--- Date: Wed, 1 May 2002 08:53:08 -0400 Subject: Privacilla Testimony to House Judiciary Committee From: "Jim Harper - Privacilla.org" <jim.harperat_private> This morning, I'll be testifying to the House Judiciary Committee's Subcommitttee on Commercial and Administrative Law regarding the Federal Agency Protection of Privacy Act (H.R. 4561). (10:00 am in 2141 Rayburn House Office Building.) My written testimony is up on the site at: PDF: http://www.privacilla.org/releases/federal_agency_privacy_testimony.pdf html: http://www.privacilla.org/releases/federal_agency_privacy_testimony.html The html version has handy links to additional reading. And not just any additional reading. Additional reading about privacy . . . . Jim Harper Editor Privacilla.org --- Prepared Statement of Jim Harper, Editor of Privacilla.org at the Hearing on H.R. 4561 the "Federal Agency Protection of Privacy Act" U.S. House of Representatives Committee on the Judiciary Subcommittee on Commercial and Administrative Law May 1, 2002 Chairman Barr, Mr. Watt, and Members of the Subcommittee, It is a great pleasure to appear before you to discuss H.R. 4561, the "Federal Agency Protection of Privacy Act." I am Jim Harper, the Editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy. I am also an Adjunct Fellow at the Progress & Freedom Foundation and the Founder and Principal of Information Age lobbying and consulting firm PolicyCounsel.Com. Privacy is one of the most complex and difficult public policy issues confronting Congress and legislatures across the country today. I am pleased to lend what knowledge I have to your consideration of this legislation. Privacilla.org is a Web site that attempts to capture "privacy" as a public policy issue. The pages of Privacilla cover the issue of privacy from top to bottom. We deal with fundamental privacy concepts, privacy from government, and privacy in the private sector, including financial, medical, and online privacy. Anyone may submit ideas, information, and links for potential inclusion on the site. The site represents the thinking of many people and I would refer you to the Privacilla "Support" page to get an idea of the groups we work with. Please visit Privacilla at http://www.privacilla.org and use it as a resource whenever your work brings you to a privacy policy question. Privacilla takes a free-market, pro-technology approach to privacy policy. There certainly are other views, and you should consider them all. Please also be aware that Privacilla is currently a project of my lobbying and consulting firm, PolicyCounsel.Com. My firm does not represent any interest on privacy specifically, but nearly all issues touch on privacy in some way, so you should consider my potential for bias, as you would with any privacy advocate. The views presented on Privacilla, and those I express today, are not the views of any client. Chairman Barr, I salute you for introducing H.R. 4561 with broadly bipartisan support, and for holding these hearings today. Mr. Watt, and other Members of the Subcommittee, congratulations to you for joining in introducing this important bill. Privacy is a complex and widely misunderstood public policy issue. This legislation can help protect Americans' privacy by giving the American people, the press, and Congress information they need about how federal regulation affects privacy. This legislation presents an opportunity to refine the terms of the many different "privacy" debates, so that Congress, the press, and the public can find solutions to a number of important problems. Though they are motivated only by beneficent purposes, many government programs deprive Americans of control over personal information and their privacy. The Federal Agency Protection of Privacy Act can help restore to the people the power and autonomy that is one of the great benefits of living in the United States. There are several successful precedents in our nation's administrative laws for this proposal. Few, if any, changes are needed to perfect the legislation in terms of privacy. I urge you, though, to be aware of the many important elements of information policy beyond privacy that fall within the scope of the bill. Defining Terms: What is Privacy? The Judiciary Committee is the committee of American law and legal institutions. There is no better place to define and give structure to terms such as our focus today: privacy. By digging deeply into privacy as a legal concept, you as congressional leaders can dramatically improve the quality of many public policy debates, and the outcomes Congress produces for the American people. Left undefined, the word "privacy" has become far too much of a stalking horse for all variety of ideological and special interest groups. Indeed, a coterie of activist organizations - including Privacilla - thrives because there is not an agreed to and limited definition for the word "privacy" in current debate. Moreover, the lack of definition has rendered Congress, state legislatures, the press, and the public less able to find solutions to the many problems and legitimate concerns that popularly fall under the heading of "privacy." For example, identity fraud is widely perceived as a "privacy" problem. But it is better understood as a group of crimes that thrive on the use of personal identification and financial information. Because of this widespread misperception, the crimes that constitute identity fraud go poorly enforced while Congress considers banning many uses of Social Security Numbers in the name of "privacy." Limiting SSN use would likely stifle many benefits that consumers and the economy enjoy without effectively reducing this serious crime problem. Similarly, unwanted commercial e-mail, or "spam," is an intrusion into electronic communications and a serious annoyance that is often labeled as a "privacy" problem. Spam exists in large part because e-mail marketers know little or nothing about the interests of potential customers. It is difficult to reconcile spam - e-mails broadcast to unknown people nearly at random - with the heart of the privacy concept, which is too much personal information being available too widely. At Privacilla, we have a working definition of privacy that we believe should form the basis of policy discussions on the topic: Privacy is a subjective condition that individuals enjoy when two factors are in place legal ability to control information about oneself, and exercise of that control consistent with one's interests and values. Privacy is a personal, subjective condition. It is a state of affairs individuals enjoy based on sharing or retention of information about themselves consistent with their own preferences. These preferences are a product of such things as culture, upbringing, and experience. Because privacy is subjective, one person cannot decide for another what his or her sense of privacy should be. You can not tell me, either by giving your opinion or by passing a law, that my privacy is protected when I think it is not. The first factor above goes to the existence of choice the legal power to control the release of information. A person who wishes to maintain privacy in the appearance of his or her body, for example, may put on clothes and be relatively certain that no one will remove that clothing without permission. Few laws require people to remove their clothing and, thanks to the concept of "battery" in state tort and criminal law, private actors may be punished for touching our clothing in any way that interferes with bodily privacy. Our choices to hide or reveal information about the appearance of our bodies are protected by law. Likewise, a person who wants to prevent others from gaining knowledge of his or her purchasing patterns may pay in cash and regularly change the stores at which he or she shops. He or she may also arrange by contract to have personal information maintained in confidence. Various legal protections, such as the law of contracts, give us autonomy and choice that we use to protect privacy. The second factor is exercising that control of information consistent with our values. This is difficult in many commercial marketplaces. Many consumers are unaware of how the Information Economy works, and the fact that they are a part of it. Many industries are monolithic in their information practices. Arguably, they fail to fully inform consumers about what happens with personal information, and they offer consumers few alternatives. This is arguable, however. It may be that only a tiny, but vocal minority of consumers and activists actually wants to study commercial information practices and exercise choice among different options. If a significant number of consumers do, they are a market waiting to be served. As policy-makers, we should not presuppose that a certain amount or type of privacy serves consumers' interests in the marketplace, and Privacilla's definition of privacy does not do this. Advocates who claim to know what consumers want in terms of privacy prove their ignorance by making the claim. Consumers may rationally determine that they are safe from harmful uses of information when dealing with certain companies and leave it at that. The fact that hundreds or even thousands of mundane facts about themselves are in the hands of businesses may be a matter of indifference to reasonable people. Aware, empowered, and responsible consumers can demand of businesses what options they want in terms of information sharing or withholding. They can also demand, if they prefer, lower prices, customized service, combined offerings, and so on. Unless Congress and state legislators are going to guess at consumers' true preferences and impose them from the top down, only consumer education will deliver privacy on the terms consumers want it in the commercial world. Governments cannot protect privacy directly; they can only foster or destroy people's ability to protect their own privacy. Governments Pose a Unique Threat to Privacy While protecting privacy in the commercial world may be difficult, protecting privacy from government is impossible. Dealings with government are categorically different from interactions in the private sector. When citizens apply for licenses or permits, fill out forms for regulators, or submit tax returns, they do not have the legal power to control what information they share. They must submit the information that the government requires. It is either illegal to withhold information or withholding information penalizes citizens of money or benefits to which they are legally entitled. The notorious "Big Brother" in George Orwell's 1984 was a caution against the powers of governments. When dealing with them, the first factor in privacy protection - legal power to control personal information - is absent. It would be a mammoth, but worthwhile, task to catalogue all the personal information that is demanded by all federal programs. Additional study should include the purposes for which information is collected, other purposes to which it is put, and whether such information is ever eliminated from government records when it has served its original or successor purposes. The Federal Agency Protection of Privacy Act may help us do that. Some studies suggest the scope of personal data collection and warehousing done at the federal level. In September 2000 testimony to the House Government Reform Subcommittee on Information Management, Information, and Technology, Solveig Singleton, now of the Competitive Enterprise Institute, surveyed federal databases. Her non-exhaustive list included databases at the Commerce Department, the Department of Justice, the Department of Education, the Department of Energy, the Federal Bureau of Investigation, the Department of Health and Human Services, the Department of Housing and Urban Development, the Department of the Interior, the Department of Labor, the Social Security Administration, and the Department of the Treasury, which houses the Internal Revenue Service. Many of these databases include health and financial information. In March 2001, a study issued by Privacilla.org found that, during the 18-month period from September 1999 to February 2001, federal agencies announced 47 times that they would exchange and merge personal information from databases about American citizens. New information sharing programs were instituted more than once every two weeks. We characterized these programs as only the tip of an information-trading iceberg. The Computer Matching and Privacy Protection Act, which causes agencies to report these activities in the Federal Register, applies only to a small subset of the federal agency programs that use personal data about Americans. New uses of personal information are made by federal agencies constantly. The Privacy Act requires only a declaration in the Federal Register of a new "routine use" before personal data is used and shared in new ways. In case it needs emphasis, the threats to privacy posed by government programs are not the result of malice or malfeasance of any kind. The political leaders who have instituted such programs, and the administrators who operate them, have the best intentions for serving the public. Similarly, the fact alone that any government program weakens American citizens' privacy should not be the sole reason to terminate or cut back the program. Rather, privacy should be an important factor that policy-makers consider whenever they are creating, implementing, or altering government programs. Studies like Privacy and the Digital State: Balancing Public Information and Personal Privacy by Progress & Freedom Foundation Senior Fellow Alan Charles Raul have made progress on that front. The Federal Agency Protection of Privacy Act would help make privacy part of the policy-making calculus in federal agencies and in the Congress. The Administrative Process Should Inform the Public About Privacy Impacts A prominent theory behind the Administrative Procedure Act's enactment in 1946 was the idea of "scientific government." This was the notion that a band of impartial public servants would discover the one true public interest underlying legislation, and regulate in its service. Experience and modern scholarship reveal that the regulatory process, like the legislative process, does not locate some singular public interest. It responds to a cacophony of competing interests and values, among which are the interests of regulators and bureaucracies themselves. Administrative government does not improve on constitutional legislative processes so much as it improvises to accommodate the growth of the federal government in the latter half of the last century. An increasingly prominent theory of the administrative process though perhaps still a fallback from the idea that regulation would discern a "pure" public interest is that it can open administrative lawmaking to public scrutiny, particularly along lines that are deemed important by Congress. Several amendments to the APA in the last twenty-five years are consistent with this approach. The Regulatory Flexibility Act, passed in 1980, requires agencies to consider the special needs and concerns of small entities. Each time it publishes a proposed rule in the Federal Register, an agency must prepare and publish a Regulatory Flexibility Analysis describing the impact of the proposed rule on small businesses, organizations, government jurisdictions, and the like. The Initial Regulatory Flexibility Analysis is subject to public comment, and a final regulation must be accompanied by a final Regulatory Flexibility Analysis. The Reg-Flex Act apparently provides the model for the Federal Agency Protection of Privacy Act. Along similar lines, Congress passed the Unfunded Mandates Reform Act in 1995. Among other things, UMRA requires federal agencies to inform and work with states and localities on major regulations. The Small Business Regulatory Enforcement Fairness Act, passed in 1996, requires agencies to work more closely with small business in formulating regulations. It also subjects the analysis requirements of the Regulatory Flexibility Act to judicial review. These laws provide extensive precedent for the Federal Agency Protection of Privacy Act. The federal administrative process has been modified several times to accommodate the interests of various private- and public-sector institutions. Opening that process to the privacy interests of individual Americans is a matter of consensus among a broad cross-section of advocacy groups and congressional leaders, as we see from the wellspring of support for this legislation. Some Important Details and Nuances to Consider The Federal Agency Protection of Privacy Act is modeled on the Regulatory Flexibility Act, which has been used with success for more than 20 years to get greater information about the impacts proposed regulations will have on small entities. Simply, the Act would require agencies to issue the same type of analysis an Initial Privacy Impact Analysis along with a notice of proposed rulemaking. After considering the comments of the interested public, agencies would have to issue a Final Privacy Impact Analysis along with the finally promulgated regulation. The success of the Regulatory Flexibility Act increased with the addition of the judicial review provisions to the Reg-Flex law in 1996, and it is pleasing to see that the Federal Agency Protection of Privacy Act also would make agency action subject to judicial review. Knowing that judicial review is available will make agencies naturally solicitous of congressional intent without requiring a great deal of litigation. As with all legislation, there are some elements that could be improved. The casual reader may suspect that the Federal Agency Protection of Privacy Act would require agencies to assess how private sector implementation of regulatory mandates would affect privacy. This reading is probably a stretch and, judging by the public statements you and your colleagues have made, Chairman Barr, this is not your intent. Rather, it appears that your intent is for agencies to assess the consequences of their own information practices on privacy. Language perfecting the bill could require agencies performing an Initial Privacy Impact Analysis to "describe the impact of the agency's uses of information under the proposed rule on the privacy of individuals." (proposed 5 U.S.C. § 553a(a)(1); suggested added language in bold). Likewise, agencies performing a Final Privacy Impact Analysis could be required to describe and assess "the extent to which the agency's uses of information under the final rule will impact the privacy interests of individuals . . . ." (proposed 5 U.S.C. § 553a(b)(2)(A); suggested added language in bold). These minor changes are one way to better express the intent of the legislation. As you consider this legislation, you should be aware that it incorporates many policies beyond privacy. Security, for example, (made a part of Privacy Impact Analyses at 5 U.S.C. § 553a(a)(2)(A)(iv) and 5 U.S.C. § 553a(b)(2)(A)(iv)) is any number of practices and processes that respond to threats against a company or government's ability to function. Only one such function is carrying out privacy obligations. A business or government that lacks proper security may well violate its privacy commitments, but may allow much worse to happen as well. The policy considerations that go into security of data in the hands of governments is a separate and significant issue beyond my expertise. There are benefits from requiring agencies to declare that they provide for security of personal information, as long as the agency is not so forthcoming as to breach security in the process. Providing access and an opportunity to correct personal information is an important consideration (made a part of Privacy Impact Analyses at proposed 5 U.S.C. § 553a(a)(2)(A)(ii) and 5 U.S.C. § 553a(b)(2)(A)(ii)). But access and the opportunity to correct information go to fair treatment much more than privacy. Consider that there is no reason to access or correct information that will never be used. It is only important that information be correct if it may be used adversely to the interests of the individual. Using incorrect information against a person is unfair, not unprivate. Access is also generally inconsistent with security. Giving access only to appropriate parties presents difficult security challenges clustered around authentication of identity. An Advisory Committee on Access and Security, convened by the Federal Trade Commission in early 2000, concluded its work without reaching consensus because of the complex interaction between these two, essentially conflicting, interests. To illustrate this point: The privacy of information sealed in concrete and dropped to the bottom of the ocean is well protected, and it may remain private for eternity, but there is no opportunity to access it. As with security, there is no harm in requiring federal agencies to inform the public of access and correction rights. Similar fairness protections are found in the Privacy Act of 1974, which obviously deals with more than privacy. Using information for additional purposes (a part of Privacy Impact Analyses at proposed 5 U.S.C. § 553a(a)(2)(A)(ii) and 5 U.S.C. § 553a(b)(2)(A)(ii)) may affect privacy, depending on whether there is further disclosure of information. Information about a citizen's medical condition and address, for example, collected for making health care payments, may not be rendered less private if the same part of the same agency uses that information to research whether people with certain conditions reside in certain areas of the country. If a subsequent use of information involves sharing that information with a state agency or a different federal agency, however, then the subsequent use can be said to render the information less private than it was before. More importantly, though, a Privacy Impact Analysis that claims there will be no further sharing of information may provide false assurance. This is because nothing prevents governments from changing the rules about their use of information after it is collected. The National "New Hires" Database is an excellent case in point. The Personal Responsibility and Work Opportunity Reconciliation Act of 1996 required the Secretary of Health and Human Services to develop a National Directory of New Hires. This directory is a database of information on all newly hired employees, quarterly wage reports, and unemployment insurance claims in the United States. The purpose of this new database was entirely laudable - helping states locate parents who have skipped out on their child support obligations. But, already, the data is being repurposed. The National Directory of New Hires has been expanded to track down defaulters on student loans. Additional expansions have been proposed that would give state unemployment insurance officials access to the database. In the better view, privacy in information is lost when it is submitted to government authorities. Unlike in the private sector, there is no higher authority to which Americans can appeal when personal information held by governments is put to new and unanticipated uses. A Privacy Impact Analysis that claims there are protections against use of information for changed purpose may be accurate for weeks, months, or years. But this is weak protection compared to contractual obligations formed in the private sector. Privacy-protecting contracts may be regarded as permanent because their breach is contrary to legally enforceable obligations that neither of the parties can unilaterally change. This does not counsel against requiring Privacy Impact Analyses to discuss use limitations. Such analyses may make Americans more aware when commitments to restrict uses of information are changed by subsequent Congresses and Administrations. We will be better informed if the Federal Agency Protection of Privacy Act is passed with all its current provisions. This discussion of the many nuances of the bill is intended to illustrate the enormous complexity of information policy, and to caution against unconsidered adoption of the so-called "Fair Information Practices." Often touted by pro-regulation privacy activists, they represent a vast array of different policies. Some are related to privacy; some are inconsistent with it. One does not have to agree with the baggage-laden concept of "Fair Information Practices" to support the Federal Agency Protection of Privacy Act. The concept of "Fair Information Practices" appears to have originated in the early 1970s from a committee convened within the Department of Health and Human Services called "The Secretary's Advisory Committee on Automated Personal Data Systems." The intellectual content of its report, commonly known as the "HEW Report," formed much of the basis of the Privacy Act of 1974 and its thinking is useful for controlling government data collection and use. The report treated the public and private sectors identically despite the vast differences in rights, powers, and incentives that exist in these different worlds. For this reason, it cannot be said that the HEW Report addressed all the complexities of the privacy issue. "Fair Information Practices" do not apply well to the commercial world. As an analysis of government information practices, however, the HEW Report was an important project and document. It also tells us that computers and privacy are not a new concern to Americans. Conclusion Again, Chairman Barr, Mr. Watt, and Members of the Subcommittee, congratulations on engaging an issue where you can truly improve the quality and character of life for all Americans. There is widespread consensus that people in the United States want to protect their privacy from government encroachments. The Federal Agency Protection of Privacy Act will inform the public about the privacy impacts of federal regulations, and empower them to make informed decisions about government programs. There are many nuances to consider and understand privacy and information policy are very difficult areas but the legislation you have proposed is an appropriate, measured, and important step in the pursuit of enhanced privacy protection for American citizens. _________________________________________________________________ ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ ------------------------------------------------------------------------- Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 11:04:27 PDT