By Rachel Chalmers
The Federal Trade Commission has told the US Congress that it sees no need for legislation to prevent companies from abusing individuals’ private information. We continue to believe that effective self-regulation is the best way to protect consumer privacy on the internet, said FTC chairman Robert Pitofsky, and I am pleased that there has been real progress on the part of the online industry. Because of that progress, I do not believe legislation is necessary at this time.
Not everyone agreed. The Commission was split 3-1 over whether to authorize the release of the report, with Commissioner Sheila F Anthony concurring in part and dissenting in part. I believe the time may be right for federal legislation to establish at least minimum baseline standards, said Anthony in her statement. I note that bipartisan bills are pending in both the House and the Senate and could provide a good starting point for crafting balanced protective legislation. I am concerned that the absence of effective privacy protections will undermine consumer confidence and hinder the advancement of electronic commerce and trade.
Pitofsky did, however, acknowledge that as a way of protecting privacy, industry self-regulation is not without its problems. This is not the occasion to declare victory, he admitted. He recognized that a lot of what the industry would like to advertise as progress towards privacy protection is purely cosmetic: There is more to protecting consumer privacy than simply publishing notices on web sites, he said. We intend to monitor what we hope and expect will be continuing progress in development of privacy protection programs, as well as efforts to develop effective enforcement mechanisms.
Those reservations aside, the report found that self-regulation is the least intrusive and most efficient means to ensure fair information handling. The FTC based its findings upon two studies conducted by Georgetown University professor Mary Culnan. It should be noted that both studies were funded by business interests and proponents of self-regulation, including the Online Privacy Alliance, TrustE and BBBOnline.
Culnan’s studies did demonstrate that most sites are implementing the basic Notice principle of fair information handling. At the same time, the studies revealed that only a small percentage of the most frequently visited sites address the other three principles: Choice, Access and Security. Little wonder that privacy advocates have urged Congress to disregard the FTC report and to pursue a legislated solution. All objective evidence has shown self-regulation to be an utter failure, said Evan Hendricks, editor of Privacy Times.
The wild card in the game is the European Union, which has far more stringent legal standards for information handling than the United States does, and which is threatening to suspend cross- border information exchange until the US cleans up its act. The US Department of Commerce has been negotiating with the EU, trying to persuade it to compromise. For years European countries have guaranteed their citizens access to the information companies have about them, explained Privacy International deputy director David Banisar. The Clinton administration has been trying to lower this standard to only the information provided directly by the consumer, or even just a summary of the kind of information generally kept.
As Pitofsky himself admitted, enforcement is the key. The privacy advocates call for a private right of action that would allow anyone whose privacy has been violated to sue the offending organization for statutory damages. Leaving enforcement to the FTC alone means only a tiny percentage of infractions are ever investigated. Until violations are against the law, companies will have little or no incentive to take their customers’ privacy seriously. Jason Catlett, president of Junkbusters Corp, explained: Consumers must be given the power to enforce their privacy rights against those who would violate them.
