1. A State of the Union for Privacy: Fall, 2002 Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP International Privacy Officers Association October 18, 2002

2. Overview n Privacy and Government – The Lawless State and the 1970s Reaction – Since September 11 n Privacy in the Private Sector – Medical, financial, Internet, international n What to Do Next

3. I. The Lawless State n By the mid-1970s, there was clearly substantiated evidence of widespread lawlessness and surveillance by the FBI, CIA, and other federal agencies n The Lawless State by Jerry Berman & others n Church Committee hearings

4. The Lawless State n Surveillance and smears of MLK, Jr. n FBI infiltration of political groups – FBI agents in KKK to Black Panthers, including participating in bombings, etc. – Fringe groups? Large fraction of delegates to 1972 Democratic National Convention under surveillance – Blackmail files on political officials

5. The Lawless State n IRS files routinely scanned for political advantage n CIA prohibited from acting in U.S. – But, active in ports – Then active in hundreds of other domestic operations – Allende assassination plans, secret funding in foreign elections, and other black ops overseas

6. The Lawless State n National security powers – President and A.G. claimed unlimited ability to wiretap within the U.S. for national security purposes n State wiretaps – No federal law limiting wiretaps by state officials until 1968

7. Reactions to the Lawless State n Title III (1968) -- wiretaps only under strict, federal standards n Privacy Act, 1974 n Government in the Sunshine – FOIA Amendments, 1974 – Open meeting & whistleblower laws n Foreign Intelligence Surveillance Act, 1978 n Electronic Comm. Privacy Act, 1984

8. Summary on the Lawless State n Demonstrated history of abuse of power and lack of accountability n New laws going beyond constitutional minimum, to limit surveillance and protect privacy n New laws to create openness in government, to promote accountability

9. II. Privacy -- the Next Generation n Clinton years – Chief Counselor for Privacy – HIPAA, GLB, COPPA, and more – 2000 proposal to update wiretap laws n Initial Bush Administration – Pro-privacy statements by the President – Decision not to cancel medical privacy rule – Likely would have had a Federal CPO by now

10. 9/11 and USA-PATRIOT n Legal changes: significant rollback but not repeal of surveillance law n Updating with the surveillance powers from 2000 Clinton proposal n Double that, especially for FISA and computer trespasser n None of the proposed privacy updating – No suppression for illegal email/web snooping – That evidence can be used in court

11. USA PATRIOT Act & After n Implementation changes: use authorities to the limit, and perhaps beyond n Political changes: protecting privacy means weak on terrorism n Not all proposals enacted: – Some proposals taken out of bill – E.g., proposal for CIA to get IRS records – Sunset for some surveillance in fall, 2005

12. The Effects of 9/11 n Less known -- the theory change n Viet Dinh in DOJ, seek powers to the limit permitted by the Constitution n Sounds good, but means repeal of much of the 1970s laws – Often no reasonable expectation of privacy – Often records held by 3d parties, who can consent to release – Surge in secrecy -- FOIA not in Constitution

13. Homeland Security Department n Beginning of a return to previous privacy politics n House hearing and bill – CPO for the Department – Privacy Impact Assessments – No authorization for national ID – TIPS (Armey) n Senate? Commission on Privacy & H.S.?

14. Cyber-Security Report n Released September, 2002 n Section of report on privacy – First Bush Administration written statements (that I have found) on the importance of building privacy into government practices – Excellent on this: should build in privacy when upgrade systems for security – Report widely criticized for good intentions, but few actual action items

15. Summary on Government Access to Records n Some Congressional return now to previous pro-privacy politics n September 11 and USA-PATRIOT effects continue n Administration statements: privacy should be based on what is required by the Constitution n That is less than I believe most Americans will want

16. III. Privacy & the Private Sector n Medical n Financial n On-line and more generally n International

17. Medical Privacy & HIPAA n I commend the Bush Administration for going forward with HIPAA – Have historic one-time shift from paper to electronic medical records – Is of course a difficult transition for a huge industry to new IT systems – Overwhelming majority of Americans expect security and privacy to be built into the new medical record systems

18. HIPAA n What about the changes to the rule? – I estimate HHS kept 90-95% of the 2000 rule – Many changes sensible & fix problems – Biggest mismatch of rule and consumers on marketing n Now permits a covered entity to do unlimited marketing for health-related products and services n Covered entity can be paid for this, no disclosure n No disclosure of source of communication n Likely biggest impetus for Congressional action

19. HIPAA n HHS staff: professional, thoughtful, & hardworking n Administration leadership: – Has done the minimum necessary for achieving HIPAA goals – NCVHS (HHS Committee): call for far more guidance, education, and outreach from HHS – Abject failure to promulgate Security Rule, with needless cost to industry

20. Financial Privacy n Implementing Gramm-Leach-Bliley – Pretty routine for many companies – Should have layered notices such as HHS encourages for HIPAA

21. Changes in Financial Privacy? n Fair Credit Reporting Act reauthorization due in 2003 n FCRA preemption of state law expires n State law changes possible for GLB – California, North Dakota n Sarbanes hearing last month, and he has supported Clinton 2000 bill n Unclear what will happen

22. Online and Other Privacy n Progress thus far without legislation – 15% privacy policies in 1998 (commercial) – 88% privacy policies in 2000 n FTC/Muris commitment to enforcement n Question is the quality of policies – Cautious lawyers and promise as little as possible – Many policies weaker today than 2 years ago

23. What next for Online? n Stearns and Hollings bills n No action unless there is – Remember Sarbanes bill for Enron reforms – Dead in the water – Now, have Sarbanes-Oxley Act n Big issue: online only? – FTC approach that cant promise online and treat offline data differently – Likely the best approach

24. International Data Flows n E.U. Privacy Directive – Beginning of some enforcement with significant fines n E.U.-compatible privacy regimes – E.U. neighbors – New Zealand & Australia – Canada – More coming: Malaysia? Everyone else?

25. International Issues n Safe harbor for financial services – No agreement yet, truly difficult issues n The reality for global companies – Compliance with privacy regimes outside the U.S. – What to do inside the U.S.? n Conclusion: ongoing international pressure for more privacy laws in the U.S.

26. IV. Conclusion: Private Sector n Privacy is not dead n HIPAA is the biggest privacy compliance in U.S. history n More federal financial privacy legislation if the states get active n Internet legislation is one scandal away n Global companies face continuing pressure from almost all our trading partners

27. Conclusion: Government Access n The Bush Administration is at risk if privacy politics continue to shift back n It has taken stands as a friend of government surveillance and secrecy n It has not designated officials to address privacy and ensure that privacy values are incorporated in new initiatives

28. Conclusion: Privacy & Security n First, does the intrusive measure in fact improve security? n Second, is the measure designed to improve security while also respecting privacy where possible? n Third, have we built the new checks and balances appropriate to the new surveillance?

29. Finally... n Dont let the anti-terrorism measures of today turn into the anti-communist excesses of decades past. n Weve seen what abuses in the name of liberty look like -- lack of accountability and institutionalized lawlessness. n We must assure that does not happen again. n You as privacy professionals can help assure it does not.

30. Contact Information n Professor Peter P. Swire n web: www.peterswire.net n phone: (240) 994-4142 n email: pswire@mofo.com