Date: Thu, 21 Apr 94 09:20:51 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V4#055 Computer Privacy Digest Thu, 21 Apr 94 Volume 4 : Issue: 055 Today's Topics: Moderator: Leonard P. Levine FEDGOVT: Request for comments: privacy and the NII (long) The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: "Arthur R. McGee" Date: 20 Apr 1994 20:09:32 -0700 (PDT) Subject: FEDGOVT: Request for comments: privacy and the NII (long) ---------- Forwarded message ---------- Date: Wed, 20 Apr 1994 13:18:42 -0400 From: CMATTEY@ntia.doc.gov Subject: privacy and the NII The National Telecommunications and Information Administration is seeking comments on issues relating to privacy and the National Information Infrastructure. The attached files are a press release and full text of NTIA's Notice of Inquiry and Request for Comments. CONTACT: Larry Williams NTIA EXTENDS NOTICE OF (202) 482-1551 INQUIRY ON PRIVACY ISSUES TECHNICAL NEWS ADVISORY The National Telecommunications and Information Administration (NTIA) has extended the deadline for filing comments in its privacy Notice of Inquiry (NOI) to May 23, 1994. On February 11, 1994, NTIA published a Notice of Inquiry and Request for Comments in the Federal Register entitled "Inquiry on Privacy Issues Relating to Private Sector Use of Telecommunications-Related Information." 59 FR 6842. NTIA has received comments from 30 parties in this proceeding. Those comments can be reviewed in NTIA's Openness Room, U.S. Department of Commerce, Room 4092, 14th St. and Pennsylvania Ave., N.W., Washington, D.C. 20230, between the hours of 9:00 am - 5:00 pm. For further information about NTIA's Openness Room, contact Norbert Schroeder at (202)482-6207. Since the comment deadline date, NTIA has received several requests for extension of time to file comments. In the interest of fairness to all potentially interested parties, and to provide an additional opportunity to develop the record in this proceeding, NTIA will allow additional time in which to file comments. Additional comments should be filed on or before May 23, 1994, to receive full consideration. Please submit seven copies to the Office of Policy Analysis and Development, NTIA, U.S. Department of Commerce, Room 4725, 14th St. and Pennsylvania Ave., N.W., Washington, D.C. 20230. Comments also may be submitted electronically via Internet to cmattey@ntia.doc.gov. For further information, please contact Carol Mattey or Lisa Leidig, Office of Policy Analysis and Development, NTIA, at (202) 482-1880. April 19, 1994 ------------------- NOIPRIV.DOS follows -------------------- [Billing Code: 3510-60] DEPARTMENT OF COMMERCE National Telecommunications and Information Administration [Docket No. 940104-4004] Inquiry on Privacy Issues Relating to Private Sector Use of Telecommunications-Related Personal Information AGENCY: National Telecommunications and Information Administration (NTIA), Commerce ACTION: Notice of Inquiry; Request for Comments SUMMARY: NTIA is conducting a comprehensive review of privacy issues relating to private sector use of telecommunications-related personal information associated with the National Information Infrastructure. Public comment is requested on issues relevant to such a review. After analyzing the comments, NTIA intends to issue a report, which may make recommendations to the Information Infrastructure Task Force and Congress in the area of telecommunications and information policy, as appropriate. DATES: Comments should be filed on or before March 30, 1994, to receive full consideration. ADDRESS: Comments (seven copies) should be sent to the Office of Policy Analysis and Development, NTIA, U.S. Department of Commerce, 14th St. and Constitution Ave., N.W., Room 4725, Washington, D.C. 20230. FOR FURTHER INFORMATION CONTACT: Carol Mattey or Lisa Leidig, Office of Policy Analysis and Development, 202-482- 1880. AUTHORITY: National Telecommunications and Information Administration Organization Act of 1992, Pub. L. No. 102- 538, 106 Stat. 3533 (1992) (to be codified at 47 U.S.C. SUPPLEMENTARY INFORMATION: I. Introduction 1. Today, there is a thriving U.S. industry dealing in personal information. Over 10,000 lists of data about individuals are available for rent. According to one 1990 estimate, the business of selling personal information was a $3 billion per year industry. Personal computers can be used to access information services that provide a wealth of information about individuals. Often such personal data is being manipulated for purposes other than those originally intended when collected, and the parties engaging in such activities have no prior direct relationship with the individual about whom the information pertains. Moreover, many Americans have little idea of what information is being collected about them or the many possible uses of such information. 2. The National Information Infrastructure (NII) -- the evolving seamless interactive web of communications networks, computers, data bases, and consumer electronics in the United States -- will accelerate this trend even further. As the NII develops, Americans will be able to access numerous commercial, scientific, and business data bases, obtain government information and apply for government benefits, select and customize entertainment programming, engage in retail, banking, and other commercial transactions, express their views to federal, state, and local government officials, and engage in productive employment, all from the comfort of their homes. With this growth in the number of electronic transactions, the accelerated collection of personal information, and the increase in the interconnectivity of telecommunications networks and information service providers, however, comes increasing public concern about communications and personal privacy. 3. On September 15, 1993, the Clinton Administration announced the formation of a federal interagency task force -- the Information Infrastructure Task Force (IITF) -- that would work with Congress and the private sector to propose policies and initiatives needed to accelerate the deployment of the NII. One of the IITF's goals is to ensure that the NII's operations are compatible with the legitimate privacy interests of its users, while recognizing the legitimate societal need for the flow of information. 4. One of the agencies participating in the IITF is the National Telecommunications and Information Administration (NTIA), which is the Executive Branch agency principally responsible for developing and articulating domestic and international telecommunications policies. As the principal advisor to the President on telecommunications policies, NTIA conducts studies and makes recommendations regarding telecommunications policies, activities, and opportunities, and presents Executive Branch views on telecommunications matters to the Congress, the Federal Communications Commission (FCC), state and local governments, and members of the public. 5. NTIA is undertaking this proceeding to examine the privacy implications associated with private sector use of personal information associated with the NII. Consistent with NTIA's communications and information policy function, we focus our inquiry on potential uses of information generated by interactive multimedia and by telephone usage and transactions utilizing the telephone, known as telephone transaction generated information (TTGI). We ask whether any overarching principles can be developed that would apply to all firms in the telecommunications sector. Moreover, we consider the issues that arise when such telecommunications- related information is used to create and disseminate detailed dossiers about individuals. We then address the role of industry self-regulation for providers of telecommunications and information services. Finally, we solicit comment on other countries' actions to ensure the privacy of information transmitted over telecommunications networks, and how any U.S. policies in this area will affect the international arena. The record developed in this proceeding will be used to develop recommendations in the area of communications and information policy for presentation to the IITF and Congress, as appropriate. II. Privacy in a Changing Environment 6. A critical question is what exactly should the right to privacy entail in today's information economy. In a seminal law review article in 1890, Samuel Warren and Louis Brandeis defined the right of privacy as "the right to be left alone." In more recent years, privacy has been defined by one academic as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others." 7. There is no single privacy law in the United States; rather, U.S. privacy law is a patchwork of constitutional, statutory, regulatory, and common law protections. While the Supreme Court has held that the Fourth Amendment restricts the ability of government to collect information from places in which an individual has a reasonable expectation of privacy, there is no constitutional right to be free from analogous intrusions by private sector parties. Tort law limits intrusive collection of private information, penalizes unwarranted disclosure of such information, and protects against disclosure of erroneous information about individuals. A number of statutes, at both the federal and state level, protect individuals from governmental misuse of personal information, while other statutes adopt "fair information principles" for private sector record keepers in specific industries. 8. In 1974, Congress established the Privacy Protection Study Commission to undertake a broad study of whether privacy rights were being adequately protected in the emerging information society. In its final report, issued in 1977, the Commission concluded that federal privacy laws should advance three concurrent policy goals -- - To minimize intrusiveness by creating a proper balance between what an individual is expected to divulge to a record-keeping organization and what he or she seeks in return; - To maximize fairness by opening up record-keeping operations in ways that will minimize the extent to which recorded information about an individual is itself a source of unfairness in any decision about him or her; and - To create legitimate, enforceable expectations of confidentiality by creating and defining obligations with respect to the uses and disclosures that will be made of recorded information about an individual. 9. Today, more than fifteen years later, there have been further advances in telecommunications and information technology. Given the proliferation of computerized data collection and the prospect of converging technologies -- computers, telephones, and mass media -- it is time to reconsider what privacy means in developing electronic communities. 10. The Administration has a broad vision of a future NII that will enable people in their homes, schools, places of business, and elsewhere to benefit from improved communications and access to information resources. In such a world, the collection and dissemination of information can serve many useful social and economic purposes. At the same time, each new communications and information service potentially affects the privacy interests of individuals and businesses. What are the First Amendment implications of regulating the dissemination of information by individuals or businesses? 11. What technology is available now, or in the foreseeable future, that could have an impact on the privacy expectations of telecommunications users? Should the ability of technology to enhance, or threaten, privacy have a bearing on what expectations of privacy are deemed "reasonable"? Can privacy laws or policies be developed that are technology-neutral? How can we ensure that whatever privacy protections that are in place apply equally to all Americans that use the NII, both younger and older, the wealthy, the middle class and the disadvantaged, and the technologically literate and the uneducated? 12. As the components of the NII develop, it may become increasingly difficult to define the rights and responsibilities of stakeholders. Today, one set of privacy requirements applies to traditional cable operators; other rules apply to telecommunications common carriers (with even more specialized rules that apply to the Regional Bell Operating Companies and AT&T); and other firms that provide telecommunications and information services are subject to no restrictions on how they use personal information. Are there any overarching principles that can be extended across specific services in the telecommunications sector? Given the convergence of different industries within this sector, is there a need for a more comprehensive approach to privacy regulation? Can "fair information principles" be extended to interactions between individuals in an electronically wired nation? III. Multimedia Transactions 13. The NII could ultimately provide access to interactive multimedia, integrated digital streams of video, audio, text, and graphics that will allow an instantaneous dialogue between the user and the system for the transmittal of information. Interactive multimedia encompasses such services as video on demand, participatory television, electronic publishing, interactive video games, teleshopping, telebanking, videoconferencing, remote medical testing and evaluation, and distance learning. For example, using devices with the attributes of a telephone, a television, a camcorder, and a personal computer, students ultimately may be able to browse through the collections of any library in the country and collaborate on research projects with others hundreds of miles away, individuals may be able to experience special family events like a christening or wedding even though they cannot attend in person, and citizens may be able to participate in electronic town meetings. In addition, small businesses as well as large may take advantage of the latest in computer technology to design products and provide useful services, and consumers may be able to shop for the best prices in town on groceries, furniture, clothing, or other consumer items. 14. Of necessity, usage of such multimedia services may create the electronic equivalent of a paper trail capturing many details of a person's life. Moreover, as more and more everyday interactions take place on-line, it will become even easier to compile, package, and sell information about individuals than presently is the case. The existence of more extensive transactional data may enable both large and small firms to conduct more effective targeted advertising and market research, which could facilitate the ability of individuals to access the products and services they desire. At the same time, people may be uncomfortable with the notion that "someone" may be keeping track of every interaction they engage in with the outside world. A. Existing Legal Framework 15. Several laws are relevant to the use of transactional records associated with communications media. Three of these laws -- the 1984 Cable Act, the Cable Television Consumer Protection Act of 1992 (1992 Cable Act), and the Video Act -- in essence adopt "fair information principles" for the use of cable subscriber data and video cassette rental and sale data. In contrast, the Electronic Communications Privacy Act of 1986 (ECPA) imposes no restrictions on private sector use of transactional data. 16. The 1984 Cable Act precludes cable operators or third parties from monitoring the viewing habits of cable subscribers. Under the subscriber privacy provisions of that Act, cable operators are required to inform their subscribers at the time of entering into a contractual arrangement, and annually thereafter, of the nature of the "personally identifiable information" they collect about subscribers, their data disclosure practices, and subscriber rights to inspect and correct errors in such data. Cable operators are prohibited from using the cable system to collect personally identifiable information about their subscribers, except that which is necessary to render cable service, without subscriber consent, and are generally barred from disclosing such data to third parties without written or electronic consent. Cable operators may sell their mailing lists to third parties only if they have given their subscribers an opportunity to limit such disclosure, and the disclosure does not reveal the viewing habits or other transactions of the subscriber. 17. The 1992 Cable Act extended the protections of the 1984 Cable Act to new wire and radio services that may be provided over cable facilities, such as personal communications services (PCS). It also requires cable operators to take actions necessary to prevent unauthorized access to personal information by persons other than the subscriber or cable operator. 18. The Video Act protects the privacy of video cassette rentals and sales. Among other things, the law prohibits disclosure of the fact that individuals have rented specific videos. Congress enacted this law in part in reaction to the well-publicized disclosure of Robert Bork's video rental history when he was under consideration for the Supreme Court. The law prohibits video tape service providers from disclosing to anyone the titles of video cassettes rented or purchased by a particular individual without the customer's consent, although they may release customer mailing lists and the subject matter (but not specific titles) of customer selections if the customer has been given the opportunity to object to such disclosure. 19. ECPA was enacted in 1986 to address new technologies not anticipated by the 1968 federal wiretap law. While that law generally prohibits eavesdropping and the interception of the content of electronic mail, radio communications, data transmissions, and telephone calls without consent, it imposes no restrictions on the internal use by providers of an "electronic communication service" of transactional records pertaining to such communications. As a consequence, such service providers are free to make any use of the identity of the parties to the communication or the fact of the communication. Moreover, while the ECPA specifies standards and procedures for court authorized electronic surveillance by government entities, and government access to stored electronic communications, it does not restrict the dissemination of transactional data that is maintained in electronic storage to non-governmental entities. Indeed, a service provider is expressly permitted to disclose transaction information concerning a subscriber to any person, for any purpose, without notice or subscriber consent. B. Areas of Inquiry 20. NTIA solicits comment on the extent to which the foregoing laws would apply to multimedia services that will be delivered over the NII, and if not, how they provide a useful model for new legislation. Commenters are specifically asked to provide a legal analysis of whether the cable subscriber privacy protections of the 1984 Cable Act, as amended by the 1992 Cable Act, would apply to telephone companies delivering multimedia services over switched broadband networks. Commenters also are asked to provide a legal analysis of whether firms that provide video on demand would be considered "video tape service providers" as defined in the Video Act, 47 U.S.C.  2710(a)(4). 21. As a policy matter, what principles should apply to the handling of transactional records associated with multimedia services delivered over the NII? Should multimedia service providers be required to obtain affirmative consent from NII users for the collection and dissemination of personal information, and how should this type of presumptively restricted information be defined? What should the user be deemed to consent to by subscribing to or ordering NII multimedia? 22. Without consent, should any secondary uses of personal information derived through the use of NII multimedia be permissible? As a technical matter, is there any way a user could monitor subsequent usage of personal information to ensure that such usage is consistent with his or her expectations? Should there be a requirement that transactional records be destroyed after some designated period of time? How will these requirements be enforced, and what right of redress will individuals have? 23. Should the ECPA be amended to impose restrictions on the use of transactional records associated with electronic communications services? What costs would such restrictions place on businesses, and what impact would restrictions on information collection and dissemination have on individuals? IV. Telephone Transaction Generated Information 24. Existing telecommunications networks generate a vast amount of personal information about telephone usage and transactions related to telephone service, which is likely to increase as more advanced services are offered. There are many forms of TTGI: white pages information, yellow pages information, new telephone service orders, aggregate telephone traffic information, calling number identification, other network information, call detail records, and billing and credit information. Today, some telephone companies are subject to restrictions on the use and disclosure of telephone transactional data, while other firms that have access to such information are subject to no restrictions at all. Given that the networks of telecommunications carriers are part of the backbone of the NII, NTIA is interested in determining what policies, if any, should govern the secondary use of telephone transaction generated information. In the discussion below, we focus on two forms of TTGI: Customer Proprietary Network Information (CPNI) and Automatic Number Identification (ANI). A. Existing Legal Framework 1. Customer Proprietary Network Information 25. When initially establishing telephone service for a customer, telephone companies obtain information such as the subscriber's name, billing address, and desired network services. Over time, telephone companies maintain service records and billing records, which include the monthly charges for network services, call detail for toll calls, and, if applicable, call detail for local calls. Such information, known as CPNI, is one form of telephone transaction generated information. 26. Currently, there are no federal statutes governing the secondary use of such information, but there are FCC rules governing use of CPNI by AT&T and the Bell Operating Companies (BOCs). Those rules prohibit the BOCs and AT&T from transferring the CPNI of customers with more than twenty lines to affiliated personnel engaged in the marketing of customer premises equipment (CPE) or unregulated enhanced services unless they have the customer's permission. BOCs and AT&T are allowed to make any use of the CPNI of smaller business and residential customers without customer authorization. Upon customer request, the BOCs and AT&T are required to release CPNI to unaffiliated CPE vendors or enhanced services providers (ESPs) on the same terms and conditions as made available to their affiliates. 27. The FCC's CPNI rules apply only to the seven BOCs and AT&T. Those rules were adopted largely to address competitive concerns based on the potential advantage the BOCs and AT&T might have when they provide unregulated enhanced services or terminal equipment and regulated "basic" telecommunications services on an integrated basis, rather than to protect customer privacy concerns. There are no restrictions on the use of CPNI by the more than 1,000 independent telephone companies, nonwireline cellular carriers, interexchange carriers (IXCs) other than AT&T, ESPs, or other businesses engaged in the provision of telecommunications and information services. 2. Automatic Number Identification 28. According to the Direct Marketing Association, on a typical business day in 1993, approximately 60 million toll free telephone calls were placed on the 1.8 million 800 numbers in the United States. According to one estimate, more than 274 million calls were placed to 900-number services in 1991, with over 14,000 pay-per-call programs being offered by approximately 5,000 pay-per-call service providers. 29. Interexchange carriers offering 800-number and 900- number services provide their customers -- that is, firms with 800 and 900 numbers -- with monthly statements providing call detail for all calls billed to them, including the telephone number of the calling party. In addition, interexchange carriers provide real-time Automatic Number Identification to those 800- and 900-number customers that choose to subscribe to this feature. Firms that subscribe to 800- and 900-number services use ANI for billing and routing, account management, and security purposes. For instance, mail order retailers can expedite transactions by retrieving the account information of a repeat customer as soon as the call is received, while these and other businesses can use such services to route large customers to their assigned account executive. 30. There are no FCC restrictions on the use or sale of ANI data gathered from interstate calls. The FCC received comments on ANI in 1992 in its Caller ID proceeding, but has taken no further action to date. 31. The only state that regulates the use or sale of ANI data of which NTIA is aware is New York. New York's Public Service Commission has issued terms and conditions concerning intrastate ANI, which became effective in December 1992. Under these terms and conditions, ANI information associated with an intrastate service in New York cannot be used to establish marketing lists or to conduct marketing calls. Firms may not resell or disclose ANI information to third parties unless there is prior written consent from the subscriber. Firms are allowed to gather ANI, however, for billing and collection, routing, screening, to ensure network performance, to complete a telephone subscriber's call or transaction, and for services directly related to the telephone subscriber's original call. B. Proposed law 32. Rep. Edward Markey, Chairman of the House Subcommittee on Telecommunications and Finance of the House Committee on Energy and Commerce, has introduced the Telephone Consumer Privacy Protection Act of 1993 (H.R. 3432), which would regulate the usage of CPNI and ANI data. The bill would amend the Communications Act to bar all local exchange carriers from using CPNI (1) to provide any service other than telephone exchange or telephone toll service, (2) to identify or solicit potential customers for services other than that from which the information is derived, or (3) to provide customer premises equipment. LECs would be prohibited from disclosing CPNI to affiliates or other persons that are not employees of the carrier, unless required by law or requested by the customer. The legislation would prohibit LECs from discriminating between affiliated and unaffiliated service or equipment providers in providing access to individual and aggregate CPNI. The bill also would require LECs to provide subscriber list information (e.g., subscriber name and address) on nondiscriminatory and reasonable terms to any person upon reasonable request. 33. The Telecommunications Infrastructure Act of 1993 (S. 1086) has a similar provision governing the use of CPNI. S. 1086 would apply the restriction more broadly, however, to all telecommunications carriers, rather than to local exchange carriers. Moreover, S. 1086 would give subscribers the power to limit the disclosure of subscriber list information. 34. H.R. 3432 also would amend the Communications Act to bar persons that use ANI (i.e., providers of 800 and 900 services) from reusing or selling the telephone number or billing data provided through ANI without first orally notifying the calling party and providing that party the option of limiting or prohibiting such reuse or sale. Otherwise, such information may only be used to perform the services or transactions intended by the original call, or for other limited uses, such as ensuring network security and performance. However, firms with 800 and 900 numbers would be permitted to use ANI to offer customers with whom they have an established customer relationship a product or service directly related to that previously acquired by that customer. Common carriers would be required to report violations of these provisions to the FCC, and the FCC would be authorized to order the termination of ANI service to the offending party. 35. A bill that is pending in the Senate (S. 612) would impose similar restrictions on the use of ANI by amending the federal wiretap statute. However, unlike the House bill, S. 612 specifies that ANI recipients may use such information for any lawful purpose if per call blocking at no charge (or per line blocking in states that have adopted such a requirement prior to the act's enactment) is available to the calling party. S. 612 also would impose civil penalties on parties that use information in violation of the statute's ANI requirements. C. Areas of Inquiry 36. NTIA solicits comment on how CPNI will evolve as the NII develops, and how should its treatment evolve. Is it correct to assume, as the FCC did when it adopted the current CPNI rules for provision of enhanced services in 1991, that there are no significant privacy concerns when CPNI is made available to different divisions within a single integrated company? To what extent do the competing rationales associated with regulating access to CPNI -- maintaining competitive equity between the BOCs and AT&T and unaffiliated ESPs, protecting customer privacy, and permitting efficient marketing and provision of enhanced services -- apply to other types of carriers, such as competitive access providers, IXCs, cellular telephone service providers, and cable companies, that will be part of the NII? We note in this regard that rationales for regulating use of CPNI based on competitive concerns suggest a focus on "dominant" providers (i.e., those with market power), while customer privacy rationales would seem to suggest a broader application of such regulatory protections. 37. When consumers purchase goods or services through an 800 number, they ordinarily orally disclose their name, telephone number, credit card number, billing address, and other information necessary to complete the transaction. Similarly, individuals that call 900 numbers are aware that a charge for that call will appear on their telephone bill. How is individual privacy additionally threatened by the potential passage of ANI to firms with 800 and 900 numbers? Is it reasonable to allow NII service providers to use ANI information to market new products or services to established customers? Should the answer to this question differ, depending on whether the individual has previously disclosed his or her telephone number to the called party, either orally or in writing? Should firms that offer 800- and 900-number services be required to notify callers at the outset of the conversation that their telephone number has been recorded? Do states, other than New York, have restrictions on the intrastate use and sale of ANI data, and is there a need for federal legislation in this area? 38. Does H.R. 3432 strike an appropriate balance between telephone subscriber privacy interests, and the desire of information gatherers to use customer information to provide services over the NII? Should NII users have easy access to some forms of TTGI (such as white page directory information), but not others? Should the burden be on the telephone subscriber to direct that transactional information not be used (the so-called opt-out approach), or on the party that gathers the information to obtain consent for the use of such information (the opt-in approach), and what specific consent mechanism should be used in either case? What costs would such restrictions impose on businesses? As a matter of policy, should any restrictions on the use of TTGI apply to all telecommunications carriers, rather than LECs? 39. NTIA solicits comment on whether NII network operators and service providers should be required to inform their customers, at the time service is initially established and periodically thereafter, what TTGI is accumulated about them, and how that information is used or disseminated to third parties. How would compliance with such rules be enforced, and what body should enforce them? If the end result of such restrictions is that less information is collected and disseminated in our society, what impact would that have on individuals, businesses, and the NII? V. Development of Personal Profiles 40. Enhanced information and computing technology, and the greater interconnectivity of telecommunications networks, will allow greater access to a broad range of record systems containing health, financial, academic, government, employment, telephone and other information that may be of a highly sensitive and personal nature. Easy and often anonymous access to such information raises concerns that anyone will be able to download information about individuals from different data bases and compile that information into detailed personal dossiers. A. Existing Legal Framework 41. In order to create a personal profile, a two-step process is required -- accessing the information and "matching up" the information for each individual. The Privacy Act of 1974 and a 1988 amendment to that Act -- the Computer Matching and Privacy Protection Act of 1988 (Matching Act) -- provide federal guidelines governing the compilation, use, and dissemination of personal information gathered by government agencies. 42. The Privacy Act's matching provisions regulate the conditions under which federal agencies may match personal information held in their data bases with data stored in other data bases. Such matching often is done in order to verify the eligibility of individuals for federal benefits. For example, a government agency may "match" its employee list with a list of persons receiving public assistance. The match would identify persons who are earning an income and improperly receiving public assistance at the same time. Such matching, without regulation, may result in indiscriminate swapping of data files. 43. Under the Matching Act, matching takes place under the "routine use" exception to the Privacy Act's limitation on use of personal information. Agencies are required, before matching, to enter into written, inter-agency agreements specifying the purpose of the match, the records to be matched, and a cost/benefit analysis of the match. The Matching Act creates an important procedural framework of notice to individuals, the right to a hearing before government benefits are cut off or denied, and mandatory reporting requirements for agencies that match records. 44. No federal or state laws regulate private sector matching of personal information. However, some existing federal and state laws restrict the accessibility of certain types of personal information. For instance, as previously discussed, federal law restricts disclosure of cable subscription and video tape rental or sale information. Such restrictions, when coupled with similar restrictions on the release of other types of personal information such as credit ratings and credit card usage, to some extent limit the information that can be used to create personal profiles. The existing legal framework, then, addresses only the first step of the matching process in the private sector by limiting access to information. B. Areas of Inquiry 45. NTIA solicits comment on whether existing federal laws would adequately deter invasions of personal privacy resulting from the compilation of telecommunications-related data, such as records of interactive media and telephone usage, obtained through the NII. Should federal legislation restrict private sector computer matching of such data? If so, for what purposes would the Matching Act serve as a useful model? Does computer matching create new information that should be subject to greater privacy restrictions than those applicable to each separate piece of information used in the match? Is privacy threatened by the act of gathering information about an individual from several different sources, or only when the resulting personal profile is used for purposes beyond the individual's knowledge and ability to control? 46. Market forces have an impact on the actions of businesses and consumers. For instance, Lotus Development Corporation and one of the nation's largest credit reporting bureaus, Equifax, abandoned plans to market a data base on a CD-ROM called "Marketplace: Households" in the face of widespread public criticism. In 1990, New York Telephone abandoned plans to rent directory information such as name, address, and telephone number from 4.7 million listings to retailers, telemarketers, and others selling products and services in the face of 800,000 requests to be excluded from such lists. Will consumer concern about the existence of personal profiles deter companies from developing such profiles? If so, what impact would that have on individuals and society? VI. Role of Self-Regulation 47. In response to growing customer concern about privacy issues, many companies are developing their own corporate privacy codes and other initiatives to bolster customer confidence in their services. In the telecommunications area, Pacific Bell, one of the Regional Bell Operating Companies, issued a comprehensive telephone customer privacy code in December 1992. MCI as a matter of policy does not sell or rent its customer lists or information about customers to third parties. Among information providers, Prodigy, one of the largest commercial on-line services, has a formal policy governing its use of personal information about subscribers. NTIA solicits comment on what other companies in the telecommunications and information field are doing to address their customers' privacy concerns. What has been the experience to date of companies that have privacy policies? Should companies be required to provide their customers with notice of their internal practices and policies regarding collection and use of personal information? To what extent can we expect that marketplace forces will adequately resolve conflicts over privacy interests, and how will this occur? 48. Many non-commercial networks have informally developed norms for conduct that are voluntarily adhered to by users. Users that engage in unacceptable behavior may be "flamed" by other users. On many bulletin boards, the system operator retains discretion to banish users who post offensive messages. Is such self-regulation in electronic communities adequate to protect the individual's right to privacy over the NII? VII. International Issues 49. The NII will be part of evolving global networks and therefore must be coordinated with international requirements in order to facilitate the competitiveness of U.S. firms. Many of our major trading partners in Europe, for instance, have formal data protection commissions that oversee implementation of national laws governing the information practices of both public sector and private sector parties. Thus, the United States needs to evaluate how the policies regulating the privacy of personal information transmitted over telecommunications networks in other countries will affect individuals and commerce in the United States, and vice versa. A. International Privacy Guidelines 50. International interest in advancements in computerization and related privacy issues began in the late 1960s. Since then, different nations have followed varying approaches to privacy. As previously noted, U.S. privacy law is a patchwork of constitutional, statutory, regulatory, and common law protections, and voluntary self-regulation. The European approach to the privacy of electronic information has been to favor omnibus data protection regulations that apply to both the public and private sectors and are overseen by state-controlled privacy boards. The Organization for Economic Cooperation and Development (OECD), whose membership consists of twenty-four industrialized countries, including the United States, Canada, most Western European countries, and Japan, has adopted guidelines for the protection of personal data that permit both the U.S. and European approaches. African, South American, and Central American countries have not yet adopted any data protection laws, but some are studying the issue. 51. In the discussion that follows, we focus on the major international instruments pertaining to privacy adopted by the OECD and the Council of Europe (COE), and under consideration by the European Community (EC), rather than the laws of specific countries. These international agreements -- which generally recognize that the free flow of information is critical to transborder economic activity -- provide a framework for adoption of domestic legislation by member nations. 1. Organization for Economic Cooperation and Development 52. The OECD has been active since the 1970s in considering the impact of computers and telecommunications technologies on the international flow of data. In 1978, it instructed a "Group of Experts" to develop a set of basic guidelines to govern transborder data flow and the privacy of personal data. The Group of Experts adopted "Guidelines on the Protection of Privacy and Transborder Data Flows" in 1980. All twenty-four OECD member countries have accepted the OECD Guidelines, which are strictly voluntary. In the United States, over 175 corporations have provided written statements of support for the OECD Guidelines. 2. Council of Europe 53. In 1980, the Council of Europe, whose membership consists of the twelve EC countries and nineteen other European countries, adopted "fair information practices" similar to those of the OECD regulating the collection, storage, and automated processing of personal data, and transborder data flow. Those principles, set forth in the "Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data" which was opened for signature in 1981, establish standards that must be enacted into domestic law by signatory countries. Twenty of the thirty-one Council of Europe members have signed the convention, and thirteen have ratified it. Ten of the twelve EC member states have ratified the convention and enacted domestic data protection laws. The COE Convention permits, but does not mandate, signatory countries to refuse to transfer data to other countries that do not provide equivalent data protection. 54. The Council of Europe continues to respond to new privacy issues brought about by technological innovation. Its Committee of Experts on Data Protection has studied a number of areas that pose challenges to privacy, including telemetry (the use of remote cameras, sound detectors, and other means to collect personal data without the consent, or even the knowledge, of the data subject), interactive media, and electronic mail. 3. European Community Directives 55. In 1990, the EC proposed a new directive that would create another set of international privacy guidelines, which would be mandatory for all EC Member States. Among other provisions, the 1990 Proposed Directive adopted an "opt-in" approach requiring companies to notify and obtain consent from each individual regarding the use of personal data pertaining to them. This directive would have allowed Member States to block the transborder flow of data to any country whose privacy regulations are determined to be inadequate. 56. U.S. businesses objected to the 1990 Proposed Directive because it would place potentially costly, bureaucratic restrictions on the collection, use, alteration or transfer of personal data files. The United States government argued that this directive would potentially hinder the ability of U.S. companies to communicate with their subsidiaries and customers in Europe. The German, U.K., and French governments also spoke out against the directive. 57. In 1992, the EC proposed a revised privacy directive that has not yet been adopted, but addresses some of the major concerns of U.S. industry. In particular, the revised proposal is less restrictive than the original with respect to transborder data flow. In determining whether the destination country affords a sufficient degree of privacy protection, nations may consider the specific circumstances of each data transfer on a case-by-case basis, rather than on an overall country assessment, taking into account the nature of the data, the purpose and duration of processing, and professional rules. 58. The 1992 Privacy Directive would require EC member countries to have independent supervisory authorities for the protection of personal data. These advisory bodies would monitor implementation of national laws adopted as a result of the EC privacy directive and would have the power to bring action against infringements of the law. 59. The 1992 Privacy Directive also acknowledges contractual provisions that protect data subjects' rights, but still does not recognize voluntary self-regulation, practiced widely by U.S. industry. It considers intracorporate data transfers between and among a company and its overseas subsidiaries and affiliates to be communications to a third party and subject to privacy regulations. Member States therefore still would be able to block the transborder flow of intracorporate data, if the privacy regulations in the country receiving the data are determined to be inadequate. The 1992 Privacy Directive has not been ratified due to remaining concerns within the EC business community over such issues as how to determine the adequacy of foreign data protection laws. 60. In addition to the 1992 Privacy Directive, the EC is considering a proposed directive that would harmonize regulations in Member States designed to protect the privacy of telephone subscribers. Generally, the proposed ISDN Directive would allow telephone companies to collect and store only that information that is necessary to provide requested services, require subscriber's consent to provide such information to third parties, guarantee adequate protection against unauthorized access, and require telephone companies to provide a call blocking option for calling line identification. 4. Areas of Inquiry 61. NTIA solicits comment on whether U.S. industry believes that the OECD Guidelines and the COE Convention are adequate instruments to protect individuals' right to privacy over telecommunications networks. Should there be any change in U.S. international privacy policy beyond individual firms' support for voluntary OECD guidelines related to transborder data flows? What impact would ratification of the EC's 1992 Privacy Directive or ISDN Directive have on the NII? Would the United States need to adopt additional privacy laws applicable to the private sector to ensure that, as the NII develops, it is not excluded from exchanging personal information with the EC? Could problems arise for international calls originating in the United States if the EC requires specific technologies or policies to be implemented that are different from those in use in the United States? For example, deployment of SS7 is necessary in order for calling parties to block transmittal of their telephone number to called parties. Different standards exist for technological solutions to privacy concerns such as encryption. To what extent does international network configuration have an impact on privacy considerations? What privacy policies have been adopted by individual countries that could serve as useful models for the United States as it develops its privacy policies for the NII? B. International Trade Agreements: GATT/NAFTA 62. Issues relating to privacy will continue to be a growing international trade issue as other countries and regions develop their own information networks. The protection of individual privacy is mentioned in both the GATT Telecommunications Annex and the telecommunications chapter of the North American Free Trade Agreement (NAFTA). Both documents focus on the right of users and service providers to access and use the public telecommunications network on a nondiscriminatory basis. However, under both GATT and NAFTA, laws or regulations that protect privacy of individuals in the processing and dissemination of personal data are permissible so long as they are not applied in a discriminatory manner or as a disguised restriction on trade. Will such provisions adequately limit the ability of a signatory country to impose its own privacy framework on other signatory countries, while allowing for a free flow of information? Given that the telecommunications networks that are part of the NII extend across U.S. borders into Canada and Mexico, will the United States need to consider how those countries address privacy issues as we develop our policies in this area? VIII. Conclusion 63. NTIA hereby requests comments in this inquiry to be filed on or before March 14, 1994. DATED: February 7, 1994 Larry Irving Assistant Secretary of Commerce for Communications and Information ------------------------------ End of Computer Privacy Digest V4 #055 ****************************** .