• The Current State of United States Data Privacy Law
• The European Union Personal Data Directive
• Recent United States Legislative Proposals
• Clinton Administration Approaches to Data Privacy
• Practical Considerations Given the Potential Legal Changes in Data Privacy Laws

• Intention or knowledge
• Reasonable expectation of privacy

• Publicity of the information to the "public at large"
• The defendant must have caused the disclosure
• The facts must have initially been private
• The disclosure must be "highly offensive to a reasonable person."

1. Guidelines for Personal Information Protection
• (1) Personal data should be collected by fair and lawful means for a direct marketing purpose.
• (2) Direct marketers should limit the collection of data to only that deemed necessary for direct marketing.
• (3) The data should be accurate and complete and should be kept no longer than necessary.
• (4) Individuals can request personal data about themselves, as well as challenge the accuracy of the personal data.
• (5) Consumers who provide data that may be rented or sold should be told of that potential and given an opportunity to delete their data.
• (6) The collection, rental, sale and use of consumer data should be constrained to direct marketing purposes.
• (7) Each direct marketer is responsible for the security of their data.
• (8) Visitors to personal data processing and storage sites should only be allowed to visit if they have the express permission of the direct marketer and are accompanied by an employee at all times.
• (9) When transferring data between direct marketers, the receiver is responsible for the security of the data during the transfer.<,/li>
• (10) An ethics committee of the DMA has jurisdiction to review individual complaints in violation of these Guidelines.


2. DMA’s Marketing Online Privacy Principles and Guidance
   
   • (1) Online Notice: Direct marketers should prominently display a notice that indicates who they are, what information they are collecting, the purposes of collecting the information, the types of people who will receive the information and the method by which one can limit the disclosure of information.
   • (2) Opting Out: Marketers should inform customers of their opt-out choices and act upon the wishes of the consumers.
   • (3) Unsolicited Email: These messages should be clearly marked as solicitations and identify the marketer. Marketers should also provide recipients with a method of preventing future messages from being sent to those recipients.
   • (4) Online Data Collection Involving Children: Marketers should take into account their audience when deciding whether to collect data. Marketers should encourage parents to monitor their children while their children are online. Use of collected data should be limited to marketing purposes.

1. TRUSTe is an initiative that seeks for Web sites to utilize the "trustmark," a symbol that indicates the Web site complies with TRUSTe privacy disclosure requirements.
2. Trustmark recipients must have a privacy statement which discloses at a minimum:
   
   • What type of data is gathered
   • How the data will be used
   • Who will receive the data.
   
   Recipients must display the trustmark and adhere to its privacy statement.
3. TRUSTe will periodically audit its licensee sites to ensure they conform with TRUSTe standards. Conformance reviews will also occur by Coopers & Lybrand and KPMG Peat Marwick.
4. TRUSTe is supported by various companies, including AT&T, Excite, IBM, Land’s End, Netcom, Netscape and Oracle.

• Processed fairly and lawfully
• Collected for specified, explicit and legitimate purposes without further processing incompatible with those purposes
• Adequate, relevant and not excessive in relation to the purposes of collection or processing
• Accurate and kept up to date where necessary
• Kept no longer than necessary in a form which identifies the data subjects.

• The data subject unambiguously provides consent or
• Processing is necessary for a contract of which the data subject is a party or
• Processing is necessary to comply with a legal obligation of the data subject or the data controller or
• Processing is necessary for a task carried out in the public interest.

• Confirmation as to whether the data relating to the subject is being processed
• The purpose of the processing
• The categories of data being processed
• The recipients or categories of recipients who will receive the data.

• The nature of the data
• The purpose and duration of the proposed processing operation
• The country of origin
• The country of final destination
• The rules of law in the other country
• The professional rules and security in the other country.

1. This Paper contemplates the creation of White Lists of nations which possess adequate data protection.
2. For those nations not on the White Lists, the Paper sets forth a category of transfers that would be particularly sensitive and more likely to be carefully examined:
   • Transfers of sensitive information described in Article 8 of the Directive
   • Transfers which carry the risk of financial loss (such as credit card payments over the Internet)
   • Transfers carrying a risk to personal safety
   • Transfers made for the purpose of making a decision which significantly affects an individual (such as whether to grant credit)
   • Repetitive transfers involving massive volumes of data
   • Transfers involving the collection of data in a covert or clandestine manner (such as Internet cookies).
3. In defining "adequate protection," the Working Party noted the two key elements are the content of the equivalent rules and the means by which those rules are enforced. The Working Party provided a list of 6 principles which should be reflected in the content of the other country’s rules, at a minimum:
• (1) Purpose Limitation. Data should only be processed for a specific purpose.
• (2) Data Quality and Proportionality. Data should be accurate and not excessive in relation to the purpose of its acquisition.
• (3) Transparency. Subjects should be informed of the identity of the data controller and the purpose of the processing.
• (4) Security. The data controller should take appropriate technical and organizational security measures.
• (5) Rights of Access, Rectification and Opposition. The data subject should have the right to obtain the data obtained by the controller, the right to clarify inaccuracies and the right to oppose certain uses of the data.
• (6) Restrictions on onward transfers to other countries. Further transfers should only be allowed if the next country also has an adequate level of protection.

In addition, the following 3 principles were offered for their use when they apply:

• (1) Sensitive Data. Additional safeguards should protect sensitive data of the kind listed in Article 8.
• (2) Direct Marketing. Data subjects should be able to opt-out of the use of their data for direct marketing purposes.
• (3) Automated Individual Decisions. Data subjects should have safeguards when the data is to be used in automated individual decisions.
4. Aside from the issue of the content of the rules, the Working Party observed that to effectively enforce the rules, a system must (1) ensure a good level of compliance, (2) support and help individual data subjects to enforce their rights and (3) provide appropriate redress when the rules are violated.

• Where the data subject has given his unambiguous consent to the proposed transfer
• Where the transfer is necessary for the performance of a contract between the data subject and the data controller
• Where the transfer is necessary for the performance of a contract which benefits the interests of the data subject, but is between the data controller and a third party.

1. Article 26(2) still requires adequate safeguards, even in the contractual provisions.
2. Article 26(2) is further modified by Article 26(3). Article 26(3) places the burden on a Member State to inform the rest of the European Union about any authorizations granted under 26(2). This is a reversal of the Directive’s other provisions, which only require an equivalent disclosure when adequate protection has not been granted by a Member State, under Article 25.

1. Federal Internet Privacy Protection Act of 1997 (H.R. 1367)
   
   Summary: Prohibits Federal agencies from making available through the Internet certain confidential records with respect to individuals and to provide for remedies in cases in which such records are made available through the Internet.
   
   Status: Referred to the House Government Reform and Oversight Committee, April 17, 1997.
   
   Sponsor: Rep. Mark Barrett (D-WI)



2. Social Security Information Safeguards Act of 1997 (H.R. 1331)
   
   Summary: Requires the Commissioner of Social Security to assemble a Social Security Information Safeguards Panel to assist the Commissioner in developing appropriate mechanisms and safeguards to ensure the confidentiality and integrity of personal Social Security records made accessible to the public.
   
   Status: Referred to the House Ways and Means Committee, April 15, 1997.
   
   Sponsor: Rep. Barbara Kennelly (D-CT)

1. Children’s Privacy Protection and Parental Empowerment Act of 1997 (H.R. 1972)
   
   Summary:
   
   (1) Any seller of data who is found to knowingly purchase or sell data containing the personal information (such as name, telephone number, social security number or email address) of a child who is under 16 years of age may be fined or imprisoned unless that seller receives the written consent of the child’s parent. The data vendor must also comply with requests from parents about (1) the source of the personal information, (2) the contents of the information about the parent’s child and (3) the identity of the purchasing parties.
   
   (2) Anyone who uses any personal information about a child of under 16 years of age to contact that child in order to sell goods or services to the child or a parent may be fined up to $5,000 if that person fails to comply with requests from parents about (1) the source of the personal information, (2) the contents of the information about the parent’s child, (3) the identity of the purchasing parties and (4) discontinues providing that personal information about the parent’s child to third parties.
   
   (3) Anyone who uses prison labor to process data or distributes or solicits personal information about a children of less than 16 years of age with the intent to abuse, cause physical harm or sexually exploit the child, shall be fined or imprisoned.
   
   Status: Referred to House Subcommittee on Crime (via Committee on the Judiciary), June 25, 1997. Subcommittee hearings held, April 30, 1998.
   
   Sponsor: Bob Franks (R-NJ)



2. Communications Privacy and Consumer Empowerment Act (H.R. 1964)
   
   Summary:
   
   (1) Empowers the Federal Trade Commission to commence a proceeding six months after the Bill has been enacted to investigate whether consumers can determine (1) whether information is being collected about them, (2) whether that information is being used for purposes unrelated to the original collection and (3) the exercise of control over the collection of personal information. The FTC will propose changes in FTC regulations consistent with those three objectives and complete those changes within one year of the Bill’s enactment.
   
   (2) Empowers the Federal Communications Commission to investigate the impact of interconnected communications networks, such as telephone, cable, and satellite, on those three objectives. The FCC is to propose changes in their regulations consistent with the three objectives and complete those changes within one year of the Bill’s enactment.
   
   (3) Amends the Communications Decency Act to add a provision which requires Internet Service Providers to provide screening software which limits Internet access to material that is inappropriate for children.
   
   Status: Referred to the House Subcommittee on Telecommunications, Trade and Consumer Protection (via the House Commerce Committee), June 26, 1997.



3. Consumer Internet Privacy Protection Act of 1997 (H.R. 98)
   (See Attachment 4)
   
   Summary: Unlike current privacy protections, which allow individuals to opt-out, this Bill only allows information to be used by Internet Service Providers if individuals opt-in to the database.
   
   Interactive computer services, which are defined as those services that provide multiple users with computer access to Internet, cannot disclose any "personally identifiable information" without the consent of the individual service subscriber.
   
   The Bill also requires interactive computer services to reveal the identity of third party recipients of personally identifiable information to the relevant service subscriber.
   
   The Federal Trade Commission is empowered by the Bill to enforce its provisions.
   
   Status: Referred to the House Commerce Committee, January 7, 1997
   
   Sponsor: Rep. Vento (D-MN)



4. Data Privacy Act of 1997 (H.R. 2368)
   See Attachment 5)
   
   Summary
   
   (1) Establishes a computer interactive services industry working group to establish voluntary guidelines:
   (1) limiting the collection of personal information for commercial purposes obtained through any interactive computer service; (2) relating to the distribution of unsolicited commercial email messages; (3) and to provide incentives to follow the guidelines, including icons which indicate guideline adherence.
   
   (2) The Bill also prohibits the use of personal information for commercial marketing purposes, the use of personal health or medical information for medical purposes, or the display of another person’s social security number through an interactive computer service, unless that person had a prior business relationship or valid contract with the information provider.
   
   Status: Referred to the House Commerce Committee, July 31, 1997
   
   Sponsor: Rep. Billy Tauzin (R-LA)



5. Social Security On-Line Privacy Protection Act of 1996 [sic] (H.R. 1287)
   
   Summary: Prohibits interactive computer services from disclosing an individual’s social security numbers or related personal information without his or her prior, informed, written consent. Individuals are allowed to revoke their consent at any time, upon which the interactive computer service will cease disclosing the private information.
   
   Status: Referred to the House Commerce Committee, April 10, 1997
   
   
   Sponsor: Rep. Robert Franks (R-NJ)

• (1) Sends unsolicited email from an unregistered or fictitious address to prevent responses to the message.
• (2) Disguises the source of the unsolicited email message to prevent recipients from using a mail filter.
• (3) After sending an unsolicited email message, fails to comply with a request to terminate sending further messages.
• (4) Distributes a collection of email addresses while knowing that some of the recipients do not want to receive unsolicited email.
• (5) Initiates an unsolicited email message despite prior notice that the recipient does not want to receive an unsolicited message.
• (6) Registers or creates an Internet domain name for the principal purpose of initiating the transmission of unsolicited email.
• (7) Sends an unsolicited email message through an interactive computer service knowing that sending that message violates the rules of the interactive computer service.
• (8) Despite the contrary rules of an interactive computer service, accesses that service’s server to collect email addresses.
• (9) Initiates the transmission of bulk unsolicited email messages but then splits up the messages to circumvent this Bill.

• (1) Ban the transmission of unsolicited advertisements by electronic mail when there is no preexisting and ongoing business or personal relationship, unless the recipient provides an express invitation to send such advertisements.
• (2) Require unsolicited advertisements begin with the date and time the message is sent, the sender’s identity and the sender’s return email address.

• (1) Requires any person transmitting an unsolicited commercial electronic mail message to include as part of the message the word "advertisement" at the beginning of the message, as well as the name and address of the sender.
• (2) Empowers the Federal Trade Commission with authority over unsolicited electronic mail. This includes the ability to conduct investigations and impose fines.
• (3) Allows a state to bring an action on behalf of its residents, so long as that state notifies the Federal Trade Commission.
• (4) Requires that senders of unsolicited electronic mail terminate those messages upon the request of the recipients of those messages.

• Medical Privacy: The Vice President called on Congress to pass legislation which would restrict access to medical records and allow for individuals to correct their records.
• One Stop Opt-Out: The Vice President indicated that the FTC will be sponsoring a new Web site, located at "www.consumer.gov". At this site, consumers will be able to (1) bar companies from pre-screening their credit records, (2) restrict the sale of their drivers’ license data to data vendors and (3) remove their names and addresses from direct-mailing lists.
• Appropriate Use of Federal Government Data: The Vice President announced that the President had sent a new Memorandum to agency heads to ensure that new technologies are used in accordance with existing governmental privacy laws and to evaluate legislative proposals with regards to those governmental privacy laws.
• Privacy Summit: The Vice President asked the Commerce Department to hold a summit within the month of June to bring together privacy advocates and industry representatives. This summit will focus on self-regulation and children’s privacy issues.

1. The private sector should lead.
2. Governments should avoid undue restrictions on electronic commerce.
3. Where governmental involvement is needed, its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.
4. Governments should recognize the unique qualities of the Internet.
5. Electronic Commerce over the Internet should be facilitated on a global basis.

1. Awareness: Consumers need to know --
   
   • The identity of the collector of their personal information
     
   • The intended uses of the information
   • The means by which they may limit its disclosure.
   
   Data vendors are responsible for raising consumer awareness about these issues and can do so through:
   
   • Privacy Policies
   • Notification
   • Consumer Education
   
   
2. Choice: Consumers must be able to make choices about whether and how their information will be used. To make these choices possible, consumers must be offered simple, easily understood and affordable mechanisms. In some circumstances, such as medical information or children’s information, data vendors should not use the data without the consent of the appropriate person.
3. Data Security: Companies should take reasonable precautions to protect the data’s accuracy and integrity. This should extend to those third parties to whom they may send data.
4. Consumer Access: Consumers should be able to access the information that has been collected about them, as well as be able to correct any inaccuracies.

1. Consumer Recourse: Companies should offer some form of dispute resolution to provide redress for consumer complaints.
2. Verification: Companies must be able to demonstrate that the claims they make about their privacy protection regimes are accurate.
3. Consequences: Examples of consequences include cancellation of the right to use a seal or logo, posting the name of the violator on a bad actor list or disqualification from a trade association. FTC liability may also exist if the company has failed to live up to its privacy policy.

1. Notice to consumers as to whether their information will be transferred to other parties
2. Whether a choice is provided to consumers as to the use of the data
3. Whether consumers can access their own personal data
4. Whether consumers are informed about security precautions taken to protect the data.

1. In December 1997, the FTC published a report to Congress approving the self-regulation principles promulgated by the Individual Reference Services Group (IRSG).
2. Individual reference services are vendors who collect and disseminate personal identification information about consumers, such as their credit ratings.
3. The IRSG comprises 14 companies, a substantial majority of the companies comprising the individual reference service industry.
4. The IRSG Principles are as follows:
   

   (1) Restrictions on the Availability of Non-Public Information: The IRSG treats customers differently, based on their access to non-public information. The greater the information access of the customer, the greater the controls on the customer.
   (2) Monitoring Use and Maintaining Audit Trails: Each service is required to maintain a record of higher-end subscribers, such as professional users. This record must contain the solicitor’s identity, the types of uses the subscriber employed and the terms and conditions that the subscriber agreed to. This record is to be kept for three years after the service-subscriber relationship ends. Services do not have to record what information their subscribers’ accessed.
   (3) Consumers’ Access to Personal Information and Methods to Ensure Information Accuracy: The methods to ensure accuracy include only accepting data from reputable sources and correcting inaccuracies presented by individuals. Alternatively, an IRSG member can direct the individual to the source of the data.
   (4) Ability to Opt-Out: Individuals may opt-out of the general distribution of their information, but cannot opt-out of distribution to professional and commercial users.
   (5) Consumer Education and Openness: The services are to educate the public and users about privacy concerns. Each service must have a privacy policy statement which meets requirements such as disclosing to whom it may disclose information. Services are to also notify consumers through advertisements or other educational efforts.
   (6) Compliance Assurance: IRSG members’ practices are subject to review by a reasonably qualified independent professional service.

5. The FTC did criticize the IRSG Principles
   

   (1) The IRSG Principles fail to limit or control the use of publicly available information.
   (2) The Principles fail to require specific audit trails of the records accessed by each user.
   (3) The Principles fail to allow individuals to access public records or publicly available information maintained by IRSG members.

   
   Despite these concerns, the FTC has recommended that the IRSG Group be allowed to demonstrate that their Principles are a viable self-regulatory system. In addition, IRSG members have agreed to re-examine the FTC’s concerns by June 1999.

• Self-Regulation: A group of interested parties, led by the Center for Democracy and Technology, is preparing a report outlining potential options on this front.
• Enforcement Actions: The FTC has brought several actions against individuals that it believes are making fraudulent solicitations through unsolicited commercial email, including FTC v. Maher (D. Md., filed Feb. 19, 1998) and FTC v. Cooley (D. Ariz. filed Mar. 4, 1998).
• Education: FTC staff has produced materials warning consumers about the dangers of unsolicited commercial email.

1. Restricted Purposes: Health care information should be only disclosed for health care purposes.
2. Security: Those who legally receive health information must take reasonable precautions to protect the information.
3. Consumer Control: Individuals should have the ability to know what is in their records, who has examined their records, how they can change inaccurate information in their records and where they can obtain their records.
4. Accountability: To enforce these principles, those found violating them should be severely punished, including the possibility of criminal penalties.
5. Balancing Of Interests: Privacy interests should be balanced with other national priorities.

• Your identity (the data controller)
• The purposes for collecting data
• How long the data will be kept
• How the data is kept secure
• The procedures for keeping the data accurate, including how individuals can correct inaccuracies in their data
• How individuals can access their personal data, as well as learn who will receive their data
• Opt-in or opt-out provisions for individuals
• Dispute resolution procedures