Personal tools

You are not logged in
Log in
Join

Home » Previous CPSR Web Site » conferences » cfp91 »

plesser.html

CFP'91 -

International Perspectives & Impacts

Tuesday, March 26, 1991

David Flaherty

Tom Riley

Robert Veeder

Ron Plesser, Chair

Copyright (c) 1991 IEEE. Reprinted, with permission, from The First Conference on Computers, Freedom and Privacy, held March 26-28, 1991, in Burlingame, California. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the IEEE copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Institute of Electrical and Electronics Engineers. To copy otherwise, or to republish, requires a fee and specific permission.

Published in 1991 by IEEE Computer Society Press, order number 2565. Library of Congress number 91-75772. Order hard copies from IEEE Computer Society Press, Customer Service Center, 10662 Los Vaqueros Circle, PO Box 3014, Los Alamitos, CA 90720-1264.

PLESSER: ... I'm delighted to be here to talk about International Perspectives and Impacts of Privacy. ... I'm a lawyer in Washington, D.C. [with] Piper and Marbury, and I was former General Counsel of the United States Privacy Protection Study Commission in the mid-1970s. As a disclosure, I do a lot of work in electronic-accessed information. I represent Mead Data Central and other companies like that in terms of getting access to government data. I also do work [on] privacy issues for trade associations, including the Direct Marketing Association and other individual companies. I have been involved in the international issue for a fair while. ...

Tom Riley is the head of Riley Information Services in Canada, and Tom has been on the international information and privacy scene for probably as long as I have been, about 20 years or something like that. Tom lived in England, and tried to get them to do away with the Official Secrets Act, but left after about eight years in some level of frustration. But he may be able to talk to us a little bit about the problems of international-access laws. Today Tom runs a consulting and seminar company in Canada that's been very active and on the cutting edge of information and privacy issues.

... David Flaherty ... is a professor at the University of Western Ontario. He is a graduate of McGill University and has a doctorate in American constitutional law from Columbia. And, while he is a Canadian and not a lawyer, he knows more about American constitutional law and the history of American constitutional law than most people, with the possible exception of our morning speaker. ...

But we're very lucky to have David. He's filling in for another speaker, who's Michelle Muth, who could not make it from the U.S. government. David is somewhat of an expert in this field in having written the definitive text called Protecting Privacy in Surveillance Societies, [1989, 443 pp.; The University of North Carolina Press, P. O. Box 2288, Chapel Hill, NC 27515-2288, ISBN 0-8078-1871-2] which is a review of the laws of Germany, Sweden, France, Canada and the United States on data protection, and is really the key current work in the area. I recommend it highly to you.

Our final speaker is [as] close as we can get in the United States to a data commissioner, or a data czar. ... Rob Veeder works with the Office of Management and Budget and for a number of years was desk officer in the OIRA, Office of Information and Regulatory Affairs. His desk job was to run the privacy issues and also some freedom-of- information issues. He's recently received a promotion and is now the section chief for information. He is the person who knows, in our government, the most about the ... implementation of the Privacy Act, Freedom of Information Act and matching statutes, and [is] as close as we get to someone in government who kind of understands and is responsible for the overview of privacy.

PLESSER: ... We did a tutorial on this issue yesterday, where I was in a smaller room with a much smaller group. It was really interesting to me because we spoke about international privacy for about 45 minutes or an hour, and then it just exploded into an issue of the whole subject. It's curious to me, too, that ... we're talking about the international implications before we talk about privacy as a base issue. Hopefully, we can focus on international, but we will talk a fair amount about the domestic privacy activities in the United States and some of the concerns and good benefits of those systems.

Why are we worried about Europe and the international implications? Why are we talking about it on the first day of this conference? The answer, I think, is pretty straightforward. The European Commission last September issued a set of directives - one of which deals with privacy of databases; others deal with security of information; another deals with communication networks.

But the one we will focus on today is privacy of databases. It's important because it's a set of rules under which each state in Europe who's a member of EC [European Community] will have to adopt legislation.

It's important to us for three reasons. One, is it's going to impact how everybody does business in Europe, for reasons that we will say. European companies, U.S. companies, Canadian companies - everybody's going to be impacted equally. But it will limit some of the electronic activities that we are used to doing through some of the provisions, or at least my theory is that it will limit some of the things that we can do.

[The] second reason is that there are provisions in ... the proposed [EC] legislation that exert extra-territorial jurisdiction over databases and information that is accessible and used in Europe but may be located in a third country, and that is of great concern.

Similarly, part of that issue is the old trans-border dataflow issue. European countries are asserting a legitimate interest in saying: If we have good data protection in our country or our set of countries, what happens when that data flows to other countries that don't have - the current word is - "adequate level of protection." What do we have to do to make sure that there doesn't develop a set of data havens, or what we know in banking as "offshore banks" or offshore havens, where people can do evil things to data outside of legal parameters?

The third concern: When you have anybody as large as combined Europe setting up database principles on how data is collected, used and disseminated, that's a lot of standard. You know, that's a lot of people demanding one standard. That's obviously going to impact our standards. It's going to impact how we do business in the United States. It's going to impact our privacy laws, and it's going to [have] - and there already has been, I think - a clear impact on how we look at privacy as a result of the European models.

So I think it's important, again for three reasons: one is the impact on business in Europe, two is trans-border dataflow, and three is the model that it will provide for the development of U.S. privacy in the United States.

Let me talk about a couple of conceptual issues first. As happened yesterday, this question is difficult. We will also talk about the two defining principles in the EC concept.

One defining principle is Europe and other countries, or "member countries" and other countries. "Geographic borders" is a defining principle. Another defining principle is private sector and public sector. They have different rules. I think Professor Tribe, this morning - and I think all of us - realize that it's going to be exceedingly difficult to maintain those barriers in the new world of technological improvement and explosion [of] electronic information.

[Consider] the idea of being able to place a set of national rules on data that's flowing around an open network - even a credit-card network, something as kind of mundane as that - which travels all the way around the world [with] entry points at any point. It really is very difficult to say ... which laws apply. It's like where most of the interests sit.

I think it's going to be very hard to address those concepts. Conceptually, it is very hard to talk about national borders in this arena, and I think that's one of the problems.

The second problem is this private-sector/public-sector definition issue. It is very difficult ... to define in some cases what's the difference between the types of systems and how you can create defined rules on that basis.

Let me give you a real quick history ... of ... modern data protection generally, with an emphasis on the European activity. ...The modern beginning of data protection probably was many of the works of Alan Westin in the mid-'60s when he defined the current record and privacy issues.

But the first real governmental look at those issues was a 1973 report that HEW [U.S. Department of Health, Education and Welfare] issued on records, privacy and databases. The chairman of that advisory committee and very principled author of that is sitting in the front row - Dr. Willis Ware, from Rand, who was very instrumental in that and later efforts in creating the Fair Information Practice Principles that were really first enunciated in that report. That really got a lot of people interested.

In the United States very quickly thereafter there was passed the 1974 Privacy Act, which covered, in an omnibus fashion, all records in the federal sector - but did not relate to state or local records or private- sector records.

They also set up a Privacy Commission, of which I was General Counsel. The Privacy Commission issued a report several years later, in 1977. Willis was ... Vice Chair of that commission, and we issued a report in 1977 making recommendations, really elaborating on the HEW concepts.

Meanwhile in Europe, the Swedish government was the first to act. In 1973, they adopted a data-registration system that required centralized registration of data in Europe. Then several other countries in quick suit - France, Germany - in the mid- to late '70s adopted national laws of privacy protection. Then in 1980 the OECD - the Organization of Economic Community Development, which is not just a European agency but has about 23 countries, including the United States and Japan; ... the economic leaders of the world belong to OECD - came out with a set of generalized privacy guidelines. The United States did not formally sign on to [them], but about 140 companies in the United States adopted and signed on to those guidelines.

Two years later, the Council of Europe promulgated a treaty on privacy which was more specific than OECD, but also was really not much more than a general pronouncement of principles. That was enacted and signed and implemented by seven countries in Europe. There were five countries - Italy, Spain, Portugal, Greece and I think one other country - that did not sign on to that.

Things have been relatively quiet in the '80s. Then, with EC92 coming on; with the concept of open borders ... and very legitimate concerns of some member nations in Europe ... about information being able to freely flow from border to border; with the history of intransigence of certain of the governments (like the Italians, ...Spanish and Portuguese) to create any level of data protection - [with all these concerns] - this EC Directive was developed to create a uniform standard of privacy protection for Europe.

Tom Riley will give you much further detail about the political atmosphere in which that is currently being [developed].

[Here's] a quick overview of the state of the [EC] regulation, so that you can see some of the issues, and ... it will focus some of the more general privacy concerns that we have.

There are two objects. One is, "The member states shall ensure, in accordance with this Directive, the protection of the privacy of individuals in relation to the processing of personal data contained in data files."

Two: "The member states shall neither restrict nor prohibit the free flow of personal data between member states for reasons to do with protection afforded under paragraph one."

Initially, we see a balance between data protection, the privacy interests on one hand, and free flow on the other. Certainly there is free flow within Europe. One of the questions we'll want to talk about is how free that flow may be outside of Europe.

I've not [outlined] all the definitions because the definitions are fairly straightforward. But, this applies to both manual and electronic data and has a definition of personally identifiable information that is fairly familiar to most of us in terms of data that can be identified by name or characteristics.

I thought this [excerpt] was an interesting one to give you a feel, because of the territorial issue: "Each member state shall apply this Directive to all files located in its territory. The controller of the file resident in its territory who uses from its territory a file located in a third country, whose laws does not provide an adequate level of protection, unless such use is only sporadic. - ." [laughter] Well, I have a part of the speech where I talk about how vague the statute is, so I don't need to make that speech after you [see] how unclear it is.

You can see that there's an axe in there in terms of extra-territorial jurisdiction over databases that are feeding Europe. And, if you look [around] any kind of modern network of information, of distributed information nodes coming into a large network, the [hidden] jurisdictional control ... is of great concern.

[There are several] public-sector requirements, and there are very basic fair-information-practices principles that Dr. Ware and others have developed. They're not very well defined or very elaborate - certainly far less elaborate than what we have even in our U.S. Privacy Protection [laws], and far less than anything we have on stored data or electronic files.

So, "Creation of a file must be related to the purpose of the agency. The processing of data, ... other than for which the file was created, shall be lawful if the data subject consents. It is affected on the basis of community law or law or measure taken pursuant to a law or member state conforming with the directive which authorizes it and defines the limits thereto."

I actually don't like that because it doesn't ... create any concept of notice to the data subject. It just says if it's required by law, but it doesn't give any definition of what that law should say, which is including notification of information practices to the data subject.

Then you have, "The legitimate interest of the data subject does not preclude such change of purpose if it is necessary in order to ward off an imminent threat to public order or serious infringement of the rights of others." Again, very general requirements.

On the private-sector data, there are three principles. "Member states shall provide [in] their law that, without the consent of data subject, the recording of a file or any other processing of personal data shall be lawful only if it is effected in this Directive, and if the processing is carried out under contract, or in the context of a quasi-contractual relationship of trust with the data subject and is necessary for its discharge." (This would be bank accounts, credit accounts, the kind of thing where there's some kind of subscription agreement, or pre-notification as in insurance records.) "The data comes from sources generally accessible to the public, and their processing is intended solely for correspondence purposes."

Let me give you an example, and let me just focus a minute on that one. Let's say that Nexus ... has contracts with Figaro and other European newspapers ... to do what they do with U.S. newspapers, which is to put the stories in electronic format and to create a retrievability by name so that you can look up and see how many times you got quoted in a newspaper.

Certainly that's available now in the United States, and it's probably available in Europe. I'm reading this hypertechnically and I acknowledge that. I'm sure what I'm about to say was not intended by the drafters. But if you read this statute - if you read this legislation - clearly the impact is that you cannot take information from sources generally accessible to the public [and] data-process it without the consent of the individual, unless you're doing it solely for correspondence purposes.

Nexus or [other on-line use of articles] is not solely for correspondence purposes. So clearly the kinds of electronic-data services - the kind of activities that we've grown used to in the United States - would be severely impacted by that clause. We may get a comment that that wasn't intended. I hope it wasn't. I hope it changes. But that's what the law says now, or that's what the draft says now.

"The member states shall provide in their law that it shall be for the controller of the file to ensure that no communication that should be incompatible with the purpose ... of the file is contrary to public policy. In the event of on-line consultation, the same obligation shall be incumbent on the user."

The last section I'd like to [review] - and there's a lot more here on the definition of informed consent, and we can talk about that later ... - [are] trans-border dataflow issues: "The member states shall provide in their law that the transfer to a third country, whether temporary or permanent, of personal data which are undergoing processing or which have been gathered with a view to processing, may take place only if that country assures an adequate level of protection."

What does that mean? What does that mean in relation to, "Are our laws adequate?" They are certainly not equivalent, ... and some argue that they're not adequate in an absolute sense of adequacy for the general principles of privacy. But in this context, are they adequate so that Europeans, for example, can transfer data to the United States without fear of them being abused and misused?

How the United States will stack up with Europe is going to be an open question. It will force us to examine our own laws a great deal. ... We have nothing like this. We have no omnibus statute with the data commission governing the private sector. But we do have a fair amount of legislation.

[Next,] Mr. Riley [will] discuss some of the political activity in Europe and some of his particular views on these issues.

RILEY: Thank you, Ron, and thank you for showing us the directives. I think it's quite clear they are complex, to say the least, and in many instances vague, and - a third thing is the obvious - very bureaucratic.

Having said all that, you can just forget everything you just [heard] because that whole thing is being rewritten because of great protest from not only the private sector but from governments. So we are going to see a drastically reformed EC [Privacy] Directive, come this summer.

[Ron's review] really indicated a lot of the problems ... not just for American corporations or Canadian, but actually for people doing business in Europe itself.

I'd like to quickly give an overview of some of the political aspects of the tensions between freedom of information and privacy which are driving this debate - and actually the attitudes towards specifically the United States, and why this has become an important issue for Americans from the point of view of what is going on in Europe and the attitude [about] data protection.

The last thing I want to mention is the actual proposed Data Protection Board, here in the United States, and why it would be a very good thing for Congress to pass the current bill that is receiving very little attention in Congress at the moment.

First of all, interesting enough, data protection is not new to the EC. There was an initiative when the OECD guidelines were drafted in 1981. The EC took this up as an issue. But at the time they were mostly seen as an economic body. The popular wisdom that evolved within the commission was, "Well, we don't really need to worry about this because it looks like data protection is evolving as a human rights issue. We're more concerned with economic issues."

Well, ... the philosophy of the EC changed quite radically in 1988 when Jacques Delors came to be President of the EC, and rapidly started to take Europe towards an integrated market which would allow the free flow of services, goods and information.

That changed the data-protection debate radically. It gave focus to two data-protection laws, because a lot of the data-protection registrars and commissioners responsible for laws in each of the countries started to make a lot of noises about those naughty European countries that didn't have laws. If they thought they were going to be able to pass information from, say, the United Kingdom to Turkey or Portugal without having some kind of equitable law, then they better start thinking [about] this in a very serious way because they weren't going to put up with that.

The reason that statements like that were able to be made was the fact that most of these laws contained what is called a "trans-border dataflow clause," which means they may or may not have the option to restrict the flow of data from one country to another.

The attitude started to change within the EC, ... that, "OK, what we need now is harmonized laws, or a directive for the passage of harmonized laws." But, as the debate escalated politically among the EC itself, and what it would become, it moved from just being an integrated market to [where], now, they're talking seriously about not just economic union but political union in the years to come.

This is a very heated debate in Europe. A large part of the downfall of Mrs. Thatcher wasn't just the ugly poll tax. It had everything to do with her attitude towards Europe and a disagreement within her own party about what United Kingdom's role should be within Europe. That's just one manifestation of how this spilled over into the data-protection debate.

... A lot of rumors have gone around about, "Why did the EC step in?" Apart from seeing it as an economic reason, one of the theories that has been floating around ... was ... that - when the data-protection commissioners started to make noises a year ago about restricting the flow of data, not only within Europe but possibly to non-data-protection countries - ... the EC themselves actually wanted to take this directive and to put control on it because they wanted to ... control how this information moved.

Why? For a very simple reason: The overall purpose of the union is to make the integrated market work. To make this work, they have to harmonize their laws; they have to harmonize their thinking. Mostly, they have to harmonize the free flow of information because - stating the obvious - with the development of technology and automation (obviously information flow was along electronic networks) the old paper days are almost gone.

This made data protection even more important because data protection now has everything to do with computers and not a lot to do with manual files. [As a] matter of fact, the majority of laws don't [concern] manual files. Rather, they deal with automated systems.

What came out of this - though when they did it, it seems that the EC directive was written in a vacuum - they didn't go and seek advice from the member countries with current laws. The data-protection commissioners themselves were making noises about stopping the free flow of data for some time, and also started in talking about the tensions between freedom of information and data protection. But there was not a lot of consulting that went on, and there was minimal consulting with the private sector.

The result was [the draft EC Directive] which in the eyes of many was something that came out of the late 1970s or early 1980s and didn't deal with a lot of the evolution of data-protection laws that [is] currently going on in Europe - for example, second-generation DP [data processing] laws which allow for self-regulation, such as in the Dutch model which has now come out and, I might add, the approach that Japan has taken.

Of course, the private sector reacted very strongly. There have been numerous meetings, first with the OECD and then in meetings between the European Committee data commissioners and the business community. ... There are very conflicting signals coming out of those meetings. At the OECD meeting - all private, but nothing's private anymore; everybody knows it the next day if you're interested enough - out of that meeting came the message that, "Well look. Don't really worry in the North American market. This is only aimed at the European market. You have nothing to worry about." Out of the meeting in Brussels at the end of November, it was, "We have to take very seriously the information and data going to non-data-protection countries." That includes the United States.

The point is, it's a very fluid time right now. There's a lot of lobbying going on. Essentially what they are going to come up with is a harmonized directive. It's being taken seriously because Greece and Italy are finally taking measures. In Italy it's very difficult for anything to get passed because there are so many political parties there - at one time I counted 23 different data-protection proposals.

Maybe they'll all have a party and all agree on one. But, they are going to be forced into it. Greece is going to do something. And Belgium, which has been talking with us for a long time, feels very compelled to do it. The EC is located in Brussels and it's rather embarrassing for the European Community to be talking about harmonized laws and the host country doesn't even have one. However, this is going to come about.

There's a very interesting part of this whole business about trans- border dataflows. There's a big argument within Europe itself about who should control this. Should it be the member countries? The United Kingdom I'm sure would rather prefer to apply their own laws on trans- border dataflow, whereas Brussels is saying they shall become the body which shall decide on the transfer of information within Europe - in other words a licensing authority. The private sector again reacted very strongly in the November meeting and said, "This is impractical. You're going to weigh us down with these bureaucratic measures. How is that going to help the free flow of information?"

I think we will see a dramatic change because the primary purpose is economic, but at the same time the EC [has] recognized that this is a human-rights issue that can't be ignored.

... The fact is that we're going to get something. I think it's going to be in a very different vein from what Ron has [described] today. I think it'll be not so much watered down, but will take into account a lot of the problems that they've encountered amongst themselves.

One of the things is [that] many countries are disagreeing in private about the kind of harmonization they want. David Flaherty is much more able to talk about this than I, but if you look at the different laws in Europe, you will see they take very different approaches to how they administer data protection, or even implement the privacy rights.]

I must stress, though: Data protection is inevitable in Europe. We're not talking about a lessening of the right of the individuals to have their information protected and all the fair-information practices go with it. There are going to be laws. I'm only talking about the degree to which the Directive will turn out. I'm not suggesting in any way that there be a lessening in data-protection rights. No, it's only going to be a matter of degree in how they apply the Directive.

The problem you have also is a lot of the countries don't want the power going into Brussels. This is part of the overall larger political argument about where shall the sovereignty rest in Europe. If they go towards political union, will we see the development of a large bureaucracy in Brussels or will we maintain the independence? Anybody that knows anything about European history knows this is a question that is not going to be resolved in a very few months or overnight. This is going to take years. But we will see something by January, 1993.

As to the freedom-of-information debate, it had never been [taken] seriously in Europe, even though many laws had been passed, such as in Denmark - and, [in] Sweden, it goes back to 1776. But there'd always been [an] anathema attitude to these laws. Basically, Europeans have always operated in a very secret culture and in very layered structures of dealing with the public, so as not being conducive to freedom-of-information laws.

The onslaught of technology and automated systems has changed that radically, and we are now seeing a debate between the balance [of] necessity for the free flow of information out of government. Again, it's economic-driven for the simple reason that the governments in every country are the largest library in their country. They contain pervasive amounts of information that need to be shared not just with the corporate sector but also with the private sector - public-interest groups and others - to whom it is necessary to run the affairs of state and the country.

For viable economic and workable cultures they are now saying that we need to see the evolution of some form of freedom-of-information laws, which is not going to see just a few benefits but many.

This is going to be a long process - coming back to the EC Directive - mainly because each of the countries are adopting their ... positions. In the meantime, we are seeing the escalation of these laws and they are going to pass very quickly.

Let me say why this is important to [the] North American environment - and I include Canada in this as well as the United States. Mostly, the fixation in Europe is on American corporations. I've been to many meetings for the last 15 years where a lot of hostility is expressed for the simple reason that they think Americans don't take privacy seriously. I think now, with the EC directives to act as a catalyst for the debate, some of these positions have softened and they've come to realize that they can't just willy-nilly impose EC directives on an American market.

Because it's quite obvious to everybody that what they're talking about is a non-tariff economic barrier. You start talking about a non-tariff economic barrier and you're going well [beyond] the confines and walls of data protection. You're going into a political level. They have to take a very realistic approach to how they're going to sell data protection to the Americans.

I think out of the last meeting that occurred among data commissioners in Paris, that was the message that was delivered. They have to recognize the development of a lack of climate in the United States for a federally regulated system which would cover the private sector such as they do in Europe.

Having said that, I think there is still a persuasive argument for a data-protection board in the United States. Not only do I believe that privacy itself - and some forms of protections are inevitable, not only here but around the world, in the western world in particular ... - will evolve in central Europe because of technology itself.

As we know from the Lotus case in the United States - where 30,000 people on e-mail responded to the CD ROM and forced them to cancel that project because of these privacy concerns - that there is a large constituency that is very concerned about their privacy.

... Looking at this in [the] context of Europe, I would say that one of the persuasive values for a data-protection board would be as a speaking body to be able to liaise with the Europeans. I can foresee a scenario in 1993 where ... once they ... have the Directive - the harmonization of the laws will take years - I can see some country saying, "Well, you know, let's look at this trans-border dataflow clause in our legislation. Why don't we take a test case? We have XYZ corporation which is sending enormous amounts of information on employees. They're an American corporation. They operate in our country, but they're sending it back to head office in New York or San Francisco or wherever. We feel this is a violation of the rights of our individuals and also of our sovereignty ... . [Note that] there's a sovereignty question here. Therefore we are going to impose a restriction and stop the flow of this information." Then watch the sparks fly.

Having a data-protection board will at least put a body there that can do many things. One is raise the awareness of privacy issues in the United States; also act as a liaison with the European countries and the concerns they have. And, generally raise the issue to the level to which it belongs. And on that note, I will end .... [applause]

FLAHERTY: I'm going to use the podium because I'm going to pretend I'm George Bush and give a speech that I think George Bush should have given, if he had been here at this conference. I'm partly giving it because my pals last night, when I was catapulted onto this panel, said to me - [when I asked], "What am I going to do?" - said, "Aaah, give your speech."

I'm as tired of my speech as they are, so I thought I'd give a George Bush speech. And I'm naive enough and optimistic enough at the same time to actually believe that this is the kind of speech that George Bush should give, for reasons that I will try and explain to you - although I suspect Rob Veeder will get up and explain why George Bush would never give this speech. In fact when I asked Rob a few minutes ago where George Bush would probably give this speech, he suggested the Gridiron Club. [laughter] I think this is a more serious privacy conference in San Francisco.

If I were George Bush, I'd begin this way. (I'm aware that for a Canadian to do this must be a form of lese majeste, but [laughter] Ron Plesser can add a criminal-defense side to his practice if I'm charged in D.C.)

"In the aftermath of Desert Storm, I think it's time to get back to some domestic concerns in this country. [applause] As you know, I've also had to spend a lot of time hanging around with foreigners in the last six months or so. [laughter] I've been talking with Margaret Thatcher and then with John Major. I'm been in Bermuda recently, even with Francois Mitterrand, with Chancellor Kohl, even with Brian Mulroney, my good buddy in Canada.

"And in the process, we finally talked about some new things I can do. Now that the great military might has reasserted itself and we've taken care of Saddam Hussein, it's time to get back to some domestic concerns. So I chatted with these people about some of the things I could do. And even Margaret Thatcher said, "Well, there's something fairly easy to do. Doesn't cost much. When I was Prime Minister in 1984, I enacted a data-protection law, which was to protect individual privacy. And I'm sort of vaguely aware you don't have very good privacy laws in the United States.

"Well, both Barbara and I were very insulted when these foreigners started to talk about weak privacy protection in our own country, for reasons I will remind you of in a few more minutes. Even Chancellor Kohl was telling me about extending their very strong system of federal and state data protection to East Germany. I mean, imagine! They're going to try to do that to the land of the Stasi [East German secret police]. If they can do it, I think we've got ... our socks to pull up in this country.

"Then there's this business of the EC initiative. Now I've got businessmen at our regular cocktail parties, and businesswomen, telling me that there's this EC initiative, which appears to be a royal pain in the neck for American companies. And my view is we've got to persuade these Europeans that we've got as good laws in this country as they have in their own country.

"In fact, what I think we need to do is reassert U.S. leadership in a global privacy policy. I want the United States to be the leader of the world in practically everything, [laughter] and I think we should do it in privacy policy as well. Particularly because, although I didn't go to law school, [laughter] I'm well aware that one of the great law-review articles of all time was [Louis D.] Brandeis and [Charles] Warren, just a hundred and one years ago in the Harvard Law Review - when they basically invented the legal right of privacy.

"Some people claim that Alan Westin invented it, [but] it was actually Warren and Brandeis, a hundred and one years ago. [laughter] It showed the kind of leadership [when] ... the frontier hadn't even closed ... and here our law reviews were carrying articles on the right to privacy, which were very well received at the time.

"I'm also aware, because I've been around Washington a long time, that a historical accident happened when the Privacy Act of 1974 was passed in the unfortunate aftermath of Watergate. I understand - I'm told by my very well-informed officials at OMB [Office of Management and Budget], who are very much in favor of what I'm about to tell you" [laughter] (this may give Veeder the big one immediately) [laughter] "that the original Privacy Act included the creation of a Privacy Protection Commission, which was actually going to do something, to make something out of the Privacy Act of 1974.

"And some very good people, like Sam Irvin, the patron saint of privacy in this country, and some good Republican senators like Charles Percy, and even Mayor Koch, later-to-be mayor Koch of New York, and Barry Goldwater, thought there ought to be a Privacy Protection Commission created.

"But Gerry Ford was sort of new at the game. He was a little tense, and he threatened to veto the legislation if the Privacy Protection Commission was left in there. So it was taken out. Now, I hate to have to admit this, but the fact has been that only a couple of people in OMB have, since 1974, been trying to make the federal Privacy Act of 1974 work. And while it's there, and they publish a lot of systems notices in the Federal Register, it would be hard to argue that it's a very effective piece of legislation. Plus, I'm sick and tired of these Europeans telling me about all these laws. And never mind Canadians - now, Brian Mulroney telling me how to better protect privacy is really a bit much.

"I also accept, as do my recent nominees to the Supreme Court, that there is a right to privacy in the Constitution. That simply reaffirms the fact that privacy has a great track record in the history of the United States. [laughter] I also want to tell you, my fellow Americans, that this is an issue for Republicans and conservatives. [laughter] It's not simply an issue for the Left. I consciously sat, in fact, at this podium to the right of Rob Veeder [laughter] to try to assert the fact that this was a matter that Republicans and conservatives ought to be really concerned about. It's not something for left-wing phonies with beards and the like, and long hair. [laughter] It's a matter that the vast majority of you good Americans who supported Desert Storm are going to want to be in favor of.

"And ... privacy ties in with individual initiative, with freedom, with individual autonomy, with the preservation of personal integrity. Now, I know those are a lot of big words, [laughter] but those are things that are enshrined in our Constitution - and are matters of great concern to Barbara and myself. [laughter]

"Ahem. I would also like to add, and I think this is really the theme today, that an open society - and we value that as a paramount good in our society - needs good data protection. It's evident to me from a survey done recently by one of our great American companies, Equifax. They did a big privacy survey, it was released at the White House last June [and it] shows that Americans are very concerned about the preservation of their personal privacy. I think we've got to do something about that.

"Now I'm not trying to run a Big Brother government, where I'm going to tell you as President of the United States exactly what you ought to do. I think we've got 50 states in this country. I hate to say that none of them - none of the states - even have good data-protection laws of a general sort, like these European states have, in Germany or in the Canadian provinces, like Ontario and Quebec. I think we need to experiment here. I don't have an absolute solution for how best to protect the privacy of individuals in this country.

"I understand that Congressman Bob Wise, who's regrettably a Democrat but nevertheless [laughter] has a Data Protection Board bill that's been kicking around Congress for awhile. It'd be kind of a cheap thing [to do]. We've got a Mammal Commission of 3,000 people to protect mammals. We might as well have a small commission of 50 or 100 people, in terms of staff, to protect individual privacy. It will get the Europeans off our back, in particular. It will be an advisory body only, the way Congressman Wise has written this bill. So, I think that's one of the alternatives we should consider in this country.

"I know that some of the Canadian provinces have even given regulatory power to an agency of this sort, to a Data Protection Commission. Now, it's not in my Texas background or my Maine background to want to run around advocating regulatory commissions of any sort. But if we really want to be at the cutting edge in this privacy business and really put the Europeans and Australians to sleep, we might want to give a slight bit of regulatory power to this group. I'll leave it up to Congress to decide.

"But I am persuaded that we do need an ombudsman for citizens. Now we don't want to interfere with the livelihood of the 700,000 lawyers in this country. [laughter] We don't want to keep these people from going to court, and I think all of us want to promote the inalienable right to sue in this country. [laughter]

"However, we also want to create an ombudsperson, an ombuds- office. This data-protection commissioner's office should have some way of helping individual citizens before they have to go to court. Let's face it, Mr. and Mrs. Average American, none of us can really afford to go to court. [It would help if we could] go to an ombudsperson, perhaps at the federal and state level, to get help with what we perceive to be our privacy problems.

"I would also like to urge our great American companies, many of which have lots of personal data on billions and billions of us, that they should do more to self-regulate, to implement fair-information practices, to reassure our great American people that our privacy interests are actually being protected.

"I think that we don't need any more consumer firestorms such as struck Lotus Marketplace in January. I also would like to finish this Fireside Chat by telling you that data protection begins at home. [laughter] I want all of you good Republicans and good Democrats to start worrying a little bit about your individual privacy at the level of what you next give out to whoever starts asking you questions. You have to realize that preserving your privacy begins with you. Barbara and I both know that in 1991 it's pretty difficult to protect your privacy all by yourself because we've been filling out forms for 50 or 60 years, and so have most of you. But nevertheless I'd like all of you to become a little bit more sensitive to this whole privacy issue. And on that, my fellow Americans, I'll leave you." [applause]

PLESSER: That's great! ... I'm completely grateful, though I always have to say that in the United States we do not have data protection - although we have a lot of privacy laws. In Canada, the privacy laws apply only to [the] public sector, and there [are] almost no [private sector] laws in Canada. So it is my turn next month to give the Mulroney speech in Canada - about how we need to get some privacy protection up there on private records.

FLAHERTY: There's no truth to the rumor that Ron's a Democrat.

VEEDER: Aren't you required to repeat that speech in French? [laughter and applause]

FLAHERTY: Mes citoyens, et. ... [laughter]

VEEDER: Aaaah. Whenever I show up on a panel with these guys, I'm reminded of a former boss of mine, Jim Miller, who was prior director at OMB [U.S. Office of Management and Budget], who was invited to address the ABA [American Bar Association] at one point, and solicited some advice from some lawyer friends of his. They said, "Be humble." Every time I appear with these guys, that advice becomes more real to me.

I'm in charge of the Information Policy Branch at the Office of Information and Regulatory Affairs, OMB. The intent of Congress in establishing the Office was to bring some coherence to the process of managing government information and the resources that are used to acquire that information. And we try to do both things.

... We have responsibility both under the Privacy Act and under the Paperwork Reduction Act for the agency's implementation of the Privacy Act of 1974, to a lesser extent parts of the Freedom of Information Act, specifically pertaining to fees, and the Computer Matching and Privacy Protection Act of 1988 - which is the first major amendment to the Privacy Act, I would argue, and tries to bring some procedural regularity to the use of computers to match personal information and the provision-of-benefits area, eligibility for determination of eligibility for benefits: food stamps, AFDC [Aid to Families with Dependent Children] and things like that.

So why am I on this panel? I have no particular interest in the European Community or in international dataflows. I guess maybe, as David said, data protection begins at home.

I would argue that the federal Privacy Act of 1974 is really the only existing model that we have that imposes fair-information-practices principles on a wide range of data. The act covers things like personnel records, things like medical records - a whole range of federal records. Now, [it deals] with the federal records exclusively, except in one area, and that's in the matching area, [where] the act has been pushed out to state and local records. That's a very small area. By and large, it's a federal-records statute.

I would also argue that perhaps the federal Privacy Act and its principles and its difficulties in implementation in this electronic-records era may provide some models - at least cautions - that would let us (assuming that we do need a data-protection statute or a data-protection commission or whatever) deal with records that are outside the federal arena, or even records that are in the federal arena which the Privacy Act doesn't deal with very well.

The second reason I think OMB is involved is because - to the extent that legislation is needed to take care of these problems - OMB clears legislation for the government. It flows through OMB, and statements of administration position are developed and presented to the Congress. Also, we fund things. If there is such a thing as a Data Protection Commission, it will be subject at some point to some funding constraints. And that's a very powerful tool to decide how a commission is shaped, what kinds of things it can reach and so forth.

I've been thinking about the problem from the other end. Assuming that we do need something like a Data Protection Commission, ... what would it look like? How would it be constructed? What [would] the players involved - who might bring it about - look like? What would the process be like?

Frankly, the history of efforts to establish things like data- protection commissions - or even to extend the principles of the Privacy Act through legislation to other kinds of records, private-sector records - is not particularly promising. As David pointed out, the Data Protection Study Commission was originally not intended to have "Study" in its name. It was intended to function as a Data Protection Commission, and that was a compromise. They did a superb job. The document that Ron held up is only one part of what it did. It looked at privacy issues across the government and across the nation, and issued a very comprehensive six-volume report dealing with those issues in 1977.

But it never became what the Congress, at least, started out thinking it should be - a Data Protection Commission. If you look at the Carter Administration legislative initiatives attempting to push [the] private sector, using a model something like the Privacy Act, trying to push those principles to the private sector in dealing with specific categories of records - that was pretty much of a failure.

It was a wonderful effort that ultimately crashed. I think it dealt effectively with areas where there was a real concern - consumer privacy, things like that. But, [for instance with] medical records, [the] AMA [American Medical Association] was not particularly interested in having its opinion second-guessed by presenting the right to patients to have access to medical records. So there was a lot of smoke, and a lot of fire. A lot of energy went into the development of this legislation, and ultimately very little of it was enacted.

Recently we've had an effort by the Subcommittee of Government Ops (now chaired by Congressman Wise of West Virginia) ... to establish a Data Protection Commission [but] without power, I would point out. ... It's not a regulatory commission, but it's a commission that's designed to look at these issues, and maybe could grow into something that would be more regulatory.

The bill has been introduced for a number of sessions of Congress and has been the subject of hearings, but nobody has taken it up. Nobody's pushed it. Nobody in the Administration has been interested. And that's not an expression of hostility. It's more apathy, and the same kind of apathy, I think, that exists in the public, by and large, for the creation of these kind of legislative solutions.

Why is there renewed interest in privacy? ... For the first time ... in ten years I detect an interest in privacy issues and concerns about privacy issues that just hasn't been there before. The public apathy maybe is ending, to a certain extent, and this may give us a window of opportunity to do something.

Why? Because we're keeping more records electronically. We're spending something like $20 billion a year to buy ADP [automatic data processing] and telecommunications goods and services. We rely to a tremendous extent on this technology to manage our government programs, funnelling a trillion dollars this way and that way. The effect of that is to put a premium on electronic record-keeping. We have to find ways of dealing with that more effectively.

There's also, I think, an electronic co-joining of interests that has not occurred before. And that may be the result of bulletin boards, electronic databases, telecommunications that marry interests and allow people to comment. I think that's the lesson of Lotus. I know David is concerned that the provision of 30,000, "Don't do it," telegrams to Lotus, or e-mail messages to Lotus or whatever, may wind up like, "Write a letter to your Congressman, clip it out of the paper, sign it and send it."

There has to be some balance in that process, but it's an interesting issue. It's an interesting process that enough people were concerned about it - 30,000 people - to send messages, to lobby Lotus. Not that they did it, but that they got together to do it and understood what the issues were and took some action. I think that's extraordinary. We've never had that before. If you look at the history of surveys, and you ask a question like, "Are you concerned that the government has too much information about you? Are you concerned that a credit company has more information about you?" the instinctive answer - my answer and your answer - probably would be, "Sure. Of course I'm concerned." "Well, what are you going to do about it?" "Well, I don't know." No actions. The issue sparks and it dies.

Now we have the means to make that much more real and much more long-lived, and we'll see if that happens. If it does, I think we have a chance of doing something interesting as far as regenerating an interest in privacy in this country.

There's also the EC issue that's been ventilated fairly thoroughly here. But it's an expression of a world-wide general interest in these kinds of issues. That may feed the United States' interest as well by focusing it on dataflows and privacy protections, consumer-privacy issues, both from a consumer standpoint and from a business standpoint. I think businesses are becoming more sensitized to this issue as consumers press them, as consumers become more educated and more interested and more capable of dealing with these concerns.

Having said that, we may have at least some way to influence the process. What kind of models do we have? We obviously have many state and local laws. ... Robert L. Smith produces, if you haven't seen it, a compendium of state laws and some local laws that's an excellent volume. He publishes and updates it about every two years. And, they are not simply the laws that we have at the state and local levels... that deal with governmental records. They deal with a lot of different kinds of records. The problem with them is they are disparate. They deal in different areas. They provide different levels of protection. They address different kinds of records. There's no coherence to our state and local efforts.

Extend the federal Privacy Act as an option? Probably not. That's been looked at, thought about - and I will read Ron Plesser's words back to him, "The Privacy Protection Study Commission, 1977, thought about that, rejected it and said the last thing we want is to put the federal government in the middle of every information flow in the country." We'd have to think very hard about that in extending the Privacy Act to cover non-federal records, or non-governmental records.

One other option is something like a safe-haven statute, which would be a voluntary statute, something like the Foreign Corrupt Practices Act, that allows interested parties to sign onto the process and to accept some kind of legal constraints. What would that be? Well, in order to make it effective, you'd have to have some kind of oversight, some kind of ombudsman. I don't know what that is; don't know what the mechanism is. It could be a federal commission.

The advantage of a federal commission is that it does have power to act. If it's a regulatory commission, it has power to enforce - something that the Data Protection Commission [of] Congressman Wise's bill would not [have]. The disadvantages are that - through funding, through appointments - such commissions can be rendered less effective than their framers intended.

Could it be something like a self-regulatory organization - a collection of interested parties that would come together and be licensed or chartered by the government and ... oversee this area, something like the securities-and-exchange licensing of National Association of Securities Dealers, or the Chicago Board of Trade? The Board of Trade's not a good example. The New York Stock Exchange, that has a very narrow focus? Regulatory authorities, but not itself a governmental entity? I don't know, maybe that's a possibility.

Or there could be no body, and we could - as to a certain extent the Privacy Act does - require the citizen to come forward and to pursue his own concern, his own problems through the courts. Enable the person by giving him access to the ability to sue. Just possibilities, I don't know.

What changes would have to happen if this were to occur? I would point out that the Budget Enforcement Act of 1990 set very severe spending limitations. There were three caps on where the money goes: domestic spending, international spending, and ... DoD spending, defense spending. And, within those caps people are competing for money.

I don't think there's money right now to fund a new commission. I'm not sure that there will ever be sufficient money to fund a new commission. And as we get further and further down the road, the next five years, those three money pots collapse into a single money pot. People will be competing for those resources, and they're diminishing resources. And, this time I think it's really real. There are diminishing resources.

I don't think there is visible administration support for a new initiative, especially a privacy initiative. That's not because there's hostility to privacy. That's because the administration hasn't had its attention focused, and there's no forum. There's no advocate in the administration for these kinds of issues. Nor is there really any congressional interest in it, except for the normal players: the people who have responsibility, Congressman Wise and so forth. ...

There's no organized citizen effort to generate this. There are some businesses concerned, but not an enormous bow wave of pressure that would bring this thing to being. The challenge is going to be to find a force, like the force that drove the Privacy Act into existence, to coalesce interest in this issue and produce some action. That's why I'm hoping that this conference ... - because we have good minds; people who are interested in this issue, sometimes passionately; people who care - ... may provide us some insights into this effort. ... [applause]

QUESTION & ANSWER PERIOD

PLESSER: [We have about five minutes for questions.]

AUDIENCE MEMBER: [... What is going on] in Japan and in the Soviet Union and maybe in any other key countries around the world?

RILEY: ... What the Japanese are looking to is they wanted to adhere to the OECD guidelines, as a signatory to the OECD, and were concerned about their flow of information into Europe, not into America. ... They did an extensive study, as they do there; they've done the same on freedom of information. They decided that they're more interested in privacy than freedom of information. But they wanted to avoid what they felt was the European trap, especially on this business of registering databanks, which is the U.K. model, one of the models. Sweden took that role, and as David Flaherty points out in his book, they came to realize it was unworkable, and lessened the way in which everybody in the country had to license their databanks. ...

The Japanese have looked at a lot of different systems and decided they liked this concept of second-generation laws which regulate our own files, i.e., the public sector, but create voluntary measures for the private sector, create a body. There is a (you can translate it) data- protection body within the Prime Minister's office. They're responsible for it in the public sector. In the private sector, what they are encouraging are voluntary codes, except they oversee the codes. They decide whether they comply to the law. Their idea is, do this first and if it doesn't work then we'll think of wider regulation in the future.

AUDIENCE MEMBER: I have a question about data destruction, actually. In the issue of privacy, one way to avoid the problem of how very carefully to safeguard data is simply not to hang on to it forever but really to destroy it in a timely way after it's served [its] purposes. ... Many international organizations - all the U.N. member organizations, for example - have records-scheduling practices that come out of traditional records-management methodologies, that say such-and-such types of records should be destroyed after such-and-such time. ... [Why wasn't this discussed?]

PLESSER: I think it doesn't enter the discussion because the European Directive doesn't have it. In the privacy laws that have been enacted in the United States affecting the private sector in the last ten years - on cable, video, on the other areas - there [are] destruction-of-records provisions. It is something we are very aware of. ... [Also], one of the most important privacy acts that the United States has passed in the last couple years to my mind is the polygraph statute, which prohibits the use of polygraphs - which means you don't start with a record in the first place on polygraph. ...It's not only destruction of records. It's collection of records in the first place where you can really assert the privacy interests. If you don't allow certain records that are inherently unreliable - like polygraph - to develop in the first place, then you don't have to worry about all the procedural concerns at the other end.

RILEY: ... Actually, in European law there is a destruction clause. It's that the Directive is more interested in the interchange of information and harmonizing laws and such, and that's why perhaps you haven't seen that.

PLESSER: I'm afraid that's the last word. We've just been given the hook. [applause]