Introduction from the Assistant Secretary,
National Telecommunications and Information Administration
The Global Information Infrastructure has tremendous potential to bring
economic, social and cultural benefits to America and its citizens. Because
it will facilitate and expand the flow of information between people and
from place to place, the GII promises enhanced educational and employment
opportunities, greater citizen participation, and improved delivery of
government services. Information technologies promise to revolutionize
the manner in which commerce is transacted domestically and across international
borders. The GII has provided faster, cheaper, and more reliable communication
of business data, so that great distances and multiple time zones are no
longer barriers to transacting business.
But while information technologies can bring these benefits to Americans,
they also present new challenges to individual privacy. Not only does the
GII make the collection, storage, and transmission of large amounts of
personal data possible, use of the GII creates information trails that,
without proper safeguards, could reveal the personal details of people's
lives. Failure to recognize and protect the privacy interests could slow
the growth of the GII. If we are to realize the full potential of the information
infrastructure, the legitimate privacy interests of users of the GII must
be acknowledged and protected.
This report explores the extent to which self-regulation can be an effective
means of reducing these concerns, as well as the benefits, challenges and
limitations of self-regulatory privacy regimes.
The National Telecommunications and Information Administration has worked
to ensure that all of the benefits of rapid, efficient information exchange
are achieved without sacrificing privacy. NTIA has been actively involved
in the search for solutions to the challenges posed by information technologies
to individual privacy since the early 1980s, when it worked closely with
industry to develop the Organization for Economic Cooperation and Development
(OECD) privacy guidelines. Its 1995 White Paper,
Privacy and the NII,
established a framework for safeguarding transaction information -- personal
information associated with subscribing to and using a telecommunications
or information service. Under the approach, companies would notify
their customers about how their personal information would be used and
obtain their consent, tacit or otherwise, before using it. This approach
would give consumers more control over information maintained about them
and allows them to make informed choices about the ways in which data about
them is used. And, it would do so without imposing inflexible regulation
on the GII in this early stage of its technological and policy development.
Since issuing the White Paper, NTIA has worked with the private sector
to monitor the voluntary implementation of data protection practices. We
have realized that many questions remain about how self-regulation works
and how it can be implemented. Most basically, we need to define what we
mean, as the term "self-regulation" itself has a range of definitions.
At one end of the spectrum, the term is used quite narrowly, to refer only
to those instances where the government has formally delegated the power
to regulate, as in the delegation of securities industry oversight to the
stock exchanges. At the other end of the spectrum, the term is used when
the private sector perceives the need to regulate itself for whatever reason
-- to respond to consumer demand, to carry out its ethical beliefs, to
enhance industry reputation, or to level the market playing field -- and
does so.
NTIA uses the term in its broadest sense to encompass all these meanings.
At a minimum, however, effective self-regulation must involve substantive
rules as well as means to ensure that consumers know the rules, that companies
actually do what they promise to do, and that consumers can have their
complaints heard and resolved fairly.
In issuing this call for papers on self regulation and privacy, NTIA
asked experts to explore the issues that arise in implementing self regulatory
privacy protections. How do self regulatory regimes work in market economies?
What elements if any are prerequisites to self regulation in an industry?
What are the existing models for self regulatory regimes? Is self regulation
inimical to the antitrust laws? What kinds of enforcement mechanisms are
appropriate? How have businesses gone about self regulating, and where
have they encountered benefits and challenges?
The first chapter of this volume explores what we mean when we talk
about self regulation of privacy in a market economy. It explores the market
for personal information and ways in which self regulation functions in
such a market. Certain articles also consider instances in which self regulation
may not be an appropriate means for protecting privacy, such as personal
information about children.
Chapter 2 examines the antitrust issues that may arise when rival companies
engage in self-regulation. The papers present opposing views. The first
concludes that in the rapidly changing economic and technical environment
of modern telecommunications and information systems, self regulation may
inhibit naturally occurring market forces. The second author finds that
industry self regulation of personal information use, while not exempt
from antitrust laws, is unlikely to run afoul of those laws, so long as
the rules imposed are designed to protect privacy and not to limit competition.
The papers in Chapter 3 propose models for self regulation. In this
context, two of the papers explore issues raised by self regulatory approaches
to protecting privacy by examining the experience of a specific company
and a specific industry. Others consider the efforts of national bodies
in implementing self regulatory regimes through standard setting and government-initiated
legislation. The articles in chapter 4 attempt to define more specifically
the preconditions and necessary elements of a self-regulatory regime for
protecting privacy, highlighting the role of consumer education.
Chapter 5 highlights some of the technological and policy mechanisms
available to make self regulation work, as well as the opportunities the
Internet may offer to give individuals the ability to make decisions about
the use and disclosure of personal information. One area of particular
focus includes the tension between the desire of users of the Internet
to be anonymous in online transactions and instances in which user accountability
is required.
One paper considers a labeling system for privacy protection and the
manner in which it facilitates consumer choice and control over information.
Even when these mechanisms are in place and working well, however, disputes
will inevitably arise. This chapter therefore also explores the potential
of online arbitration to address privacy disputes. Arbitration is adaptable
to any privacy policy and legal regimes, and the suggestion is therefore
made that it may be best suited to resolving online disputes.
In the final chapter, corporations and trade associations describe their
experiences in crafting and implementing internal policies to protect consumer
information.
This volume presents a broad array of models -- and specific tools and
mechanisms -- to further debate and help identify which approaches will
make self regulation work. The contributions to this publication indicate
that the private sector is implementing self regulation on a company-by-company
basis. At the same time, economists, lawyers and privacy experts are exploring
carefully the issues surrounding self regulation. The constant development
of new information technologies may well enhance the feasibility of self
regulation by placing choices about information privacy increasingly in
the hands of consumers themselves. The experiences, models, technologies,
and concerns discussed in this volume point to an ongoing and lively experiment
in self-regulation.
As this experiment continues, it is important that thoughtful consideration
be given to the potential for effective self regulation. NTIA has focused
attention on self-regulation in part to afford it the benefit of closer
analysis, and in part to further debate on whether it is a viable option
for protecting privacy in the Information Age. This volume seeks to contribute
to that process, by providing tools and by encouraging meaningful debate.
Larry Irving
Assistant Secretary for
Communications and Information