Options for Promoting Privacy on the National Information Infrastructure. Executive Summary

04/01/1997

The information revolution is underway.

As Vice President Gore predicted in 1995, development of the Global Information Infrastructure (GII) is increasing economic growth and productivity, creating high-wage jobs in newly emerging industries, and fostering U.S. technological leadership across the globe. Through this medium, we can already secure high quality services at low cost and prepare our children for the demands of the 21st Century. A more open and participatory democracy is emerging at all levels of government.

And yet, we are only beginning to tap the information infrastructure's potential to improve the lives of ordinary Americans.

The information economy of the 21st Century will run on data. Some of that data may be highly personal and sensitive. In some cases, personal data may become quite valuable. Thus, the transition to the Information Age calls for a reexamination of the proper balance between the competing values of personal privacy and the free flow of information in a democratic society. Will our traditional balance point serve in the digital age? Can we continue to rely on the same tools we have used to strike this balance in the past? Or, is an entirely new approach warranted?

This Options Paper explores the growing public concern about personal information privacy. The paper describes the status of electronic data protection and fair information practices in the United States today, beginning with a discussion of the Principles for providing and using personal information issued by the Information Infrastructure Task Force in 1995. It then provides an overview of new information technologies, which shows that personal information is currently collected, shared, aggregated, and disseminated at a rate and to a degree unthinkable just a few years ago. Government is no longer the sole possessor of extensive amounts of personal information about U.S. citizens; in recent years the acquisition of personal information by the private sector has increased dramatically.

We next consider in more detail the laws and policies affecting information privacy in four specific areas: government records, communications, medical records, and the consumer market. This examination reveals that information privacy policy in the United States consists of various laws, regulations and practices, woven together to produce privacy protection that varies from sector to sector. Sometimes the results make sense, and sometimes they do not. The degree of protection accorded to personal information may depend on the data delivery mechanism rather than on the type of information at issue. Moreover, information privacy protection efforts in the United States are generally reactive rather than proactive: both the public and the private sector adopt policies in response to celebrated incidents of nonconsensual disclosure involving readily discernable harm. Sometimes this approach leaves holes in the fabric of privacy protection.

We then turn to the core question: in the context of the GII, what is the best mechanism to implement fair information practices that balance the needs of government, commerce, and individuals, keeping in mind both our interest in the free flow of information and in the protection of information privacy? At one end of the spectrum there is support for an entirely market-based response. At the other end of the spectrum, we are encouraged to regulate fair information practices across all sectors of the economy. In between these poles lie a myriad of options.

In response to public concern, both government and private industry seem to be taking a harder look at privacy issues. As government and consumers become more aware of the GII's data collection, analysis and distribution capabilities, demand could foster a robust, competitive market for privacy protection. This raises the intriguing possibility that privacy could emerge as a market commodity in the Information Age. We recognize ongoing efforts to enhance industry self regulation to carry out the IITF Privacy Principles. We also discuss ways this self regulation might be enforced, and discuss a number of ways that government could facilitate development of a privacy market.

We then consider a number of options that involve creation of a federal privacy entity. We discuss some of the many forms that such an entity could take and consider the advantages and disadvantages of the various choices. We also consider the functions that such an entity might perform, as well as various options for locating a privacy entity within the federal government.

This paper presents a host of options for government and private sector action. Our ultimate goal is to identify the means to maintain an optimal balance between personal privacy and freedom of information in the digital environment. The next step is to receive and respond to public comment on the report in order to develop consensus regarding the appropriate allocation of public and private sector responsibility for implementation of fair information practices.