richards, ``Peering Into 
Private Lives,'' Wash. Post, Jan. 20, 1991, at H6; Jill Smolowe, 
``Read This!!!!!!,'' Time, Nov. 26, 1990, at 62, 66 (referring to 
the Direct Mail List Rate and Data published by the Standard Rate & 
Data Service, which contains descriptions of over 10,000 
commercially available lists).
    \3\Smolowe, supra note 2, at 66.
    \4\For instance, Mead Data Central, Inc., which operates the 
legal data base ``Lexis,'' operates a data base entitled ``Lexis 
Finder'' that is a nationwide white page directory of 111 million 
individuals' addresses, telephone numbers, and other information. 
Typical entries provide the names of individuals that reside at a 
particular residence, their month and year of birth, their telephone 
number, when that number was first listed in the telephone 
directory, their dwelling type (e.g., single family, multi-family), 
whether the residence is owned, and the median value of homes in the 
applicable census tract. Dialog, Prodigy, and CompuServe also 
provide access to data bases containing personal information about 
individuals. See, e.g., Claudia H. Deutsch, ``Headhunting from a 
Data Base,'' N.Y. Times, May 6, 1990, at C25; William M. Bulkeley, 
``Bill Collectors Master Automated Arm-Twisting,'' Wall St. J., 
Sept. 10, 1990, at B1; Jeffrey Rothfeder, ``Is Nothing Private?,'' 
Bus. Wk., Sept. 4, 1989, at 74, 74-82.
---------------------------------------------------------------------------

    2. The National Information Infrastructure (NII)--the evolving 
seamless interactive web of communications networks, computers, data 
bases, and consumer electronics in the United States--will accelerate 
this trend even further.\5\ As the NII develops, Americans will be 
able to access numerous commercial, scientific, and business data 
bases, obtain government information and apply for government benefits, 
select and customize entertainment programming, engage in retail, 
banking, and other commercial transactions, express their views to 
Federal, State, and local government officials, and engage in 
productive employment, all from the comfort of their homes. With this 
growth in the number of electronic transactions, the accelerated 
collection of personal information, and the increase in the 
interconnectivity of telecommunications networks and information 
service providers, however, comes increasing public concern about 
communications and personal privacy.\6\
---------------------------------------------------------------------------

    \5\The phrase ``NII'' is used in this document as shorthand for 
the Administration's vision of what this information superhighway 
should be. Obviously, many telecommunications networks that are a 
component of this vision already exist, and have been evolving for 
many years. In recent years, U.S. companies have invested more than 
$50 billion annually in telecommunications infrastructure. The 
Administration's NII Initiative seeks to develop policies and 
programs to spur the evolution of the existing infrastructure into a 
``network of networks.'' For a further discussion of the NII, see 
``The National Information Infrastructure: Agenda for Action,'' 58 
FR 49,025 (1993) (Agenda for Action). The package is available on 
Internet, in ASCII format through both FTP and Gopher. The FTP file 
name is ``niiagenda.asc''. Address: ``ftp.ntia.doc.gov''. Login as 
``anonymous''. Use your email address or guest as the password. 
Change directory to ``pub''. The Gopher address is 
``gopher.nist.gov''. Login as ``gopher''. Choose the menu item ``DOC 
Documents''. Choose ``ntiaagenda.asc''.
    \6\A 1993 Louis Harris & Associates public opinion survey found 
that 83% of Americans are concerned about threats to personal 
privacy, a five point rise over responses to an identical question 
in a Harris survey a year earlier. ``Public's Privacy Concerns Still 
Rising,'' Privacy & Am. Bus., Sept./Oct. 1993, at 3.
---------------------------------------------------------------------------

    3. On September 15, 1993, the Clinton Administration announced the 
formation of a federal interagency task force--the Information 
Infrastructure Task Force (IITF)--that would work with Congress and the 
private sector to propose policies and initiatives needed to accelerate 
the deployment of the NII. One of the IITF's goals is to ensure that 
the NII's operations are compatible with the legitimate privacy 
interests of its users, while recognizing the legitimate societal need 
for the flow of information.\7\
---------------------------------------------------------------------------

    \7\``Agenda for Action,'' supra note 5, at 49,029.
---------------------------------------------------------------------------

    4. One of the agencies participating in the IITF is the National 
Telecommunications and Information Administration (NTIA), which is the 
Executive Branch agency principally responsible for developing and 
articulating domestic and international telecommunications policies. As 
the principal advisor to the President on telecommunications policies, 
NTIA conducts studies and makes recommendations regarding 
telecommunications policies, activities, and opportunities, and 
presents Executive Branch views on telecommunications matters to the 
Congress, the Federal Communications Commission (FCC), state and local 
governments, and members of the public.\8\
---------------------------------------------------------------------------

    \8\NTIA was established by Executive Order in 1976. E.O. 12,046, 
3 CFR 1978 Comp. (1978), reprinted in 47 U.S.C. Sec. 305 note (1988 
& Supp. 1991). Congress codified NTIA's functions in the National 
Telecommunications and Information Administration Organization Act 
of 1992, Pub. L. No. 102-538, 106 Stat. 3522 (1992) (to be codified 
at 47 U.S.C. 901 et seq.).
---------------------------------------------------------------------------

    5. NTIA is undertaking this proceeding to examine the privacy 
implications associated with private sector use of personal information 
associated with the NII.\9\ Consistent with NTIA's communications 
and information policy function, we focus our inquiry on potential uses 
of information generated by interactive multimedia and by telephone 
usage and transactions utilizing the telephone, known as telephone 
transaction generated information (TTGI). We ask whether any 
overarching principles can be developed that would apply to all firms 
in the telecommunications sector. Moreover, we consider the issues that 
arise when such telecommunications-related information is used to 
create and disseminate detailed dossiers about individuals. We then 
address the role of industry self-regulation for providers of 
telecommunications and information services. Finally, we solicit 
comment on other countries' actions to ensure the privacy of 
information transmitted over telecommunications networks, and how any 
U.S. policies in this area will affect the international arena. The 
record developed in this proceeding will be used to develop 
recommendations in the area of communications and information policy 
for presentation to the IITF and Congress, as appropriate.
---------------------------------------------------------------------------

    \9\While there are equally important issues relating to 
governmental (as opposed to private sector) access to personal 
information and transactional records associated with the NII, such 
questions are outside the scope of this inquiry. Likewise, we do not 
address issues relating to encryption and unauthorized access to the 
content of communications transmitted over the NII.
---------------------------------------------------------------------------

II. Privacy in a Changing Environment

    6. A critical question is what exactly should the right to privacy 
entail in today's information economy.\10\ In a seminal law review 
article in 1890, Samuel Warren and Louis Brandeis defined the right of 
privacy as ``the right to be left alone.''\11\ In more recent years, 
privacy has been defined by one academic as ``the claim of individuals, 
groups, or institutions to determine for themselves when, how, and to 
what extent information about them is communicated to others.''\12\
---------------------------------------------------------------------------

    \10\In the discussion that follows, we consider the right to 
privacy only as it pertains to the collection and dissemination of 
personally identifiable information about individuals, and not in 
the sense used in Supreme Court cases involving abortion, 
contraception, and other personal behavior.
    \11\Samuel D. Warren & Louis D. Brandeis, ``The Right of 
Privacy,'' 4 Harv. L. Rev. 193, 205 (1890).
    \12\Alan F. Westin, ``Privacy and Freedom'' 7 (1970).
---------------------------------------------------------------------------

    7. There is no single privacy law in the United States; rather, 
U.S. privacy law is a patchwork of constitutional, statutory, 
regulatory, and common law protections.\13\ While the Supreme Court 
has held that the Fourth Amendment restricts the ability of government 
to collect information from places in which an individual has a 
reasonable expectation of privacy, there is no constitutional right to 
be free from analogous intrusions by private sector parties. Tort law 
limits intrusive collection of private information, penalizes 
unwarranted disclosure of such information, and protects against 
disclosure of erroneous information about individuals. A number of 
statutes, at both the federal and state level, protect individuals from 
governmental misuse of personal information, while other statutes adopt 
``fair information principles'' for private sector record keepers in 
specific industries.\14\
---------------------------------------------------------------------------

    \13\See generally Wayne Madsen, ``Handbook of Personal Data 
Protection'' (1992); National Telecommunications & Information 
Administration, U.S. Dep't of Commerce, NTIA Rep. 82-98, ``Privacy 
Protection Law in the United States'' (1982).
    \14\See, e.g., Cable Communications Policy Act of 1984, 47 
U.S.C. 551 (1988) (1984 Cable Act); Video Privacy Protection Act of 
1988, 18 U.S.C. Secs. 2710-2711 (1988) (Video Act). See discussion 
infra at paras. 16-18.
---------------------------------------------------------------------------

    8. In 1974, Congress established the Privacy Protection Study 
Commission to undertake a broad study of whether privacy rights were 
being adequately protected in the emerging information society.\15\ 
In its final report, issued in 1977, the Commission concluded that 
federal privacy laws should advance three concurrent policy goals--
---------------------------------------------------------------------------

    \15\See Section 5 of the Privacy Act of 1974, Pub. L. No. 93-
579, 88 Stat. 1897 (codified at 5 U.S.C. 552a (1988)) (Privacy Act). 
Among other things, the Commission was directed to examine the 
standards and procedures in force for the protection of personal 
information in data banks and information systems of private 
organizations, and to determine whether the principles of the 
Privacy Act should be applied to such organizations. For a further 
description of the Privacy Act, see discussion infra at para. 41.
---------------------------------------------------------------------------

     To minimize intrusiveness by creating a proper balance 
between what an individual is expected to divulge to a record-keeping 
organization and what he or she seeks in return;
     To maximize fairness by opening up record-keeping 
operations in ways that will minimize the extent to which recorded 
information about an individual is itself a source of unfairness in any 
decision about him or her; and
     To create legitimate, enforceable expectations of 
confidentiality by creating and defining obligations with respect to 
the uses and disclosures that will be made of recorded information 
about an individual.\16\
---------------------------------------------------------------------------

    \16\See Privacy Protection Study Commission, ``Personal Privacy 
in an Information Society'' 14-15 (1977).
---------------------------------------------------------------------------

    9. Today, more than fifteen years later, there have been further 
advances in telecommunications and information technology. Given the 
proliferation of computerized data collection and the prospect of 
converging technologies--computers, telephones, and mass media--it is 
time to reconsider what privacy means in developing electronic 
communities.
    10. The Administration has a broad vision of a future NII that will 
enable people in their homes, schools, places of business, and 
elsewhere to benefit from improved communications and access to 
information resources. In such a world, the collection and 
dissemination of information can serve many useful social and economic 
purposes. At the same time, each new communications and information 
service potentially affects the privacy interests of individuals and 
businesses. What are the First Amendment implications of regulating the 
dissemination of information by individuals or businesses?
    11. What technology is available now, or in the foreseeable future, 
that could have an impact on the privacy expectations of 
telecommunications users? Should the ability of technology to enhance, 
or threaten, privacy have a bearing on what expectations of privacy are 
deemed ``reasonable''? Can privacy laws or policies be developed that 
are technology-neutral? How can we ensure that whatever privacy 
protections that are in place apply equally to all Americans that use 
the NII, both younger and older, the wealthy, the middle class and the 
disadvantaged, and the technologically literate and the uneducated?
    12. As the components of the NII develop, it may become 
increasingly difficult to define the rights and responsibilities of 
stakeholders. Today, one set of privacy requirements applies to 
traditional cable operators; other rules apply to telecommunications 
common carriers (with even more specialized rules that apply to the 
Regional Bell Operating Companies and AT&T); and other firms that 
provide telecommunications and information services are subject to no 
restrictions on how they use personal information. Are there any 
overarching principles that can be extended across specific services in 
the telecommunications sector? Given the convergence of different 
industries within this sector, is there a need for a more comprehensive 
approach to privacy regulation? Can ``fair information principles'' be 
extended to interactions between individuals in an electronically wired 
nation?

III. Multimedia Transactions

    13. The NII could ultimately provide access to interactive 
multimedia, integrated digital streams of video, audio, text, and 
graphics that will allow an instantaneous dialogue between the user and 
the system for the transmittal of information. Interactive multimedia 
encompasses such services as video on demand, participatory television, 
electronic publishing, interactive video games, teleshopping, 
telebanking, videoconferencing, remote medical testing and evaluation, 
and distance learning.\17\ For example, using devices with the 
attributes of a telephone, a television, a camcorder, and a personal 
computer, students ultimately may be able to browse through the 
collections of any library in the country and collaborate on research 
projects with others hundreds of miles away, individuals may be able to 
experience special family events like a christening or wedding even 
though they cannot attend in person, and citizens may be able to 
participate in electronic town meetings. In addition, small businesses 
as well as large may take advantage of the latest in computer 
technology to design products and provide useful services, and 
consumers may be able to shop for the best prices in town on groceries, 
furniture, clothing, or other consumer items.
---------------------------------------------------------------------------

    \17\Some of these services are already currently available in 
some form, while others are in the developmental stage.
---------------------------------------------------------------------------

    14. Of necessity, usage of such multimedia services may create the 
electronic equivalent of a paper trail capturing many details of a 
person's life. Moreover, as more and more everyday interactions take 
place on-line, it will become even easier to compile, package, and sell 
information about individuals than presently is the case. The existence 
of more extensive transactional data may enable both large and small 
firms to conduct more effective targeted advertising and market 
research, which could facilitate the ability of individuals to access 
the products and services they desire. At the same time, people may be 
uncomfortable with the notion that ``someone'' may be keeping track of 
every interaction they engage in with the outside world.

A. Existing Legal Framework

    15. Several laws are relevant to the use of transactional records 
associated with communications media. Three of these laws--the 1984 
Cable Act, the Cable Television Consumer Protection Act of 1992 (1992 
Cable Act), and the Video Act--in essence adopt ``fair information 
principles'' for the use of cable subscriber data and video cassette 
rental and sale data. In contrast, the Electronic Communications 
Privacy Act of 1986 (ECPA) imposes no restrictions on private sector 
use of transactional data.
    16. The 1984 Cable Act precludes cable operators or third parties 
from monitoring the viewing habits of cable subscribers. Under the 
subscriber privacy provisions of that Act,\18\ cable operators are 
required to inform their subscribers at the time of entering into a 
contractual arrangement, and annually thereafter, of the nature of the 
``personally identifiable information'' they collect about subscribers, 
their data disclosure practices, and subscriber rights to inspect and 
correct errors in such data. Cable operators are prohibited from using 
the cable system to collect personally identifiable information about 
their subscribers, except that which is necessary to render cable 
service, without subscriber consent, and are generally barred from 
disclosing such data to third parties without written or electronic 
consent.\19\ Cable operators may sell their mailing lists to third 
parties only if they have given their subscribers an opportunity to 
limit such disclosure, and the disclosure does not reveal the viewing 
habits or other transactions of the subscriber.\20\
---------------------------------------------------------------------------

    \18\47 U.S.C. 551.
    \19\Government entities may obtain subscriber data from cable 
companies only after obtaining a court order reflecting a judicial 
finding that the data sought is likely to reveal criminal activity. 
Subscribers must be notified of the government's request for 
information and provided with an opportunity to contest it prior to 
issuance of the court order.
    \20\Numerous state laws apply similar restrictions on use of 
cable subscriber data. See, e.g., Cal. Penal Code 637.5 (Deering 
1993) (prohibiting cable company from disclosing any information 
regarding a subscriber, without consent); D.C. Code Ann. Sec. 43-
1845 (1981) (requiring cable provider to ``exercise the highest 
possible standard of care in protecting the privacy of data in its 
possession with respect to any individual subscriber's financial 
transactions, viewing selections, and utilization of other computer-
based interactive services.''). See generally Robert E. Smith, 
``Compilation of State and Federal Privacy Laws'' (1992).
---------------------------------------------------------------------------

    17. The 1992 Cable Act extended the protections of the 1984 Cable 
Act to new wire and radio services that may be provided over cable 
facilities, such as personal communications services (PCS). It also 
requires cable operators to take actions necessary to prevent 
unauthorized access to personal information by persons other than the 
subscriber or cable operator.\21\
---------------------------------------------------------------------------

    \21\Pub. L. 102-385, Sec. 20, 106 Stat. 1497 (to be codified at 
47 U.S.C. 551(a)(2), (c)(1)).
---------------------------------------------------------------------------

    18. The Video Act protects the privacy of video cassette rentals 
and sales.\22\ Among other things, the law prohibits disclosure of the 
fact that individuals have rented specific videos. Congress enacted 
this law in part in reaction to the well-publicized disclosure of 
Robert Bork's video rental history when he was under consideration for 
the Supreme Court. The law prohibits video tape service providers from 
disclosing to anyone the titles of video cassettes rented or purchased 
by a particular individual without the customer's consent,\23\ although 
they may release customer mailing lists and the subject matter (but not 
specific titles) of customer selections if the customer has been given 
the opportunity to object to such disclosure.\24\
---------------------------------------------------------------------------

    \22\18 U.S.C. 2710-2711.
    \23\Government entities are barred from obtaining customer 
transaction information unless they obtain a court order 
demonstrating probable cause to believe the data is relevant to law 
enforcement activities.
    \24\Numerous state laws apply similar restrictions. See, e.g., 
Conn. Gen. Stat. Ann. Sec. 53-450 (West 1992) (``All personally 
identifiable information contained in the circulation records of any 
person renting videotape cassettes shall be confidential.''); Md. 
Code Ann. art. 27, Sec. 583 (1993) (prohibiting disclosure of the 
identity of customers and their choices of video tapes). See 
generally Robert E. Smith, ``Compilation of State and Federal 
Privacy Laws'' (1992).
---------------------------------------------------------------------------

    19. ECPA was enacted in 1986 to address new technologies not 
anticipated by the 1968 federal wiretap law.\25\ While that law 
generally prohibits eavesdropping and the interception of the content 
of electronic mail, radio communications, data transmissions, and 
telephone calls without consent, it imposes no restrictions on the 
internal use by providers of an ``electronic communication 
service''\26\ of transactional records pertaining to such 
communications.\27\ As a consequence, such service providers are free 
to make any use of the identity of the parties to the communication or 
the fact of the communication. Moreover, while the ECPA specifies 
standards and procedures for court authorized electronic surveillance 
by government entities,\28\ and government access to stored electronic 
communications,\29\ it does not restrict the dissemination of 
transactional data that is maintained in electronic storage to non-
governmental entities. Indeed, a service provider is expressly 
permitted to disclose transaction information concerning a subscriber 
to any person, for any purpose, without notice or subscriber 
consent.\30\
---------------------------------------------------------------------------

    \25\18 U.S.C. Secs. 2510-2520, 2701-2709 (1988). Among other 
things, the ECPA extended the prohibition on unauthorized 
interception of wire telephone conversations to cellular (but not to 
cordless) telephones, and extended such protections to stored 
electronic communications.
    \26\The ECPA defines an ``electronic communication service'' as 
``any service which provides to users thereof the ability to send or 
receive wire or electronic communications.'' 18 U.S.C. 
Sec. 2510(15).
    \27\18 U.S.C. 2511. See also S. Rep. No. 99-541, 99th Cong., 2d 
Sess. 13 (1986) reprinted in 1986 U.S.C.C.A.N. 3555, 3567.
    \28\18 U.S.C. 2516.
    \29\18 U.S.C. 2703.
    \30\18 U.S.C. 2703(c)(1)(A).
---------------------------------------------------------------------------

B. Areas of Inquiry

    20. NTIA solicits comment on the extent to which the foregoing laws 
would apply to multimedia services that will be delivered over the NII, 
and if not, how they provide a useful model for new legislation. 
Commenters are specifically asked to provide a legal analysis of 
whether the cable subscriber privacy protections of the 1984 Cable Act, 
as amended by the 1992 Cable Act, would apply to telephone companies 
delivering multimedia services over switched broadband networks. 
Commenters also are asked to provide a legal analysis of whether firms 
that provide video on demand would be considered ``video tape service 
providers'' as defined in the Video Act, 47 U.S.C. 2710(a)(4).
    21. As a policy matter, what principles should apply to the 
handling of transactional records associated with multimedia services 
delivered over the NII? Should multimedia service providers be required 
to obtain affirmative consent from NII users for the collection and 
dissemination of personal information, and how should this type of 
presumptively restricted information be defined? What should the user 
be deemed to consent to by subscribing to or ordering NII multimedia?
    22. Without consent, should any secondary uses of personal 
information derived through the use of NII multimedia be permissible? 
As a technical matter, is there any way a user could monitor subsequent 
usage of personal information to ensure that such usage is consistent 
with his or her expectations? Should there be a requirement that 
transactional records be destroyed after some designated period of 
time? How will these requirements be enforced, and what right of 
redress will individuals have?
    23. Should the ECPA be amended to impose restrictions on the use of 
transactional records associated with electronic communications 
services? What costs would such restrictions place on businesses, and 
what impact would restrictions on information collection and 
dissemination have on individuals?

IV. Telephone Transaction Generated Information

    24. Existing telecommunications networks generate a vast amount of 
personal information about telephone usage and transactions related to 
telephone service, which is likely to increase as more advanced 
services are offered. There are many forms of TTGI: white pages 
information, yellow pages information, new telephone service orders, 
aggregate telephone traffic information, calling number identification, 
other network information,\31\ call detail records,\32\ and 
billing and credit information. Today, some telephone companies are 
subject to restrictions on the use and disclosure of telephone 
transactional data, while other firms that have access to such 
information are subject to no restrictions at all.\33\ Given that 
the networks of telecommunications carriers are part of the backbone of 
the NII, NTIA is interested in determining what policies, if any, 
should govern the secondary use of telephone transaction generated 
information. In the discussion below, we focus on two forms of TTGI: 
Customer Proprietary Network Information (CPNI) and Automatic Number 
Identification (ANI).
---------------------------------------------------------------------------

    \31\Other network information includes customer premises 
equipment information, pay-phone information, calling card 
validation data, stored network facility arrangements, and bulk 
calling line identification.
    \32\Call detail records include the date and time of call, the 
number called, the calling number, the geographic location of the 
called number, the duration of the call, and the charge.
    \33\In contrast, law enforcement agencies must obtain a subpoena 
to obtain telephone toll records, demonstrating that such records 
are likely to reveal criminal activity.
---------------------------------------------------------------------------

A. Existing Legal Framework

1. Customer Proprietary Network Information
    25. When initially establishing telephone service for a customer, 
telephone companies obtain information such as the subscriber's name, 
billing address, and desired network services. Over time, telephone 
companies maintain service records and billing records, which include 
the monthly charges for network services, call detail for toll calls, 
and, if applicable, call detail for local calls. Such information, 
known as CPNI, is one form of telephone transaction generated 
information.
    26. Currently, there are no federal statutes governing the 
secondary use of such information, but there are FCC rules governing 
use of CPNI by AT&T and the Bell Operating Companies (BOCs). Those 
rules prohibit the BOCs and AT&T from transferring the CPNI of 
customers with more than twenty lines to affiliated personnel engaged 
in the marketing of customer premises equipment (CPE) or unregulated 
enhanced services unless they have the customer's permission. BOCs and 
AT&T are allowed to make any use of the CPNI of smaller business and 
residential customers without customer authorization. Upon customer 
request, the BOCs and AT&T are required to release CPNI to unaffiliated 
CPE vendors or enhanced services providers (ESPs) on the same terms and 
conditions as made available to their affiliates.\34\
---------------------------------------------------------------------------

    \34\ See Computer III Remand Proceedings: Bell Operating Company 
Safeguards and Tier 1 Local Exchange Company Safeguards, 6 FCC Rcd 
7571, 7609-14 (1991) (Computer III Remand); Furnishing of Customer 
Premises Equipment by the Bell Operating Telephone Companies and the 
Independent Telephone Companies, 2 FCC Rcd 143, 151-53 (1987); 
Furnishing of Customer Premises Equipment and Enhanced Services by 
American Telephone and Telegraph Co., 102 FCC 2d 655, 691-94 (1985), 
modified in part on recon., FCC 86-341, Mimeo No. 36818 (rel. Aug. 
7, 1986). For further background on the development of the FCC's 
CPNI rules, see Amendment to Sections 64.702 of the Commission's 
Rules and Regulations, 2 FCC Rcd 3072, 3093-98 (1987) (Third 
Computer Inquiry), on recon., 3 FCC Rcd 1150, 1161-64 (1988), 
further recon., 4 FCC Rcd 5927 (1989), rev'd, California v. FCC, 905 
F.2d 1217 (9th Cir. 1990). Restrictions on the use of CPNI exist in 
a number of states. See, e.g., Cal. Pub. Util. Code Sec. 2282.5 
(Deering 1993); Mich. Comp. Laws Sec. 484.2305 (1992).
---------------------------------------------------------------------------

    27. The FCC's CPNI rules apply only to the seven BOCs and AT&T. 
Those rules were adopted largely to address competitive concerns based 
on the potential advantage the BOCs and AT&T might have when they 
provide unregulated enhanced services or terminal equipment and 
regulated ``basic'' telecommunications services on an integrated 
basis,\35\ rather than to protect customer privacy concerns.\36\ 
There are no restrictions on the use of CPNI by the more than 1,000 
independent telephone companies, nonwireline cellular carriers, 
interexchange carriers (IXCs) other than AT&T, ESPs, or other 
businesses engaged in the provision of telecommunications and 
information services.
---------------------------------------------------------------------------

    \35\ CPNI can be used to identify new customers for enhanced 
services or terminal equipment, such as subscribers moving into the 
area or adding service locations, before competitors become aware of 
them, and to prepare targeted marketing presentations. Unaffiliated 
ESPs and terminal equipment vendors have alleged that the BOCs use 
CPNI to gain an unfair competitive advantage. For instance, a BOC 
could use CPNI to identify small businesses using outside answering 
services in order to market its own answering service to those 
businesses.
    \36\ In the Computer III Remand decision, the FCC concluded that 
customer privacy concerns would be raised if CPNI were released to 
unaffiliated third parties without a customer's permission, but not 
if such CPNI were used within the carrier's own affiliated business 
operations. 6 FCC Rcd at 7611-12 n.159.
---------------------------------------------------------------------------

2. Automatic Number Identification
    28. According to the Direct Marketing Association, on a typical 
business day in 1993, approximately 60 million toll free telephone 
calls were placed on the 1.8 million 800 numbers in the United 
States.\37\ According to one estimate, more than 274 million calls 
were placed to 900-number services in 1991, with over 14,000 pay-per-
call programs being offered by approximately 5,000 pay-per-call service 
providers.\38\
---------------------------------------------------------------------------

    \37\ Direct Marketing Association, Inc., ``Facts & Stats on 
Telephone Marketing in America'' 29 (May 1993) (on file at NTIA).
    \38\ William W. Burrington & Thaddeus J. Burns, ``Hung Up on the 
Pay-Per-Call Industry?: Current Federal Legislative and Regulatory 
Developments,'' 17 Seton Hall Legis. J. 359, 364 (1993). In 1992, 
the revenues of the 900-number industry were estimated to be $550 
million, with 60% of those revenues derived from entertainment 
services, including horoscopes, soap opera updates, jokes, celebrity 
call-in lines, and games, 15% from live group conversation lines, 7% 
from political polling, 5% from product and event promotion, 5% from 
adult-oriented lines, and 8% from other uses. See Cindy Skrzycki, 
``FTC Issues Final Regulations for 900-Number Industry,'' Wash. 
Post, July 28, 1993, at D5; Direct Marketing Association, supra note 
37, at 30.
---------------------------------------------------------------------------

    29. Interexchange carriers offering 800-number and 900-number 
services provide their customers--that is, firms with 800 and 900 
numbers--with monthly statements providing call detail for all calls 
billed to them, including the telephone number of the calling party. In 
addition, interexchange carriers provide real-time Automatic Number 
Identification to those 800- and 900-number customers that choose to 
subscribe to this feature.\39\ Firms that subscribe to 800- and 900-
number services use ANI for billing and routing, account management, 
and security purposes. For instance, mail order retailers can expedite 
transactions by retrieving the account information of a repeat customer 
as soon as the call is received, while these and other businesses can 
use such services to route large customers to their assigned account 
executive.
---------------------------------------------------------------------------

    \39\ ANI is an access signaling protocol used by local exchange 
carriers (LECs) that automatically identifies the calling party's 
telephone number. It was originally developed to provide telephone 
subscribers with equal access to all long distance carriers, by 
enabling those carriers to identify customers handed off from the 
LECs.
    A more advanced version of this technology that incorporates 
Signalling System Seven (SS7) is used to provide Caller ID, a 
service that enables telephone subscribers to see the telephone 
number of the calling party before the call is answered. Because the 
focus of NTIA's inquiry is on commercial use and misuse of personal 
information, and Caller ID is primarily marketed to residential 
customers, we do not examine Caller ID in this proceeding.
---------------------------------------------------------------------------

    30. There are no FCC restrictions on the use or sale of ANI data 
gathered from interstate calls. The FCC received comments on ANI in 
1992 in its Caller ID proceeding,\40\ but has taken no further 
action to date.
---------------------------------------------------------------------------

    \40\ Rules and policies regarding calling number identification 
services, CC Docket No. 91-281.
---------------------------------------------------------------------------

    31. The only state that regulates the use or sale of ANI data of 
which NTIA is aware is New York. New York's Public Service Commission 
has issued terms and conditions concerning intrastate ANI, which became 
effective in December 1992.\41\ Under these terms and conditions, 
ANI information associated with an intrastate service in New York 
cannot be used to establish marketing lists or to conduct marketing 
calls. Firms may not resell or disclose ANI information to third 
parties unless there is prior written consent from the subscriber. 
Firms are allowed to gather ANI, however, for billing and collection, 
routing, screening, to ensure network performance, to complete a 
telephone subscriber's call or transaction, and for services directly 
related to the telephone subscriber's original call.\42\
---------------------------------------------------------------------------

    \41\ State of New York Public Service Commission, Opinion and 
Order Concerning ANI Terms and Conditions No. 92-37 App. 2 at 1-2 
(Dec. 3, 1992).
    \42\ These terms and conditions are similar to those proposed in 
the Telephone Consumer Privacy Protection Act of 1993, H.R. 3432, 
discussed in the next subsection.
---------------------------------------------------------------------------

B. Proposed law

    32. Rep. Edward Markey, Chairman of the House Subcommittee on 
Telecommunications and Finance of the House Committee on Energy and 
Commerce, has introduced the Telephone Consumer Privacy Protection Act 
of 1993 (H.R. 3432), which would regulate the usage of CPNI and ANI 
data. The bill would amend the Communications Act to bar all local 
exchange carriers from using CPNI (1) to provide any service other than 
telephone exchange or telephone toll service, (2) to identify or 
solicit potential customers for services other than that from which the 
information is derived, or (3) to provide customer premises equipment. 
LECs would be prohibited from disclosing CPNI to affiliates or other 
persons that are not employees of the carrier, unless required by law 
or requested by the customer. The legislation would prohibit LECs from 
discriminating between affiliated and unaffiliated service or equipment 
providers in providing access to individual and aggregate CPNI. The 
bill also would require LECs to provide subscriber list information 
(e.g., subscriber name and address) on nondiscriminatory and reasonable 
terms to any person upon reasonable request.
    33. The Telecommunications Infrastructure Act of 1993 (S. 1086) has 
a similar provision governing the use of CPNI. S. 1086 would apply the 
restriction more broadly, however, to all telecommunications 
carriers,\43\ rather than to local exchange carriers. Moreover, S. 
1086 would give subscribers the power to limit the disclosure of 
subscriber list information.
---------------------------------------------------------------------------

    \43\ S. 1086 defines a ``telecommunications carrier'' as any 
provider of telecommunications services.
---------------------------------------------------------------------------

    34. H.R. 3432 also would amend the Communications Act to bar 
persons that use ANI (i.e., providers of 800 and 900 services) from 
reusing or selling the telephone number or billing data provided 
through ANI without first orally notifying the calling party and 
providing that party the option of limiting or prohibiting such reuse 
or sale. Otherwise, such information may only be used to perform the 
services or transactions intended by the original call, or for other 
limited uses, such as ensuring network security and performance. 
However, firms with 800 and 900 numbers would be permitted to use ANI 
to offer customers with whom they have an established customer 
relationship a product or service directly related to that previously 
acquired by that customer. Common carriers would be required to report 
violations of these provisions to the FCC, and the FCC would be 
authorized to order the termination of ANI service to the offending 
party.
    35. A bill that is pending in the Senate (S. 612) would impose 
similar restrictions on the use of ANI by amending the federal wiretap 
statute. However, unlike the House bill, S. 612 specifies that ANI 
recipients may use such information for any lawful purpose if per call 
blocking at no charge (or per line blocking in states that have adopted 
such a requirement prior to the act's enactment) is available to the 
calling party. S. 612 also would impose civil penalties on parties that 
use information in violation of the statute's ANI requirements.

C. Areas of Inquiry

    36. NTIA solicits comment on how CPNI will evolve as the NII 
develops, and how its treatment should evolve. Is it correct to assume, 
as the FCC did when it adopted the current CPNI rules for provision of 
enhanced services in 1991,\44\ that there are no significant privacy 
concerns when CPNI is made available to different divisions within a 
single integrated company? To what extent do the competing rationales 
associated with regulating access to CPNI--maintaining competitive 
equity between the BOCs and AT&T and unaffiliated ESPs, protecting 
customer privacy, and permitting efficient marketing and provision of 
enhanced services--apply to other types of carriers, such as 
competitive access providers, IXCs, cellular telephone service 
providers, and cable companies, that will be part of the NII? We note 
in this regard that rationales for regulating use of CPNI based on 
competitive concerns suggest a focus on ``dominant'' providers (i.e., 
those with market power), while customer privacy rationales would seem 
to suggest a broader application of such regulatory protections.
---------------------------------------------------------------------------

    \44\ 6 FCC Rcd at 7611-12 n.159.
---------------------------------------------------------------------------

    37. When consumers purchase goods or services through an 800 
number, they ordinarily orally disclose their name, telephone number, 
credit card number, billing address, and other information necessary to 
complete the transaction. Similarly, individuals that call 900 numbers 
are aware that a charge for that call will appear on their telephone 
bill. How is individual privacy additionally threatened by the 
potential passage of ANI to firms with 800 and 900 numbers? Is it 
reasonable to allow NII service providers to use ANI information to 
market new products or services to established customers? Should the 
answer to this question differ, depending on whether the individual has 
previously disclosed his or her telephone number to the called party, 
either orally or in writing? Should firms that offer 800- and 900-
number services be required to notify callers at the outset of the 
conversation that their telephone number has been recorded? Do states, 
other than New York, have restrictions on the intrastate use and sale 
of ANI data, and is there a need for federal legislation in this area?
    38. Does H.R. 3432 strike an appropriate balance between telephone 
subscriber privacy interests, and the desire of information gatherers 
to use customer information to provide services over the NII? Should 
NII users have easy access to some forms of TTGI (such as white page 
directory information), but not others? Should the burden be on the 
telephone subscriber to direct that transactional information not be 
used (the so-called opt-out approach), or on the party that gathers the 
information to obtain consent for the use of such information (the opt-
in approach), and what specific consent mechanism should be used in 
either case? What costs would such restrictions impose on businesses? 
As a matter of policy, should any restrictions on the use of TTGI apply 
to all telecommunications carriers, rather than LECs?
    39. NTIA solicits comment on whether NII network operators and 
service providers should be required to inform their customers, at the 
time service is initially established and periodically thereafter, what 
TTGI is accumulated about them, and how that information is used or 
disseminated to third parties. How would compliance with such rules be 
enforced, and what body should enforce them? If the end result of such 
restrictions is that less information is collected and disseminated in 
our society, what impact would that have on individuals, businesses, 
and the NII?

V. Development of Personal Profiles

    40. Enhanced information and computing technology, and the greater 
interconnectivity of telecommunications networks, will allow greater 
access to a broad range of record systems containing health, financial, 
academic, government, employment, telephone and other information that 
may be of a highly sensitive and personal nature. Easy and often 
anonymous access to such information raises concerns that anyone will 
be able to download information about individuals from different data 
bases and compile that information into detailed personal dossiers.

A. Existing Legal Framework

    41. In order to create a personal profile, a two-step process is 
required--accessing the information and ``matching up'' the information 
for each individual. The Privacy Act of 1974\45\ and a 1988 
amendment to that Act--the Computer Matching and Privacy Protection Act 
of 1988 (Matching Act)\46\--provide federal guidelines governing the 
compilation, use, and dissemination of personal information gathered by 
government agencies.
---------------------------------------------------------------------------

    \45\ 5 U.S.C. 552a.
    \46\ 5 U.S.C. 552a(o)-(q) (1988).
---------------------------------------------------------------------------

    42. The Privacy Act's matching provisions regulate the conditions 
under which federal agencies may match personal information held in 
their data bases with data stored in other data bases. Such matching 
often is done in order to verify the eligibility of individuals for 
federal benefits. For example, a government agency may ``match'' its 
employee list with a list of persons receiving public assistance. The 
match would identify persons who are earning an income and improperly 
receiving public assistance at the same time. Such matching, without 
regulation, may result in indiscriminate swapping of data files.
    43. Under the Matching Act, matching takes place under the 
``routine use'' exception to the Privacy Act's limitation on use of 
personal information.\47\ Agencies are required, before matching, to 
enter into written, inter-agency agreements specifying the purpose of 
the match, the records to be matched, and a cost/benefit analysis of 
the match. The Matching Act creates an important procedural framework 
of notice to individuals, the right to a hearing before government 
benefits are cut off or denied, and mandatory reporting requirements 
for agencies that match records.
---------------------------------------------------------------------------

    \47\ The Privacy Act prohibits government use of personal data, 
without consent, for a purpose other than that for which it was 
originally collected. It contains 12 exceptions to this principle, 
including a ``routine use'' exception that permits disclosures 
without consent for purposes compatible with, but not identical to, 
the reason for the data file's creation. 5 U.S.C. 552a(b)(3).
---------------------------------------------------------------------------

    44. No federal or state laws regulate private sector matching of 
personal information. However, some existing federal and state laws 
restrict the accessibility of certain types of personal information. 
For instance, as previously discussed, federal law restricts disclosure 
of cable subscription and video tape rental or sale information.\48\ 
Such restrictions, when coupled with similar restrictions on the 
release of other types of personal information such as credit ratings 
and credit card usage,\49\ to some extent limit the information that 
can be used to create personal profiles. The existing legal framework, 
then, addresses only the first step of the matching process in the 
private sector by limiting access to information.
---------------------------------------------------------------------------

    \48\ As discussed supra in notes 20 and 24, numerous state laws 
restrict the use of cable subscriber data and video cassette rental 
records.
    \49\ See, e.g., Fair Credit Reporting Act Sec. 604, 15 U.S.C. 
Sec. 1681b (Supp. 1993) (requiring that consumer reports go only to 
companies that will use them for credit, insurance, employment, or 
``a legitimate business need''); Cal. Civil Code Sec. 1785.1 
(Deering Supp. 1993) (regulating consumer credit reporting agencies 
that gather credit-oriented information for consumer reports to 
third parties); Mass. Gen. Laws Ann. ch. 93, Secs. 51-52 (West 1993) 
(limiting credit-report access to third parties and content in 
consumer credit reports). See generally Robert E. Smith, 
``Compilation of State and Federal Privacy Laws'' (1992).
---------------------------------------------------------------------------

B. Areas of Inquiry

    45. NTIA solicits comment on whether existing federal laws would 
adequately deter invasions of personal privacy resulting from the 
compilation of telecommunications-related data, such as records of 
interactive media and telephone usage, obtained through the NII. Should 
federal legislation restrict private sector computer matching of such 
data? If so, for what purposes would the Matching Act serve as a useful 
model? Does computer matching create new information that should be 
subject to greater privacy restrictions than those applicable to each 
separate piece of information used in the match? Is privacy threatened 
by the act of gathering information about an individual from several 
different sources, or only when the resulting personal profile is used 
for purposes beyond the individual's knowledge and ability to control?
    46. Market forces have an impact on the actions of businesses and 
consumers. For instance, Lotus Development Corporation and one of the 
nation's largest credit reporting bureaus, Equifax, abandoned plans to 
market a data base on a CD-ROM called ``Marketplace: Households'' in 
the face of widespread public criticism.\50\ In 1990, New York 
Telephone abandoned plans to rent directory information such as name, 
address, and telephone number from 4.7 million listings to retailers, 
telemarketers, and others selling products and services in the face of 
800,000 requests to be excluded from such lists.\51\ Will consumer 
concern about the existence of personal profiles deter companies from 
developing such profiles? If so, what impact would that have on 
individuals and society?
---------------------------------------------------------------------------

    \50\ The proposed data base would have contained such personal 
information as the names, estimated incomes, purchasing habits, and 
marital status of 120 million Americans. See, e.g., Charles Piller, 
``Privacy in Peril,'' Macworld, July 1993, at 8, 11; Mendel-Black & 
Richards, supra note 2, at H1.
    \51\ Comm. Daily, June 19, 1990, at 5.
---------------------------------------------------------------------------

VI. Role of Self-Regulation

    47. In response to growing customer concern about privacy issues, 
many companies are developing their own corporate privacy codes and 
other initiatives to bolster customer confidence in their services. In 
the telecommunications area, Pacific Bell, one of the Regional Bell 
Operating Companies, issued a comprehensive telephone customer privacy 
code in December 1992.\52\ MCI as a matter of policy does not sell 
or rent its customer lists or information about customers to third 
parties.\53\ Among information providers, Prodigy, one of the 
largest commercial on-line services, has a formal policy governing its 
use of personal information about subscribers.\54\ NTIA solicits 
comment on what other companies in the telecommunications and 
information field are doing to address their customers' privacy 
concerns. What has been the experience to date of companies that have 
privacy policies? Should companies be required to provide their 
customers with notice of their internal practices and policies 
regarding collection and use of personal information? To what extent 
can we expect that marketplace forces will adequately resolve conflicts 
over privacy interests, and how will this occur?
---------------------------------------------------------------------------

    \52\ ``Pacific Bell's Customer Privacy Guidelines'' (Sept. 1993) 
(on file at NTIA); see also ``Profile of Pacific Bell and its 1992 
Customer Privacy Policy,'' Privacy & Am. Bus., Sept./Oct. 1993, at 
12, 13.
    \53\ Letter from Gerald J. Kovach, Senior Vice President, 
External Affairs, MCI, to Chairman Edward Markey, House Subcommittee 
on Telecommunications and Finance (May 20, 1992) (on file at NTIA).
    \54\ Prodigy Services Co., ``Policy on Protecting Member 
Privacy'' (on file at NTIA).
---------------------------------------------------------------------------

    48. Many non-commercial networks have informally developed norms 
for conduct that are voluntarily adhered to by users. Users that engage 
in unacceptable behavior may be ``flamed'' by other users.\55\ On 
many bulletin boards, the system operator retains discretion to banish 
users who post offensive messages. Is such self-regulation in 
electronic communities adequate to protect the individual's right to 
privacy over the NII?
---------------------------------------------------------------------------

    \55\ ``Flaming'' is the practice of users sending electronic mail 
messages that confront and chastise the addressee.
---------------------------------------------------------------------------

VII. International Issues

    49. The NII will be part of evolving global networks and therefore 
must be coordinated with international requirements in order to 
facilitate the competitiveness of U.S. firms. Many of our major trading 
partners in Europe, for instance, have formal data protection 
commissions that oversee implementation of national laws governing the 
information practices of both public sector and private sector parties. 
Thus, the United States needs to evaluate how the policies regulating 
the privacy of personal information transmitted over telecommunications 
networks in other countries will affect individuals and commerce in the 
United States, and vice versa.

A. International Privacy Guidelines

    50. International interest in advancements in computerization and 
related privacy issues began in the late 1960s. Since then, different 
nations have followed varying approaches to privacy. As previously 
noted, U.S. privacy law is a patchwork of constitutional, statutory, 
regulatory, and common law protections, and voluntary self-regulation. 
The European approach to the privacy of electronic information has been 
to favor omnibus data protection regulations that apply to both the 
public and private sectors and are overseen by state-controlled privacy 
boards. The Organization for Economic Cooperation and Development 
(OECD), whose membership consists of twenty-four industrialized 
countries, including the United States, Canada, most Western European 
countries, and Japan, has adopted guidelines for the protection of 
personal data that permit both the U.S. and European approaches. 
African, South American, and Central American countries have not yet 
adopted any data protection laws, but some are studying the 
issue.\56\
---------------------------------------------------------------------------

    \56\ See Olga Estadella-Yuste, ``Transborder Data Flows and the 
Sources of Public International Law,'' 16 N.C.J. of Int'l L. & Com. 
Reg. 379, 429-30 (Fall 1991).
---------------------------------------------------------------------------

    51. In the discussion that follows, we focus on the major 
international instruments pertaining to privacy adopted by the OECD and 
the Council of Europe (COE), and under consideration by the European 
Community (EC), rather than the laws of specific countries.\57\ 
These international agreements--which generally recognize that the free 
flow of information is critical to transborder economic activity--
provide a framework for adoption of domestic legislation by member 
nations.
---------------------------------------------------------------------------

    \57\ For a list of privacy laws in particular countries, see id. at 
392 n.56, 395 n.79.
---------------------------------------------------------------------------

1. Organization for Economic Cooperation and Development
    52. The OECD has been active since the 1970s in considering the 
impact of computers and telecommunications technologies on the 
international flow of data. In 1978, it instructed a ``Group of 
Experts'' to develop a set of basic guidelines to govern transborder 
data flow and the privacy of personal data. The Group of Experts 
adopted ``Guidelines on the Protection of Privacy and Transborder Data 
Flows'' in 1980.\58\ All twenty-four OECD member countries have 
accepted the OECD Guidelines, which are strictly voluntary. In the 
United States, over 175 corporations have provided written statements 
of support for the OECD Guidelines.\59\
---------------------------------------------------------------------------

    \58\ Organization for Economic Cooperation and Development, 
``Recommendation of the Council Concerning Guidelines Governing the 
Protection of Privacy and Transborder Flows of Personal Data,'' OECD 
Doc. C(80)58 final, reprinted in 20 I.L.M. 422 (OECD Guidelines). 
The OECD guidelines include the following eight principles:
    * There should be limits on the collection of personal 
data, and it should be obtained fairly and lawfully and, where 
appropriate, with the data subject's consent.
    * Personal data should be accurate, complete, current, 
and relevant to the purposes for which it is obtained.
    * Personal data should be used for legitimate, specified 
purposes and the data subject should be notified of any changes in 
those purposes.
    * Personal data should not be used for purposes other 
than those for which it was originally intended, except with the 
consent of the data subject or legal authorization.
    * Personal data should be protected by reasonable 
security safeguards.
    * There should be a policy of openness about practices 
and policies related to the collection and use of personal data.
    * Individuals should have the ability to examine and 
correct data relating to them upon request.
    * Organizations should have a data controller who is 
responsible for complying with the above principles.
    \59\ See Letter from Nanette Di Tosto, U.S. Council for 
International Business, to Larry Irving, Assistant Secretary for 
Communications and Information, NTIA, U.S. Department of Commerce 
(Oct. 19, 1993) (on file at NTIA). Other aspects of transborder data 
flow are regulated by the OECD's ``Declaration on Transborder Data 
Flow.'' See Estadella-Yuste, supra note 56, at 405.
---------------------------------------------------------------------------

2. Council of Europe
    In 1980, the Council of Europe, whose membership consists of the 
twelve EC countries and nineteen other European countries, adopted 
``fair information practices'' similar to those of the OECD regulating 
the collection, storage, and automated processing of personal data, and 
transborder data flow. Those principles, set forth in the ``Convention 
for the Protection of Individuals With Regard to Automatic Processing 
of Personal Data'' which was opened for signature in 1981,60 
establish standards that must be enacted into domestic law by signatory 
countries. Twenty of the thirty-one Council of Europe members have 
signed the convention, and thirteen have ratified it. Ten of the twelve 
EC member states have ratified the convention and enacted domestic data 
protection laws.\61\ The COE Convention permits, but does not 
mandate, signatory countries to refuse to transfer data to other 
countries that do not provide equivalent data protection.\62\
---------------------------------------------------------------------------

    \60\ Council of Europe, Convention for the Protection of 
Individuals with Regard to Automatic Processing of Personal Data, 
Jan. 28, 1981, Europ. T.S. No. 108, reprinted in 20 I.L.M. 317 (COE 
Convention). The COE Convention includes principles analogous to the 
OECD principles discussed supra note 58, with some difference in 
emphasis, plus two additional principles: the collection of personal 
data should be for general purposes and specific uses that are 
socially acceptable, and data should be preserved no longer than 
necessary for the purpose for which it is stored.
    \61\ Nanette Di Tosto, U.S. Council for International Business, 
Remarks before the International Data Protection Landscape 2 (July 
23, 1993). Belgium, for instance, is in the process of establishing 
a national registry of all information data bases. Belgian law 
requires that individuals have access to personal information 
contained in such data bases and have a right to be informed at the 
moment of data collection about what information is being collected. 
A. Pipers, ``Personal Data Protection in Belgium Now,'' Lecture 
Before the Council of Europe, Consultative Committee of the 
Convention for the Protection of Individuals with Regard to 
Automatic Processing of Personal Data (Jan. 18, 1993) (on file at 
NTIA). One commenter has concluded that most social research will 
cease in Belgium once these requirements become fully operational. 
Erik Von Hove, ``Legislation on Privacy Protection and Social 
Research'' 11 (Sept. 1993) (paper presented at the Council of 
Europe's International Conference of Data Protection and Privacy 
Commissioners, on file at NTIA).
    \62\ France and the United Kingdom have banned data transfer in 
specific cases based on the lack of, or inadequacy of, data 
protection laws in the receiving country. The U.K. ban involved the 
transfer of direct marketing lists to the United States. See Joel R. 
Reidenberg, ``Rules of the Road for Global Electronic Highways: 
Merging the Trade and Technical Paradigms,'' 6 Harv. J.L. & Tech. 
287, 290-91 & n.13 (Spring 1993); Estadella-Yuste, supra note 56, at 
402 n.125. See generally George B. Trubow, ``The European 
Harmonization of Data Protection Laws Threatens U.S. Participation 
in Trans Border Data Flow,'' 13 Nw. J. Int'l L. & Bus. 167 (Spring/
Summer 1992); Joel R. Reidenberg, ``Privacy in the Information 
Economy: A Fortress or Frontier for Individual Rights,'' 44 Fed. 
Comm. L.J. 195, 200-201 & nn.20-23 (1992).
    In addition to the international instruments discussed above, 
the United Nations has adopted its own set of guidelines relating to 
computerized personal files and transborder data flows, which are 
similar to the OECD Guidelines and COE Convention. See Estadella-
Yuste, supra note 56, at 385 & n.23, 391.
---------------------------------------------------------------------------

    54. The Council of Europe continues to respond to new privacy 
issues brought about by technological innovation. Its Committee of 
Experts on Data Protection has studied a number of areas that pose 
challenges to privacy, including telemetry (the use of remote cameras, 
sound detectors, and other means to collect personal data without the 
consent, or even the knowledge, of the data subject), interactive 
media, and electronic mail.\63\
---------------------------------------------------------------------------

    \63\ See Council of Europe, ``New Technologies: a Challenge to 
Privacy Protection?'' (1989); Colin J. Bennett, ``Regulating 
Privacy'' 245 (1992).
---------------------------------------------------------------------------

3. European Community Directives
    55. In 1990, the EC proposed a new directive that would create 
another set of international privacy guidelines, which would be 
mandatory for all EC Member States.\64\ Among other provisions, the 
1990 Proposed Directive adopted an ``opt-in'' approach requiring 
companies to notify and obtain consent from each individual regarding 
the use of personal data pertaining to them. This directive would have 
allowed Member States to block the transborder flow of data to any 
country whose privacy regulations are determined to be inadequate.
---------------------------------------------------------------------------

    \64\ Commission of the European Communities, Proposal for a 
Council Directive Concerning the Protection of Individuals in 
Relation to the Processing of Personal Data, COM(90)314 final--SYN 
287, reprinted in 1990 O.J. (C277/3) (1990 Proposed Directive).
---------------------------------------------------------------------------

    56. U.S. businesses objected to the 1990 Proposed Directive because 
it would place potentially costly, bureaucratic restrictions on the 
collection, use, alteration or transfer of personal data files. The 
United States government argued that this directive would potentially 
hinder the ability of U.S. companies to communicate with their 
subsidiaries and customers in Europe. The German, U.K., and French 
governments also spoke out against the directive.\65\
---------------------------------------------------------------------------

    \65\ Id., art. 24.
---------------------------------------------------------------------------

    57. In 1992, the EC proposed a revised privacy directive that has 
not yet been adopted, but addresses some of the major concerns of U.S. 
industry.\66\ In particular, the revised proposal is less 
restrictive than the original with respect to transborder data flow. In 
determining whether the destination country affords a sufficient degree 
of privacy protection, nations may consider the specific circumstances 
of each data transfer on a case-by-case basis, rather than on an 
overall country assessment, taking into account the nature of the data, 
the purpose and duration of processing, and professional rules.\67\
---------------------------------------------------------------------------

    \66\ Commission of the European Communities, Amended Proposal for 
a Council Directive on the Protection of Individuals with Regard to 
the Processing of Personal Data and on the Free Movement of Such 
Data, COM(92) 422 final--SYN 287 (1992 Privacy Directive).
    \67\ Id., art. 26.
---------------------------------------------------------------------------

    58. The 1992 Privacy Directive would require EC member countries to 
have independent supervisory authorities for the protection of personal 
data. These advisory bodies would monitor implementation of national 
laws adopted as a result of the EC privacy directive and would have the 
power to bring action against infringements of the law.\68\
---------------------------------------------------------------------------

    \68\ A number of European countries have already established data 
commissions to fulfill this role. See also discussion supra at note 
61.
---------------------------------------------------------------------------

    59. The 1992 Privacy Directive also acknowledges contractual 
provisions that protect data subjects' rights, but still does not 
recognize voluntary self-regulation, practiced widely by U.S. 
industry.\69\ It considers intracorporate data transfers between and 
among a company and its overseas subsidiaries and affiliates to be 
communications to a third party and subject to privacy regulations. 
Member States therefore still would be able to block the transborder 
flow of intracorporate data, if the privacy regulations in the country 
receiving the data are determined to be inadequate. The 1992 Privacy 
Directive has not been ratified due to remaining concerns within the EC 
business community over such issues as how to determine the adequacy of 
foreign data protection laws.
---------------------------------------------------------------------------

    \69\ The EC has commissioned a study of U.S. privacy policies to 
determine the effectiveness of self-regulation by private industry 
in the United States. The 1992 Privacy Directive would allow trade 
associations to create codes of conduct within the framework of the 
Directive. See 1992 Privacy Directive, arts. 28, 30. Such codes 
would not be comparable to self-regulation as practiced by U.S. 
industry, however, as those codes would be approved and enforced by 
the supervising body in the country.
---------------------------------------------------------------------------

    60. In addition to the 1992 Privacy Directive, the EC is 
considering a proposed directive that would harmonize regulations in 
Member States designed to protect the privacy of telephone 
subscribers.\70\ Generally, the proposed ISDN Directive would allow 
telephone companies to collect and store only that information that is 
necessary to provide requested services, require the subscriber's consent 
to provide such information to third parties, guarantee adequate 
protection against unauthorized access, and require telephone companies 
to provide a call blocking option for calling line identification.
---------------------------------------------------------------------------

    \70\ Proposal for a Council Directive Concerning the Protection 
of Personal Data and Privacy in the Context of Public Digital 
Telecommunications Networks, in Particular the Integrated Services 
Digital Network (ISDN) and Public Digital Mobile Networks, SYN 288 
(ISDN Directive).
---------------------------------------------------------------------------

4. Areas of Inquiry
    61. NTIA solicits comment on whether U.S. industry believes that 
the OECD Guidelines and the COE Convention are adequate instruments to 
protect individuals' right to privacy over telecommunications networks. 
Should there be any change in U.S. international privacy policy beyond 
individual firms' support for voluntary OECD guidelines related to 
transborder data flows? What impact would ratification of the EC's 1992 
Privacy Directive or ISDN Directive have on the NII? Would the United 
States need to adopt additional privacy laws applicable to the private 
sector to ensure that, as the NII develops, it is not excluded from 
exchanging personal information with the EC? Could problems arise for 
international calls originating in the United States if the EC requires 
specific technologies or policies to be implemented that are different 
from those in use in the United States? For example, deployment of SS7 
is necessary in order for calling parties to block transmittal of their 
telephone number to called parties. Different standards exist for 
technological solutions to privacy concerns such as encryption. To what 
extent does international network configuration have an impact on 
privacy considerations? What privacy policies have been adopted by 
individual countries that could serve as useful models for the United 
States as it develops its privacy policies for the NII?

B. International Trade Agreements: GATT/NAFTA

    62. Issues relating to privacy will continue to be a growing 
international trade issue as other countries and regions develop their 
own information networks. The protection of individual privacy is 
mentioned in both the GATT Telecommunications Annex and the 
telecommunications chapter of the North American Free Trade Agreement 
(NAFTA). Both documents focus on the right of users and service 
providers to access and use the public telecommunications network on a 
nondiscriminatory basis. However, under both GATT and NAFTA, laws or 
regulations that protect privacy of individuals in the processing and 
dissemination of personal data are permissible so long as they are not 
applied in a discriminatory manner or as a disguised restriction on 
trade.\71\ Will such provisions adequately limit the ability of a 
signatory country to impose its own privacy framework on other 
signatory countries, while allowing for a free flow of information? 
Given that the telecommunications networks that are part of the NII 
extend across U.S. borders into Canada and Mexico, will the United 
States need to consider how those countries address privacy issues as 
we develop our policies in this area?
---------------------------------------------------------------------------

    \71\ The GATT exception for privacy states that ``A Party may 
take such measures as are necessary to ensure the security and 
confidentiality of messages. . . .'' GATT Doc. MTN.TNS/W/FA, at 18 
(1990). The NAFTA states that any Party to the agreement may pass 
any measure to ``ensure the security and confidentiality of 
messages,'' or to ``protect the privacy of subscribers to public 
telecommunications transport networks or services.'' North American 
Free Trade Agreement, art. 1302(5) (1992), Hein's No. KAV 3417.
---------------------------------------------------------------------------

VIII. Conclusion

    63. NTIA hereby requests comments in this inquiry to be filed on or 
before March 14, 1994.

    Dated: February 7, 1994.
Larry Irving
Assistant Secretary of Commerce for Communications and Information.
[FR Doc. 94-3185 Filed 2-10-94; 8:45 am]
BILLING CODE 3510-60-P