Options for Promoting Privacy on the National Information Infrastructure. An Enhanced Sectoral Approach

04/01/1997

Most advocates of the sectoral approach to privacy protection concede that there is room for improvement. They believe, however, that the sectoral approach is fundamentally sound and should be preserved, but made to operate in a more cohesive fashion. Specifically, a decision to maintain a sectoral approach to privacy protection does not mean taking no new action. As set forth throughout this report, both the public and private sectors are responding to growing public concern about new threats to privacy. Solutions are on the horizon, or at least have been identified, for many of the substantive inadequacies of U.S. data protection policy.

Congress, for example, is debating several statutory solutions to problems associated with medical information, the collection of data from and about children, communications privacy, and consumer privacy issues arising, or expected to arise, in connection with electronic commerce. At the direction of Congress, an HHS Task Force is currently developing recommendations for comprehensive protection of medical records.

The President's Office of Consumer Affairs (OCA) has been active in educating the public about a variety of privacy issues and was instrumental in establishing the Privacy Working Group of the IITF. In addition, OCA has worked with industry to preserve consumers' privacy and control over the use of their personal data while encouraging both growth and innovation in the use of telecommunications and information management technology.252 Recently, the newly appointed director of OCA, Leslie Byrne, announced that consumer privacy issues would be a primary focus of her office in the Clinton Administration's second term.253

Several organizations have announced and demonstrated technology that consumers can use, or will soon be able to use, to protect their personal information online. Trade associations representing the advertising, marketing, and online service industries have announced new or revised privacy codes and consumer education programs for the information age. The FTC has indicated that it will monitor consumer privacy concerns, as well as the implementation of technological and self-regulatory tools to respond to consumer concerns.

Similarly, NTIA recently issued a White Paper on telecommunications privacy, and is now meeting with telecommunications providers to assess adherence to the privacy principles outlined in that paper. NTIA plans to report its findings, and to recommend statutory or regulatory changes if needed to ensure compliance. NTIA, with the Department of State, is also holding discussions with the European Union on the EU Directive. Finally, NTIA is evaluating a number of papers to identify the constellation of characteristics and circumstances that produce effective self-regulation.

Why are such initiatives under way now? There are probably a number of explanations for this phenomenon. Now that the ease with which the NII allows data to be collected, distributed and analyzed has become clearer, there is greater demand for privacy enhancing products and policies. This can be viewed as an example of the free market in operation. In the Information Age, privacy may become a market commodity. Given adequate levels of consumer and government awareness, demand for privacy protection could continue to increase and a robust, competitive market for privacy protection could develop. Under this scenario, the market itself could protect privacy on a sectoral basis without the inevitable duplication of sectoral expertise required to administer government programs.

Government could facilitate the development of a marketplace for privacy in four distinct ways. First, the government could formally adopt the Privacy Principles. The Privacy Working Group issued its Principles for Providing and Using Personal Information nearly two years ago. To date, neither the executive or legislative branch has formally adopted them as official policy. An obvious first step is to do so.

Thus, the Office of Management and Budget might consider whether to direct all federal agencies to incorporate the Principles in their information management and procurement practices. In addition, the Administration could consider using its powers of persuasion to encourage state, local and tribal governments, as well as business leaders, to adopt and implement information practices that recognize the rights and responsibilities set forth in the Principles.

Congress might also consider formal adoption of the Privacy Principles as part of omnibus privacy legislation, in connection with agency specific legislation, or in the form of legislative resolutions. For example, Congress might direct the Federal Trade Commission to undertake rulemaking to ensure that the collection and use of personal data in the commercial setting occurs in a manner that comports with the core elements of fair information practices: notice, choice, access and integrity.

Second, the government could get its own house in order by ensuring that government data collection remains consistent with the Privacy Principles in the face of changing technology. The Office of Management and Budget, Office of Information and Regulatory Affairs (OIRA) has statutory responsibility with respect to the Privacy Act, the Paperwork Reduction Act and the Freedom of Information Act, for example, and might consider reviewing these statutes in light of the Privacy Principles. OMB could report its findings and recommend legislation, regulation, administrative action, or executive orders as appropriate to solve any problems it discovers. This kind of review could provide a model for the private sector organizations to undertake similar audits.

Recently, a number of federal agencies, including HHS and the IRS have established privacy offices. One option would be to expand this practice government wide and establish a formal Privacy Advocate in each agency to consider the privacy implications of particular public or private sector practices. An inter-agency committee of privacy advocacy offices could facilitate interagency coordination and cooperation on privacy-related issues as they arise. There is ample precedent for such councils: for example, the Office of Management and Budget administers a Chief Information Officer Council; likewise, the Office of Consumer Affairs chairs the Consumer Affairs Council, an inter-agency committee of consumer affairs officers.

Third, government could play a larger role in consumer and business education. Agencies could act as "bully pulpits" to raise consumer and business awareness of the issue. Consumer education is likely to raise demand for information privacy protection to its optimal level. Business education is also necessary to introduce technology entrepreneurs to consumer protection theory, which in turn could help industry anticipate the privacy implications of a new product. Government could also continue to facilitate dialogue among industry representatives and consumer advocates that lead to early identification of emerging issues and that foster joint efforts to address privacy concerns as they arise. The expense associated with consumer and business education would be minimized if the industries that will benefit most directly from increased consumer confidence in the NII were to accept some responsibility for this program.

Fourth, government could enhance self-regulation by exploring enforcement deficiencies with industry. This would address the most oft-heard complaints about self-regulation; that industry codes of conduct are praiseworthy, but largely unenforced. Industry often responds that U.S. competition law limits their enforcement efforts. One option is to ask the anti-trust enforcement agencies, in conjunction with consumer protection agencies, to consider whether, and how, competition policy undermines privacy enforcement activities. Government and industry could then work together to resolve any conflicts between consumer protection and competition values raised by strong enforcement of self regulatory regimes.

Much can be done following this approach, but it may be viewed by some as little more than the status quo in a new package. For example, the increased legislative activity, while appropriate, is reactive. So too, the steps the government could reasonably take to protect privacy (i.e., getting its own house in order, playing a larger role in consumer and business education, and enhancing self-regulation by exploring enforcement deficiencies with industry) are all steps that could have been taken years ago. The sectoral approach, even enhanced, may continue to produce inconsistent privacy protections, or fail to anticipate future developments in a comprehensive, thoughtful way.

Continued reliance on the incremental, responsive mix of public and private action involves acknowledging that no agency has privacy as its primary mission. Privacy issues would continue to be one of many issues for which a particular agency is responsible. But, is it necessarily inappropriate for a policy concern such as privacy to compete, in terms of budget and staff resources, for government and industry attention? Such competition may minimize the threat of over regulation, ensuring that resources will not be devoted to problems that are merely theoretical. Moreover, allowing privacy to compete with other policy priorities makes it more likely that government will not intervene until there is clear evidence of a market failure -- a situation where government intervention is necessary to achieve an important policy objective that the unregulated marketplace cannot provide. Finally, the existence of a separate government entity to address privacy would not isolate it from the annual authorization and appropriation process, in which it would compete with other public priorities as a matter of course.

Reliance on an enhanced sectoral approach would also mean that no single federal agency would be responsible for articulating privacy values on an ongoing or proactive basis. New data technology, or a particular information practice could become prevalent without any consideration of privacy values. While it is costly and controversial to eliminate commercial practices that are already widely deployed, preventative privacy might find no champion without a federal agency to articulate privacy values.

Although market forces undoubtedly have played and will continue to play a critical role in protecting privacy, relying too heavily on market forces is arguably a mistake in the privacy area, where externalities and/or inadequate information are likely to exist, or in cases where the consumer is not in an equal bargaining position with industry.254 Some argue that free market forces will not discipline commercial practices in the many instances when there is no relationship between the consumer and the private sector entity collecting or using personal information. For example, individuals cannot choose which credit bureau will maintain their credit report. And few consumers have even heard of the Medical Information Bureau. Neither education nor market forces are of much help here--a person suffering from cardiac arrest needs immediate medical care; there is not time to negotiate with the ambulance attendant over whether the hospital's records will be referred to the MIB.

Finally, none of the options described above facilitate better understanding of sectoral practices by extra-sectoral players, either domestic or international. In the absence of a centralized information resource, both governments and individuals will continue to experience difficulties finding the right place to resolve any particular set of privacy concerns. This is particularly troublesome in the inherently borderless domain of electronic commerce.


252. See Hearings Before the Subcommittee on VA-HUD-Independent Agencies of the House Committee on Appropriations, 104th Cong. 2d sess. (1996) (statement of Bernice Friedlander, Acting Dir., Office Of Consumer Affairs), available in 1996 WL 5511468.

253. See statement of Leslie Byrne, Director, Office of Consumer Affairs, at Privacy and American Business -- Third Annual Conference, Managing Privacy in Cyberspace and Across National Borders, Washington, D.C., Oct. 10, 1996.

254. Externalities occur when neither the buyer nor the seller of a product pays a price that reflects the costs that its use and production imposes on society. For example, when list brokers sell information to direct marketers, the data subject may not be fully compensated for the cost that the transfer of data will impose on the data subject. Different but equally troubling concerns exist with respect to inadequate information when available legal remedies are expensive or impractical or the market fails to furnish the information necessary to evaluate a particular product.