With little more than six weeks until July 1, when the Clinton Administration’s Task Force on E-Commerce must present its year’s worth of findings, US vice-president Al Gore has announced privacy initiatives that appear to diverge from Task Force head Ira Magaziner’s party line so far. Using New York University’s 166th Commencement Address as his platform, Gore called for tighter controls on handling of individuals’ medical information and promised a one-stop privacy opt-out shop on the web. Government officials in each agency are to ensure privacy policies are followed. The VP also asked the Commerce Department to convene a Privacy Summit, where consumer advocates and industry representatives could join to plan strategy and focus on protecting children. Just what Gore trying to get at remains a matter for debate in privacy circles. For one thing, nothing of what he announced is new. The opt-out web page, says David Baniser, attorney and senior policy analyst with the Electronic Privacy Information Center (EPIC), is a bit of a joke. It’s something we had our intern do last summer. Similarly, steps to protect medical information have been on the go for some time, as has the privacy summit – announced and cancelled twice so far. As for the appointment of one person in each government agency to ensure that privacy policies are adhered to, Baniser says: That has been required by law since 1988. W. Scott Blackmer, a advisor to business on privacy issues with Washington, DC law firm Wilmer Cutler & Pickering, is equally puzzled by Gore’s reference to an electronic bill of electronic rights. He suggests that this sounds like a single set of rules [to protect individual privacy] which may be government-imposed, a solution at odds with Magaziner’s known leanings towards industry self-regulation. Blackmer says Gore may have been referring to an end-state objective. In the end, consumers should have some information and some options with respect to the information that is being held about them. Gore’s ambiguous remarks may reflect the highly political nature of his material. As technology becomes more and more sophisticated, the amount and quality of personal information available for collection and analysis has increased dramatically. This is a boon to direct marketing firms, but most other people consider it a potential invasion of their privacy. High levels of public concern over this situation led the European Union to issue a directive on the transborder flow of information. Under the terms of this directive, exports of personal data from the EU will be restricted to those nations deemed to have adequate standards for the protection of individual privacy. The directive kicks in on October 28 this year, and US companies doing business with Europe must take it into account (CI No 3,343). Definitions of what will constitute adequacy vary wildly, but the essential distinction is between a legislated approach and industry self-regulation. EPIC wants legislation, saying that the industry has been left to itself for the last eighteen years only to prove itself untrustworthy, time and time again. The government, however, supports direct marketers in their calls for a self-regulated regime – or at least it has done so far. Blackmer explains the argument for self-regulation by downplaying the influence of the impending EU directive on the Clinton administration’s policy. There are clearly two drivers, and the main one is domestic political concern, he says. A 1997 report prepared by Boston Consulting Group for net non-profit TrustE found that more than 70 per cent of web users were more worried about the privacy of their information in net-based transactions than they would be in similar transactions conducted by fax or phone. Those concerns translate to lost business dollars for net merchants. According to Blackmer, that fact makes legislation unnecessary. For the self-regulatory approach to work you have to appeal to the economic self-interest of the actors, he explains. Since it is in merchant’s interests to be seen to be responsible handlers of information, the pro-regulation lobby argues, they will be. To raise confidence in net commerce, Magaziner has proposed a system of trust seals on web sites. Consumers should be able to feel comfortable that a sealed site has a responsible privacy policy. Privacy proponents remain unconvinced, and have said as much to the Task Force. EPIC and a number of other privacy and consumer advocacy groups met with Magaziner earlier this week. Nobody supported him, says Baniser. We all said ‘Forget it, it’s not going to work.’ Self-regulation assumes a level of good faith on the part of the public that merchants do not necessarily enjoy. But generalized resistance to government intervention may prevent overarching legislation to protect consumer privacy ever being passed in the United States. Without such a regime, will the USA’s existing patchwork of ‘sectoral’ laws be deemed adequate by the EU? Baniser says two American lawyers retained by the European Union found that certain industries, such as credit reporting, are better monitored in America than in Europe, while others such as marketing and medical health are sorely lacking. In the end, it may not be possible to reconcile Europe’s human rights emphasis with the principles of free enterprise that are so important to the USA’s political process. Blackmer concludes: We’re on a collision course between the increasing ability of businesses and organizations to gather and use personal data and the increasing sensitivity of the individuals concerned. In the meantime, the privacy advocates that might have been expected to welcome Gore’s speech have ridiculed it, while the rest of the industry is left simply confused.
