Remarks of Gregory L. Rohde
Assistant Secretary of Commerce for Communications and Information
European Parliament Workshop on EU Privacy Directive
January 9, 2001
(as prepared for delivery)
PRIVACY: IT'S BECOMING EVERYBODY'S BUSINESS
Grazie Signore Cappato. That about exhausts my Italian so the rest of my intervention is going to be in English if it is alright with you.
Thank you very much for inviting me to participate in this forum discussion on the European Parliament's Privacy Directive. I very much appreciate the opportunity to share a transnational perspective on the proposed changes that the EP is considering. Also, I am grateful for the opportunity to learn more about Europe's perspective on this very important issue. I have already enjoyed listening to the foregoing discussion and it is obvious that Europe and the United States are each wrestling with the issue of privacy in the information age.
I want to compliment you Mr. Cappato for convening this forum discussion. Providing opportunity for open public discussion of EP's proposal to extend privacy protections to all forms of electronic commerce is important and beneficial. Public discussion will serve to help Europe and other regions of the world to work together and obtain a full understanding of the implications of the proposal and hopefully lead to a good result.
Importance of Privacy Protection
Privacy protection in the new economy is not only a matter of concern to those who use computers and cell phones. It is an issue for everybody. Today, personal information kept on consumers by insurance companies, governments, banks, etc. is usually stored on a computer which is connected to a communications network. While this brings many, many beneficial efficiencies and conveniences, it also brings with it new vulnerabilities. Everybody has a stake in protecting the security of communications systems and the protection of privacy in the information age. People want and expect privacy protection from government, corporations, businesses, and from their neighbors. Protecting privacy is a crucial element for the new economy - the new opportunities afforded by the Internet revolution have also brought new challenges to protect privacy.
A few decades ago, the personal information kept on us by our banks, insurance companies, and governments was usually contained on a piece of paper, locked in a file cabinet and secured in a building with good security. The information kept on us by our doctors, pharmacists, insurance companies, and our governments was considered pretty secure and people had confidence that their personal information was being protected. Protecting personal information in today's world is more complex when monitoring can be invisible and access can be from remote locations and it is a matter of concern for everyone.
Obviously, privacy protection in the age of the Internet and electronic commerce is a hot topic in Europe. Otherwise, the EP would not be considering the proposed changes to the 1997 Privacy Directive which is the purpose of today's hearing. Electronic privacy is also a very important topic of debate across the Atlantic.
Internet privacy and privacy over all other means of electronic communications is a matter of broad concern in the United States. I know this not from reading polls or conducting surveys. It is evident through the truly accurate reflection of American culture: the comic strips in our newspapers. About a year ago, a popular comic strip called "Cathy" ran a series of cartoons trying to find the lighter side of privacy on the Internet through a series called "the Information 'Snooper' highway." When a comic strip such as this dedicates its commentary to Internet privacy, we know that it is a subject that is cutting to the core of popular culture.
People in both of our continents have high expectations about their personal privacy. I grew up in a relatively small town in the Western United States: Bismarck, North Dakota, which is our state capital. It was named after the German Chancellor. A little over a century ago, many German and Norwegian immigrants who traveled to America took advantage of the Homestead Act and moved out to the Western plains of the United States. They went there to farm and many still do a century later. My home town is a place that still feels a strong cultural affinity with Europe. We still have Hoestfests and Oktoberfests at the right times of the year.
My father was a pharmacist at a little drug store in Bismarck. Twenty or thirty years ago in small western towns like Bismarck, drug stores served the same cultural purpose as European cafes: they were central gathering places where people would stop by to buy their prescriptions and sit around the soda fountain counter drinking coffee and catching up with their friends.
As a pharmacist, my dad knew most everybody in town. Most folks would buy their prescriptions from him, and when they did so, they had a lot of confidence that when my dad filled out the prescription and paid for it with a credit card, that my dad was not going to take their personal information and share it with others or sell it to someone who would use it to turn around and market other products to them. People had a high degree of confidence that their personal information was being protected in that era. Today, when someone is buying their drugs on-line, they may have no idea who is monitoring that purchase; what information is being collected on them and what is being done with that personal information.
Privacy protection is an essential ingredient for the growth of electronic commerce. If people do not have confidence that when they pay for an item online with their credit card it will be protected, they will not migrate their shopping to the Internet. Shopping online, for example, needs to be viewed by consumers as safe as shopping at a local store.
In addition, clarity, consistency, and effectiveness of rules and requirements on industry are equally important. Ambiguous rules that cannot be effectively implemented can be just as damaging to e-commerce as the shattering of consumer confidence about their personal privacy. As both Europe and the United States proceed in considering how best to protect consumers in the information age, we must also be mindful of the necessity to provide industry with clear, consistent, and enforceable rules so that they will have an environment in which they can provide the services to consumers that consumers want.
Global, not a Domestic Issue
The global nature of the Internet means that privacy is becoming everybody's business. The Internet knows no borders. Thus, it is becoming increasingly impossible to distinguish between domestic and international treatment of policies that affect the Internet. Both the US and Europe are wrestling with privacy protection. Neither of us can afford to address this issue in a vacuum because the decisions made in Europe or the US will have a direct impact on consumers in each continent.
The Internet has brought cultures together in ways not encountered before. This raises new challenges with respect to how we deal with the collision of cultures and economies. For example, a Disney movie may be considered wholesome entertainment in the U.S. but viewed as cultural pollution in France. In an era where high speed connections to the Internet allow for the mass distribution of digital copies of music and video, these kinds of cultural differences will come into conflict more intensely than in the past.
Another example is the Yahoo case in France and Nazi memorabilia. There are certain things that French society considers unacceptable under their hate crimes laws, such as the availability of Nazi memorabilia for sale. While many Americans may have strong disagreements with Nazism, Americans in general place a very high value on the right of free speech. Despite political differences, we still support the right to speak and share political views. But when a court decision in France led Yahoo to shut off access to the purchase of Nazi material via its portal sites, it impacted consumers worldwide.
On the Internet, our cultural traditions collide.
I am certainly not here to comment on whether or not it was right or wrong for the French to force Yahoo to shut down access to Nazi memorabilia. The point I am simply making is that this case demonstrates that French law and jurisdiction have in the past only applied to France but on the Internet, French law will impact consumers worldwide.
In a similar way, the EP Data Protection Directive, the EP Privacy Directive, and proposed changes to the Telecom Privacy Directive have to be considered in a global context.
The U.S. Experience - Still Deliberating
To date government action in the United States has been limited. For example, we have regulated privacy protections with respect to the Internet only in selected areas such as financial services and health care information. In addition the United States enacted the Child Online Privacy Protection Act (COPPA) which requires "verifiable parental consent" before collecting, using, or disclosing personal information of a child online.
We have also seen some progress in private sector initiatives such as third party verification of privacy policies like Truste and BBB Online. And, former Commerce Secretary William Daley succeeded in exerting pressure on industry to limit advertising to sites with privacy policies. Now some of the largest advertisers such as Disney and IBM have made it a matter of policy that they will not buy advertising on web sites which do not have privacy policies.
Finally, we have also seen the emergence of technological solutions which have provided new opportunities to empower consumers to protect their personal information when they search web sites, buy online, or use their cell phones.
Platform Privacy Preferences - commonly known as P3P - is a technology that allows a consumer to personalize their own privacy preference and when they search a web site it will tell them whether or not the web site conforms to their privacy preference. Also, credit card companies are devising ways to protect against fraud when people use credit cards to shop online.
As you know here in Europe, wireless technology is progressing rapidly and wireless carriers are developing effective location detection systems. This has tremendous benefits for public safety but at the same time raises new concerns about privacy protection. In response to consumer concerns about privacy protection, we are seeing the development and availability of technologies that put the power in the hands of the consumer to decide whether or not they want the default on their phones to send location information or not.
But we are starting to see a shift towards stronger governmental action in the United States. Last May, our Federal Trade Commission (FTC) - which is an independent regulatory body which has jurisdiction over consumer protection issues among other things - issued a report which suggested that despite some progress in what we have called "self regulation," legislation may be necessary.
The report found that most web sites do not have comprehensive privacy policies. Less than half of web sites have 3rd party seals for privacy policies. Therefore, according to the FTC report, industry "self regulation" is not sufficient.
The recommended legislation would set basic "standards of practice" and require:
· Notice to consumers on information practices;
· Choice to consumers as to how their personally identifiable information will be used;
· Access (of consumers) to information collected about them; and
· Security - web sites should assure consumers that their personally identifiable information about them is being protected.
Even before the FTC report, the US Congress has been considering legislation, examining many of the issues that were raised in the FTC report. The Congress continues to debate these questions of whether or not consumers should be notified that data is being collected on them; the question of choice (opt-in vs. opt-out with respect to consumer information being collected); the question of access, i.e., should consumers have access to the information that is being collected on them; the question of security, i.e., should carriers assure consumers that the information that is collected on them is protected; and exploring effective means of enforcement.
As you can see, we are wrestling with this vexing issue as well. The challenge for both the U.S. and Europe is to find the appropriate balance between consumer protection and marketplace freedoms. We need to ask: What is the appropriate role for governmental action or directives and to what extent can market forces address consumer privacy protection? Up to this point, the U.S. has chosen to allow the emerging Internet and new communications systems to develop without broad scale government regulation. While we certainly see issues with respect to protecting consumer privacy, the U.S. government has chosen to hesitate getting involved because: (a) acting too early and without a complete understanding of regulatory impacts might impede the development of electronic commerce and (b) there is a strong possibility that market driven solutions could be more effective than a broad government regulation.
This is not a black and white question of whether or not there should be government regulation. Rather, it is a question of finding the right balance, discerning the appropriate role of government and encouraging the maximum amount of market place freedoms.
As the U.S. and Europe proceed in making the transition from the communications era of phones and faxes to the new generation of complex services such as the Internet, it is imperative that we appreciate that this is not just a small step, but a giant leap into another era. The old regulations may not be easily adaptable to the new era. This must be understood if indeed we share the objective of promoting electronic commerce and look forward to advanced telecommunications services such as IMT-2000.
European Parliament Directives and Finding the Balance
With your permission, I would like to offer some reflections on your privacy considerations and later, humbly make a few suggestions. First, allow me to offer some observations.
In my judgement, the EP is being forward looking and I commend you for addressing this important issue. Your objective to update privacy protections and make them "technologically neutral" is actually consistent with the regulatory approach that the United States adopted when we enacted the sweeping changes under the Telecommunications Act of 1996. Under that legislation, the U.S. is attempting to adopt technologically neutral regulations in all areas of communications and information services. In the past, and to a large degree still, we have treated local and long distance telephone services different from each other and from cable, broadcast and wireless services. Our regulatory legacy is that different services are put in different "buckets" and a different body of law and regulation applied to different buckets.
Since 1996, we have been attempting to move out of that approach and adopt a technologically neutral form of regulation. Convergence of technology demands this and the U.S. will have to continue moving towards technologically neutral regulation - not just in privacy protection but in all forms of regulation. On this point, I think we share a common objective.
As you know, there are a number of EP Directives that are under consideration. It seems that these ought to be coordinated to achieve the best result for consumers and industry:
· 1995 Data Protection Directive. This directive, which is up for review in the fall of 2001, imposes the requirement that EU members prohibit data transmission with countries that do not have "adequate" privacy protection. The adoption of this directive led the US and the EU to work out a "safe harbor" agreement.
· 1997 Telecommunications Privacy Directive. I understand that this directive is still being implemented by the Member States.
· Proposed "Update" of the 1997 Telecommunications Privacy Directive. This is the proposal that we are discussing today which attempts to apply the 1997 privacy protections on "calls" to "all forms of electronic communications."
· The February 2000 Legal Aspects of E-commerce Directive, the RTTE Directive and the Distance Selling Directive are other directives which appear to have some overlap or inconsistencies with some of the proposed changes to the privacy directive.
· The Cybercrime Communication expected to be issued by the Commission shortly and the Council of Europe Treaty on Cybercrime currently being negotiated also come into play since that will have significant impacts on the question of consumer privacy and could impose regulations which could be in conflict with those in other directives.
The interaction between these directives could easily create confusion - for consumers and industry alike. Therefore, the EP ought to seek to coordinate these directives and strive for clarity, consistency, and enforceability. This will be in everyone's best interest.
The broad sweeping approach of the proposed changes to the 1997 Privacy Directive raises many new questions. This broad approach is unlike anything that has been adopted in the United States - at least at the national level. Expanding privacy protections from telephony services to all means of electronic communications, although well intended, may pose new problems that will need resolution. Allow me to offer a few examples.
The issue of unsolicited calls. Under the EP 1997 Privacy Directive, consumers must "opt-in" in order to receive an unsolicited machine generated phone call or fax. While the impact of an "opt-in" approach for faxes and automated telemarketing calls may be understood, a strict "opt-in" for online services could have different consequences.
- How will a ban on unsolicited e-mails apply to non-EU ISPs? There are technical and practical challenges in identifying the location of e-mail customers. When IMT-2000 arrives, will the ban apply when an EU consumer travels to Asia or the US?
- Will this really address "spamming"? Restrictions on spamming raise questions of liability for ISPs. How will that be addressed?
- Would this prohibition only affect commercial unsolicited e-mails? What about legitimate direct marketing communications where a business has an existing relationship with a customer? Political communications? Public service messages? (e.g., emergency warnings - will these be allowable?)
Data collection restrictions may have significantly different implications with respect to Internet services than they have with telephony services. How feasible is data collection and how wise is it to require its destruction? What is the impact on law enforcement (and the Cybercrime Directive)? Transaction logs are part of maintaining security on the networks. If data collection is strictly prohibited, what impact will this have on a carrier's ability to maintain a secure network? How about a consumer's interest in having access to past records?
Mandating technological solutions may have unintended consequences. Technological innovation thrives in free market environments. Directing governments to mandate technological solutions - which is provided for under the proposed changes to the Privacy Directive - may impede innovative development, hurting consumers in the long run. As I discussed earlier, technology can provide solutions which empower the consumer. The example I mentioned earlier is a company which has created a device that is part of a cell phone battery and allows the consumer to switch the transmission of their location data on or off according to their preference. This innovation developed to meet a market demand for consumer control - not because of a governmental mandate. There may even be better location control solutions out there. A governmental mandate could have the effect of impeding that innovation.
I don't believe that it is my place to come here and tell the EP whether or not it should adopt a directive or consider certain regulations. However, as I stated earlier, the borderless nature of modern communications systems requires us to work together and share our perspectives. I have very much benefitted from hearing the debate over this issue that has occurred today. Now, please allow me to make a few humble suggestions for your consideration.
First, I would like to encourage you to take an integrated approach and give serious consideration to the interaction between the various directives related to data protection, privacy, electronic commerce, and cybercrime. Strive for clarity, consistency, and enforceability.
Second, proceed with caution when contemplating government regulation. Have confidence in the market system. Focusing on empowering consumers and withholding government regulation to the greatest extent possible will foster an environment of innovation and opportunity. In the area of privacy protection in electronic communications, it is not easy to know exactly when government should get involved and to what degree we can rely upon market dynamics to sort out consumer concerns.
Finally, focus on how technology can provide solutions by empowering consumers. Just as new technology and convergence of technology can raise new concerns about protecting privacy, technological innovation can solve many of these issues. At the agency which I administer, the National Telecommunications and Information Administration (NTIA), we have focused much of our efforts in this area on exploring technological solutions working with industry.
Thank you Mr. Cappato and all the members of the European Parliament once again for inviting me to join you at this first public forum on the proposed changes to the telecommunications privacy directive.
The discussion we are having today is not a question of whether or not consumer privacy should be protected in all areas of electronic communications. Of course consumer privacy needs protection. The question is how best to provide it. The solution lies in striking the balance between necessary governmental action and encouraging market place freedoms to respond to consumer needs. Finding this balance is a challenge as communications networks become avenues for high speed data transmission and other sophisticated electronic communications systems.
One thing is certain: finding workable solutions requires cooperation. International cooperation as well as cooperation between private and public sectors.
Thank you once again.