1. The United States, Privacy, and Data Protection Peter P. Swire Dutch Embassy Presentation January 19, 2001

2. Overview n The Inevitability of Societal Decisions on Privacy n Clinton Administration Actions n A Look Ahead

3. E-mail attachment as the new metaphor n From mainframe to the e-mail attachment n 1970s and mainframes – Worry about large, centralized databases – Fair Credit Reporting Act, 1970 – Privacy Act of 1974 – First European data protection laws

4. Changes to the 1990s n Everyone has a mainframe -- laptop or desktop n Transfers are free, instantaneous, & global n Usually change symbolized by the web n Better image is the e-mail attachment – Anyone to anyone – Can attach anything to an e-mail – The lived experience of almost all users

5. Inevitability of Societal Decisions about Privacy n The lack of a status quo n Examples: – State public records – Medical records – Financial records – Internet records

6. The Lack of a Status Quo n Old reality: – Relatively few databases – Relatively few rules -- by law or industry n New reality: – Far more databases, with more detail – If few rules, then vastly greater data flows – If try to retain pre-existing privacy balance, then will have many more rules

7. Public Records n Old reality (e.g., 20 years ago) – Legal openness, state open government laws – Practical obscurity -- cost and bother of going to the courthouse for paper records n New reality: – Legal openness, except drivers records – Practical openness, far more intensive use – Bankruptcy and privacy study

8. Medical Records n What has changed: – Mostly paper to mostly electronic – Records held by large providers and plans, and used for many management purposes n Societal response: – HHS medical privacy regulations

9. Financial Records n What has changed: – Level of detail -- from credit history to transactional history – Industry convergence n Societal response – FCRA – Financial Modernization law 1999 – Clinton Administration pushed for more

10. Internet Privacy n Old reality? – None. n Inevitability of societal decisions – Web sites – Online profiling – GUIDs – Etc. -- IPv6, links to offline, and so on

11. What are Societal Decisions? n Technology -- engineers in the company or standards organizations n Markets -- company decisions and contracts with business partners n Self-regulation n Governmental rules n Transborder rules -- Safe Harbor

12. Conclusion on societal decisions n No status quo: cant return to few databases and few rules n Number and velocity of privacy issues increasing rapidly n E-mail attachments: solutions must be robust in a world of anyone-to-anyone transfers

13. II. Clinton Administration Privacy Policy n Support self-regulation generally – Applaud self-regulatory efforts n Sensitive categories deserve legal protection – Medical & Genetic – Financial & ID Theft – Childrens Online n Government should lead by example

14. Internet Privacy n Quantity of policies – 15% to 66% to 88% from 1998 to 2000 n Quality of policies – Seek fair information practices n Major legislative push this year

15. Safe Harbor n Now approved by E.U. n Self-regulation as a core achievement n Lawful basis for trans-Atlantic data flows n Streamlined registration n Up for review in summer, 2001 n Financial services not yet addressed

16. Medical Records Privacy n HIPAA 1996 called for legislation by 8/99 n President announced proposed regs 10/99 n Over 53,000 submissions of comments n Final rules announced December, 2000 n Take effect early 2003

17. Genetic Discrimination n February 8 Executive Order – Prohibits federal agencies from using genetic information in hiring or promotion n Call for legislation – Daschle/Slaughter bills – Extend protections to private sector – Apply to purchase of health insurance

18. Childrens Online Privacy n Childrens Online Privacy Protection Act of 1998 n FTC rules took effect 4/2000 n Key is verifiable parental consent

19. Financial Privacy n Financial Modernization Act – Notice for 3d parties and affiliates – Opt out choice for 3d parties only – Significant enforcement provisions

20. Federal Databases n Privacy Act in place since 1974 n Now, all agencies have privacy policies at their major web sites n Summer 2000 -- presumption against the use of cookies at federal web sites n Other OMB actions

21. III. LookingAhead n Bipartisan interest in privacy protections n Republican focus especially on misuse in the government sector n Democrats more likely to favor regulation of the private sector n Growing realization, though, that data flows between the sectors

22. The Bush Administration n Campaign statements similar to Clinton Administration approach: – Focus on sensitive medical and financial – Encourage self-regulation – But, comments by Bush himself suggested more activist

23. Which U.S. Institutions will Lead? n OMB -- traditional role for government databases n Larry Lindsay -- possible policy lead n FTC -- independent agency has called for Internet legislation n Hard to imagine a new federal privacy agency in medium term

24. Conclusion n U.S. has taken significant legal steps toward protecting most sensitive information n Ongoing debate of whether to expand to the Internet, or even off-line n Unclear what institutions would regulate in the area n Likely significant change within 5-10 years