February 24, 1998

PRIVACY PROTECTION DEMANDED, THE GOVERNMENT SNAPS TO ATTENTION

by Andy Oram
American Reporter Correspondent

CAMBRIDGE, MASS.—The public is scared stiff by leaks of personal data over computers and networks, and recent press reports justify their worries. Over the past year the U.S. government has moved with slow reluctance to protect personal data, while other countries take firmer legal action and business interests counter the threat of new laws by proposing non-government solutions. After Monica Lewinsky was secretly taped, even the President came to realize that too much snooping is a bad thing.

A new alarm went out last week, when the CVS department store chain was found to be selling lists of its customers and their medications to a marketing firm. This firm was writing and calling customers to sell them related products (a practice that in other situations has been a sleazy business—marketers like to describe the benefits of medicines but not their risks). It was numerous complaints from customers, who know that the data is sensitive enough to jeopardize jobs and insurance coverage, that forced CVS to suspend its sale of data. While the company claimed that the data was safe and would go no further than one marketing firm, the public didn’t stand for it.

If businesses are slow to respond, what is the government doing? Last June the Federal Trade Commission held hearings where they found numerous unethical uses for personal data, particularly that collected from children by kid-oriented Web sites. While they put some guidelines in place for children, they decided for most cases to trust the claims of businesses that they were working on private-sector solutions.

Only the civil liberties community came out for new laws, which the businesses and FTC opposed with the traditional criticisms of heavy-handed government regulation and bureaucracy. But if government doesn’t step in, who will?

The most carefully thought-out proposal to let business police itself is the Electronic Frontier Foundation’s TRUSTe. In this system, businesses publicly avow that they will respect privacy when they collect data over the Web. Three levels of restrictions are defined. Auditing firms will check whether businesses uphold their promise.

Sounds like a bureaucracy to me. It’s not much different from having a government agency investigate the businesses, except that under TRUSTe any violations would merely be breaches of contract rather than criminal acts; redress may be harder for users to obtain.

Two other proposals rolled out with great fanfare before the FTC last year—Platform for Privacy Preferences and Open Profiling Standard—have largely disappeared with no results.

Since medical data is the most sensitive information that the average person has to release to strangers, the government has done more in that area. In 1995, Senator Bennett introduced a bill to protect medical data. Unfortunately, it was marred by loopholes allowing easy access to law enforcement and health care researchers. Last November, Senators Leahy and Kennedy introduced the Medical Information Privacy and Security Act (S. 1368), a great improvement.

The bill restricts releases of information to the minimal data needed. It restricts health research to data that does not identify individuals, unless the Secretary of Health and Human Services can demonstrate that identifying information is necessary. The bill also ensures that individuals can see all data stored about them, including data about who tried to get access to their data.

Best of all, it tightens law enforcement access with limitations similar to those currently in place for wire-tapping. The release of data to the police requires a court order and proof that the data is necessary to pursue an investigation. The data cannot be used for any purpose except the original investigation.

In the Du Maurier novel Rebecca (adapted into a movie by Alfred Hitchcock), Doctor Baker had to rely on personal judgement when deciding whether to reveal the dead woman’s condition to an investigator. If this law had been in place, he would have required a court order (if the request was within two years after her death).

Europe and Canada have longer traditions than the U.S. of government intervention in social issues, so it is not surprising that they have made much stronger statements about legal protection for data privacy.

The Ministries of Industry and Justice in Canada have released a report saying that, while a voluntary Code of Practice is valuable, “we believe that federal legislative measures must also be taken to level the playing field and ensure that all Canadians enjoy privacy protectionLegislation is an integral part of the ‘Privacy Toolkit.’

A directive by the European Parliament required all member countries to pass laws by October 1998 ensuring that, among other safeguards:

Most significant for Americans, “the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.” If we lag behind in the United States, you may find that you can’t use a credit card in Europe, or book a seat on a flight there.

So unless the U.S. steps up and matches the European initiative, we may find ourselves in a diplomatic crisis. And in fact, the U.S. has called on companies to prove soon that self-regulation works. Time is running out for those opposing legislation in the U.S.; neither the public nor our international trading partners will tolerate the current situation for long.


Editor, O’Reilly Media
Author’s home page
Other articles in chronological order
Index to other articles