Considering Consumer Privacy

The Online/Offline Question

Peter P. Swire, Moritz College of Law
Ohio State University


In the debates about how to protect individuals' privacy, a recurring issue has been whether legislation, if enacted, should apply only to information collected online, or whether that legislation should cover information collected offline as well.

This paper makes the case that any such legislation should apply specifically to personal information collected online for commercial purposes.

Background

I am now Professor of Law at the Moritz College of Law of the Ohio State University, and Director of that school's Washington, D.C. summer program. I have written and taught about the Internet and electronic commerce for over a decade, and am Editor, with Larry Lessig, of the Cyberspace Law Abstracts of the Social Science Research Network. I am also a consultant on privacy and other issues to the law firm of Morrison & Foerster LLP, although the views stated here are entirely my own. Full contact information and publications are available at http://www.peterswire.net.

My views on the issue of Internet privacy legislation are informed by my experience as the Chief Counselor for Privacy in the U.S. Office of Management and Budget from 1999 until early 2001. In that position, I served on the White House Electronic Commerce Working Group, chaired a White House Working Group on how to update wiretap and surveillance laws for the Internet age, and worked on numerous Internet privacy, computer security, and related issues. I also played a leading role in privacy regimes that were not focused on the Internet, such as serving as White House coordinator for the first national medical privacy rule, working intensively on the financial privacy law and regulations under the Gramm-Leach-Bliley Act, and being actively involved in the process that resulted in the Safe Harbor for data transfers from the European Union to the United States.

Adopting Legislation for Online But Not Offline Data Draws a Bright Line

Limiting legislation to commercial, online collection of information provides a jurisdictional trigger: it clearly delineates who is and who is not covered by the legislation. As in other privacy and regulatory regimes, the single most important decision to be made by companies is whether or not they are subject to regulation. Consumers in turn seek a clear sense of the circumstances under which their information benefits from the protection of law.

Medical privacy. In the area of medical privacy the Health Insurance Portability and Accountability Act (HIPAA), with its extensive legal requirements, covers health care providers, health plans, and health care clearinghouses. HIPAA does not cover other sorts of organizations. For instance, if a person goes to an online book store, and looks at a book about a certain type of cancer, the bookstore does not come within the HIPAA requirements simply because the book is health-related. Similarly, the privacy law does not apply if you decide to tell a friend or your employer about your medical condition.

Some might object to HIPAA because it does not apply even-handedly to the covered hospital and to the non-covered bookstore, friend, or employer. In practice, however, HIPAA demands quite a bit from covered entities: notices to patients, a designated privacy official, training and complaints procedures, and so on. These HIPAA requirements make sense, I believe, for organizations that are in the business of health care. It would be difficult or impossible, however, to expect the same privacy compliance from all of the other sorts of entities that might incidentally learn about health information in the course of daily activities.

The European Union Directive. That lesson is made even clearer by our experience with privacy rules under the European Union Data Protection Directive. In 1998 Robert Litan and I published a book with the Brookings Institution entitled None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive. The Directive has a sweeping scope. Article 3 reads in part: "This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system." There is an exception for some non-commercial activities, but only those carried out "by a natural person in the course of a purely personal or household activity."

In research for our book, my co-author and I explored the implications of this sweeping language. One of the key requirements of the Directive is that personal data can only leave the European Union under certain conditions, notably where the receiving country has adequate privacy protections. It has long been unclear whether and when the United States and other countries have such adequate protections, and thus it has been potentially unlawful to transfer personal data to the U.S.

We specifically considered whether it would be lawful for business travelers to carry laptops with them on a plane from the European Union to the United States. Given the broad scope of the Directive, the answer appears to be no. After all, a modern laptop can easily carry gigabytes of personal information across the ocean. The laptop is not being used for a purely personal or household activity. Are business travelers required, therefore, to give notice to each name and address in their laptop or Palm Pilot before leaving Europe? Must they register the laptop in the E.U. countries that require registration of databases?

The text of the Directive apparently applies to such transfers of data out of Europe. When we asked E.U. officials, they were split on the issue. In the book, we concluded: "The question of whether the provisions of the Directive would be applied to laptops would be left to the discretion of enforcement officials."

We found this response unsatisfactory. Having clearly excessive regulation, tempered by the discretion of enforcement officials, is contrary to the rule of law. Overbroad legislation, if actually put into practice, leads to needless costs and burdens by those who should not be included. If overbroad legislation is left to the discretion or good sense of regulators, then we lack clear notice of what is prohibited and risk arbitrary or discriminatory enforcement. If everyone comes to perceive the legislation as overbroad and unenforceable, the entire law can become a dead letter. The achievable good purposes of the legislation would not be achieved, because the law went too far.

Online/offline or online only? The U.S. Congress should learn from the experience under the Directive with laptops and other personal computing technology (Palm Pilots and the like). It is tempting to believe that more is achieved by applying a law to all collection or use of information. But what will that mean in a typical business meeting, when you wish to write down the names and contact information of the other people in the meeting? Will you need to send them a privacy notice? Will you need to give them an opt-out choice before telling a business partner that someone at the meeting is interested in a particular type of product? In a pervasively digital world, the collection and use of information happens in so many ways that it is terribly difficult to require legal compliance with privacy rules for all collection or use of information.

By contrast, it is far easier to understand when information is collected online for a commercial purpose. If one has a website, and is selling or doing other commercial activity there, then one can be required to have a privacy policy. If one is using spyware or otherwise gathering information about people's surfing, then that is covered as well.

Defining a statute in this way creates a bright line, with fair notice to regulators, those regulated, and consumers. Those covered should be able to determine that fact quickly and inexpensively so as to be able to comply with the law accordingly.

An Online Privacy Law Would Match Consumer Privacy Concerns

Anyone who has lived through the privacy debates of the past several years should agree that there has been a special consumer concern about data collection online. One reason for this concern is the unprecedented level of detail that can be automatically collected and sold about online activities. In a physical bookstore, for instance, the company may keep a record of every book you have purchased. In an online bookstore, by contrast, the company can know about every book that you have even looked at: standard technologies such as cookies track each web page visited rather than only the actual purchases.

A second reason for consumer concern is the perception, and often the reality, of data-sharing at unprecedented levels. The Internet is an unmatched tool for sharing information. With the click of a mouse, ordinary people can download information that previously would have been unreachable from their homes or businesses. These same Internet techniques, however, mean that companies can easily transfer detailed personal information to anywhere in the world. The Internet experience of the user, that data can be transferred so easily, leads to consumer demands that privacy protections be established that are tailored to the Internet.

Public opinion surveys confirm the greater consumer concern about privacy online. According to a National Consumers League study, top privacy concerns online include websites providing personal information to others without their knowledge (64%) and websites collecting information about them without their knowledge (59%).[1] Forrester Research has estimated that 45% of consumers who do not currently make online purchases would do so if their privacy concerns were addressed, and 52% of current buyers would make more purchases with privacy protections in place.[2]

Most of the Benefits of Privacy Protection Can be Achieved Without Explicitly Regulating Offline Activity

A bill targeted at online privacy protection would likely capture the bulk of potential benefits while avoiding the burdensome costs of extending the law to all offline activity. First, current FTC policy already addresses the important category of databases that combine online and offline personal information. For these combined databases, the FTC has indicated that a company's online web policy should apply to the handling of data in these sorts of combined databases.[3] This policy is appropriate to avoid consumers' being deceived in how their data will be handled by a company. Any Internet privacy legislation could explicitly include this FTC policy in the law.

With this mixed database rule in place, the logic of the marketplace will push important offline databases into a regime of sensible privacy protection. Companies, eager to communicate with their consumers and take advantage of cost savings offered by Internet commerce, increasingly merge their online and offline data collection and storage capabilities. Only companies that rigidly separate their online and offline databases and sacrifice the ability to participate effectively in E-commerce would remain outside the scope of the online privacy protections. This approach would provide a smooth path toward widespread privacy protection in the offline world. It would have the greatest impact on the largest and most important databases, which pose the greatest privacy risks and which would inevitably be used in connection with online commerce. At the same time, those who assemble smaller collections of data in the offline world would not need to worry that they had unexpectedly crossed the line into compliance with a federal regulatory scheme.

Conclusion

In 1999 and 2000 I participated in the Clinton Administration's policy decision that Internet privacy legislation was not appropriate at that time. One key rationale for that view at that time was that the online industry was demonstrably upgrading its privacy practices. For instance, only 14% of commercial web sites surveyed in the spring of 1998 had any privacy notice posted, but that number rose to 88% by the spring of 2000.

I believe that progress has stalled since 2000. There is a considerably stronger case to be made today that Internet privacy legislation is needed in order to provide the privacy and security online that is achievable in a cost-effective way. As of this writing in late 2002, I am working on an article, to be published in the Hastings Law Review, that explains these views in more detail.

As such legislation is considered, I believe the best approach is to have it apply to personal information collected online for commercial purposes. This bright-line approach will be easy and fair to administer, and will allow tailoring of the rules to the online environment. The opposite approach has the serious substantive flaws discussed above. In addition, an approach that seeks to apply to all personal information collected in the economy will likely generate political opposition. Vast numbers of new entities may fear that the new law applies to them in unknown and difficult-to-determine ways. By going too broad, and seeking to regulate in all areas of data collection, an opportunity for meaningful progress could be lost.

Notes

[1] National Consumers League, E-Consumer Confidence Study (2000).

[2] Forrester Research, Personalization v. Privacy 6 (2000).

[3] See comments of Consumer Protection Director Howard Beales in a speech to the Promotional Marketing Association annual meeting in Washington, December 5, 2001: "We've been looking more closely at offline collection of information. These days, people who are collecting information offline are doing it online, too. The issue is the same, offline or online."


Copyright © 2005 by Center for Democracy and Technology.