To the Working Group on Privacy
National Telecommunications and Information Administration March 21, 1995
|
|
CDT submits these comments on the draft "Principles for Providing and Using Personal Information".
To the Working Group on Privacy National Telecommunications and Information Administration March 21, 1995 |
Working Group on Privacy
NII Secretariat
National Telecommunications and Information Administration
U.S. Department of Commerce
Room 4892
Washington, D.C. 20230
To the Working Group on Privacy:
The Center for Democracy and Technology (CDT) submits these comments on the draft "Principles for Providing and Using Personal Information" as developed by the Working Group on Privacy of the Information Policy Committee of the Information Infrastructure Task Force (IITF) and published in the Federal Register, Vol. 60, No. 13, page 4362 (January 25, 1995).
CDT is a non-profit, public interest organization dedicated to developing and implementing public policies to protect and advance civil liberties and democratic values in new digital media. One of our core goals is to enhance privacy protections for individuals in the development and use of new technologies.
The Deputy Director and Staff Counsel of CDT staffed the National Information Infrastructure Advisory Council's (NIIAC) Mega-Project III on Privacy, Security and Intellectual Property for Co-Chair Esther Dyson. During our tenure with the Advisory Council, the Mega-Project developed and finalized Privacy and Related Security Principles that were approved by the NIIAC in January, 1995. 1
The emerging global information infrastructure poses difficult challenges for protecting individual privacy. However, CDT believes that new technologies can be designed to enable citizens to exercise greater control over the collection and use of personal information. Through the development and implementation of strong privacy policy, and the design and implementation of technological mechanisms that facilitate individual choice, interactive digital media can empower citizens.
CDT concludes that the Administration's most recently proposed privacy principles represent a retreat from the original privacy principles set forth by the Department of Health, Education and Welfare in 1973. We urge the Working Group on Privacy to reaffirm the 1973 principles and to press for a strengthening of the Privacy Act of 1974 that re-establishes the Act's original intent. In addition, we urge the Working Group on Privacy to tackle issues not addressed by the Privacy Act of 1974 through recommendations regarding transactional data and encryption. CDT urges the Working Group on Privacy to assert that, to the maximum extent possible, technological advancement should be used to enhance individual privacy and should not be used to erode existing privacy rights. Lastly, CDT is sorely disappointed by the IITF's second draft of the Privacy Principles. The second draft does not respond to the significant privacy concerns expressed by privacy advocates during the first public comment period on the May 25, 1994 draft. 2 (Federal Register, Vol. 59, No. 100, page 27206).
The Working Group on Privacy is part of the Information Infrastructure Task Force (IITF), an inter-agency task force set up by the Clinton Administration to articulate and implement the Administration's vision of the NII. The Task Force is chaired by Ron Brown, Secretary of Commerce, and consists of representatives from various Federal agencies involved in telecommunications and information policy.
The Working Group on Privacy issued its initial draft "Principles for Providing and Using Personal Information," on May 25, 1994. (Federal Register, Vol. 59, No. 100, page 27206). On January 25, 1995, the Working Group issued its second draft. (Federal Register, Vol. 60, No. 13, page 4362). CDT is commenting upon the Working Group's latest draft.
In drafting privacy principles, the Working Group's stated goal is to update the Code of Fair Information Practices developed by the Department of Health, Education and Welfare (HEW) in 1973. The Working Group seeks to address two major changes in information technology since the 1970s -- the emergence of large, privately-held databases, and the development of interactive technologies.
In 1972, then-Secretary of HEW Elliot L. Richardson, appointed an Advisory Committee on Automated Personal Data Systems to explore the impact of computerized record keeping on individuals. In a report published in 1973, the Advisory Committee proposed a Code of Fair Information Practices published in Records, Computers and the Rights of Citizens: Report of the Secretary's Advisory Committee on Automated Personal Data Systems. 3
The 1973 Code of Fair Information Practices supplied the intellectual and statutory framework for the Privacy Act of 1974 and served as a model for privacy legislation in this country and worldwide. The basic principles of the 1973 Code, as published in the Advisory Committee's Report, are:
1.There must be no personal data record-keeping systems whose very existence is secret;
2.There must be a way for an individual to find out what information is in his or her file and how the information is being used;
3.There must be a way for an individual to correct information in his or her records;
4.Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse; and
5.There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent. 4
Despite the clear language and intent of the 1973 principles, in practice they have failed to adequately protect the privacy of personal information. The Privacy Act of 1974, which codified the 1973 principles, has been undermined by legislative loopholes, lukewarm implementation by government agencies, and broad interpretation by courts.
The Privacy Protection Study Commission, a temporary commission created by The Privacy Act as a compromise to those who wanted a permanent oversight agency, highlighted the legislative and administrative shortcomings of the Act in a 1977 report entitled Personal Privacy in an Information Age. 5 The Commission found that the Privacy Act "had not resulted in the general benefits to the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect..." 6 Since the 1973 Code was written, privacy rights in the United States have languished.
CDT strongly opposes the IITF draft privacy principles which, we believe, incorporate a number of concepts and phrases that are associated with the deterioration of privacy rights in the United States, namely:
CDT believes that the 1973 fair information practice principles are as pertinent today as they were twenty years ago. Updating of the 1973 principles should be directed towards addressing issues arising out of new applications and developments in technology which were unforeseen in 1973. In addition, CDT recommends that the IITF support passage of a strengthened Privacy Act to reinterpret the "reasonable expectation of privacy" standard, the "compatible use" exemption, the "authorized by law" exemption, and the "actual harm" requirement that have diminished individual privacy in the electronic age.
This section discusses in more detail the shortcomings of the IITF's draft privacy principles, and CDT's recommendations.
A."Reasonable expectation of privacy" standard
The draft IITF Information Privacy Principle states: "An individual's reasonable expectation of privacy regarding access to and use of his or her personal information should be assured." (I.A.) The Commentary states: "A reasonable expectation of information privacy is an expectation subjectively held by the individual and deemed objectively reasonable by society. (12.) What counts as a reasonable expectation of privacy under the Principles is not intended to be limited to what counts as a reasonable expectation of privacy under the Fourth Amendment of the United States Constitution. . . judicial interpretations. . . should not inhibit NII participants from applying the Principles in a manner more protective of privacy. (13.)"
The second draft of the proposed Privacy Principles does not adequately address the serious privacy concerns raised by the use of the term "reasonable expectation." Whatever the intent of the Working Group may be, the "reasonable expectation" standard is not a new phrase devoid of decades of interpretation. There currently exists thirty years of Supreme Court decisions interpreting the "reasonable expectation" standard, which while articulated to advance privacy protection under the Fourth Amendment has been applied to diminish individual privacy.
The Supreme Court first formulated the "expectation of privacy" standard in Katz v. United States 7 when it ruled that warrantless wiretapping is unconstitutional. Since Katz, however, this standard has failed to provide strong privacy protection. The problem with the Katz formulation is that expectations of privacy can only reflect, not prevent, a deterioration in societal respect for privacy. Applying the "reasonable expectation" standard, the Supreme Court in later cases often determined that an individual's privacy had not been violated by certain intrusions because society's "expectation of privacy" had been persistently lowered by the circumstances of modern existence.
Nowhere is the fallibility of the reasonable expectation of privacy standard more evident than in the Court's holding in United States v. Miller. 8 The Court in Miller ruled that one does not have a constitutionally protected privacy interest in personal records held by a bank. The Miller decision ultimately turned on the fact that the bank customer could not assert ownership of his documents. The Court held that because Miller's documents were the bank's business records, the expectation of privacy that he asserted was not reasonable. The Court reached this conclusion even though most bank customers probably do have an actual expectation of privacy in those records. As Justice Brennan dissented in the 5-4 opinion in the Miller case:
A bank customer's reasonable expectation is that, absent a compulsion by legal process, the matters he reveals to the bank will be utilized by the bank only for internal banking purposes.... [A] depositor reveals many aspects of his personal affairs, opinions, habits, associations. Indeed, the totality of bank records provides a virtual current biography.... Development of photocopying machines, electronic computers and other sophisticated instruments have accelerated the ability of government to intrude into areas which a person normally chooses to exclude from prying eyes and inquisitive minds. Consequently, judicial interpretations of the constitutional protection of individual privacy must keep pace with the perils created by these new devices.9
The year following the Miller decision, Congress passed the Right to Financial Privacy Act 10, which limits government access to personal bank records.
In another case, Smith v. Maryland 11, the Supreme Court ruled that law enforcement officials do not need a search warrant to install a pen register, a device that records the numbers dialed from a telephone. Under the Katz standard, the Court found that people have no reasonable expectation of privacy in the numbers that they dial. Congress overturned this ruling in 1986 when it passed the Electronic Communications Privacy Act.
The Miller and Smith decisions demonstrate the Court's unwillingness to bring the Fourth Amendment into the information age. Although modern society may change the form in which information is stored, the conflict between the government and industry's interest in expanding its power through access to personal information, and the individual's interest in retaining a sphere of autonomy against that power, remains the same.
The unwillingness of the Supreme Court to protect individual privacy under changing circumstances will be especially problematic in the realm of electronic communications. For example, the reasonable expectation of privacy standard will not protect an individual who intends to keep information private but whose "expectations" are technologically out of date. What a "reasonable" expectation of privacy is will be difficult to determine where many levels of users participate in the exchange of information.
It is unclear how the "reasonable expectation of privacy" standard would be applied in an interactive electronic environment. We are not persuaded that the standard will be applied to protect personal information on the NII. In fact, the application of the standard will most likely undermine the confidence of the general public in the NII.
As the Criminal Division of the Justice Department stated, in response to a question posed by Senator Leahy (D-VT) in 1984:
In this rapidly developing area of communications which range from cellular non-wire telephone connections to microwave-fed computer terminals, distinctions such as whether there does or does not exist a reasonable expectation of privacy are not always clear or obvious. 12
The Electronic Communications Privacy Act of 1986 recognized the failings of the "reasonable expectation" standard. The Senate Report accompanying the legislation states:
(T)he law must advance with the technology to ensure the continued vitality of the Fourth amendment. Privacy cannot be left to depend solely on physical protection, or it will gradually erode as technology advances. Congress must act to protect the privacy of our citizens. If we do not, we will promote the gradual erosion of this precious right. 13
Similar concerns with the ability of technology to eviscerate individual privacy are found in the House and Senate reports accompanying the "Digital Telephony" Bill of 1994. 14
Unlike recent legislation, the current IITF draft principles fail to reckon with the corrosive effect technology can have on privacy.
The IITF Commentary does not provide guidance on applying the Principle. It does not assist in defining "reasonable expectation" in the difficult cases where the individual's actual expectations are undermined by technological mechanisms for invading privacy. Rather, it offers an example of an individual who posts an unencrypted personal message on a public bulletin board, to show the application of the "reasonable expectation" standard defined as "an expectation subjectively held by the individual and deemed objectively reasonable by society." (12.) This example would be better used to illustrate how an individual's expectation and intent can be manifest through their choice of communication medium, forum, etc.
The Commentary goes on to state: ". . . judicial interpretations of . . . a reasonable privacy expectation under the Fourth Amendment should not inhibit NII participants from applying the Principles in a manner more protective of privacy." (13.) The use of the term "reasonable expectation" within the IITF's Principles opens the door for the application of the Supreme Court's Fourth Amendment jurisprudence. If the IITF does not intend to invoke the current understanding of "reasonable expectation", it should refrain from using the term.
Finally, how much privacy an individual can reasonably expect on the information highway will depend on the legal and regulatory protections set by Congress and the agencies. By adopting the reasonable expectation standard without re-defining it, the IITF takes a step backwards from extending privacy protections.
CDT Recommendation:
The IITF's principles should abandon its reliance on the "reasonable expectation of privacy" standard. A new standard should be developed to extend to individuals a strong, enforceable expectation of privacy.
B.Technology should be used to Enhance Privacy
The IITF's draft principles lack an overarching privacy principle. Privacy protection must be a precondition to technological development in order to ensure the fullest individual participation on the NII. Individual control over access to and information about oneself is central to protecting autonomy and fostering first amendment freedoms.
CDT Recommendation:
Strong and enforceable privacy policy should guide the development and be built in to the design of new technologies. In this way, technological advancement will enhance individual privacy and not be the basis for eroding existing privacy rights
A.Transactional Information
The IITF Principles for Users of Personal Information appear to address privacy concerns with the collection and use of information "provided by the individual." The principles do not mention personal information obtained or generated during transactions. Equally absent is direction with respect to personal communications on the information infrastructure. The Commentary extends the notice obligations to those who collect transactional data "directly from the individual."
The IITF second draft does not adequately address the privacy concerns raised by the collection and use of "transactional information." The use of the word "obtain" in principles II.A.1 and II.A.2., does not draw sufficient attention to the importance of "transactional information" privacy concerns. Lastly, the inclusion of Commentary ¶ 21, which states, "This requirement specifically applies to all parties who collect transactional data generated as a byproduct of an individual's participation in the NII. . ." does not alleviate our concern. The Commentary lacks the force of the principles. The importance of "transactional information" in an interactive digital environment demands that it be addressed in the IITF principles.
The collection and use of "transactional information" in interactive media presents significant privacy concerns. Although this information is not "content," it may reveal an individual's associations, hobbies, political activities, financial status, and spending habits. In recognition of the heightened importance of information generated during transactions in interactive media, the 103d Congress passed legislation enacting an intermediate standard to govern law enforcement access to "transactional information."15
Concerns with the collection and use of "transactional information" are highlighted by the use of electronic communications. In order for individuals to communicate, access services, and exchange information on the information infrastructure, they must reveal personal information. Some of the information shared during these transactions is "provided" by the individual. However, much of the information necessary for the completion of a transaction is generated by the transaction itself. Such "transactional information" is personal information capable of revealing many aspects of an individual's life. For example, accessing a fee service electronically will generate information about the individual's on-line address, consumer preferences, billing address, and credit card number. This information will be obtained in electronic form making it exponentially easier to combine with other information sources for profiling activities. During visits to forums, bulletin boards, chat groups, and web sites, individuals using an information services carrier generate logs of their travels. This information is not provided by the individual to the carrier -- rather it is generated simply by the individual's actions on-line.
Privacy protections for "transactional information" should be clearly articulated. Of specific importance in this area is the creation of strong notice principles. Unlike personal information provided directly by the individual, "transactional information" is frequently generated and collected without the individual's knowledge.
CDT's Recommendation
Users of transactional information must abide by the notice requirements. They must inform individuals:
1) Why they are collecting information;
2) What the information will be used for;
3) What steps will be taken to protect its confidentiality, integrity, and quality;
4) The consequences of providing or withholding information; and
5) Any rights of redress.
Transactional information may not be used for an unrelated purpose nor disclosed to another party without the individual subject's prior informed consent .
B."Compatible use" exemption
The second draft of the IITF principles has not responded to concerns raised in response to the first draft, with the "compatible use" exemption. Acquisition Principle (II.A.2) states that "Users of personal information should... obtain and keep only information that could be reasonably expected to support current or planned activities and use the information only for those or compatible purposes.
Similarly, the IITF Fairness Principle (II.D.) states that "Individuals provide personal information on the assumption that it will be used in accordance with the notice provided by collectors. Therefore, users of personal information should enable individuals to limit the use of their personal information if the intended use is incompatible with the notice provided by collectors." [See also Paragraphs 31-35 of the Commentary.]
Under the Privacy Act of 1974, the term "compatible" has been interpreted in ways that allow agencies wide latitude in disclosing personal information to other agencies, a practice inconsistent with the original thrust of the Privacy Act.
In its 1977 Report, the Privacy Commission found that the consent principle of the 1973 Code was subverted by the government's interpretation of the Privacy Act's "routine use" exemption, which allows agencies to disclose personal information if the disclosure is compatible with the purpose for which it was collected. 16 For instance, government officials have interpreted the exemption to allow the computerized matching of separate agency record systems, arguing that detecting waste, fraud, and abuse in government programs is a legitimate government interest, and is thus compatible with any original purpose for which the records were collected.
In 1988, Congress attempted to tighten this loophole by passing the Computer Matching and Privacy Protection Act. 17 The legislation does not limit the content or types of records that can be matched, but does create an important procedural framework of more adequate notice to individuals, the right to a hearing before benefits are cut off or denied, and mandatory reporting requirements for agencies that match records.
The purpose of the Acquisition and Use, and the Fairness Principles -- "[respecting] the understanding and consent under which the information was provided by the individual," (¶21 Commentary) " and "enabling individuals to limit incompatible uses of personal information" (¶ 31 Commentary) -- would be more effectively met by requiring:
Users of information must inform individuals, in advance, of other uses and disclosures of personally identifiable information provided by that individual or generated by transactions to which that person is a party. Personally identifiable information about an individual provided or generated for one purpose should not be used for an unrelated purpose or disclosed to another party without the informed consent of the individual. (see National Information Infrastructure Advisory Council, Privacy and Related Security Principles for the NII, January 1995).
The addition of a strong "informed consent" principle to section II would buttress the 1973 Code of Fair Information Practices by articulating a standard and general procedure for the re-use of personal information.
CDT Recommendation:
1.The "routine use" exemption in the 1974 Privacy Act must be revamped so that the law will work as intended. A clear and restrictive definition of routine use must be added to the statute clarifying that disclosure for a routine use must be consistent with the original purpose for which the information was originally collected. Individuals must have the right to challenge a proposed routine use on the grounds that it is not consistent with the purpose for which the information was originally collected. Routine use disclosures under this definition should be benign and not for the purpose of taking adverse action against an individual.
2.The Principles for Users of Personal Information should limit the collection of personal information to that necessary for the transaction or service.
3.All those who collect and store information must inform individuals, in advance, of other uses and disclosure of personally identifiable information provided by that individual or generated by transactions to which that person is a party. Personally identifiable information about an individual provided, or generated, for one purpose should not be used for an unrelated purpose or disclosed to another party without the informed consent of the individual.
A."Shared responsibility" for fair information practices on the NII.
The second draft of the IITF's principles does not alleviate our concern that individuals will be inappropriately expected to seek out information regarding collection and use of personal information.
The Preamble to the draft IITF Principles states: "... [the] new principles must acknowledge that all members of our society (government, industry, and individual citizens), share responsibility for ensuring the fair treatment of individuals in the use of personal information..."
As written, the draft IITF Principles (Preamble, Section III.A and Commentary Paragraphs 38-41) place a heavy burden on individuals to educate themselves about the potential uses and misuses of the information they provide. While CDT agrees that individuals should be informed prior to disclosing personal information of its uses by others, we are concerned that the draft Principles limit an individual's ability to hold collectors and users of information accountable for information policies and practices.
Section 7(b) of the Privacy Act of 1974 places the burden of providing information, prior to the collection of Social Security Numbers, on the federal, state or local government agency collecting it:
Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individuals whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it. 18
In interpreting Section 7(b), courts have held that the law is violated where individuals do not receive the information required by the statute, even in cases where the individual has not questioned the use of his or her number. 19
Further, the courts have found that the notice provision requires agencies to take affirmative steps. Therefore, the notice requirement is not met "when no affirmative effort is made to disclose this information at or before the time the [Social Security] Number is requested and a citizen . . . must instead pry the pertinent facts from a state agency." 20 Section 7(b) of the Privacy Act recognizes that users of personal information are in the best position to provide information on potential uses of information. Therefore, the government or related actor has an affirmative duty, that requires it to provide enough information to "'permit an individual to make an informed decision whether or not to disclose the Social Security Number,' and to 'bring recognition to, and discourage, unnecessary or improper uses of that number.'" 21
The draft IITF Principles should address the imbalance of power between providers, collectors and users of information. The affirmative notice requirement placed on those who desire to collect and use information under the Privacy Act should be extended to cover all personal information collected by the government and private sector. Notice requirements should not be undermined by language that shifts the responsibility on to individual citizens.
In addition, the IITF Principles should acknowledge that in order to receive benefits and services, providers of information frequently have no meaningful choice as to whether to provide personal information. Strong notice requirements are a central component of the consent based approach to protecting privacy. Notice requirements ensure that individuals have the information necessary to make informed decisions regarding release of personal information.
CDT Recommendation:
1.The burden of maintaining fair information practices should not rest with the individual who discloses personal information. Rather, the ultimate responsibility for upholding fair information practices should rest with the collectors and users of personal information.
2.Collectors and users of personal information must provide effective notice of their information practices prior to obtaining information from individuals.
B.Weak Guarantee of the "Right to Correct Personal Information"
The draft IITF principles dilute the individual's right to correct personal information. The second draft is substantially similar to the first and does not respond to issues raised in previously submitted comments.
Section III.B.1 provides that individuals be given the "opportunity to correct information that could harm them."
The Privacy Commission found that the correction principle of the 1973 Code, as codified in the Privacy Act of 1974, appears "to have had little effect on agency practices..."22 In particular, the Commission found "that the Act's requirements for the propagation of corrections does not adequately assure that decisions are made on the basis of accurate, timely, complete and relevant information. Under the Act, for example, corrections do not have to be sent to prior internal agency recipients or to the sources of erroneous information. In addition, corrections of erroneous information initiated by the agency rather than by the individual, no matter how important, do not have to be propagated at all." 23
Paragraph 43 of the Commentary states: "Whether this opportunity [to correct] should be granted depends on the seriousness of the consequences to the individual of the use of the information." This statement is a serious retreat from the principles set forth in the Report of the Secretary's Advisory Committee on Automated Personal Data Systems in 1973:
Any organization maintaining an administrative automated personal data system shall:
(2) . . . make data fully available to the individual, upon his request, in a form comprehensible to him;
(6) Maintain procedures that (i) allow an individual who is the subject of data in the system to contest their accuracy, completeness, pertinence, and the necessity for retaining the; (ii) permit data to be corrected or amended when the individual to whom they pertain so requests; and (iii) assure, when there is disagreement with the individual about whether a correction or amendment should be made, that the individual's claim is noted and included in any subsequent disclosure of dissemination of the disputed data.
In a recent article, Willis Ware, information security expert at the Rand Corporation, writes, "The consequences of an erroneous action [information] can be devastating because it proliferates through other data systems that play an unusually central role in one's personal affairs, notably credit databases, financial records, and tax records. The one-sidedness of the privacy situation as it now exists in favor of the record keeper, especially the government agency, is probably one of the most ugly faces of privacy." 24
The facility with which information can be shared, manipulated and combined in the information age significantly raises the individual's stake in reviewing and correcting personal information. It is difficult to know at what point, or during what interaction, information will "harm" the individual. As information continues to be automated, it is critical that individuals have the right to see, correct and challenge personal information held by others, regardless of whether the information is judged "harmful".
CDT Recommendation:
The right of individuals to access and correct personal information, regardless of harm, is critical to prevent the propagation of incorrect information across multiple databases. Accordingly, the right of individuals to access and correct personal information should be incorporated into the design of all information systems. In addition, users and collectors of information should develop technical mechanisms to detect, locate, and fix problems and correct errors. 25
C."Actual harm" requirement for redress
As with the first draft, the IITF's second draft Principles premise the right to redress on the individual's ability to show harm (Principle III.B.2, and Paragraphs 42 and 43 of the Commentary). Likewise, Principle III.B.1, limits the individual's " opportunity to correct . . . [to information] that could harm them."
In commenting upon the Privacy Act of 1974, the Privacy Commission noted that actual injury could be difficult to prove even where violations of the Act had occurred. 26 For instance, harm is difficult to prove when an agency violates notice requirements or fails to correct inaccuracies. The Commission recommended:
. . .a suit should be permitted to force compliance with the requirements of the Act absent a demonstration of injury to, or adverse effect on, the individual and that a court should be able to order an agency to comply. 27
Even where actual harm has occurred, it is extremely difficult for individuals to obtain relief under the 1974 Privacy Act. The Act's lack of both a broad injunctive relief and liquidated damages provision prevents meaningful litigation of the Act's intent and application. In addition, a plaintiff must show that the government agency's action was "intentional and willful" in order to obtain damages.
The enforcement scheme suggested by the IITF's draft Redress Principle, as with the Privacy Act, is not an effective method of ensuring compliance with User obligations, nor an effective accountability mechanism. The "actual harm" requirement severely curtails individuals' ability to take action to enforce the fair information practices.
CDT Recommendation:
1.The Privacy Act needs a new remedy section that provides both liquidated damages and injunctive relief for any aggrieved individual. Section (g)(4)(A) of the Privacy Act should be amended to allow individuals to obtain damages for violation of the "accurate, relevant, timely or complete" standard without a showing of adverse effect to the plaintiff. Individuals must be able to collect damages for intangible harms caused by violations of the Act. Individuals must also be informed of any actions taken as a result of incorrect information.
2.Individuals must be informed of all actions taken based on incorrect information. Individuals should have effective remedies to ensure that their rights, and the obligations of users, regarding personal information are enforced.
D.Communications
The IITF's draft principles do not address the lack of security during the transmission of personal information on the NII. The principles place obligations on users to "prevent the information they have from being disclosed or altered." However, these protections do not address the problem of protecting privacy during the transmission of information from provider to user. Due to restrictions on the export of strong encryption technologies, most citizens send and receive information over unsecured networks. Administration proposals, such as the Clipper Chip, if adopted, will undermine the ability of users, providers and system designers to protect personal information communicated on the NII.
CDT recommendation:
Individuals, both users and providers of information, should be able to encrypt communications, information, and transactions.
Recognition of Substantive Changes in second draft
CDT commends the Working Group for eliminating the "authorized by law" exemption from the Fairness principle. As the history of the 1974 Privacy Act reveals, such "authorized by law" language is a clear invitation to Congress to erode existing statutory protections.
In sum, IITF's proposed principles will serve only to weaken and muddle the current state of information privacy protection in this country. We had hoped that the IITF's second draft of the principles would reflect the comments of public interest organizations. We are disappointed that our prior comments and those of other public interest organizations are relegated to discussion in the Commentary. Without substantial redrafting of the Principles to reflect the concerns presented above, the IITF's efforts will undermine existing privacy policy.
We urge the IITF to recommend a rewriting of the Privacy Act to undo twenty years of weak enforcement and interpretation that have undermined the Privacy Act's original intent. CDT urges the IITF to recommend the application of the 1973 Code of Fair Information Practices by both the public and private sector, and to recommend additional principles that address privacy concerns raised by an interactive information infrastructure. We believe that the 1973 principles, in their original scope and intent, remain sound and enduring.
CDT is available to work with you on the final development of these Privacy Principles.
Sincerely,
Janlori Goldman
Deputy Director
Deirdre Mulligan
Staff Counsel
| FOOTNOTES |
1 See attached principles.
2 See attached comments submitted by Janlori Goldman as Director of the Electronic Frontier Foundation's Privacy and Technology Project.
3 Report of the Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, U.S. Dept. of Health, Education & Welfare, July 1973.
4 Id. at xxiii-xxvi.
5 Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission, p. 529 (July 1977).
6 Id. at 502
7 389 U.S. 347 (1967).
8 425 U.S. 435 (1976).
9 Id.
10 12 U.S.C. § 3401 (1978)
11 442 U.S. 735 (1979).
12 Senate Judiciary Committee Report on the Electronic Communications Privacy Act of 1986 (S. 2575), Report 99-541, 99th Congress, 2d Session, 1986, p. 4 (internal brackets omitted): see also, House of Representatives Judiciary Committee Report on the Electronic Communications Privacy Act of 1986 (H.R. 4952), Report 99-647, 99th Congress, 2d Session, p. 19.
13 Id. at 5.
14 House of Representatives Judiciary Committee Report on the Telecommunications Carrier Assistance to the Government Act, Report 103-827, 103d Congress, 2d Session (1994).
15 18 U.S.C. Chapter 121 § 2703 and Chapter 206 § 3121: see also, attached, "NIIAC Privacy and Related Security Principles for The National Information Infrastructure," Principle 3.
16 5 U.S.C. § 552a (b)(3) (1974).
17 5 U.S.C. 552a (1988).
18 The Privacy Act of 1974, 5 U.S.C. 552a 7(b) (1974).
19 Doyle v. Wilson, 529 F. Supp. 1343, 1350 (1982) (use of a refund voucher that failed to indicate whether the disclosure of the Social Security Number was voluntary or mandatory, by what statutory or other authority such number was solicited, and for what purposes it would be used, failed the statutory requirements).
20 Id.
21 Id., citing, Analysis of House and Senate Compromise Amendments to the Federal Privacy Act, printed in 120 Cong. Rec. S21, 817 (Dec. 17, 1974) and in 120 Cong. Rec. H12,243 (Dec. 18, 1974).
22 Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission, at 524.
23 Id.
24 Willis H. Ware, The New Faces of Privacy, 9 Information Society 195, 203 (1993).
25 Id. at 204.
26 Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission, p. 529 (July 1977).
27 Id.