TRANSCRIPT
“A State of the Union for Privacy: Fall, 2002”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
International Privacy Officers Association
October 18, 2002
Overview
Privacy and Government
– The “Lawless State” and the 1970s Reaction
– Since September 11
Privacy in the Private Sector
– Medical, financial, Internet, international
What to Do Next
I. “The Lawless State”
By the mid-1970s, there was clearly substantiated evidence of widespread lawlessness and surveillance by the FBI, CIA, and other federal agencies
“The Lawless State” by Jerry Berman & others
Church Committee hearings
“The Lawless State”
Surveillance and smears of MLK, Jr.
FBI infiltration of political groups
– FBI agents in KKK to Black Panthers, including participating in bombings, etc.
– “Fringe groups”? Large fraction of delegates to 1972 Democratic National Convention under surveillance
– Blackmail files on political officials
“The Lawless State”
IRS files routinely scanned for political advantage
CIA prohibited from acting in U.S.
– But, active in ports
– Then active in hundreds of other domestic operations
– Allende assassination plans, secret funding in foreign elections, and other “black ops” overseas
“The Lawless State”
National security powers
– President and A.G. claimed unlimited ability to wiretap within the U.S. for “national security” purposes
State wiretaps
– No federal law limiting wiretaps by state officials until 1968
Reactions to the Lawless State
Title III (1968) -- wiretaps only under strict, federal standards
Privacy Act, 1974
Government in the Sunshine
– FOIA Amendments, 1974
– Open meeting & whistleblower laws
Foreign Intelligence Surveillance Act, 1978
Electronic Comm. Privacy Act, 1984
Summary on the Lawless State
Demonstrated history of abuse of power and lack of accountability
New laws going beyond constitutional minimum, to limit surveillance and protect privacy
New laws to create openness in government, to promote accountability
II. Privacy -- the Next Generation
Clinton years
– “Chief Counselor for Privacy”
– HIPAA, GLB, COPPA, and more
– 2000 proposal to update wiretap laws
Initial Bush Administration
– Pro-privacy statements by the President
– Decision not to cancel medical privacy rule
– Likely would have had a Federal CPO by now
9/11 and USA-PATRIOT
Legal changes: significant rollback but not repeal of surveillance law
Updating with the surveillance powers from 2000 Clinton proposal
“Double” that, especially for FISA and computer trespasser
None of the proposed privacy updating
– No suppression for illegal email/web snooping
– That evidence can be used in court
USA PATRIOT Act & After
Implementation changes: use authorities to the limit, and perhaps beyond
Political changes: “protecting privacy” means “weak on terrorism”
Not all proposals enacted:
– Some proposals taken out of bill
– E.g., proposal for CIA to get IRS records
– Sunset for some surveillance in fall, 2005
The Effects of 9/11
Less known -- the theory change
Viet Dinh in DOJ, seek powers to the limit permitted by the Constitution
Sounds good, but means repeal of much of the 1970s laws
– Often no “reasonable expectation of privacy”
– Often records held by 3d parties, who can “consent” to release
– Surge in secrecy -- FOIA not in Constitution
Homeland Security Department
Beginning of a return to previous privacy politics
House hearing and bill
– CPO for the Department
– Privacy Impact Assessments
– No authorization for national ID
– TIPS (Armey)
Senate? Commission on Privacy & H.S.?
Cyber-Security Report
Released September, 2002
Section of report on privacy
– First Bush Administration written statements (that I have found) on the importance of building privacy into government practices
– Excellent on this: should build in privacy when upgrade systems for security
– Report widely criticized for good intentions, but few actual action items
Summary on Government Access to Records
Some Congressional return now to previous pro-privacy politics
September 11 and USA-PATRIOT effects continue
Administration statements: privacy should be based on what is required by the Constitution
That is less than I believe most Americans will want
III. Privacy & the Private Sector
Medical
Financial
On-line and more generally
International
Medical Privacy & HIPAA
I commend the Bush Administration for going forward with HIPAA
– Have historic one-time shift from paper to electronic medical records
– Is of course a difficult transition for a huge industry to new IT systems
– Overwhelming majority of Americans expect security and privacy to be built into the new medical record systems
HIPAA
What about the changes to the rule?
– I estimate HHS kept 90-95% of the 2000 rule
– Many changes sensible & fix problems
– Biggest mismatch of rule and consumers on marketing
Now permits a covered entity to do unlimited marketing for health-related products and services
Covered entity can be paid for this, no disclosure
No disclosure of source of communication
Likely biggest impetus for Congressional action
HIPAA
HHS staff: professional, thoughtful, & hardworking
Administration leadership:
– Has done the “minimum necessary” for achieving HIPAA goals
– NCVHS (HHS Committee): call for far more guidance, education, and outreach from HHS
– Abject failure to promulgate Security Rule, with needless cost to industry
Financial Privacy
Implementing Gramm-Leach-Bliley
– Pretty routine for many companies
– Should have “layered notices” such as HHS encourages for HIPAA
Changes in Financial Privacy?
Fair Credit Reporting Act reauthorization due in 2003
FCRA preemption of state law expires
State law changes possible for GLB
– California, North Dakota
Sarbanes hearing last month, and he has supported Clinton 2000 bill
Unclear what will happen
Online and Other Privacy
Progress thus far without legislation
– 15% privacy policies in 1998 (commercial)
– 88% privacy policies in 2000
FTC/Muris commitment to enforcement
Question is the “quality” of policies
– Cautious lawyers and promise as little as possible
– Many policies weaker today than 2 years ago
What next for Online?
Stearns and Hollings bills
No action unless there is
– Remember Sarbanes bill for Enron reforms
– Dead in the water
– Now, have Sarbanes-Oxley Act
Big issue: online only?
– FTC approach that can’t promise online and treat offline data differently
– Likely the best approach
International Data Flows
E.U. Privacy Directive
– Beginning of some enforcement with significant fines
E.U.-compatible privacy regimes
– E.U. neighbors
– New Zealand & Australia
– Canada
– More coming: Malaysia? Everyone else?
International Issues
Safe harbor for financial services
– No agreement yet, truly difficult issues
The reality for global companies
– Compliance with privacy regimes outside the U.S.
– What to do inside the U.S.?
Conclusion: ongoing international pressure for more privacy laws in the U.S.
IV. Conclusion: Private Sector
Privacy is not dead
HIPAA is the biggest privacy compliance in U.S. history
More federal financial privacy legislation if the states get active
Internet legislation is one scandal away
Global companies face continuing pressure from almost all our trading partners
Conclusion: Government Access
The Bush Administration is at risk if privacy politics continue to shift back
It has taken stands as a friend of government surveillance and secrecy
It has not designated officials to address privacy and ensure that privacy values are incorporated in new initiatives
Conclusion: Privacy & Security
First, does the intrusive measure in fact improve security?
Second, is the measure designed to improve security while also respecting privacy where possible?
Third, have we built the new checks and balances appropriate to the new surveillance?
Finally ...
Don’t let the anti-terrorism measures of today turn into the anti-communist excesses of decades past.
We’ve seen what abuses in the name of liberty look like -- lack of accountability and institutionalized lawlessness.
We must assure that does not happen again. You as privacy professionals can help assure it does not.
Contact Information
Professor Peter P. Swire
web: www.peterswire.net
phone: (240) 994-4142
email: [email protected]