Prepared Intervention of
Marc Rotenberg, Director
Electronic Privacy Information Center
Privacy and Data Protection
Committee on Citizens Freedoms and Rights, Justice and Home Affairs, and the
Committee on Legal Affairs and the Internal Markets
23 February 2000
Thank you for the opportunity to appear today before the Parliament to discuss the consumer perspective on privacy and data protection. My name is Marc Rotenberg and I am the director of the Electronic Privacy Information Center (EPIC), a public interest research organization in Washington, DC.
I appreciate the interest of the Members of the European Parliament in this important issue. I am also grateful for the participation of the Members of the US Congress in this proceeding. It is important for consumers in the United States and Europe that political leaders on both sides of the Atlantic have the opportunity to meet and to discuss these issues.
The protection of privacy has quickly emerged as one of the most critical concerns of citizens in the information society. When the Wall Street Journal asked its subscribers last year what they believed the greatest problem would be in the twenty-first century, the number one problem - ahead of economic depression, terrorism, and racial tension - was the "loss of personal privacy."
If you ask industry leaders about privacy, you will find even higher levels of concern than with the general public. This is not surprising. If you understand what the world will look like with real-time matching of facial images, routine identification requirements that rely on biometric data, the collection and matching of health information, family data and personal employment records, you will quickly understand how significant is the problem we face.
And if you ask the groups in society who are most often discriminated against, those people who are excluded from employment, credit and medical care because of personal information contained in a computerized file, you will understand also that the loss of privacy will be felt first by those who are the politically least powerful.
The roots of the problem are not difficult to understand. Our technological capabilities and our new business practices are racing fast ahead of our established expectations and our legal protections. It is clear that government has an important role to play in the new economy but it is not always clear what should be the best role for government. However, in the area of privacy there is a already a well established tradition of protection in law and through institutions. The key question today is whether to continue this important tradition and ensure that basic rights will be preserved even as new technologies emerge.
PROBLEMS WITH "SELF-REGULATION"
Today you are being told that "self-regulation" provides an effective means to protect privacy in the online world. But the experience of consumers in the United States is that self-regulation has done little to protect privacy. Quite to the contrary, self-regulation is inviting a "race to the bottom" in which companies pursue ever more invasive collections of personal information.
Many of the problems with self-regulation can be understood by looking at the Doubleclick company, the largest Internet advertising firm. When Doubleclick began it built an advertising model based on anonymous profiles that allowed businesses to target consumers and, at the same time, respect the privacy of consumers. Doubleclick assured Internet users by means of its own privacy policies and the policies of its business partners that it would not collect personally identifiable information. Consumer organizations, including my own, favored this approach and we applauded Internet firms that were developing similar innovative approaches to privacy protection.
But there was no legal framework in the United States that ensured that these good practices would be supported in law. Doubleclick decided to acquire Abacus Direct, the largest catalog database firm in the United States, and to join that database of actual consumer transactions with their own database of virtual surfing records. It then quietly began to change its privacy policies, and began the process of building detailed profiles of consumers interests - not simply their purchases - but where Internet users visit, what they read, what images they see without any legal accountability.
The American public is outraged. My organization EPIC filed a complaint at the Federal Trade Commission, alleging that the company had engaged in "deceptive and unfair" trade practices. Today Doubleclick faces investigations by the Federal Trade Commission, two state attorney generals, and several private lawsuits. Consumers across the United States are calling on Doubleclick to end its invasive profiling of the private lives of Americans. But Doubleclick continues to assure the public that it is a "leader" in privacy protection even as opposition to the firms practices mount.
This is what self-regulation has produced - the most egregious violations of privacy, little accountability, and no assurance that others firms will not engage in similar practices in the future.
What would have happened under a legal framework under the type embodied in the Data Directive? Doubleclicks original approach to advertising would cause no difficulty under the framework established by the EU Data Directive. It was an innovative marketing practice that did not rely on the collection of personal information. But the new model would be subject to data protection requirements and Doubleclick would be forced to accept the responsibility of providing consumers with access to their profiles if it wished to go forward. I suspect that, given this requirement, Doubleclick would have stayed with their original plan. And it would also have the assurance, in a jurisdiction where privacy is protected in law that competitors would not engage in the practice.
This is not the first time that the EU Directive has played an important role in safeguarding the privacy of Internet users. Several years ago, some political leaders in the United States believed that it would be possible to enforce adoption of an encryption scheme that would enable routine access by government agencies to privacy encoded messages. The proposal was widely opposed by users and Internet companies. It was also strongly opposed by European governments who cited the requirements of the EU Data Directive. In the end, the key escrow proposal failed in part because of the firmly established right of privacy in the European Union.
The Data Directive anticipates many of the privacy challenges of the information society and provides sensible, effective solutions. Far from being outdated, it builds on the experiences of many countries within Europe and outside of Europe in the development of legal rules that allow innovation to go forward and privacy to be protected.
But the failures of self-regulation to protect privacy is everywhere apparent. A consumer from the US or the EU cannot visit a single commercial web site in the United States with any assurance that privacy will be protected. And every indication is that the problems will get worse. The Federal Trade Commission has revealed that web sites dedicated to providing health information about consumers are now surreptitiously collecting information about individuals and sharing this with others in violation of their own privacy policies. Such information could include diagnoses, prescription medications, HIV status, and pregnancy.
Privacy policies do not provide privacy protection. In fact the "privacy policies" that you see on the Internet today are in fact privacy warning labels - they tell consumers how little protection they have. As these warning notices become more widespread, the level of privacy protection will continue to diminish.
What is the solution to this problem? It is the establishment of legal rules that protect privacy and the adoption of genuine privacy enhancing techniques that minimize or eliminate the collection of personal information. It is the approach embodied in the Data Directive of the European Union, the sectoral legislation in the United States, and the many privacy laws and statutes that can be found in countries all around the world.
Consumers are not prepared to leave their privacy behind in the twentieth century. They believe that a technology that is so malleable, that promotes so much innovation, can surely allow consumers to receive goods and services in the online environment with just as much privacy, perhaps even more, than has been possible in the past. There is no need for a trade-off. The loss of privacy must not become the admission ticket to the information economy.
SUPPORT FOR PRIVACY LEGISLATION
There is widespread support in both the United States and Europe for privacy laws that protect the rights of citizens. Earlier this month consumer organizations from both sides of the Atlantic meeting in Washington reaffirmed their commitment to a legal framework to protect personal and called on the United States to adopt privacy legislation comparable to the EU Data Directive. The Trans Atlantic Consumer Dialogue took particular note of the planned merger of AOL and Time Warner, and said that in the absence of strong privacy rules, not only would consumer privacy be at risk other companies would be at a competitive disadvantage. In other words, protecting consumer privacy will also promote business competition in the electronic environment.
Citizen organizations have also made clear that even as government establishes laws to protect the freedom of citizens, it should not use its lawmaking power to restrict the ability of individuals to make use of new technologies, such as encryption, that may provide greater privacy protection. The Global Internet Liberty Campaign (GILC) has led an international campaign to urge national governments, and I am pleased to say that after several years of hard work by GILC and other citizen organizations operating on the Internet progress is at least being made to remove barriers to the free exchange of information and ideas about privacy-enhancing techniques.
The Chairman of the Federal Trade Commission in the United States has said recently that the US industry should reconsider its opposition to privacy legislation. Chairman Pitofsky warned that "without comprehensive federal legislation" business groups are likely to face increasing number of lawsuits brought by both consumers and state agencies. Congress is also beginning to act. In the last few weeks, two different privacy caucuses were established to address privacy issues in anticipation of the elections later this year. There is growing support in the US for privacy legislation, and growing opposition to self-regulatory approaches.
The Safe Harbor proposal now before the European Union threatens the interests of consumers around the globe. It is an assault on the rule of law and the right of privacy. It asks consumers to give up their legal claims and to turn away from institutions with the authority and the competence to protect privacy interests and to accept instead a deeply flawed regime that is intended to put basic rights up for sale to the highest bidder. Far from a safe harbor, the proposal is in fact a "pirates cove," a scheme to take from people what can only be taken where there is no law and no regard for law
Everyone recognizes the enormous opportunities of the Internet economy. There is growth, employment, and innovation. Consumers will be beneficiaries of the opportunities to obtain information, comparison shop, and compete more aggressively in the marketplace.
But the benefits of the Internet economy cannot come - must not come - in exchange for the personal information of consumers, for the knowledge of the names and ages of their children, the prescription drugs they take, the candidates they support, and the opinions they hold. No economic system should impose such a cost on the privacy of consumers.
Consumers in a global economy share a common interest in the protection of basic rights and freedom. Government has always had - and always will have - a responsibility to protect the fundamental rights of it citizens. In the information society, one of the fundamental rights of citizen is surely the right to control the collection and use of personal information, to maintain private life even as one enjoys the benefits of public life. Government cannot turn from this responsibility.
Thank you for the opportunity to appear before the Parliament today. I would be pleased to answer your questions.
Electronic Privacy Information Center
European Consumer Organization (BEUC)
Global Internet Liberty Campaign
Trans Atlantic Consumer Dialogue