US House hearing on the EU Data Protection Directive

Rohit Khare (rohit@fdr.ICS.uci.edu)
Tue, 19 May 1998 11:46:31 -0700


[I don't have too much intelligent to add, except that this area of US law
reflects our deeply held American faith in legislation-by-headline, assembling
a patchwork of laws trailing crimes with loopholes aforethought. Just like
declaring "carjacking" a federal crime, or the current California ballot
initiative escalating the penalty for killing a "peace officer" (anyone else's
murder is murder by another name, don't you see?).

I'm libertarian enough to be skeptical of the EU directive, but still
disgusted by the Government's position of denying, delaying, and denigrating
it rather than engaging the debate. Most of all, the media for burying the
issue under alternating hype and ignorance. --RK]

Forwarded Text ----
Date: Thu, 7 May 1998 17:34:44 -0700 (PDT)
From: Phil Agre <pagre@weber.ucsd.edu>
To: rre@weber.ucsd.edu
Subject: US House hearing on the EU Data Protection Directive

[The background here is that the member countries of the European Union are
implementing the EU Data Protection Directive, a set of regulations about the
fair handling of personal information. Many US companies are alarmed because
the Directive says that firms doing business in Europe cannot export databases
of personal information to countries that do not have adequate privacy laws.
Although the EU has not yet made its formal determination, it seems certain
that the US laws will not be found adequate. The question is whether the US
should join the rest of the industrial world by adopting an adequate privacy
protection framework. Some are arguing that the Directive is excessively
burdensome, and it is true that a framework designed from scratch to respond
to the current technological environment would differ in some ways -- it would
be more flexible in some areas and stronger in others. The fact is, however,
that the Directive simply harmonizes laws that have been in effect in the
member countries for many years, and many US firms comply with those laws
already in their European operations. Furthermore, the EU's determination of
adequacy is unlikely to depend on the out-of-date features of the EU policies.
The US shouldn't modernize its privacy policies in order to make the EU happy;
rather, being supposedly a democracy, it should modernize its privacy policies
in order to make its own citizens happy. For more details, see Simon Davies'
article in the May issue of Wired.]


Date: Thu, 7 May 1998 15:45:58 -0400
From: Marc Rotenberg <rotenberg@epic.org>
Subject: EPIC Testifies on EU Data Directive

--------

http://www.epic.org/privacy/intl/rotenberg-eu-testimony-598.html


Testimony and Statement for the Record of
Marc Rotenberg
Director, Electronic Privacy Information Center
Adjunct Professor, Georgetown University Law Center
on
The European Union Data Directive and Privacy
Before the
Committee on International Relations,
U.S. House of Representatives
May 7, 1998

My name is Marc Rotenberg. I am the executive director of the
Electronic Privacy Information Center, a public interest research
organization based in Washington, DC. I am also an adjunct professor
at Georgetown University Law Center and senior lecturer at the
Washington College of Law. I have taught privacy law for almost
ten years and I have been involved in many debates and discussions
concerning privacy protection. I appreciate the opportunity to testify
today on the EU Data Directive.

I should say at the beginning that I am not here to defend the Data
Directive. Like all legislation, the Directive has some strengths
and some weaknesses. It grew out of specific circumstances related to
the integration of the European economies and the need to harmonize
national privacy laws. It also reflects a widely held belief that
privacy is a fundamental human right, entitled to full protection in
law.

But I am also not here to attack the Directive. While it has become
common practice for some companies to criticize the Directive, to fund
conferences and reports raising questions about the Directive, I view
the problem differently. In my opinion, it is not the privacy laws
in Europe that raise concern; it is the absence of privacy laws in
the United States that created the difficult situation we face today.
Because privacy safeguards in the United States have not kept up to
date, both European governments and American citizens are rightly
concerned about the adequacy of privacy protection in this country.

I will make several points this morning about the debate over the EU
Data Directive. These are:

1. Privacy as a legal right is well established in the United
States, and the United States has passed many privacy laws in response
to new technologies. But the Administration and some companies are
now actively opposing the adoption of real privacy safeguards. A
country such as ours that prides itself on human rights should not
be campaigning against privacy -- which is one of the most important
rights in the information age.

2. The self-regulatory approach that has been offered as an
alternative to strong legal and technical protections is not doing
very well. Public support for privacy legislation has grown during the
time that self-regulatory policies have been pursued.

3. Other countries are following the European approach and adopting
new laws and new technical measures to protect privacy. The United
States is becoming increasingly isolated in the global debate over
privacy protection.

4. Europe is committed to the enforcement of the Directive. Failure
by the United States to address this issue will have specific economic
consequences for US firms and transborder data flows.

5. The U.S. policy on privacy is particularly ineffective
because we are simultaneously urging surveillance standards in the
telecommunications field for European governments and businesses even
as we tell the Europeans not to apply their privacy guidelines to
American firms operating in Europe.


Privacy Rights are Part of the American Tradition

First, it is important to understand that the right of privacy, as a
legal claim enforceable in law, is very much a part of our tradition
in the United States. In fact, the privacy right outlined by Brandeis
and Warren in their famous 1890 law review article came to be known
as the "American Tort." Even before Brandeis, Benjamin Franklin, the
architect of the United States postal system, urged the Congress to
enact a federal privacy law to ensure the protection of the US mails.

The United States has continued the tradition of enforcing privacy
rights even with the development of new technology. In fact, privacy
protection has invariably come about in response to new technology.
In 1970, the Fair Credit Reporting Act was adopted in response to the
privacy risks associated with the creation of databanks containing
credit reports. The Privacy Act of 1974, the most comprehensive
privacy law in this country, was specifically intended to address
the concerns created by the growing automation of records held on US
citizens in the federal and state government.

In 1984, the United States adopted privacy provisions as part of the
Cable Act to protect the privacy of subscriber records. In 1986 the
United States extended privacy protections in the federal wiretap
statute to new forms of communications, including electronic mail and
digital communication. In 1988 we adopted the Video Privacy Protection
Act to protect the privacy of video rental records. In 1991 the
Telephone Consumer Protection Act was passed to deal with the problems
created by autodialers and junk faxes.

In example after example, we have developed privacy rights,
enforceable in law, to address public concerns. But in the last
several years, the Administration has been unable to coordinate its
privacy policies and there has been little success on the legislative
front. Our leadership in the privacy field has slipped.

Still, the need to protect privacy is clear. Across the country
states have passed new privacy laws on everything from credit record
information to limitations on the misuse of the Social Security
Number. This week the California legislature will consider a measure
to prohibit the sale of databases containing biometric identifiers.

In Congress there are more than ninety privacy measures pending. Some
of these bills would protect the privacy of data about children.
Others would extend the privacy protection for telephone conversations.
There are proposals to protect the privacy of genetic information, and
bills that would strengthen the Fair Credit Reporting Act.

Those who argue that the United States has typically protected privacy
by self-regulation and industry codes know very little about the
long tradition of privacy legislation in this country. It is, however,
correct to say that the United States, over the last twenty years,
has taken a sectoral approach as opposed to an omnibus approach to
privacy protection in the private sector. But it is also important to
note that the sectoral approach has several weaknesses. For example,
we have federal privacy laws for video records but not for medical
records. There are federal privacy laws for cable subscriber records
but not for insurance records.

I think the problems with the sectoral approach will become
increasingly apparent as commerce on the Internet grows. The Internet
offers the ideal environment to establish uniform standards to protect
personal privacy. For the vast majority of transactions, simple,
predictable uniform rules offer enormous benefits to consumers and
businesses.

It is also becoming increasingly clear that the large industry mergers
in the telecommunications and financial services sectors have made the
sectoral approach increasingly obsolete. Firms now obtain information
about individuals from many different sources. There is a clear need
to update and move beyond the sectoral approach.

I am confident that we will be able to do this. Our legal tradition is
ideally suited to develop the solutions that will protect privacy and
promote commerce in this new economic environment.


Failure of Self-Regulatory Approach

Second, it is important to make clear that the self-regulatory
approaches that are currently being touted by industry and the
administration have not received much support from consumers and users
of the Internet. Poll after poll shows that people want legislation,
not fine print, to protect privacy on the Internet.

The most recent Harris poll found that 53% of Americans believe that
"Government should pass laws now for how personal information can
be collected and used on the Internet." Of those polled, 23% said
"government should recommend privacy standards for the Internet but
not pass laws at this time." Only 19% believe that the government
"should let groups develop privacy standards but not take any action
now unless real problems arise."

The Harris/BusinessWeek poll is consistent with other polls that have
asked similar questions about privacy and the Internet. Contrary to
the popular belief that Internet users oppose all forms of government
action, when it comes to matters of privacy, they believe new laws are
necessary.

The public skepticism about self-regulation for privacy protection
is understandable. The commercial incentive to collect and sell data
is enormous. The safeguards are weak and easily ignored. Typically,
there is little more than fine print. The essential framework for
privacy policy -- a Code of Fair Information Practices that sets out
the obligations of companies that collect personal information and the
rights of individuals that give up personal information -- is often
missing, incomplete, or completely unenforceable.

The direct marketing industry, which has long touted industry
self-regulation, has one of the worst privacy records of any industry.
A 1993 study by Professor Paul Schwartz and Professor Joel Reidenberg
found that only half of the industry complies with the industry's own
self-regulatory procedures. Even the recent announcement by the Direct
Marketing Association that they will require that their members comply
with a minimal privacy policy has done little to provide any real
assurance for American consumers.

It is true that there are good non-legislative privacy solutions.
But these solutions often exist where there is also a legal framework.
One interesting lesson that has been learned from looking at the
early impact of the EU Data Directive is that a privacy law can
help encourage the development of good privacy techniques, while
the absence of a privacy law will lead to weaker technical standards.
For example, the European Commission is actively promoting anonymous
payment systems that could spur electronic commerce and protect
privacy interests. The new German multi-media law encourages the
adoption of similar techniques to protect privacy.

It is particularly interesting to look at the impact of the two
approaches on the development of cryptography, a critical technique
to protect privacy and security. The European directive has produced
policies more consistent with the interests of both consumers and
businesses. But the absence of a clear privacy standard in the US
means that less favorable standards are being developed.

Consumer groups, privacy experts, and academics have repeatedly
made this point to US officials. A group of consumer and privacy
organizations wrote to Senator McCain last year to express support
for new privacy legislation for a series of hearings held by the
Federal Trade Commission. Earlier this year, more than seventy privacy
advocates, experts, and scholars wrote to Commerce Secretary Daley
to urge him to carefully assess the adequacy of self-regulation as a
means to protect privacy. Regarding a planned conference on privacy,
the group said:

The evaluation of the adequacy of self-regulation
to protect privacy should be a primary goal of this conference. The
Administration has recommended self-regulation to protect privacy in
lieu of other policies and approaches. Many believe that the policy
has not succeeded and that stronger steps, including legislation,
should be considered. With the July 1st deadline for a report to
the President approaching, now would be the right time to determine
whether in fact self-regulation has worked.


Other Countries are Following the European Lead

The debate over the EU Data Directive often assumes that Europe is
acting alone in developing new privacy laws, but this is not the
case. Many countries are moving to adopt privacy standards. From
Ottawa to Tokyo, efforts are underway to implement private sector
privacy laws. Across Eastern Europe countries are developing new
privacy rights enforceable in law. Next month the twenty-nine member
nations of the OECD will meet in Paris to discuss the application of
the OECD Privacy Guidelines to electronic commerce around the globe.

It is largely the United States, not Europe, that has stood alone in
the privacy debate.


Europeans Intend to Enforce the Directive

I would also like to say a few words about what I believe to be
the view of the European Commission regarding the implementation of
the Directive. Over the last several years I have had many meetings
with European privacy officials. My sense is that the Europeans are
very serious about the Directive, just as we are serious about the
protection of our interests, such as controlling software piracy, that
may be adversely affected by the lack of safeguards and protections in
other countries. In this respect, it should be understood that the EU
is not trying to tell the US what to do. It is only trying to protect
information about its own citizens when it is transferred abroad.

In a meeting in March in Washington John Mogg, the Director General of
DG XV of the European Commission, said that:

The high standards of data protection which our data
protection directive seeks to achieve inside the Union will be quickly
and fatally undermined if we do not pay attention to what happens to
personal data once it leaves our borders.

Mr. Mogg made clear that the EU Directive was a flexible document. But
he also said that it is important to ensure that basic data protection
rights are protected by enforceable rules with meaningful rights
for citizens. This view is shared by the national data protection
authorities who are also prepared to take measures to protect the
privacy rights of their citizens.


US Seeks to Enforce Surveillance Standards

Even as the United States has opposed the application of European
privacy laws to American firms we have promoted surveillance standards
overseas for the Internet and all new communication networks by legal
and standard-setting efforts.

With the Communications Assistance for Law Enforcement Act, European
manufacturers of a wide range of telecommunications products and
services are now required to ensure that their products can be easily
wiretapped by US law enforcement agencies. These requirements probably
violate international norms for communications privacy, but that has
not stopped our government from imposing them on all foreign companies
attempting to sell communications products in the US.

Further, on encryption policy, the Administration is trying to
force foreign governments to adopt techniques to enable access to
confidential communications. Through a series of Freedom of Information
Act requests, EPIC has obtained the records of meetings between US
officials and officials of foreign governments on the encryption
issue. It is clear from these records that the Administration is
trying to foist an unwanted and unpopular technical standard on foreign
governments. A separate study that we undertook of international
encryption policy found little support for the US key escrow/key
recovery policies. Even Commerce Secretary Daley recently conceded
that the implementation of this policy has been a "failure."

The relationship between our opposition to the European privacy
initiative and our support for extending domestic surveillance
requirements to other countries is not lost on the European
governments. They view our efforts to promote these unsound
policies as part of the problem with countries that do not establish
adequate privacy protection in law. This point became clear at the
EU Ministerial Conference last July where the European governments
reaffirmed their support for the Data Directive and expressed their
opposition to controls on encryption.


What is to be Done?

If you ask American consumers the same question that officials of
the European Union are asking -- "is privacy protection in the United
States adequate?" -- you will get the same answer. In fact, when I
asked this question over at the Brookings Institution when Mr. Litan
released his report, only a few hands in the audience went up. So,
what are we arguing about? It is obvious that we have a real problem
in this country with this absence of good privacy safeguards and
Brussels is not responsible for this.

Of course, I do not dispute that the Data Directive of the European
Union may pose some problems for American companies doing business
in Europe. Nor does it seem particularly significant that a company
operating in Europe which processes data on European citizens in the
United States should be subject to the same protections as if the
processing took place in Europe.

The critical question is whether the United States government will
continue to oppose efforts by foreign governments to protect the
privacy rights of their citizens. There has been no glory in our
recent campaigns against the EU Data Directive. Our government
officials spend more time in Brussels lobbying against the European
privacy law than they do in Washington trying to develop sensible
privacy safeguards. They will meet with industry groups to compile
a detailed list of problems with the EU Directive but they have been
unable to organize one public meeting with American consumers or
privacy advocates to discuss privacy safeguards.

Nor do I suspect that many Americans would be pleased if they were
aware of the efforts underway to actively oppose the adoption of
real privacy safeguards. A country that prides itself on human rights
should not be campaigning against one of the most important rights in
the information age.

The EU Data Directive is not so much a problem as it is a reminder
that our privacy laws are out of date and that there is much work to
be done in this country to ensure the protection of this essential
freedom. Further action against the EU Data Directive will not make
the privacy concerns in the United States go away.

In the end, we need stronger privacy safeguards not to satisfy
European governments, but to assure the protection of our own citizens.
I remain hopeful that this Committee will not lose sight of our
country's proud traditions as it considers the issues raised by the EU
Data Directive.

Thank you for your attention. I will be pleased to answer your questions.


References

Phil Agre and Marc Rotenberg, eds., Technology and Privacy: The New
Landscape (MIT Press 1997)

Colin Bennett, Regulating Privacy (Cornell Press 1992)

Fred Cate, Privacy in the Information Age (Brookings 1997)

David H. Flaherty, Protecting Privacy in Surveillance Societies: The
Federal Republic of Germany, Sweden, France, Canada, and the United
States (Chapel Hill 1989)

Marc Rotenberg, The Privacy Law Sourcebook: United States Law,
International Law, and Recent Developments (EPIC 1998)

Paul Schwartz and Joel Reidenberg, Data Privacy Law: A Study of United
States Data Protection (Michie 1996)

Priscilla M. Regan, Legislating Privacy: Technology, Social Values and
Public Policy (University of North Carolina Press 1995)


Resources

Electronic Privacy Information Center [http://www.epic.org]

Global Internet Liberty Campaign [http://www.gilc.org]

Junkbusters [http://www.junkbusters.com]

Privacy International [http://www.privacy.org/pi/]

Privacy Rights Clearinghouse [http://www.privacyrights.org]


Attachments

Letter to Senator John McCain (August 1, 1997)

Letter to Secretary Daley (February 28, 1998)


end



End Forwarded Text ----