Personal Privacy in an Information Society. Implementation Choices

07/12/1997

The Commission had three basic alternatives for giving effect to its policy recommendations: (1) voluntary compliance; (2) statutory creation of rights, interests, or responsibilities enforceable through either individual or governmental action; and (3) establishment of ongoing governmental mechanisms to investigate, study, and report on privacy protection issues. Each of the Commission's policy recommendations specifies the alternative it believes is most appropriate for that particular measure.

In the areas of research and statistical activities, and education, for example, the Commission specifies legislation in the form of amendments to existing Federal statutes to define further the responsibilities and duties of those types of record keepers. In the public assistance and social services area, the Commission specifies Federal action that would make State enactment of the recommended statutory rights and responsibilities a condition of Federal funding.

In the private sector, the Commission specifies voluntary compliance when the present need for the recommended change is not acute enough to justify mandatory legislation, or if the organizations in an industry have shown themselves willing to cooperate voluntarily. In its mailing list recommendations, for example, the Commission specifies that when an organization has a practice of renting, lending, or exchanging the names of its customers, members, or donors for use by others in direct mail marketing or solicitation, it should inform each of them that it does so and give each an opportunity to veto the practice with respect to his own name. The Commission does not call for legislation to enforce compliance with this recommendation because it has reason to believe the industry is willing to accept these restrictions voluntarily, and there are no legal impediments to stop it from doing so.

The Commission also relies mainly on voluntary compliance in the area of employment and personnel; though there are a few exceptions, the most notable being the recommendation dealing with the creation and use of investigative reports, where implementation by amendment of the Fair Credit Reporting Act is the Commission's choice. In this area, the Commission prefers to rely mainly on voluntary compliance because of the complexity of the relationship between employer and employee, and the difficulty of classifying all the various records different employers maintain about their employees and the way they use these records in employment decision making. For the Commission to recommend otherwise would be to recommend uniformity where variation is not only widespread but inherent in the employee-employer relationship as our society now knows it.

Most of the Commission's recommendations, however, do specify mandatory measures. This is partly because the Commission believes that in most cases voluntary compliance would be too uneven to be dependable; but more importantly, many of the issues the Commission's recommendations address are legal ones and require legal remedies. In the Miller case described above, for example, if the bank had wholeheartedly tried to protect Miller's interest, it would have done him little or no good since under existing law, Miller would have no interest in the records to assert. If a Federal agency insists on having an individual's account record today, a bank cannot successfully refuse to make it available.

In some cases, existing law and practice also work against the individual when he seeks access to records about himself. For example, the contracts that consumer reporting agencies have with their insurer, employer, and credit grantor subscribers specify that the client may not disclose the information they report on an individual. Thus, an organization reaching an adverse decision about an individual on the basis of an investigative report cannot disclose the negative information in the report to him, even if it would otherwise be willing to do so. The Commission's recommendations would void such prohibitions.

In choosing mandatory implementation alternatives for the private sector, the Commission also aimed for consistency in the matter of damages and in the method of enforcement. Where the Commission recognizes an individual's right of access to records that have not entered into a decision adverse to him, as in the insurance recommendations for example, it has recommended that when an individual denied this right substantially prevails in court, he be able to recover the costs of compelling compliance, including attorney fees, but that he not be awarded damages. When the individual's right of access is triggered by an adverse decision and a record keeper fails to perform a duty required of it, or fails to correct or amend a record about him or to propagate a correction or amendment, a court which determines that the denial or failure was willful or intentional would not only allow the individual to recover his cost of compelling compliance, including attorney's fees, but also could award him up to $1,000.

For credit, insurance, and depository records, the Commission adopts the concept of a "legitimate expectation of confidentiality." Since the damage an individual can suffer from an organization's breach of confidentiality often cannot be undone, the Commission recommends that an individual so aggrieved have the right to compensation for any special (i.e., actual) damages resulting from a private sector organization's violation of his legitimate expectation of confidentiality, and, if a court determines that the organization acted willfully or intentionally, to additional compensation for general damages in the amount of at least $1,000 but no more than $10,000.

The third implementation choice obviously requires a Federal body to oversee, regulate, and enforce compliance with certain of the Commission's recommendations. This alternative is not incompatible with the other two. In fact there are powerful arguments for using it in conjunction with the other two, rather than depending on the first two alone.

The strongest argument for using a combination of alternatives is the dynamic character of personal data record keeping practices that will continue to create new privacy concerns, and redirect existing ones. Without a focal point to keep privacy concerns in proper perspective for the public as well as for record keeping organizations, other issues competing for attention may obscure them.

A primary objective of the Commission's implementation strategy is to make sure that the privacy issues stay in proper focus. This requires continuing attention from a broad public policy perspective, a need that is not fulfilled today even within the scope of the Privacy Act. A means must be found to provide for continued public awareness of what is clearly a continuing and pivotal concern, and to assure ongoing attention to develop and refine understanding of specific and emerging problems. Notwithstanding the broad scope of this report, a number of tasks remain. Significant record keeping areas, such as licensing at the State and local level, remain unexplored and several chapters of this report highlight other problem areas that need further analysis, including the issue of unreasonable intrusiveness as evidenced by the amount and type of information an individual is required to reveal about himself in return for a desired or needed service or benefit. As indicated earlier, the propriety question is an extremely delicate one and there is as yet no generally accepted method of arriving at answers to it in different contexts. The Commission's recommendations offer mechanisms to identify those kinds of questions so they can be debated in the context most likely to be constructive in determining public policy.

A further argument for combining all three alternatives is that experience with other public policy issues of this sort suggests a continuing need to coordinate the policies that have been and will be adopted, and to assist in identifying and resolving real or apparent conflicts between existing, modified, and new statutes and regulations.

There is also the consideration that decentralized enforcement spreads responsibility for enforcement among agencies, organizations and individuals, each of which has numerous other responsibilities, thus increasing the risk that privacy objectives and protections will be obscured. The Commission advocates rights for individuals and reliance primarily on the courts to assure exercise of those rights. As indicated in many chapters of this report, however, improving the capability of the individual to protect himself can be an inadequate tool for resolving major systemic problems. The Commission sees a need for some influential "prodding" structure, some sustained oversight over the actual implementation of the protections it recommends. The Federal agency experience under the Privacy Act described in Chapter 13 attests to the need as it has arisen within the Federal government. The experience of the various Federal regulatory bodies that will have additional responsibilities if the Commission's recommendations are adopted (for example, the Federal Trade Commission, the Federal Reserve Board, and the compliance monitoring units of the Department of Health, Education and Welfare) further underscores it.

Finally, in all areas of the public sector the Commission has studied, the need for a mechanism to interpret both law and policy is clear. The difficulty of deciding which disclosures of records about individuals are routine within the meaning of the Privacy Act often raises conflicts of interest or interpretation between two or more Federal agencies. Similarly, as indicated in Chapter 13, Federal agencies often need an efficient means of arriving at common solutions to their common privacy protection problems, such as establishing procedures for the disposal of records, the propagation of corrections, and the maintenance of accountings of disclosures. State agencies frequently complain about being subjected to multiple, and sometimes incompatible, record keeping rules as a consequence of participating in programs funded by different Federal agencies or by different components within a single agency. There must also be a way of bringing private sector recommendations for voluntary action to the attention of all the relevant organizations. Many of these varied needs can best be met by the third implementation alternative.

Therefore the Commission recommends:

That the President and the Congress establish an independent entity within the Federal government charged with the responsibility of performing the following functions:

(a) To monitor and evaluate the implementation of any statutes and regulations enacted pursuant to the recommendations of the Privacy Protection Study Commission, and have the authority to formally participate in any Federal administrative proceeding or process where the action being considered by another agency would have a material effect on the protection of personal privacy, either as the result of direct government action or as a result of government regulation of others.

(b) To continue to research, study, and investigate areas of privacy concern, and in particular, pursuant to the Commission's recommendations, if directed by Congress, to supplement other governmental mechanisms through which citizens could question the propriety of information collected and used by various segments of the public and private sector.

(c) To issue interpretative rules that must be followed by Federal agencies in implementing the Privacy Act of 1974 or revisions of this Act as suggested by this Commission. These rules may deal with procedural matters as well as the determination of what information must be available to individuals or the public at large, but in no instance shall it direct or suggest that information about an individual be withheld from individuals.

(d) To advise the President and the Congress, government agencies, and, upon request, States, regarding the privacy implications of proposed Federal or State statutes or regulations.

The entity the Commission recommends may be a Federal Privacy Board or some other independent unit. However, if a new entity is established, the only enforcement authority the Commission would recommend it be given would be in connection with the implementation by Federal agencies of the Privacy Act itself. Its oversight responsibility in all of the other areas covered by the Commission's recommendations would require it only to participate in the proceedings of other agencies when substantive privacy issues are involved. For example, if the Federal Reserve Board were to issue proposals to amend its Regulation Z pursuant to the Truth in Lending Act after the Commission's recommendations are adopted, the new entity could participate in the proceedings only to the extent of presenting testimony and other comments from a privacy protection point of view.