For Privacy, New Laws
thestandard.com
This From: The Industry Standard, December 04, 1998
thestandard.com
By
Marc Rotenberg
A Web site posts a privacy policy. Does that protect privacy? I don't think so, nor do many consumers who favor privacy legislation to protect online transactions.
Let's be clear on one point: The Electronic Privacy Information Center is a leading champion of Internet freedom. We litigated the first challenge to the Communications Decency Act and are now litigating the second. EPIC has been on the front lines of protecting the right to use encryption without restriction. But when it comes to privacy, we think there is a clear need for law.
Opponents of legislation say that technology moves too quickly, that
legislating is inefficient. But privacy law has almost always responded to new technology. The Privacy Act of 1974 answered public concerns about the computerization of records in the federal government. Twenty-five years later, it's still a good law. Government agents must safeguard the records of citizens, and everyone should have access to their records.
Privacy laws have also encouraged the growth of new commercial services. In 1984, the United States established laws to protect the privacy of cable subscriber records. Cable companies can't sell the viewing records of their customers, and many observers wonder why similar Internet-based services, such as WebTV, don't offer the same legal protection.
In 1986, the government extended privacy protections in the federal wiretap statute to new forms of communications, including e-mail and digital communication. In 1988, the U.S. adopted the Video Privacy Protection Act to safeguard the privacy of video rental records. In 1991, the Telephone Consumer Protection Act was passed to deal with the problems created by autodialers and junk faxes.
In example after example, the United States has established privacy rights to address public concerns. These laws have helped curb abuses in new industries and have promoted consumer confidence. This is exactly what the Internet needs today.
Opponents of privacy law say the answer is self-regulation. The history of self-regulation is not compelling. The Direct Marketing Association advocates self-regulation, but its own regulatory record is poor indeed. A 1996 study by Professor Joel Reidenberg and Professor Paul Schwartz found that fewer than half of DMA members complied with the association's own modest guidelines. A study conducted by EPIC in 1998 found that only a handful of new DMA members met the DMA's privacy principles, even after the DMA made compliance a condition of membership.
Privacy policies are notoriously weak. What is often called a privacy policy reads more like a simple disclaimer. The consumer ends up with a take-it-or-leave-it proposition. Typically, there is little more than fine print and no means of enforcement. The essential framework for privacy protection – a code of fair information practices, setting out the obligations of companies that collect personal information and the rights of individuals that give personal information – is often missing, incomplete or unenforceable.
Policies will not provide the protection consumers need for e-commerce to thrive. Consumers want their rights protected in the online world, just as they are protected in the offline world. Privacy protection should not end where the Internet begins.
The biggest problem with the campaign for self-regulation right now is that the goal has become making self-regulation work rather than making privacy protection work. Too many businesses have been told to "come up with good policies or the government will do it for you." That approach has led many to believe the goal of privacy protection should be to avoid government regulation. That's the wrong goal.
The effort to keep government out of the privacy game has also backfired in one area in which industry and consumers share common ground – encryption.
Without a federal agency backing good privacy policies, the government has been free to pursue various schemes to promote government access to private communications. The contrast with the European experience is striking.
Europe rejected key escrow and the various Clipper-like proposals; privacy agencies made clear that such efforts would violate well-established privacy rights. The European agencies also promote new privacy-enhancing techniques, such as methods for anonymity and virtual identities, that could be particularly effective for protecting privacy online.
It's time to move beyond self-regulation. We need privacy laws for the
Internet and an agency committed to protecting the right of privacy.
Industry groups should support these efforts. Simple, predictable rules to protect privacy will be good for all.
Marc Rotenberg is director of the Electronic Privacy Information Center (www.epic.org) and editor of The 1998 Privacy Law Sourcebook and Technology and Privacy: The New Landscape (MIT Press).
Copyright © 1998 The Industry Standard
|
