<DOC>
[106th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:71178.wais]



 H.R. 4049, TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF 
                           PRIVACY PROTECTION

=======================================================================

                                HEARINGS

                               before the

                 SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
                      INFORMATION, AND TECHNOLOGY

                                 of the

                     COMMITTEE ON GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED SIXTH CONGRESS

                             SECOND SESSION

                                   ON

                               H.R. 4049

  TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF PRIVACY 
                               PROTECTION

                               __________

                          MAY 15 AND 16, 2000

                               __________

                           Serial No. 106-204

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform

                              ----------

                   U.S. GOVERNMENT PRINTING OFFICE
71-178                     WASHINGTON : 2001




                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
STEPHEN HORN, California             PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia            CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana           ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
JOE SCARBOROUGH, Florida             CHAKA FATTAH, Pennsylvania
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
MARSHALL "MARK" SANFORD, South       DENNIS J. KUCINICH, Ohio
    Carolina                         ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                    DANNY K. DAVIS, Illinois
DAN MILLER, Florida                  JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas             JIM TURNER, Texas
LEE TERRY, Nebraska                  THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois               HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                             ------
PAUL RYAN, Wisconsin                 BERNARD SANDERS, Vermont 
HELEN CHENOWETH-HAGE, Idaho              (Independent)
DAVID VITTER, Louisiana


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
           David A. Kass, Deputy Counsel and Parliamentarian
                    Lisa Smith Arafune, Chief Clerk
                 Phil Schiliro, Minority Staff Director
                                 ------                                

   Subcommittee on Government Management, Information, and Technology

                   STEPHEN HORN, California, Chairman
JUDY BIGGERT, Illinois               JIM TURNER, Texas
THOMAS M. DAVIS, Virginia            PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                  MAJOR R. OWENS, New York
DOUG OSE, California                 PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                 CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
          J. Russell George, Staff Director and Chief Counsel
               Robert Alloway, Professional Staff Member
                           Bryan Sisk, Clerk
          Mark Stephenson, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
Hearing held on:
    May 15, 2000
    May 16, 2000
Text of H.R. 4049
Statement of:
    Belair, Bob, editor, Privacy & American Business; Mary 
      Culnan, professor, McDonough School of Business, Georgetown 
      University; Christine Varney, former Commissioner, Federal 
      Trade Commission; Solveig Singleton, Director of 
      Information Studies, CATO Institute; Ron Plesser, 
      legislative counsel, 1977 Privacy Commission; and Stanley 
      Sokul, member, Advisory Commission on Electronic Commerce
    Hatch, Mike, Minnesota State Attorney General
    Markey, Hon. Edward J., a Representative in Congress from the 
      State of Massachusetts
    Spotila, John, Administrator, Office of Regulatory Affairs, 
      Office of Management and Budget
    Stone, Robert, executive vice president, American Healthways
    Veator, David, Office of Consumer Affairs and Business 
      Regulation, State of Massachusetts
Letters, statements, etc., submitted for the record by:
    Belair, Bob, editor, Privacy & American Business, prepared 
      statement of
    Culnan, Mary, professor, McDonough School of Business, 
      Georgetown University, prepared statement of
    Hatch, Mike, Minnesota State Attorney General, prepared 
      statement of
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of
    Moran, Hon. James P., a Representative in Congress from the 
      State of Virginia:
        Prepared statement of
        Prepared statement of Marjory Blumenthal, Director, 
          Computer Science and Telecommunications Board, the 
          National Academies
    Plesser, Ron, legislative counsel, 1977 Privacy Commission, 
      prepared statement of
    Singleton, Solveig, Director of Information Studies, CATO 
      Institute, prepared statement of
    Sokul, Stanley, member, Advisory Commission on Electronic 
      Commerce, prepared statement of
    Spotila, John, Administrator, Office of Regulatory Affairs, 
      Office of Management and Budget, prepared statement of
    Stone, Robert, executive vice president, American Healthways, 
      prepared statement of
    Turner, Hon. Jim, a Representative in Congress from the State 
      of Texas, prepared statement of
    Varney, Christine, former Commissioner, Federal Trade 
      Commission, prepared statement of
    Veator, David, Office of Consumer Affairs and Business 
      Regulation, State of Massachusetts, prepared statement of
    Waxman, Hon. Henry A., a Representative in Congress from the 
      State of California, prepared statement of

 
 H.R. 4049, TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF 
                           PRIVACY PROTECTION

                              ----------                              


                          MONDAY, MAY 15, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Turner.
    Also present: Representatives Hutchinson and Moran.
    Staff present: J. Russell George, staff director and chief 
counsel; Heather Bailey, professional staff member; Bonnie 
Heald, director of communications; Bryan Sisk, clerk; Liz Seong 
and Michael Soon, interns; Kristin Amerling, minority deputy 
chief counsel; Michelle Ash and Trey Henderson, minority 
counsels; and Jean Gosa, minority assistant clerk.
    Mr. Horn. A quorum being present, this hearing of the 
Subcommittee on Government Management, Information, and 
Technology will come to order.
    At the request of the subcommittee's minority members, we 
will continue our April 12th examination of H.R. 4049, a bill 
that would establish a Federal commission to study privacy 
protection.
    [The text of H.R. 4049 follows:]

    
    Mr. Horn. At the subcommittee's first hearing on H.R. 4049, 
experts in the areas of medicine, finance, and Internet privacy 
shared their views on the many challenges involved in 
protecting privacy. Witnesses discussed their concerns about 
the increasing accessibility to personal information, such as 
medical records, Social Security numbers, and credit card 
records.
    Both today and tomorrow, the subcommittee will continue 
this discussion with people knowledgeable in privacy issues.
    I welcome our witnesses, and look forward to their 
testimony.
    Let me just explain how the panels work. We will be 
swearing in all witnesses today. We would like you to summarize 
your statements. We have read all of them, and we would like 
you to do that in 5 minutes. So we will now finish with the 
opening statements, and I will give you the oath when those 
statements are through.
    I now call on the gentleman from Texas, the ranking member, 
Mr. Turner, for his opening statement.
    Mr. Turner. Thank you, Mr. Chairman.
    This is the second of three hearings that we have had 
scheduled on H.R. 4049, and I want to thank the chairman for 
prioritizing the need to study this very important issue. There 
is no doubt that privacy is one of the top concerns of the 
American people and one of the most important issues facing 
this Congress.
    I am pleased to be a cosponsor of this legislation which 
would create a commission that will enable us to have a full 
and open discussion with the American people about privacy so 
we can address it in an appropriate manner. However, I do not 
want us to rush forward with the bill without proceeding 
cautiously and considering a number of issues surrounding the 
creation of this commission.
    I commend Congressman Hutchinson for his leadership on this 
very important issue. At our first hearing, witnesses raised 
questions regarding the relationship the commission's work 
would have with privacy efforts by other entities. 
Specifically, concerns were voiced as to whether the commission 
could serve as a delay to regulations, studies that are 
currently moving forward. For example, witnesses pointed out 
that a bipartisan congressional privacy caucus is currently 
pushing for passage of a financial privacy measure.
    Pursuant to the congressional mandate, the Secretary of HHS 
is now in the process of finalizing medical privacy 
regulations. Additionally, the Department of Treasury study on 
financial privacy regulations is soon to be completed.
    We have many issues that need to be dealt with immediately, 
and I was pleased to hear Congressman Hutchinson state that the 
intent of the bill was not to impede the progress of other 
regulations which may reach consensus during the commission, 
rather, to be used as a sounding board to those initiatives.
    Questions have arisen regarding the composition and 
expertise of members selected to the commission. Currently, the 
bill does not contain requirements regarding the qualifications 
of commission members. We need to ensure that an appropriate 
balance between all stakeholders in this issue is represented.
    Witnesses also questioned the scope of the commission's 
mandate, which currently is not set forth in the bill. We 
should be concerned about duplicating work which has already 
been done and consider whether it might be more productive for 
the commission to focus on specific privacy issues.
    In light of the concerns that witnesses raised at the first 
hearing, members of the past and present entities charged with 
studying privacy issues as well as Federal and State government 
representatives who have been active on privacy matters have 
been identified and asked to testify before this subcommittee. 
These witnesses are expected to address the types of expertise 
and background that should be sought in the commission members, 
the types of issues that should receive focus and the types of 
reviews that may be redundant.
    Again, I want to thank the chairman for holding the 
hearings; and I welcome the witnesses here today.
    Mr. Waxman also advises me that he appreciates you 
scheduling the hearings to ensure that the issues raised by the 
legislation receive careful consideration. Mr. Waxman sends his 
regrets. He is unable to be here today, but he plans to attend 
tomorrow's hearing and looks forward to receiving the testimony 
from today's hearing.
    The American people deserve to have their privacy protected 
in a correct and timely fashion. It is my hope that as a result 
of these hearings, we will be closer to that goal.
    Thank you, Mr. Chairman.
    Mr. Horn. We thank you. And now we have a member of the 
full committee who is the author of the legislation, the 
gentleman from Arkansas, Mr. Hutchinson, for an opening 
statement.
    Mr. Hutchinson. I thank the chairman, and I just want to 
take a moment to express my appreciation to you and the 
committee for scheduling a second day of hearings.
    During the last break, I believe it was, I received a copy 
of a letter from Mr. Waxman requesting additional hearings; and 
as one of the lead sponsors of this legislation I was delighted 
by his interest in it; and I appreciate the chairman scheduling 
this hearing so promptly to follow up on Mr. Waxman's request.
    I also appreciate Mr. Turner, the ranking member, and his 
leadership on this issue which has been critical from the very 
beginning. It has been a goal to make sure that this is--
privacy is pursued in a bipartisan fashion, and the 
participation of Mr. Turner and the many Democrats who have 
joined on this legislation is important to its success and 
ultimate credibility.
    Mr. Turner outlined a number of concerns--I wouldn't say a 
number. There were serious concerns raised in the last hearing 
that are very legitimate in terms of we should discuss those 
and perhaps look at amending the legislation, if necessary, as 
we go through the markup process. It is certainly not the 
intent of the privacy commission to serve as a delay on other 
legitimate efforts to address privacy concerns. I have always 
viewed this as complementary. Whatever happens in other arenas 
on a smaller scale, it is important to look at privacy in a 
comprehensive way and in an ongoing way.
    Second, it was discussed about the diversity of the 
commission members, and certainly I believe that the point of 
authority should seek to ensure that membership of the 
commission will represent a diversity of views and experiences 
on the issues that they will address in terms of privacy, and 
that is important.
    So we are happy to work with those who are supportive of 
privacy--of the privacy commission to make sure that it is 
drafted in a fair manner and move this ball forward and protect 
privacy in a balanced way.
    Mr. Chairman, I thank you; and I look forward to the 
testimony of the witnesses.
    Mr. Horn. I thank the gentleman.
    Now if the witnesses will stand.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note that there are five witnesses 
that accepted the oath.
    The Honorable John Spotila is the Administrator of the 
Office of Regulatory Affairs in the Office of Management and 
Budget. Mr. Spotila.

STATEMENT OF JOHN SPOTILA, ADMINISTRATOR, OFFICE OF REGULATORY 
            AFFAIRS, OFFICE OF MANAGEMENT AND BUDGET

    Mr. Spotila. Mr. Chairman and members of the committee, 
thank you for inviting me here to present the administration's 
views on H.R. 4049, the Privacy Commission Act.
    As Administrator of OMB's Office of Information and 
Regulatory Affairs, I care deeply about the protection of 
privacy. In 1998, OIRA took on enhanced responsibility for 
coordinating privacy policy throughout the administration. OIRA 
already had policy responsibility under the Privacy Act of 1974 
which applies to Federal Government systems of records. Now it 
plays a central coordinating role for privacy policy more 
generally.
    Last year OMB appointed its first Chief Counselor for 
Privacy, Peter Swire, to be the point person in this 
coordination effort; and Peter is here with me today and 
available if needed.
    The President and the Vice President are committed to the 
protection of individual privacy. As President Clinton said on 
April 30 when announcing his new financial privacy proposal, 
"From our earliest days, part of what has made America unique 
has been our dedication to freedom and the clear understanding 
that real freedom requires a certain space of personal 
privacy."
    In studying the proposed findings for H.R. 4049, we find 
much common ground. We agree that Americans are increasingly 
concerned about the security and use of their personal 
information. We agree that the shift from an industry-focused 
economy to an information-focused economy calls for reassessing 
the way we balance personal privacy and information use.
    As Administrator of OIRA, I work extensively on information 
policy issues relating to computer security, privacy, 
information collection, and our transition to the electronic 
delivery of government services. In these and other areas, we 
are working hard to gain the advantages that come from new 
technologies while guarding against possible costs to privacy 
and security that can come from badly crafted uses of those 
technologies.
    In some areas, we already know that we must act swiftly to 
protect privacy and security. Indeed, the administration's 
biggest concern with H.R. 4049 is the risk that you highlighted 
earlier, the risk that some might use the commission as a 
reason to delay much-needed privacy legislation. We understand 
that supporters of H.R. 4049 have emphasized that it should not 
be used as a reason for delay, and we agree with that, but we 
are concerned that there are those that would oppose privacy 
reform who would prefer to have Congress study the issue 
indefinitely rather than take action. We cannot afford to take 
a year and a half off in protecting Americans' privacy. We 
believe that action is needed now in the areas of financial 
privacy, medical records privacy, and genetic discrimination.
    There have been extensive initiatives by the Federal 
Government since 1993 to study and take appropriate action in 
the area of privacy protection. Study of privacy was an 
integral part of the National Information Infrastructure 
project, sometimes called the "information superhighway" 
effort, with the issuance in 1995 by an interagency privacy 
working group of principles for providing and using personal 
information. This effort was led by OIRA--before I was there, I 
will admit.
    With the administration's support, Congress has passed a 
long list of privacy legislation. In my written statement, we 
provide details about these laws and other activities by the 
administration to protect Americans' privacy.
    My statement also explains the legislation that is now 
before the Congress to provide legal protections for three 
especially sensitive categories of personal information: 
financial records, medical records, and genetic discrimination.
    Let me turn again to the specifics of H.R. 4049.
    The administration does have concerns that the study 
commission might be used as an excuse for delaying needed 
activity in privacy protection, and we appreciate the strong 
statements we heard today that indicate that you agree that 
should not happen. These concerns would be especially acute for 
these important topics such as medical, financial, and genetic 
information. We know there has already been extensive 
discussion of these proposals, and we would not want to see 
further study duplicating the public examination that has 
already taken place without adding real value.
    We recognize that the Congress needs to make its own 
judgments on these matters, and we defer to it in its 
assessment of what it needs to inform those judgments. It seems 
sensible, however, to adopt a focused approach to exploring 
these topics. Ideally, any further study efforts should be done 
within a short timeframe and would build on, not duplicate, 
existing studies.
    If there were to be a commission, we should ensure that it 
focuses its efforts in an effective way. Casting too broad a 
net would delay the work of any new commission, with uncertain 
results. We note, for example, that the treatment of data 
collected on-line has been the subject of extensive hearings in 
Congress as well as public workshops, public comments, studies, 
and reports. The Federal Trade Commission is about to issue a 
major report. We recognize that this is a complicated area that 
requires careful evaluation and an understanding of new 
technology. It is not clear, however, that a commission lasting 
18 months will give decisionmakers the help they need in this 
area.
    Rather than have a commission pursuing a very broad set of 
topics, it might be more productive to have technology and 
policy experts address specific, emerging issues that have not 
yet benefited from much attention. One targeted way to study 
such issues might be to enlist the expertise of the National 
Academy of Sciences/National Research Council, which has 
already produced studies in areas such as cryptography and 
medical records privacy. We could call it in again on emerging 
areas of concern. These might be particularly appropriate for 
examining authentication technologies and their privacy 
implications and the topic of biometrics and privacy.
    For all of these reasons, we believe that there may be 
sound alternatives to a privacy commission. If legislation 
creating a commission does move forward, however, we do have 
some specific concerns about the method of appointment of 
commissioners, and the possibility that the current draft could 
lead to the release of classified information.
    We share with Congress a very strong interest in protecting 
privacy. We look forward to working with you to find suitable 
new ways to improve that protection. We understand the good 
intentions motivating the sponsors of H.R. 4049; and, despite 
our reservations about the specifics of this bill, we welcome 
the commitment to privacy protection that they seek to 
demonstrate.
    Thank you once again for the invitation to discuss these 
issues.
    Mr. Horn. We thank you for that very concise presentation.
    [The prepared statement of Mr. Spotila follows:]

    
    Mr. Horn. Our next presenter is David Veator, who is with 
the Office of Consumer Affairs and Business Regulation for the 
State of Massachusetts. Mr. Veator.

   STATEMENT OF DAVID VEATOR, OFFICE OF CONSUMER AFFAIRS AND 
          BUSINESS REGULATION, STATE OF MASSACHUSETTS

    Mr. Veator. Thank you, Mr. Chairman and members of the 
committee. My name is David Veator, and I am the general 
counsel for the Massachusetts Office of Consumer Affairs and 
Business Regulation. Our office is charged with the oversight 
of all State-chartered banks, insurance companies, most of the 
professional trades and the supervision of the State's consumer 
protection laws.
    Because issues of privacy are of growing importance both to 
consumers and the businesses that my agency regulates, our 
agency is the one in Massachusetts that has been tapped with 
supporting Governor Cellucci and Lieutenant Governor Swift's 
privacy agenda, and on behalf of them, I am pleased to testify 
in support of the privacy commission proposed in H.R. 4049.
    As this committee knows, privacy issues are now at the 
forefront of the national discourse. As we say in our prepared 
statement, the information age has brought many good things to 
people, but no silver lining is without its cloud. With the 
rapid growth in technology to collect and compile personal 
information, citizens face unprecedented threats to their 
personal privacy. One recent poll conducted by Lou Harris & 
Associates noted that 88 percent of Americans are concerned 
about threats to personal privacy and that 83 percent believe 
that consumers have lost all control over how companies collect 
and use their personal information.
    For a small fee there are companies that can collect more 
information than you would have believed about you and compile 
it and disseminate it, and one of the witnesses in this 
committee's last hearing demonstrated that in some detail.
    I am sure that each of the members of this committee is 
aware that this widespread perception of privacy abuse has 
already translated into action at the State and Federal level. 
Although this action has resulted in good legislation and 
improving industry practices, it is fair to say that our 
approach to privacy is disjointed and ad hoc. According to 
several commentators, between 2,000 and 3,000 privacy-related 
bills are currently pending in State legislatures. Many of 
these bills deal with multiple privacy issues. It would appear 
that this less-than-coordinated approach to privacy cannot be 
an efficient way to deal with the subject.
    Another problem with our approach to privacy to date has 
been a criticism that it is too sectorial, that is, different 
legislation tends to tackle privacy issues with respect to 
different industries. As a result, we have on-line privacy 
rules, privacy rules for brick and mortar companies, banking 
privacy rules, insurance privacy rules, and telecommunications 
privacy rules. Privacy in American Business reported that, by 
the end of 1999, 179 different privacy laws relating to health 
care had been enacted, as had 65 privacy laws related to direct 
marketing or telecommunications, 59 relating to financial 
services, 39 relating to insurance and 14 relating to on-line 
or Internet activity.
    This approach may have been workable in the past, but as 
the nature of our economy changes it may no longer make sense. 
For example, as the financial services industry has 
revolutionized and converged, several isolated privacy statutes 
that deal with banking or insurance or securities may no longer 
have much application.
    We think that the commission proposed by Congressmen 
Hutchinson and Moran is a logical way to approach the question 
of privacy. There are obvious advantages to taking a 
comprehensive look at the array of complex privacy issues such 
as financial privacy, identity theft, biometrics and children's 
privacy, etc.
    The most obvious benefits are the ability to take advantage 
of work that has been done both at the Federal level and at the 
various States and take advantage of nationwide expertise. I 
would like to offer the experience of Massachusetts.
    Shortly after their election, Governor Cellucci and 
Lieutenant Governor Swift convened a working group to examine 
the quality of life in Massachusetts. We were able to consult 
with privacy experts, local business leaders, and law 
enforcement, and shortly thereafter Governor Cellucci and 
Lieutenant Governor Swift filed a comprehensive bill on privacy 
that updated existing privacy laws to reflect the technological 
changes that have occurred since their inception and instituted 
new protections to address new technology. The intent of the 
bill was to empower consumers in the 21st century economy while 
continuing to allow Massachusetts business to flourish.
    I can also point to the experience of the FTC Subcommittee 
on Access and Security which recently reported to the FTC, and 
the FTC I think was able to develop a committee that provided a 
robust analysis precisely because it had many viewpoints from 
across the country on that committee.
    I would like to close by saying a few words about one 
State's view of the roles of both Federal and State examination 
of privacy.
    I think the States will continue to legislate and act to 
protect their citizens, but we believe that the Congress has a 
unique capacity to develop workable privacy protections. It may 
be that most States would prefer not to act unilaterally if we 
were assured that the Federal Government and private industry 
are striking the right balance between the need of businesses 
for information and the right of citizens to personal privacy.
    Indeed, a uniform approach to privacy confers two 
advantages from a State's point of view. It makes interstate 
commerce easier for businesses which only have to follow one 
set of rules rather than 50, and establishing at least 
baseline standards for all States means that no State will have 
to potentially disadvantage its own economy by establishing on 
its own minimum protections for its own consumers.
    In closing, I would like to thank the committee on behalf 
of Governor Cellucci and Lieutenant Governor Swift for this 
opportunity to testify. We support H.R. 4049 as a means for 
taking, for the first time, a national approach to privacy in a 
new economy. As I indicated, our economy has undergone a 
technological revolution, and the way in which privacy catches 
up to this revolution will have important consequences for us 
as individuals and for our new economy.
    Thank you.
    Mr. Horn. Well, we thank you. That is very helpful 
testimony, and we always appreciate it from the State of 
Massachusetts. You are usually ahead of the rest of the country 
quite a bit.
    [The prepared statement of Mr. Veator follows:]

    
    Mr. Horn. Our next presenter is from another very 
progressive State and that is the State of Minnesota. We have 
the Attorney General from the State of Minnesota, Mike Hatch.

   STATEMENT OF MIKE HATCH, MINNESOTA STATE ATTORNEY GENERAL

    Mr. Hatch. Mr. Chairman and members of the committee, I 
have read the testimony that was presented at your prior 
hearing, and it is apparent that you have a full grasp of this 
issue. You have examples of everything from perpetrators on the 
Internet taking photos out of yearbooks and putting them on 
pornography, displaying them out for the public. You have 
corporations asking self-insured administrators and even the 
government to draw profiles of their employees' health care and 
health conditions. You have telemarketing companies using bank 
data to target senior citizens, perpetrating financial fraud 
far beyond what was contemplated by enactment of the Vulnerable 
Adult Act.
    It is very plain that something ought to be done now by 
policymakers. My concern with regard to a commission and with 
all due respect for studying it, this is an issue that is the 
result of technology, but it is not the issue of technology 
itself. It can be addressed and ought to be addressed, and all 
too often in our society--and I am afraid that is the case 
here--commissions or task forces are appointed to delay, to try 
to escape an issue.
    Last year, Congress passed the Financial Services 
Modernization Act, and they lifted the Pandora's lid on 
privacy. They basically permitted banks to exchange information 
which under State law in most States fiduciary obligations 
would have prevented them or left them open to litigation for 
doing so. By opening that Pandora's lid, the playing field has 
changed so that now those institutions don't want to change. 
They have got it. Yet the public, by margins that were pointed 
out in poll after poll by the prior speaker, 85 percent 
strongly believe that action ought to be taken now.
    Congress lifted the lid last year. It ought to put the lid 
back on--and I am talking about financial privacy, health care, 
the Internet--and start addressing the issue. Don't study it, 
but move on it.
    Now, at the State level, we have several bills. We have 
gotten them through the Senate, and we are hopeful that we can 
get some bills through the House on this. We had over 100 
lobbyists representing, according to the chairman of the 
Commerce Committee in the House, 59 interests at one hearing, 
which is considerable for a State legislature. They are all 
opposed to any change, and what their cry was, ``leave it to 
Congress. Congress will change it. It is a Federal issue.'' And 
you know what is going to happen. You pass a bill having a 
commission, all 59 will be back. Let this commission come back.
    But every day that we delay we have another stakeholder on 
this privacy issue. More data is exchanged about each of us. 
More privacy is invaded, more stakeholders and more lobbying 
techniques will follow. It is important. It is an important 
issue. People feel strongly about it. If a privacy commission 
were established where something was stated very clearly that 
the States should move forward now, that Congress should move 
forward now, that would be one thing. But it is extremely 
important--I don't think we have done very much on this issue, 
contrary to perhaps some of the other speakers here, and I 
think the time is now for policymakers to stand up and have the 
courage to take on these interests and start enacting some 
legislation.
    Mr. Horn. I thank you very much for your presentation. You 
can probably look around behind you and see a lot of interest 
there, too.
    [The prepared statement of Mr. Hatch follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.024
    
    
    Mr. Horn. We now have Mr. Robert Stone, who is the 
executive vice president of American Healthways. If you would, 
I would like you to explain what American Healthways is. I find 
it a rather unique operation.

 STATEMENT OF ROBERT STONE, EXECUTIVE VICE PRESIDENT, AMERICAN 
                           HEALTHWAYS

    Mr. Stone. Thank you, Mr. Chairman and members of the 
committee. Thank you for the opportunity to appear before you 
today.
    My name is Robert Stone, and I am executive vice president 
of American Healthways, the Nation's largest disease management 
organization. I am also a board member of the Disease 
Management Association of America.
    Today, American Healthways serves approximately 170,000 
people afflicted with diabetes, cardiac, and/or respiratory 
disease and the more than 30,000 physicians who care for them. 
My oral testimony today highlights the written testimony 
already submitted to you.
    How to protect individual privacy, particularly the privacy 
of personal health information, is extremely important. It is 
for this reason that we strongly support H.R. 4049. But in 
health care, perhaps more than any other area, balance is 
required. The proposed commission should therefore carefully 
weigh the protection of Americans from inappropriate uses of 
our personal information against the need to ensure access to 
that information for the effective provision of health care, 
particularly to the 50 million Americans with chronic disease.
    No one understands the need for this balance better than 
patients themselves. With her permission, of course, let me 
share my wife's perspective. Having had Type 1 diabetes for 24 
years, she frequently serves as my resident consumer expert. I 
asked her recently if her privacy would be violated if she 
received a letter from her health plan advising her of a 
program to help her better manage her diabetes; her response, a 
simple, ``Of course not.'' Without further prompting, however, 
she went on to say she would be outraged if she then received a 
letter from a pharmaceutical company, a medical device 
manufacturer, or other organization trying to sell her a 
product or service related to her diabetes.
    She recognizes, as do most consumers, that the motives 
behind the use of her personal health information in these two 
examples are clearly different. One is designed to help her, 
the other to sell her something by capitalizing on her illness.
    It is disease management programs that provide the 
coordination, integration, and management of care processes 
necessary to help people with chronic diseases more effectively 
control their illness; and by improving overall health status, 
these programs also reduce health care costs. This is not 
wishful thinking. An independent analysis of our diabetes 
program confirmed that costs with 7,000 commercial HMO members 
in seven different health plans were reduced 12.3 percent in 
the first year.
    Even better outcomes have been achieved and will be 
released shortly for more than 20,000 individuals participating 
in our program in four Medicare+Choice plans. Disease 
management programs depend on the free flow of patient 
information to provide the customized proactive interventions 
which make these results possible. First, however, this 
information is needed to identify and engage program 
participants. After all, if we can't find them, we can't help 
them.
    Our experience has shown if we depend on patient or 
physician referral as the entry mechanism, program 
participation levels are significantly lower--never greater 
than 30 percent, as compared to nearly 98 percent with a 
proactive engagement model--and the individuals who do elect to 
participate are the wrong ones, generally those who are 
relatively healthy, well motivated or who have good 
self-management skills. The people who both need and could benefit 
the most, nearly two-thirds of the total, are left out and the 
clinical and financial benefits are lost.
    Is using personal health information to improve health 
status appropriate? Our plan customers, their members and the 
physicians in their networks must think so, since we have never 
had a single complaint in that regard. We have achieved that 
record through the use of stringent policies and procedures to 
ensure both confidentiality and security. The information to 
which we have access is never sold or disclosed to a third 
party, nor do we use our communications with participants or 
providers to advertise or market any drug, product or service.
    Unfortunately, there are companies that do, and those 
inappropriate disclosures should be prohibited. Providing 
guidelines to distinguish between legitimate uses of personal 
health information and significant abuses of confidentiality is 
a worthy role for the proposed commission.
    We would also ask that the commission be charged to issue a 
clear recommendation with respect to preemption. Currently, 
many State privacy laws directly conflict with each other, 
making it impossible for national employers in health plans, 
such as a Federal Express or a Cigna, to provide consistent 
programs to residents of different States. And as you know, the 
privacy regulations proposed by the Department of Health and 
Human Services, if and when issued, will not preempt State 
privacy laws. Only Congress can authorize preemption, and we 
urge that the creation of a single national standard be part of 
any further Federal legislation.
    Ultimately, whatever legislation emerges from Congress must 
not inadvertently bar the use of personal health information to 
support better quality care and lower health care costs. The 
proposed privacy commission can help ensure this outcome by 
providing a clear road map through the complex privacy maze and 
distinguishing between appropriate uses of personal health 
information like disease management and those uses that are 
purely commercial.
    Thank you for your time. I am pleased to answer any 
questions you may have.
    [The prepared statement of Mr. Stone follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.030
    
    
    Mr. Horn. Thank you. That is very helpful and a different 
type of statement.
    We will now go to questions and answers. The Members here, 
we are going to limit each to 5 minutes, and we will rotate 
until you are all worn out, so it will keep it interesting with 
three of us here.
    I will start with the first gentleman, who is the author of 
the legislation, Mr. Asa Hutchinson of Arkansas, for 5 minutes 
on questioning the witnesses.
    Mr. Hutchinson. Thank you, Mr. Chairman. I want to 
recognize Mr. Moran who came into the room, my cosponsor on 
this, and thank him for his active participation and support 
for it. I do thank each of the witnesses for their excellent 
testimony and presentation and differing viewpoints on this 
subject.
    Mr. Spotila, let me start with you, expressing the 
administration's viewpoint, and thank you for emphasizing the 
common ground that we have sought.
    You mentioned the administration's work in this regard and 
that you don't want a commission just to duplicate what already 
is out there. You cited a number of different commissions. 
Let's see here--which is really the interagency privacy working 
group, and the ones that you have cited here are agency driven; 
am I correct?
    Mr. Spotila. They are either agencies themselves or 
interagency groups.
    Mr. Hutchinson. Which is very important. I make a 
distinction between a congressionally mandated approach to 
privacy versus an agency.
    Mr. Spotila. We do defer to a considerable degree to the 
Congress in whatever you believe is appropriate to help inform 
your judgment. Our concern is not delaying doing things that 
are needed now.
    Mr. Hutchinson. Your point is very well taken, and I would 
emphasize the same point that you just made, that the intent of 
this legislation is not to infringe upon the agencies as they 
move forward. In fact, it is not going to stop. You've got them 
moving forward into a final rulemaking position here long 
before the commission will render any results.
    Mr. Spotila. Clearly, we would continue to move forward in 
areas where we could. There are legislative proposals in front 
of the Congress that we think are urgently needed and so we do 
have some concern, if the Congress were to halt its action 
pending the report of a commission.
    We also were attempting to share some of our experience, 
and that is where we have found the greatest success has been 
in very focused, targeted efforts rather than broad ones. This 
is a huge topic. It is easy to be a mile wide and an inch deep. 
That is not very helpful.
    Mr. Hutchinson. I think part of your point is well taken. 
Let me just respond in a couple of ways.
    First, I think the work of the agencies is very important. 
They have a lot of expertise in narrowly starting targeted 
areas. So I think that is important. Again, I view this 
commission as complementary to that.
    Even if all of these regulations move forward without any 
controversy, would you agree with me, 3 years from now we are 
going to need to continue to review, whether through the agency 
or the legislative body, the issues of privacy?
    Mr. Spotila. Absolutely.
    Mr. Hutchinson. Again, you make the case just by that 
answer that it is an ongoing effort on privacy and there are 
things--I have cosponsored legislation that ought to be done 
now. But if everything on the table is adopted, we still need 
to have a comprehensive review of it, as well, would be my 
case.
    When was the last time, to your knowledge, there was a 
legislative effort/commission that reviewed privacy?
    Mr. Spotila. I don't recall one certainly in recent times. 
We can try to be more specific, but personally I don't recall 
one recently.
    Mr. Hutchinson. I would agree with you not in recent times. 
I wouldn't consider 1974 recent, particularly in view of the 
technological developments. I saw the 1974 legislative 
commission report, and it was talking about privacy in the 
Information Age. Well, the Information Age has dramatically 
changed since 1974. So there has been a lot of agency work, but 
not legislative work.
    You make the point that if the commission is adopted, that 
it should not be just going on and on without having anything 
accomplished in the short term. You mention that it should be 
done within a short timeframe.
    Do you believe that an 18-month commission is too long or 
too short?
    Mr. Spotila. I think that our concern is that the 
combination of a broad list of topics and an 18-month timeframe 
suggests that the commission will not be as helpful as you 
might like it to be; that targeted efforts that zero in on 
particular aspects of privacy with a shorter timeframe, that 
inform decisionmakers in concrete terms, will prove more 
useful.
    Mr. Hutchinson. I want to invite you because your point as 
a concern has been expressed by others. The broadness--there is 
some benefit because you are able to look at--rather than a 
sectorial approach, you can look at it in a comprehensive 
standpoint all across the line from on-line privacy, which 
transects everything from medical records to educational 
records, so there is some merit to that.
    Also there is the danger of the commission having too much 
to do and they don't know where to start.
    I would welcome your view as to ways that the commission 
can be pointed in the right direction; we would solicit your 
views on that. I would point out that the 18-months is the 
deadline, the drop-dead point. It is not just an ongoing thing, 
it is going to cease to exist after 18 months. And it also 
provides, if the commission deems it appropriate, they could 
issue a report before then if there are some urgent matters to 
address.
    Do you believe that it is appropriate that you have an 
18-month deadline, that you can't go on beyond that?
    Mr. Horn. We will have further rounds, but let's respond to 
that question, and then we move to Mr. Moran.
    Mr. Spotila. I think it is important to have some outside 
date, clearly. I think our instinct is that 18 months may be 
too long, but this is also related to the nature of the topics 
that it would be looking at. We would be happy to continue to 
work with the committee and with the Congress to try to refine 
these approaches.
    Mr. Hutchinson. Thank you.
    I want to assure the other gentlemen that I have additional 
questions. I was just taking them one at a time.
    Thank you, Mr. Chairman.
    Mr. Horn. I am now delighted to yield 6 minutes to the 
gentleman from Virginia, Mr. Moran. If you have an opening 
statement and you want to read some of it in, we will give you 
additional time.
    Mr. Moran. Well, thank you very much, Mr. Chairman. I will 
just make some introductory comments. The first comment, of 
course, is to thank you for having these hearings and to thank 
my cosponsor, Mr. Hutchinson, for his excellent leadership on 
this issue.
    We know that the loss of personal privacy is a cutting-edge 
issue and one of the topic issues that confront Americans 
today. Personal medical information that is kept, stored, 
transmitted, distributed to people without an individual's 
knowledge makes them vulnerable. We know that profiling has 
taken place among a number of electronic commerce companies, 
presumably for the benefit of their customers, but obviously 
for the benefit of companies and oftentimes without the 
customer's knowledge.
    But we also have to recognize that the reason--one of the 
reasons at least that the United States is the leading economic 
and social force in our global economy is because we have such 
a favorable regulatory environment, so new ideas, new ventures 
can sprout up, take form, and become successful.
    We don't want more regulation than is absolutely necessary, 
and I think the history of our economy has proven that that 
should be the way in which we ought to operate. But the U.S. 
Internet economy is now worth over $350 billion. I think we 
have about 72 million American adults using the Internet today, 
and those numbers are increasing; and as they increase, 
obviously privacy is going to continue to be an acute concern 
on the part of the people who use the Internet.
    So our conclusion, the reason why we came up with the bill 
is that we need a thoughtful, deliberative approach to a very 
complex subject. And that is what we try to do. Maybe we have 
too many members, but every group that I have talked to wants 
to be represented so that is why we have as many as 17 members. 
And if it is as difficult an issue to come to grips with and to 
come up with constructive recommendations, we want to give an 
adequate amount of time; and that is why we came up with about 
18 months.
    I know Mr. Hutchinson and Chairman Horn have had this 
experience, any number of companies coming to us and showing 
the technology that is developing, as we speak, that enables 
the industry to self-police itself, to self-regulate itself, 
but we still don't know what the proper role for the government 
is and it would seem that there is a critical role for the 
government to perform.
    So that is the environment in which we have this hearing.
    First of all, Mr. Chairman, I want to ask that two of the 
speakers who wanted to present their testimony, Willis Ware, he 
used to work with the RAND Corp., he has some very interesting 
testimony; and Marjory Blumenthal, who is the Director of the 
Computer Science and Telecommunications Board for The National 
Academies, both speakers wanted their statements included for 
the record so we ought to do that.
    [The prepared statement of Ms. Blumenthal follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.038
    
    
    Mr. Horn. Without objection, those statements will be put 
in the record. At the end of the hearing you might want to read 
some pertinent paragraphs.
    Mr. Moran. Thank you, Mr. Chairman. I wanted to make sure 
that I didn't forget, and I know that you keep the record open 
for a couple of weeks.
    [The prepared statement of Hon. James P. Moran follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.043
    
    
    Mr. Moran. Now, the question that I was most interested in 
asking was, first of all, Mr. Spotila, who is--you represent 
the administration on the panel. We have had some prior efforts 
to come up with studies relevant to consumer privacy. I know 
with regard to medical privacy issues, HHS took up a major 
privacy regulation--effort, last year.
    Now, recommendations were made in September 1997, and a 
proposed rule was made in November 1999. I understand that 
HHS's efforts to examine medical privacy included a number of 
consultations with various Federal agencies, and any number of 
hearings as well; and the comments that they got were in the 
tens of thousands.
    Do you have any idea of the time and resources that were 
required by the Department of Health and Human Services when--
in their preparation for coming up with the regulations that 
were required in 1997, and which were finally issued last year? 
Do we have any idea of the cost that was encompassed by 
performing that task?
    Mr. Spotila. I don't have, offhand, a dollar aggregate 
cost. Clearly, there was a period of time when the agency was 
waiting to see if Congress would take action; and then 
certainly last year there was a major effort in which my office 
participated in working with the Department to prepare that 
proposed rule.
    There was a team working at HHS on this subject. They 
worked intensively on drafting the provision. The proposal did 
get something like 53,000 comments. You are correct, we 
received widespread public reaction to the proposal and, of 
course the Department is looking right now at trying to 
finalize that rule before the end of the year. If it is 
important, we certainly could inquire and provide for the 
committee whatever financial or economic estimates there might 
be from the Department as to what that aggregate cost would be.
    Mr. Moran. I think it would be an interesting 
consideration. And similarly, the legislation on financial 
services modernization required a similar type of study, and I 
think it would be useful to know the resources that are being 
required to conduct that study, as well, because both studies 
seem to be relevant to the subject at hand.
    Mr. Spotila. We can reach out and attempt to get that 
information and submit it to the committee.
    Mr. Moran. Thank you, Mr. Spotila.
    Mr. Horn. We will put that in the record at this point 
without objection. The 6 minutes plus I believe has expired. 
But we will get back to that.
    Mr. Moran. Thank you, Mr. Chairman.
    Mr. Horn. Let me get my 5 minutes in.
    Mr. Spotila, I am curious, what is your view of Mr. Stone's 
objection to the preemption of State law?
    Mr. Spotila. In general, we are deferential to State law 
and to the desire of States to have stronger privacy 
protections. That has been the approach we have engaged in, and 
we are sensitive from a federalism standpoint to that type of 
approach. We realize that there is benefit from having a common 
standard, and Mr. Stone was alluding to the difficulty that can 
occur if there is a hodge-podge of different standards that may 
not be consistent.
    So I think there is a need for balance. Our approach has 
been to try to zero in on things that we felt did have common 
application and that could form a basis, but not necessarily to 
preempt altogether an area where the States have strong 
interest and where they have had a historic activity.
    Mr. Horn. Well, there is no question that industry and 
other entities across America would like one policy and not 50 
policies. But I do remember in this room a few years ago when 
we had the frozen chicken hearing and that was because Tyson 
and whoever else was running the Department of Agriculture, so 
they had a softer freezing thing and California had a very high 
standard.
    I think it is still that way. California has a high 
standard, but they were preempted by the Federal Government 
with a weaker standard. So I wish you well when you are trying 
to get a higher standard, because I think that is what we ought 
to be moving for where we can, but we don't want to disrupt the 
whole economy in the process.
    I will be getting in, with some panels, the European 
situation where every country in Europe is supposed to be 
putting a privacy law on the books, and that will be a real 
problem for American industry, and I have talked to a number of 
presidents, prime ministers, defense ministers, foreign affairs 
ministers and urged them to get subcommittee--or 
subcorporations of European corporations and American 
corporations to give them some advice on the practical aspects 
of this.
    Has your office done any of this in relation to the 
Department of State?
    Mr. Spotila. We have had some contact. Peter Swire has had 
some coordination contact with European Union issues. In fact, 
he is something of an expert from his work in the world of 
academia.
    I would emphasize also that we strongly encourage 
self-regulatory efforts. We do so not only because that is always a 
good thing to do but because very often with well-intentioned 
and interested private sector parties, we can come up with 
better and more sensible approaches. So our sense is that any 
approach, Federal or State, should allow substantial room for 
private, self-regulatory efforts as well.
    Mr. Horn. What evidence do you have that the commission 
could result in delays in the development of the privacy 
initiatives?
    Mr. Spotila. It is a general concern. We have seen some 
suggestions that people who oppose privacy reform would welcome 
any effort to add delay. My colleague from Minnesota was 
mentioning this: now you have a commission, why don't we wait a 
year and a half and hold up everything until the commission has 
reported?
    That is exactly what we think would be a mistake. I 
recognize that you emphasized that is not the intention here, 
but there is concern that there are those who might use it in 
that way. We have to be sensitive to that concern in 
considering any approach like this.
    Mr. Horn. Well, I would think with 17 people there, there 
could be a majority. I think if it is broadly spread out among 
the various interests and not just one interest or two 
interests, I would think that kind of dialog and discussion 
would be worthwhile. I think back to the Hoover Commission in 
the late 1940's and the early 1950's, and that made major 
proposals to the Federal Government and a lot of progress was 
made. And what I have found over the years, if you don't have a 
mechanism which brings people together, gets a consensus, that 
you are just going to be spinning the wheels in Congress, and 
you would be better off having a group of people, including 
experts and others, who just ask the question, ``Why? It sounds 
dumb to me, now explain it to me.'' If you go through that 
process, you are more likely to get legislation out of the 
Congress, I would think. But you might take a look at it.
    And then I guess I would ask you, Mr. Spotila, what section 
of the bill puts at risk the release of classified information? 
Where do you see that in the bill?
    Mr. Spotila. This was a relatively late concern that we 
received from the National Security Agency and the Department 
of Defense. Their concern was that some of the broader 
references to the commission getting information from the 
agencies failed to make a distinction as to the handling of 
classified information. So our sense is, that is something that 
bears further discussion. I would be happy to get back to you 
more specifically with that, although I don't have their 
specific recommendation for how that might be addressed. They 
certainly do feel there ought to be some specific approach to 
classified materials to the extent that they might be drawn in.
    Mr. Horn. Well, since Mr. Hutchinson is next with 5 
minutes, you might want to continue that discussion, and I am 
sure he has many more questions. We would like to know where he 
thinks this great power is found.
    Mr. Hutchinson. Thank you, Mr. Chairman.
    I would very much like to address a concern which has been 
raised on national security issue. That seems relatively simple 
to fix, but very important and it sounds like you have put out 
a request to different agencies, maybe responding to the 
commission idea and getting some feedback; and I would love to 
have the benefit of any concern, positive or negative, about 
the commission.
    Mr. Veator, thank you again for your testimony. If you 
would give my regards to Lieutenant Governor Swift, I enjoyed 
and appreciate her work on privacy. And one thing that struck 
me about your testimony is that you mentioned two or three 
bills are pending in State legislatures dealing with the 
privacy issue now. In your State of Massachusetts, have you all 
passed any substantive privacy legislation?
    Mr. Veator. I think that there are--the short answer is no, 
I think not in the last year or so. There are several bills 
that are quite close, working their way through the legislature 
relating to--primarily to medical and health privacy. There are 
two bills relating to financial service, primarily to financial 
services privacy.
    Mr. Hutchinson. Are you aware of some States that are using 
the commission approach to developing their own State policies 
on privacy?
    Mr. Veator. I am not aware of other States, just our 
experience where we tried to pull together as many people as we 
could with diverse stakes, if you will.
    Mr. Hutchinson. General Hatch may be aware of that. Are you 
aware of any States, Mr. Hatch?
    Mr. Hatch. In Minnesota, we did try to appoint a task 
force. The problem is it ends up being, as you have indicated, 
a lot of interest groups. The purpose of a task force is to do 
one of three things: either find out the technology of an issue 
that we cannot as lay people figure out; second is develop, by 
consensus, on an issue that we cannot get people to agree; and 
the third is to avoid the issue altogether.
    In this case, there is no science. There is science creates 
the issue. The technology brings in part the issue, but it is 
not a hard one, a fundamental issue of privacy. It goes back to 
the beginning of this country and even further than that. It is 
a value issue. Restatement of torts, courts have covered it, 
statutes have covered it.
    It is not a consensus. We will never get a consensus on it. 
You have got too many companies that make exchange on the data, 
too much legal and I think questionable activity that goes on 
by the use of the information versus the fundamental right of 
privacy. So the third becomes the issue to defer.
    When we tried it, we quickly recognized that it doesn't 
work. You are not going to get a consensus on it. The first 
meeting we figured that out. It isn't going to occur.
    Mr. Hutchinson. Mr. Hatch, if I might follow on on some of 
your comments, I think you are right. I think a task force, or 
in this case a commission, can do a number of things. One is to 
help build a consensus. You also mentioned the possibility of 
delay. And again that is not the intent, nor do I think it 
should be the result. I think it can be a very positive thing. 
But a consensus to me is important.
    You have introduced legislation in your State of Minnesota 
addressing privacy, and I think specifically toughening up the 
opt-in on the financial records.
    Mr. Hatch. Right.
    Mr. Hutchinson. Has that passed?
    Mr. Hatch. It's passed one house and hopefully we have 2 
days left, we can get the other house to do it. But we have 59 
hurdles to overcome to get to those votes.
    Mr. Hutchinson. You have 59 hurdles in Minnesota. We have 
435 hurdles in the U.S. Congress. And so consensus is important 
for us to build as well. And I disagree, I think that, you 
know, you indicate that the American public either believe or 
don't believe or industry believes or don't believe. I think 
information is crucial. And I think that one of the things this 
commission provides is that you have hearings. And it's not 
just to receive information, but it's also an education 
process. People have a great understanding as to how privacy 
can be protected, but also that some exchange of information in 
terms of health records or health might be important for 
research.
    So information is valuable in building that consensus, and 
so I hope that that would be the goal of this commission.
    Mr. Chairman, you were generous to offer to put things in 
the record. It was pointed out by your staff that the committee 
received a letter from the office of the Attorney General of 
the State of Texas, and has that been made a part of the record 
yet?
    Mr. Horn. I was planning to make it at the end of the hearing 
and quote various paragraphs.
    Mr. Hutchinson. Well, this is your thunder, but I was going 
to ask whether Mr. Hatch--General Hatch, if other Attorney 
Generals that you have talked to have looked at privacy in 
their States in terms of whether it should be the State level 
multitude of layers of privacy or whether there should be a 
national standard. Has that been addressed?
    Mr. Hatch. We've had discussions on it. I think it is safe 
to say that most, I won't say all, but many of the Attorney 
Generals are in agreement that it ought to be. It is a part of 
the police powers of a State and it ought to be addressed at 
the State level. It certainly ought to be addressed at the 
Federal level. I think the confidence level that Congress will 
address it is very low. We saw that with FSMA. The bill passed 
and it was basically dressed up as a basic privacy act, but it 
was a bank disclosure act. Banks have more authority to 
disclose information.
    Mr. Hutchinson. Are you speaking of the Gramm-Leach-Bliley 
legislation that provided for an opt-out provision?
    Mr. Hatch. Actually, it provided for, sir, a provision to 
trade information without an opt-out to any affiliate. It 
allows them to trade information without an opt-out to any 
other company for the sale of financial products, and then it 
defines a "financial product" very broadly. So it basically 
did little, if anything. There would be an argument that it 
tromped on the fiduciary laws that have been enacted and have 
been longstanding in many States.
    Mr. Hutchinson. I think my time has expired, Mr. Chairman. 
I was going to have Mr. Spotila respond to that from the 
administration standpoint, but I yield back to the Chair.
    Mr. Horn. Go ahead. We will give Mr. Moran extra minutes.
    Mr. Hutchinson. Mr. Spotila, do you believe that we should 
have Congress address further the Gramm-Leach-Bliley provisions 
that the Attorney General just referred to?
    Mr. Spotila. It is our position that the statute was a step 
in the right direction, but it did leave gaps that do need to 
be addressed.
    Mr. Hutchinson. And right now the administration is 
adopting the regulations to carry that out. There is 
legislation pending that would adjust that. It is my judgment, 
there--this legislation might move forward. And if it can, 
terrific, if you can build a consensus. But would a commission, 
though, looking at this from a substantive standpoint, look at 
the impact of your regulations that the administration is 
putting out and how industry is adjusting to that, getting 
consumer feedback; the commission would take that and make a 
recommendation from there. Would that not be helpful in 
building consensus to move forward?
    Mr. Spotila. Actually, this is an interesting point, 
because as I mentioned in my testimony, one of the areas we 
have a lot of concern is that the commission might be a reason 
for people not to take action on financial privacy legislation 
that we think is clearly needed after that statute. If that 
financial privacy legislation did move forward and the 
commission was now studying what, if anything else--assuming 
there was a commission--what, if anything else, was needed 
after that, without having delayed this process, the argument 
for it would I think be stronger than if it were to suggest 
that we should hold up completely financial privacy legislation 
and let the commission try to develop consensus and look at 
this in a couple of years.
    Our sense is that this is a more urgent priority and that 
part of the challenge here as the Congress considers this bill, 
is how it might form a mechanism or create a mechanism that 
would allow us to consider that longer view in studying these 
issues without paralyzing us in areas that are of real 
priority, where action is clearly needed and needed more 
swiftly.
    This is actually one of the most sensitive areas about the 
bill and one that gives us some discomfort for this reason.
    If I might add, as to your earlier question on the issue of 
classified information, the language in section 7(c), which 
indicates that the commission may secure directly from any 
department or agency information necessary to enable it to 
carry out the act, and that the head of that department shall 
furnish that information to the commission, is the language 
that the agencies specifically are concerned about because it 
does not differentiate whether that information is classified 
or not. And there is no provision here that indicates the 
commission is equipped to handle classified information.
    So that is the specific provision that we are concerned 
about. As to how, if at all, that could be refined, we would 
have to get back to you.
    Mr. Hutchinson. Thank you, Mr. Chairman.
    Mr. Horn. The gentleman from Virginia. We are going to 
start 10-minute rounds now. It is like a dance out of the 
1930's. So go ahead, my friend.
    Mr. Moran. Thank you, Mr. Horn. I don't want to put our 
witnesses through too long a marathon session. I will try to 
wrap up any further questions I have at least today in this 
round.
    Let me ask Mr. Spotila again, in light of the efforts that 
were made with regard to medical privacy culminating in the 
regulations in August 1999, and the financial services 
modernization effort that is currently being made, has OMB done 
any preliminary analysis as to what resources might be required 
to perform the kind of commission that we are talking about? 
Has there been any discussion in that regard?
    Mr. Spotila. I'm not aware of OMB having tried to estimate 
the cost of the commission. That's not necessarily something we 
would try to do. I'm sure if you would like us to, we could 
try----
    Mr. Moran. Have there been discussions at OMB as to the 
benefit of having a comprehensive study instead of the ad hoc 
reactive study as a result of legislation, whether it be in 
medical privacy or financial privacy areas?
    Mr. Spotila. There has been discussion not only within OMB, 
but within the administration on this issue of what I call the 
more targeted approach. When it works well, it is targeted and 
focused and very pragmatic; when it doesn't, it is very ad hoc and 
kind of irresponsible. This is versus a broad approach which 
might be either visionary or a waste of time. We have had a lot 
of discussion about this.
    Our concern is, that if the commission is focused on too 
broad an area, then it won't produce much of value, and if its 
timeframe is too distant, it might not inform decisionmakers on 
matters that need more urgent attention. That is not to say 
that it is impossible for a commission to add value. That is 
not what we are saying at all. We do have concerns about how 
this balance might be struck, however, and concerns that the 
way the bill is crafted now, it might not be striking the 
balance correctly.
    Mr. Moran. Give me a moment to consider what you just said, 
that you might not be striking the balance correctly. I would 
not have been surprised if the administration had recommended a 
broad study so that it could make its recommendations in a 
consistent framework, particularly given the resources that are 
currently going into the information security effort, which is 
very much related to this.
    Mr. Spotila. Yes.
    Mr. Moran. And I know that those efforts are substantial. 
They are being coordinated--actually, we are trying to figure 
out the best place for it to be coordinated. But there is an 
office--you are involved in that coordination?
    Mr. Spotila. Yes, I am.
    Mr. Moran. And it would seem that when you make broad-based 
policy recommendations that are applicable to medical privacy, 
that there should be some consistency in terms of individual 
privacy with regard to financial services as well, and that 
would include profiling issues, the issues of shared 
information that enhance customer service.
    So I guess I was a little taken aback, or questioning at 
least, of the effort on the part of the administration to take 
a position that we need legislation immediately. And I'm 
referring to the President's recent speech that protected 
people's privacy without having a good idea of how it is that 
you want to do that beyond what was included in the medical 
effort that HHS conducted. In terms of financial services, we 
haven't done it yet. I mean, we've got legislation. Regulations 
haven't actually been issued. And my interest is in trying to 
keep the issue from being politicized and to put forward 
legislation that not only stands the test of time, but has some 
consistent principles that are applied broadly, whether it be 
in medicine or financial services or in any other area of 
electronic commerce and communication.
    But I'm not lecturing you. I just wondered--do you have any 
comments on that before I go on?
    Mr. Spotila. Again, when I talked about striking a balance, 
what I meant to say was that we see pressing needs in the area 
of protecting privacy, financial records, medical records, 
genetic discrimination. There are pending legislative proposals 
in front of the Congress that we believe are well conceived and 
well drafted. They could perhaps be refined further, but they 
are good pieces of legislation and we do not want to see those 
bills frozen because a commission is set up to look at the 
whole subject of privacy in all of its ramifications.
    Now, having said that, that does not mean that we don't 
share your sense that privacy is important and that we need to 
study it in a comprehensive way and that we will need to be 
doing this over a period of time.
    Mr. Moran. And that we need some consistent principles in 
the projection of government policy.
    Mr. Spotila. Exactly.
    Mr. Moran. Mr. Chairman, I'd like to ask of the three other 
witnesses your expectation and recommendations with regard to 
the issue of whether this commission should deal with State 
legislation in terms of a Federal floor and what the downside 
of doing that would be. Of course, the other alternative is to 
simply preempt State legislation with Federal legislation and 
there is precedent for doing both.
    Maybe we can ask Mr. Veator and then Mr. Hatch and Mr. 
Stone.
    Mr. Veator. Thank you, Congressman. We obviously generally 
do not like to have our efforts preempted. On the other hand, I 
think that is one of the issues that the committee will have to 
look at as to whether or not preemption, whether it is a floor 
or overall preemption, should be applied differently to 
different levels--excuse me, different areas. To the extent that 
we are talking about criminal statutes, that is traditionally 
within the police powers of the State, then you may not want to 
preempt those kinds of things.
    On the other hand, financial services seem to be 
increasingly national, if not international, so some level of 
preemption may be more appealing. Oddly enough, health care and 
health information, insurance companies that provide or pay for 
health care generally are still licensed on a State-by-State 
basis, so it may make sense for States to retain the ability to 
legislate in those areas.
    Mr. Moran. Would you narrow the scope of the commission to 
what States--other State studies have done? Have you considered 
that?
    Mr. Veator. I don't--at some point, obviously, the 
commission would want to figure out what needs to be looked at, 
because as I think one of the witnesses said, privacy is 
pervasive in every area and the things you keep hearing, again, 
are financial services, health, identity theft, personal 
security, that is sometimes threatened by the dissemination of 
our information. I'm not so sure that the commission needs to 
narrow its inquiry. In fact, I think one of the things that the 
commission would have to do is see how all areas of privacy are 
becoming increasingly related as industry converges as we go 
on-line and information becomes more and more available.
    Mr. Moran. Thank you. Mr. Hatch.
    Mr. Hatch. Sir, I think that certainly with the Internet 
you're dealing more with interstate commerce, and I think a 
Federal approach to it would probably be best. With regard to 
banks, insurance, the type of issues that have--medical, I 
think the States certainly ought to be able to exercise their 
police power. Once again, I'm not excited about the idea of a 
commission. I just have bad vibrations about it, and in the 
sense that I'm afraid that it's going to be used just to delay 
action by policymakers.
    And for what it's worth in terms of coming up with 
consistent principles, I would recommend to Congress to look to 
the restatement of torts on privacy. I mean, it has a very 
long-debated, researched application of the law. The problem is 
it doesn't--they have great principles, but nobody ever 
anticipated the change in technology in terms of the speed with 
which information is exchanged. But the principles are still 
the same. It is a balance: your expectation of privacy versus 
the right to know.
    Mr. Moran. That's the point we make that things are 
happening so fast that self-regulatory capacity seems to be 
developing. Mr. Stone.
    Mr. Stone. Thank you, Mr. Moran. I think that while the 
concept of a Federal floor and individual State regulation or 
legislation has some appeal, I think what we are going to be 
left with is the same patchwork quilt of legislative and 
regulatory requirements that we currently run the risk of 
facing today. And as the chairman mentioned a few moments ago, 
one of the issues that we have to deal with is where do you set 
the standard for Federal preemption?
    I think it is important to recognize that what we are 
talking about here, at least from the perspective that we are 
here today, is first and foremost people and their health. And 
there is no standard essentially high enough that could be set 
in protecting that.
    On the other side of the coin, though, we've heard that we 
have 2,000 to 3,000 pending privacy bills in State 
legislatures, which makes my blood run cold in terms of trying 
to provide services on a national basis. If you're an employer, 
like a Federal Express with employees in all 50 States, Puerto 
Rico, and in the District, and you want to provide a proven, 
comprehensive health program to those employees, if you run 
into the situation where you're able to do that in one 
jurisdiction but not able to do that in another, there are 
obviously some real problems.
    I think 50 years ago, health care was very local. You had a 
local physician, you had a local hospital, you never went 
outside of town, maybe to the nearest big city for your health 
care. I don't think that's true today. I think if any of you 
gentlemen found yourself in need of hospitalization or health 
care services here in the District, you would like that 
institution and those caregivers to be able to communicate with 
your caregivers in your home States. And it is not atypical 
today for people to travel many States away for health care and 
for us to be dealing with, because of technology and just 
because of the aggregation of services, a provision of services 
from people in States different than where the patient may 
reside.
    I suggest that that is a pretty good picture of what the 
framers had in mind when they were talking about interstate 
commerce, and I don't think that it is true today as it was 
several years ago that health care is entirely local and 
constrained within the boundaries of the State in which the 
patient may reside or in which they may be living at the time 
that they're receiving care.
    So I would urge, again, for consideration of Federal 
preemption, set the standard as high as consensus of you and 
your colleagues will allow to protect both the rights of 
privacy, the need for confidentiality and the ability to 
provide services to the people of America.
    Mr. Moran. Thank you. Thank you, Mr. Chairman.
    Mr. Horn. I thank you, and will now go at a few other 
questions that are somewhat generalist. Mr. Spotila, the 
thought is that in view of the recent attack on the Federal 
computer systems, what is the Office of Management and Budget 
doing to ensure the security of the personal information that 
is stored on government computers? And obviously that is a 
major problem. We can do all the legislating we want to have 
privacy, but if somebody can get access regardless of that, 
what are the plans in that area the administration has?
    Mr. Spotila. We have been giving this area priority for 
some time now. And let me begin by saying that although we are 
greatly committed to this, and are of the belief that we 
currently offer good protection to that data, we also 
understand that the security threat is an ongoing challenge and 
that there is never a final answer here; that there is a need 
to continue to maintain and upgrade security as one goes 
forward in light of changes in technology and changes in the 
possible threat.
    We have been working at the Office of Management and Budget 
with all of the agencies to improve their approach to 
information security. We have put out best practices and sets 
of principles. We have integrated the need to consider 
information security planning into their information technology 
planning in the budget process. There was significant 
improvement last year and the Director this year has given new 
guidance to the agencies so that this will be rolled into the 
budget process from the very beginning, going forward.
    We think that's extremely important. What we have said, 
that security is not an add-on, and that one must approach 
information security in an integrated way from the very 
beginning as technology planning is done, reflects the best 
advice of GAO and certainly our best thinking as well.
    We are working, in addition to that, with our security 
agencies, with the law enforcement agencies and with the 
President's advisor on counterterrorism so that we can support 
initiatives in that area.
    This will be an ongoing challenge, and we certainly look 
forward to working with you and this committee as we go forward 
in this area.
    Mr. Horn. In your testimony, you mentioned the Health 
Insurance Portability and Accountability Act of 1996, and you 
quote Assistant Secretary of Health and Human Services, 
Margaret Hamburg, as to believing that legislation is the only 
way to ensure health information privacy.
    Has--and that's the bottom of page 4 of your testimony. And 
the question would be, has the Department explored other 
alternatives?
    Mr. Spotila. Well, among other things, the Department is 
working on finalizing the health privacy regulations that we 
referred to earlier. It will be issuing a rule this year that 
we think will be very constructive. We are just concerned that 
the enforcement powers that are available under existing law 
are not as effective as they should be and that Federal 
legislation is needed so that anyone who would misuse personal 
health information would be subject to accountability. It is 
really a matter of building on some of the positive steps that 
have taken place in the past, including these rules that will 
be coming out this year, and filling in other gaps.
    Mr. Horn. Is there any thought as to the type of penalty 
that might apply at this point?
    Mr. Spotila. Well, there has been a variety of testimony on 
what new legislation in this area might look like or what it 
ought to look like. We think it is necessary to set the 
standard correctly first, and then to address penalties. I 
think that we have to fill the gaps and make it clear that we 
recognize the sensitivity of health records, that we think that 
the individual should have some control over how those health 
records are used and that they shouldn't be used without 
consent. These principles are vitally important and there are 
some gaps in terms of how they are applied.
    The specific penalty could vary. I think the notion that 
we've set those standards and that we've tried to address those 
gaps is the most important principle.
    Mr. Horn. Now, has the administration already come up with 
that in the draft of the Health and Human Services--or do you 
have other drafts going with the principal idea?
    Mr. Spotila. There is, as I mentioned, a proposed rule that 
went out for comment that got 53,000 comments. The Department 
is working on finalizing that rule. It is a huge task. 
Reviewing all of those comments and taking them into 
consideration will be very time consuming. Our timeframe on 
that is to get the rule out this year. The possibility of 
future legislation is something that could be looked at.
    Mr. Horn. We've got fiscal years, we've got calendar years. 
Which year?
    Mr. Spotila. I'm referring to calendar year 2000 for 
getting the rule out, with the proviso that we would like to do 
it as soon as it could be done. I don't mean to suggest that it 
will be the last day of the calendar year.
    Mr. Horn. I wanted to know if it was the midnight judges' 
technique.
    Mr. Spotila. We would very much like it not to be. Part of 
a responsible approach to a rule like this is to consider 
seriously those comments that members of the public made and to 
take them into account and address in the preamble to the rule 
what the Department believes about those comments. When you get 
53,000, that's a big job. So we are trying to get it right. We 
are trying also to be fair and proper in the process. So it 
will be time consuming, but we think the rule will be a good 
one when it comes out.
    Mr. Horn. One of the arguments against developing a new 
privacy commission is the potential that old work will be 
duplicated. I just want to ask you if you and your staff and 
the HHS staff, have they looked at other commission studies at 
the State level and individuals in Washington think tanks? And 
what kind of help have you relied on?
    Mr. Spotila. We have attempted--and the Department, 
obviously has had the lead here--we have attempted to draw on 
all of those studies and all of the information that we know 
of. So that would include those to which you refer. That in 
going forward in setting up a sensible rule, we could take into 
account that wisdom.
    The comment about the commission or concern about the 
commission is that it's important that any future effort that 
studies the privacy area should also build on what has gone 
before and that should be a guiding principle.
    Mr. Horn. Moving to Mr. Veator, in your testimony you 
mentioned that businesses were taking steps to protect private 
information. Could you sort of describe the Massachusetts 
experience and what is happening in that area and what 
companies have been successful?
    Mr. Veator. Well, since finalizing our legislation, we have 
had the opportunity to meet with a number of businesses who are 
either happy or concerned at different levels by it, and we 
have had the opportunity to learn what their privacy protection 
policies are. And I note that I think that the FTC sweeps Web 
sites. Web sites with privacy protection policies have gone 
from something like 14 percent to 56 percent in the last year. 
So I think more and more companies are aware, especially 
on-line, that they need to have some sort of privacy protection right 
up front.
    Mr. Horn. Now, as I understand it, the Massachusetts 
Lieutenant Governor has taken an active role in the issue of 
privacy as a member of the Federal Trade Commission study on 
privacy. So you found that to be helpful, I take it?
    Mr. Veator. I think it was both helpful and informative as 
to how a commission approach really could be very helpful. The 
particular FTC committee was on providing consumers with access 
to their personal data on-line and ensuring security of that 
data at the same time. The committee managed to get 40 
representatives, approximately, from industry, privacy advocacy 
groups, from around the country, and the depth and wealth of 
information I think that was available in the room when those 
people met and on lots of conference calls was instrumental in 
putting together what I think is a very robust analysis of 
security and access.
    Mr. Horn. Mr. Stone, I'm curious; in your testimony you 
discuss the positive effects on disease management when medical 
records are accessible to companies such as American Health 
Ways. Now, beyond the patient's name and the physician's 
diagnosis, what kind of information do these companies really 
receive? Is it address, Social Security number, entire medical 
history or what?
    Mr. Stone. Mr. Chairman, it's the entire medical history, 
both past and going forward, that is received and used by a 
disease management organization. I think that recognizing we 
are dealing with a chronic disease population, it's problematic 
to think of the use of information in an episode-of-care kind 
of fashion that permeates so much of American medicine. In 
order to help people with chronic diseases who are ill from the 
day they're diagnosed and until the day that they die, we need 
to know how to work with them and their physicians in order to 
develop and implement care plans that are responsive to the 
changes in their condition over time.
    So we start out with a complete medical record consisting 
of claims information, the insurance company; pharmacy 
information, the pharmacy benefits manager; lab information and 
any information which we can get--which proves to be difficult 
sometimes because physicians are still pretty much on paper 
processes in their office--and information from the patient. As 
this information is updated over time, the patient's 
stratification within the system will change and the 
interventions which are provided in support of their self-
management efforts and in support of their physician's care 
plans will change as well.
    So it becomes a rather comprehensive clinical and financial 
database of information with respect to each of the patients 
that are in the program.
    Mr. Horn. Mr. Stone, are there other companies such as 
yours?
    Mr. Stone. Yes, sir, there are.
    Mr. Horn. How many are we talking about?
    Mr. Stone. Well, the current count is somewhere around 170. 
I would suggest that a number of those organizations, however, 
are claiming to provide disease management services in order to 
take advantage of some of the protections that have been 
afforded them under the HHS proposed regulations and which were 
even included in Senator Jeffords' bill on privacy which did 
not emerge from committee last year. And one of the things that 
we hope that Congress and/or this commission can do is begin to 
draw the distinction between those disease management efforts 
which are legitimately aimed at improving individuals' health 
and those that are masquerading as a way to offer that 
chronically ill population something for sale.
    Mr. Horn. So disease management would be a generic term, 
then, for describing the 170; is that correct?
    Mr. Stone. Yes, Mr. Chairman.
    Mr. Horn. Do you know of any examples where other firms 
than your own have violated a commonsense standard of privacy?
    Mr. Stone. I can't say specifically. I think that if the 
committee were to look at the broad variety of organizations 
that are claiming to provide disease management services, and 
the broad variety of the scope of services that are being 
offered, staff might very quickly be able to identify segments 
of the disease management industry that might fall into that 
category.
    Mr. Horn. Let me ask you this. We have in this country a 
traditional checks-and-balance system, and on the health side 
you have got outside company inspections. And groups that do 
this are Veterans Administration, hospital consultants, and so 
forth. And what other balances do you see to try and keep 
privacy sacred, if you will, if the individual wants that?
    Mr. Stone. Well, if I understand your question correctly, 
Mr. Chairman, I think that it's important to recognize that 
disease management as a concept is only 6 or 7 years old, and 
has made significant strides toward professionalization and 
self-regulation over the last year to 18 months. I fully 
anticipate that within the next year to 18 months, we are going 
to see emerge accrediting programs for disease management 
organizations. I know that such programs are under 
consideration by the Joint Commission on Accreditation of 
Health Care Organizations, URAC and NCQA, among others, and I 
think those are going to come into play in the relatively near 
future. I think clearly that kind of good housekeeping seal of 
approval will go a long way to assuring patients and physicians 
and health plans that the information being received by 
organizations with that kind of accreditation has met a certain 
set of standards.
    In the interim, the industry has--is working on its own 
statement through the Disease Management Association of America 
on privacy, on the minimum standards that should be in place, 
and I think that we are going to see not only the accreditation 
process develop but a rapid shrinking of the number of 
organizations offering disease management services as those 
industry efforts for self-regulation take hold.
    Mr. Horn. Now, remind me on that. In your testimony it 
seems to me there is real concern about State privacy laws that 
inhibit people from getting the treatment they need. How 
serious a situation is that and should that be Federal 
preemption?
    Mr. Stone. Well, I think, fortunately, the States have been 
relatively slow to the legislative process. There is State law 
in California which was passed at the 11th hour in their last 
legislative session which is currently going under emergency 
remediation because of the essentially chilling impact it had 
on the delivery of disease management service.
    I think everybody is familiar with the effort in the State 
of Maine last year which, while well-intentioned, prevented 
clergy from visiting people in the hospital because the 
hospital couldn't tell the clergyman whether the patient was 
actually there.
    Mr. Horn. I thought the flowers example was particularly 
upsetting.
    Mr. Stone. Massachusetts has legislation pending. Texas has 
legislation pending. Florida has legislation pending. Certainly 
three bellwether States in terms of health care regulation.
    All of which was modeled after the California bill which 
managed to pass, and the industry association is also lobbying 
hard in all of those States, pointing out that the California 
bill is about to be repealed, at least as it relates to disease 
management.
    I think that to the extent that the organizations who are 
providing these services on behalf of health plans, their 
members and physicians recognized, again, that this is people's 
health we are talking about, the issues become fairly 
straightforward. It's when you fall over the line into the 
provision of health care services or would-be provision of 
health care services in support of commerce or some other 
product or service that the abuses that we've all heard about 
come to pass.
    Mr. Horn. Attorney General Hatch, does Minnesota have a 
Freedom of Information Act?
    Mr. Hatch. Yes, sir, we call it the Data Practices Act; but 
yes, sir.
    Mr. Horn. Has the impact of privacy laws--or would it be, 
in your mind--in any way change the Freedom of Information Act 
or would the State have to change it if they had a privacy law?
    Mr. Hatch. No, sir. We took--at least the way we're 
approaching it is we take one segment of society, take it issue 
by issue: banking, financial data, versus health data versus 
government data. And oddly enough in Minnesota and I think most 
States and certainly in the Federal Government, the issue of 
government data has been with the Freedom of Information Act 
and the Data Practices Act has been debated and there are 
statutes in place. There is some effect on government data in 
Minnesota with regard to the Shelby amendment on driver's 
licenses. We are having a debate on that issue. But pretty much 
government information is leaving it alone in terms of what the 
Data Practices Act contains, which parallels very closely what 
goes on at the Federal level.
    Mr. Horn. Well, let's hear about the Federal level. Mr. 
Spotila, how much, if any, would be a problem with, say, the 
HHS privacy regulations which are out there now and the Freedom 
of Information Act? Is there a problem there, and has anybody 
between Justice and your office thought through those problems?
    Mr. Spotila. Our sense is that there is not a problem, that 
the Freedom of Information Act has always allowed for the 
protection of private information of the sort that we are 
talking about, individual information.
    In terms of what the HHS rule will look like as a final 
rule, that is still in the course of development. We're 
certainly sensitive to not creating a problem with the Freedom 
of Information Act; that would be something that we are always 
going to be careful about.
    Mr. Horn. Do any of you see any problems here that we 
haven't brought up yet that you'd like to raise and maybe did 
not raise in your own statements? Do you have something, Mr. 
Spotila?
    Mr. Spotila. Nothing else, other than as I mentioned, that 
we welcome the good intentions that are reflected in this bill 
and would look forward to working with the committee further.
    Mr. Horn. Getting back to Mr. Hatch a minute, in your 
testimony you talked about the need for the States to take 
action on the issue of privacy. Our staff has talked with 
people from the Mayo Clinic and the University of Minnesota. 
They discussed their concerns with privacy legislation 
initiated in the Minnesota legislature saying the opt-in policy 
was not successful for them.
    Mr. Hatch. Sir, what that relates to is it is a separate 
bill. In Minnesota, health data is transferred to the 
government without your permission; all patients without 
permission, without knowledge. And what I proposed is a bill 
saying at least you ought to get the consent of the patient. 
Center for Disease Control, Mayo Clinic and everybody else does 
it.
    I am surprised that all of the health information, at least 
health data is being transferred to the Minnesota Department of 
Health Data Institute without even the knowledge of the 
patients, and there are a number of issues that will be coming 
out with regard to how that information is being used.
    In that case, there were physicians at the Mayo Clinic who 
were on the Health Data Institute who opposed it even though 
only 60 percent of the--a little more than 60 percent of the 
patient data that is being sent, again without knowledge, 
people who are charity cases, people who pay cash, people that 
go in for certain types of, say, cosmetic surgery, surgeries 
that are not covered by an HMO or insurer, are not transferred. 
So actually, statistically, the information is not as credible 
as a process where you do get the consent of a patient, simply 
because 97 percent of them will consent to it. In this case it 
is about 60.
    I don't oppose having the information sent to the 
government as long as you don't have a patient's name and 
Social Security number attached to it. And there have been 
examples of leaks; you mentioned yourself, sir, with regard to 
government data being transmitted inadvertently. We had 
examples in Florida of lists and certainly we have other 
statutes that require listing of epidemics--epidemiology with 
regard to transferable diseases. But they did disagree with the 
idea that the patient ought to have to give consent because 
their data is being sent.
    Mr. Horn. Has there been any effect on the quality of 
medical research to your knowledge?
    Mr. Hatch. No.
    Mr. Horn. Here people would argue the Shelby amendment is a 
problem.
    Mr. Hatch. Your Honor, in Minnesota the Department of 
Health has never issued any studies. They gather the data but 
no studies have ever been issued. And, indeed, if they did, 
given the fact that only 60 percent of the data is being 
transmitted, it is probably less credible than the research 
facilities that do get patient consent. They get about 97 
percent data response.
    My beef with that is simply that you ought to at least 
notify the patient. When you walk into a hospital you have to 
sign three times. One of them is a consent form that basically 
allows a transmission. It seems to me before it goes to the 
government, there ought to be some acknowledgment by the 
patient that it goes. Either that, or you can send the data, 
but just don't send the patient's name with it. Give it a code. 
That was my beef.
    Mr. Horn. In other words, your State health department 
could collect this data but would not need to have the address 
and the name of the person that is the result of that data?
    Mr. Hatch. Sir, yes, and my proposal did not pass. So 
that's the one that did not get enacted.
    Mr. Horn. How about it, Mr. Stone? How much of a difficulty 
would that be with, say, the management--disease management 
companies?
    Mr. Stone. I think, Mr. Chairman, there are significant 
differences between research which requires aggregated data but 
does not require, as General Hatch suggested, patient names and 
identifiable information for the analysis on that data to be 
carried out, and for activities that are in the stream of 
delivering health care services, which is where our industry, 
our company, HHS, Senator Frist and Breaux and the President 
have all put disease management as part of the treatment side 
of medicine.
    And to do treatment effectively, you need to know who you 
are talking to and where they live and how to contact them so 
that you can have intermittent actions, whether those be face 
to face, phone, Internet or whatever, with those individuals in 
order to further their care.
    Mr. Horn. But does the patient know that this personal 
information is being released to you?
    Mr. Stone. I would say probably not, since in our case, 
anyway, all of our programs are private labeled for the insurer 
who is our customer. So the patients and their physicians are 
advised of a new diabetes program for Cigna Health Care. The 
patients are given an opportunity, in our model specifically, 
to opt out of participating in that program. Less than 2 
percent do. And if they don't, they begin to receive 
interactions as if our personnel were Cigna's personnel. So I 
doubt that they know that it's coming from American 
Healthways.
    Mr. Horn. Now, you operate in all 50 States or what?
    Mr. Stone. We're currently operating, I think, in 33 
States.
    Mr. Horn. In 33 States; is there any way that employers, 
insurance companies, could get those lists of yours with, say, 
diabetes or cancer or whatever?
    Mr. Stone. Other than the insurance company that we are 
providing the program for? I guess there is, given the ability 
to tap into electronic data systems. But it would be extremely 
difficult since we are not using the Internet, we are operating 
on a closed network at the moment and we are transferring 
information back and forth with our insurance plan customers on 
a weekly or monthly basis.
    Mr. Horn. Well, what kind of data could you find in a small 
Minnesota town, let's say, where you have got 200 people and 
Olie is 57 years of age, you don't need his name, everybody in 
town knows he's 57. Isn't that a worry for you? I think it is 
for a lot of people who say, gee, the boss is going to hear 
that I've got this disease and there goes my pension.
    Mr. Stone. I think that the issue you're raising, Mr. 
Chairman, is a very real issue. Most of the companies that we 
have talked to do not want to know, and create some very 
serious iron walls between their H.R. functions as it relates 
to their employees and those individuals in the organization 
who may have personal health care information and the review, 
hiring, firing processes of the company.
    We do not provide information back to an individual's 
employer. Our exchange is strictly limited to the health plan 
that has hired us to work with their members and their 
providers for the delivery of disease management services. So 
it is a very tight network.
    Mr. Horn. Well, could that health plan just cancel them 
like that? I find health plans aren't exactly easy to deal 
with.
    Mr. Stone. Without meaning to, obviously, to step on our 
customers' toes, again, I guess that's certainly possible. I 
think what's happened in the health plan industry--and I would, 
you know, defer to their industry association for more detailed 
response--that they have recognized finally that the days of 
riding the utilization review and contracting horses to margin 
are over. And with somewhere between 10 and 15 percent of all 
their members having chronic diseases, with all of us getting 
older, and therefore sicker, health plans have begun to realize 
that if they are going to ever return to any kind of reasonable 
margin level, they are going to have to take care of patients. 
And the basic premise underlying all disease management is that 
healthy people cost less.
    Mr. Horn. Now, you work with university medical researchers 
on a lot of your work?
    Mr. Stone. No, we don't.
    Mr. Horn. You don't?
    Mr. Stone. No.
    Mr. Horn. So there aren't any studies being done, then, as 
to the success or not success?
    Mr. Stone. Well, in fact, there are. In 1998, there was a 
study released by the Lewin Group, Dr. Rubin was the principal 
author, former assistant Secretary of HHS, which validated our 
outcomes for our diabetes program for 7,000 commercial members 
in HMOs. And as I alluded to in my testimony, next week we will 
be releasing a similar study on 20,000 HMO members in Medicare-
Plus Choice plans.
    So despite the fact that we are a commercial venture, we 
are fully prepared and have always been prepared to put our 
results out there to stand the scrutiny of public and 
scientific review, and in the hope that people will come to 
recognize that these kinds of programs do improve health, do 
create satisfied consumers and providers and save significant 
amounts of money.
    Mr. Horn. Let me round that one out. When an organization 
or a company such as yours or other types in medical research 
receive public money for, say, research, does the taxpayers or 
the government at all levels have access to private records 
used in a publicly funded study? I would be interested in what 
you all think on that one.
    Mr. Stone. I don't know that I have the expertise to 
respond to that. I do know that 2 years ago we entered into an 
agreement with NIH to provide them with blinded aggregate data 
from our database. And it is now the largest single database on 
diabetes in the country. NIH was perfectly happy to take that 
data in a blinded format without any patient identifiers on it. 
Although I have to admit in 2 years they have never once asked 
us for anything.
    Mr. Horn. Mr. Hatch.
    Mr. Hatch. The issue I was going to advise in private 
practice as a lawyer--I represented insurance companies and 
third-party administrators as well as some patients, actually, 
but the third-party administrators of self-insured plans all--I 
shouldn't say all, but most at one time or another do get a 
request from an employer with regard to issues concerning 
health care. They were uniformly advised you have ADA issues 
here; don't recommend that you be doing this. On the other hand 
they are telling me: That is easy for you to say, but that is 
my largest client.
    And I recall vividly, one being a trucking company, 
requests the copies of anyone having chemical dependencies. The 
issues here--this is the other side of it. The public, if 
you're a patient and you're aware that that data is going to be 
transmitted beyond the doctor, you won't get treatment. I will 
not go in for chemical dependency treatment if I know that my 
employer will find out. Or as an Attorney General, if the 
voters would find out, maybe it is something that I want to 
keep confidential.
    Too many areas, venereal diseases, there are too many 
issues that crop up in our lives. But if I know that that is 
being transmitted, that is going to interfere with the 
physician's ability to treat the patient.
    And I don't have any problem with aggregate data, even with 
patient identifier data if the patient signs off, gives a 
consent. And my understanding is that roughly 97 percent of the 
public will give consent on that, at least participated in that 
decision.
    Mr. Horn. Mr. Veator.
    Mr. Veator. We currently have a bill in front of the 
Massachusetts Legislature relating to just that question. And I 
think the issues have come down to the same, which is how do 
you ensure or motivate the use of aggregated, deidentified 
data, and then how do you protect people who want medical 
services and at the same time are aware that either through 
sharing information by insurance companies between either 
health care insurers or life insurers, how you get medical 
services when they're worried about that data being 
disseminated, properly, as it turns out in many cases. Those 
are the issues I know that the Massachusetts Legislature is 
dealing with now.
    Mr. Horn. In your research on that, in Massachusetts, are 
there a number of States doing the same thing?
    Mr. Veator. I think so. I know that California, for 
example, has either enacted or has something pending along 
those lines.
    Mr. Horn. Let me ask you, Mr. Spotila, what's the Federal 
Government's position on this?
    Mr. Spotila. There are two aspects I would point out. Aside 
from this issue of aggregate data versus treatment information, 
we are also aware that the Centers for Disease Control and 
perhaps other public health agencies might have access to 
information about medical conditions. But they have handled 
that information in accordance with the Privacy Act and other 
confidentiality restrictions. There's always a need for balance 
between proper use and privacy.
    The proposed rule that the Department of Health and Human 
Services has put out on health privacy also deals with this 
subject. We are likely to see an addressing of it in the final 
rule either through the setting of criteria or insistence that 
the identification tags be removed from some of that 
information.
    It's an important question. It's very much on everyone's 
mind, and we are trying to strike the right balance to make 
certain that we don't lose some of the advantages, whether it 
be improved treatment or public health response, as we take 
better steps to protect individual privacy.
    Mr. Horn. Let me move back to Attorney General Hatch now. 
In your testimony, you mentioned how you took legal action 
against the U.S. Bank for selling personal information to 
marketing companies such as Member Works Incorporated. I'm 
curious, what additional actions did the Minnesota courts take 
to protect the interests in personal privacy?
    Mr. Hatch. The courts or the legislature? The courts?
    Mr. Horn. The courts.
    Mr. Hatch. Well, both cases settled, so they did not go any 
further than that. I think there's still a class action that's 
pending in the private side of it.
    In the U.S. Bank case, the bank did agree to prohibit--to 
not agree to any distribution even with consent, basically. 
They cannot distribute information to third-party marketers. 
They can distribute to affiliates on an opt-out. So it is--
oddly enough, that bank is probably working under stricter 
guidelines than any other bank in the country right now.
    The Member Works we did settle. The allegation there was 
essentially they took the data, including the date of birth, 
and basically according to the audiotapes of the supposed 
consent, our estimate is roughly half never agreed to any 
acquisition. While we did not have statistics on it, I was 
surprised at the age of people; it could be that they're the 
only ones home that are answering the phones; could be they are 
the ones that are most vulnerable to a direct sales pitch. But 
it may also be that companies are targeting that group, and I 
don't know. But we will have more knowledge on that I think by 
year end as we're gathering through it and looking at other 
cases.
    But it appears that, you know, the financial data, two-
thirds of fraud basically is directed against senior citizens, 
No. 1, because they've got the money, it is their nest egg; and 
No. 2, they are perhaps more trusting, more vulnerable.
    And financial data in the wrong hands is very--can be very 
dangerous. And the courts have not gone further, but other than 
that, we do have class actions pending.
    Mr. Horn. We have another few hours this week, not for your 
panel, but for the panel on Tuesday and we will set up another 
panel, panels one and two, on the Tuesday one, and then we will 
have a hearing later in the week on a related subject, which 
involves Social Security in relation to privacy and the numbers 
thereof.
    So what I'm going to do today is just thank you all, 
because you have given us a number of vital perspectives that 
we really need, and we hadn't thought about. So I am most 
grateful to you for the testimony you have given to us.
    And I do want to thank the staff for putting this together 
and that is J. Russell George, the staff director and chief 
counsel for the Government Management, Information, and 
Technology Subcommittee; and then on my left, your right, 
Heather Bailey is the counsel for this hearing. Bonnie Heald, 
director of communications back there next to Mr. George; Bryan 
Sisk, the clerk; and Liz Seong, is an intern; and Michael Soon, 
intern. And then Trey Henderson is counsel for Mr. Turner, the 
ranking member, and the minority; Jean Gosa is minority clerk. 
And we have today Doreen Dotzler and Joe Strickland as the 
court reporters.
    And I will now read the statement from the Attorney General 
of the State of Texas and put that in the record.
    I don't know if the Attorney General is Democrat or 
Republican. You might know.
    Mr. Hatch. He's a Republican.
    Mr. Horn. He's a Republican, OK. Because I know the 
Governor has a lot of Democrats in the State government, so I 
did not quite know whether this was one of the Republicans that 
got in. But his letter is very interesting. He said--this is 
John Cornyn, Attorney General of Texas. He says:

    I want to express my support for the privacy commission, 
H.R. 4049, under consideration by our committee here. And this 
legislation proposes the creation of a privacy commission that 
will undertake a comprehensive study of the issues relating to 
the protection of individual privacy and the appropriate 
balance to be achieved between protecting individual privacy 
and allowing appropriate uses of information.
    With the advent of the Internet and the information era, 
privacy has become a central issue for American citizens, 
industry and policymakers. As consumers are becoming more aware 
of the personal information that is being collected and used by 
on-line companies, their concern about individual privacy is 
growing.
    The technology industry is also focused on the privacy 
issue. Recognizing that the future of the Internet depends on 
consumer confidence, the technology community has taken 
laudable steps to develop self-regulatory standing programs to 
build consumer trust in the new medium. The erosion of the 
consumer trust poses a serious threat to personal privacy and 
the future success of e-commerce and thus creates the need for 
government to consider appropriate steps for the protection of 
consumer privacy.
    At the same time, however, we must find a way to protect 
consumer privacy without stifling growth and innovation in the 
rapidly changing world of cyberspace. I believe the 
establishment of this commission is a step in the right 
direction toward achieving this balance.
    Over the past few years, privacy initiatives have cropped 
up across the country. The Federal Government, States, the 
private sector, industry groups, and consumer groups have all 
formed working groups to study the issue. None of these 
initiatives, however, appear to be taking the coordinated 
global approach proposed by the Privacy Commission Act.
    Because the Internet has no boundaries, it is imperative 
that Federal, State and local efforts to protect privacy and 
encourage the growth of the new economy be coordinated. 
Government, industry and consumer groups need to work together 
to help define their appropriate roles in achieving a balanced 
solution to the privacy problem. State attorneys general have a 
unique perspective to share in this debate because we are 
responsible for protecting consumers' rights in 50 States.
    As the Attorney General of Texas, I am deeply concerned 
about the privacy issue. In particular, I am concerned about 
protecting children's privacy and maintaining the 
confidentiality of sensitive medical and financial information. 
In Texas, we are currently studying our laws to determine how 
we can best protect consumer privacy while still encouraging 
the growth of e-commerce.
    My office has created an Internet bureau that will protect 
consumers' privacy on-line in addition to fighting cybercrime. 
Over the last month, I have met with numerous members of our 
very large and growing technology community in Texas. I have 
gained an understanding of the industry's concerns and its 
efforts to regulate itself in the privacy arena. In Texas, we 
are working to protect consumers while fostering the growth of 
technology businesses.
    Because I believe the proposed privacy commission will help 
coordinate the efforts and perspectives of all of us involved 
in the privacy debate, I encourage your subcommittee to support 
the proposed Privacy Commission Act.
    Thank you for your consideration of my views. I 
respectfully request this letter be submitted for the record.

    We thank you; and we thank Attorney General Hatch; and we 
thank you, Mr. Veator, on the State perspective; and we thank 
you, Mr. Stone, on the very interesting and unique model that 
is going on in disease management. And we thank you, Mr. 
Spotila, for giving us the broad view of what is going on in 
the Federal Government. Thank you very much for coming.
    Now, the Democratic staff and the Republican staff might 
have additional questions, and if you don't mind we would like 
you to respond to them because Mr. Turner had to go out for a 
very important meeting. He might well have some questions, and 
we would appreciate it if you would give those answers. We will 
put them in the record without objection at this point.
    At this point, we are recessing until Tuesday at 2 p.m. to 
continue the rest of the panels, and that is in room 2247. The 
full committee, I believe, is in here. It will be in room 2154. 
The full committee is not meeting.
    With that, we are adjourned.
    [Whereupon, at 4:03 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T1178.045

[GRAPHIC] [TIFF OMITTED] T1178.046

[GRAPHIC] [TIFF OMITTED] T1178.047

[GRAPHIC] [TIFF OMITTED] T1178.048

[GRAPHIC] [TIFF OMITTED] T1178.049

[GRAPHIC] [TIFF OMITTED] T1178.050

[GRAPHIC] [TIFF OMITTED] T1178.051

[GRAPHIC] [TIFF OMITTED] T1178.052

[GRAPHIC] [TIFF OMITTED] T1178.053



   H.R. 4049, TO ESTABLISH THE COMMISSION FOR COMPREHENSIVE STUDY OF 
                           PRIVACY PROTECTION

                              ----------                              


                         TUESDAY, MAY 16, 2000

                  House of Representatives,
Subcommittee on Government Management, Information, 
                                    and Technology,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2 p.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn, Turner, and Waxman (ex 
officio).
    Also present: Representatives Hutchinson and Moran of 
Virginia.
    Staff present: J. Russell George, staff director; Bonnie 
Heald, communications director; Heather Bailey, professional 
staff member; Bryan Sisk, clerk; Liz Seong and Michael Soon, 
interns; Phil Barnett, minority chief counsel; Kristin 
Amerling, minority deputy chief counsel; Michelle Ash and Trey 
Henderson, minority counsels; and Jean Gosa, minority assistant 
clerk.
    Mr. Horn. A quorum is present. We have a vote on the floor, 
and we will be in recess until 20 after 2. We're in recess.
    [Recess.]
    Mr. Horn. A quorum being present, this hearing of the 
Subcommittee on Government Management, Information, and 
Technology will resume.
    The subcommittee is continuing its examination of H.R. 
4049, a bill to establish a commission on the comprehensive 
study of privacy protection.
    Yesterday the Honorable John Spotila, Administrator of 
Regulatory Affairs at the Office of Management and Budget, 
testified about the efforts being taken by Federal agencies to 
protect private information against inappropriate disclosure.
    Minnesota's Attorney General Mike Hatch and Mr. David 
Veator, from the Massachusetts Office of Consumer Affairs and 
Business Regulation discussed the complexities of attempting to 
craft appropriate State legislation.
    Our fourth witness was from the private sector and 
discussed why such legislation is necessary. Mr. Robert Stone 
is the executive vice president of American Healthways, a 
company that provides disease management programs to about 
170,000 people enrolled in health maintenance organizations. 
His company sets up treatment plans for patients with chronic 
illnesses. Mr. Stone testified that in many States HMOs share 
their patients' medical records with disease management 
companies such as American Healthways, even though most 
patients are unaware that a third party is viewing their 
personal records.
    With that, we will proceed with the panels today, and we 
will begin with panel one for Tuesday. Mr. Belair I see is 
here, editor of Privacy & American Business; Dr. Mary Culnan, 
professor, McDonough School of Business, Georgetown University; 
Christine Varney, former Commissioner, Federal Trade 
Commission; and Solveig Singleton, Director of Information 
Studies at the CATO Institute; Ron Plesser, legislative 
counsel, 1977 Privacy Commission, and Stanley Sokul, member of 
the Advisory Commission on Electronic Commerce.
    Let me explain how the subcommittee works. We work 
essentially that once--we're going right down the line, and 
your statement is fully put in the record. We'd like you to 
summarize it in 5 minutes so we can have a dialog between the 
Members here and the other witnesses so we get something from 
that besides simply a written paper. In the case of government 
agencies, usually the person's never written the paper, but 
you're different, and I know you struggled over it probably 
like all of us when we are in the private sector.
    So we will also have panel two today, the Honorable Edward 
Markey, Member from Massachusetts; the Honorable Joe Barton, 
Member from Texas; the Honorable Jim Greenwood, Member from 
Pennsylvania, and they will join us on panel two.
    So we think we are without a lot of votes to disrupt us 
today, but that's democracy, so we have to do that. It's always 
a pleasure to take a walk anyhow around here.
    [The prepared statement of Hon. Stephen Horn follows:]

    [GRAPHIC] [TIFF OMITTED] T1178.054
    
    [GRAPHIC] [TIFF OMITTED] T1178.055
    
    Mr. Horn. So we will begin, then, with, besides my opening 
statement, I believe the gentleman, the ranking member on the 
full committee, Mr. Waxman for an opening statement.
    Mr. Waxman. Thank you very much, Mr. Chairman. I want to 
commend you for holding hearings today and yesterday on H.R. 
4049. I regret I was unable to attend yesterday's session due 
to a preexisting schedule conflict. I was flying back from Los 
Angeles. You know how that is, Mr. Chairman. But I understand 
the session was informative.
    H.R. 4049 proposes a $2.5 million privacy commission to 
study a wide range of very complex issues that affect a 
tremendous number of stakeholders. It is important to examine 
this proposal carefully and ensure that those with relevant 
expertise and experience have had a chance to review it, and I 
appreciate that you facilitated that process with this week's 
hearings.
    The schedule the subcommittee has set for moving this 
legislation forward, however, may be self-defeating. Many of us 
want strong privacy legislation, but the rushing pace we are 
following with this bill may result in legislation that is 
counterproductive to privacy efforts. H.R. 4049 was introduced 
at the end of March. The subcommittee announced last week that 
it is interested in having a markup by next week. This 
intention to mark up this bill by next week was announced 
before the subcommittee even heard from the many experts that 
are coming before us this week, and as we saw from testimony 
and statements provided yesterday, the bill poses numerous 
issues that require careful thought. I fear that by rushing, we 
could foreclose the opportunity to design a commission we can 
be confident would be an effective use of taxpayers' dollars. 
It would be ironic if those arguing for a deliberate, thorough 
commission review of privacy issues do not give deliberate, 
thorough consideration to issues relevant to establishing such 
a commission.
    I think it's worth noting that the pace in which the 
committee is moving on this proposal to study privacy stands in 
stark contrast to the complete lack of attention the committee 
has paid to legislation that would actually establish privacy 
protections. For example, in May of last year, Mr. Condit, 
myself, Mr. Markey, Mr. Dingell, Mr. Turner, and many other 
colleagues on this committee and others introduced legislation 
that would establish comprehensive privacy protections for 
individuals' medical records. That bill was referred to this 
very subcommittee, yet 12 months later there's been no 
consideration whatsoever of that bill or other medical privacy 
proposals that have been referred to this subcommittee.
    As we examine the merits of H.R. 4049, it's imperative that 
we remember that Congress has a responsibility to do more than 
request the study of privacy issues. Congress should act 
immediately to address serious privacy concerns in several 
areas. For example, many individuals currently are withholding 
medical information from their health care providers, even 
avoiding medical care for fear of privacy violations.
    Years of congressional hearings and study by governmental 
and nongovernmental entities have provided us with more than 
sufficient information to take action to enact comprehensive 
medical privacy protections. Congress also must ensure that 
adequate privacy protections apply to individuals' financial 
information.
    One of the questions that has arisen about the Privacy 
Commission proposal is whether a commission would delay ongoing 
privacy initiatives. I understand the proponents of the 
legislation have emphasized that this measure is intended to 
complement, not delay, ongoing efforts. However, I think that 
an April 17, 2000, editorial in the Life and Financial Services 
edition of the National Underwriter magazine provides insight 
into this issue. The editorial chides the Financial Services 
Coordinating Council, which represents insurance companies and 
securities firms, for failing to endorse H.R. 4049, arguing 
that, ``by not lending its considerable weight to the effort to 
enact the bill, FSCC may be missing a golden opportunity to 
forestall highly restrictive privacy measures that will be 
introduced both in Congress and in State legislatures around 
the country.''
    The editorial further stated, ``If the financial services 
industry can make a strong economic case for the consumer 
benefits of information-sharing, the bipartisan Commission 
proposed by Representatives Hutchinson and Moran provides the 
best forum to do it. Moreover, the presence of such a 
commission will provide a strong argument for Congress and the 
State legislators to wait for the results before enacting 
highly restrictive privacy legislation.''
    This editorial underscores that despite the best intentions 
of the proposal's authors, others may well want to use it to 
impede privacy protection efforts.
    If we are to move forward with H.R. 4049, we must ensure 
that any privacy commission created is structured so that its 
deliberations will involve consensus-building instead of 
divisiveness, and so that members on the Commission have 
appropriate expertise and experience. Further, the Commission's 
resources and powers must be consistent with the mandate it is 
expected to carry out.
    In this week's hearing on the bill, we are receiving 
testimony from individuals who have been involved with the 
study of privacy or who have worked on privacy initiatives. 
These witnesses can help us better understand the issues 
relevant to constructing an effective commission. I look 
forward to the testimony of today's witnesses.
    I want to note that in addition to statements submitted 
yesterday for the record, I've received comments on this bill 
from privacy consultant Robert Gelman and would like to enter 
his statement into the record. I also request that we keep the 
record open for 2 weeks.
    Mr. Horn. Without objection, that will be put in the 
record.
    [The prepared statement of Hon. Henry A. Waxman follows:]

    Mr. Waxman. My second request is that we keep the record 
open for 2 weeks so that others with expertise and interest in 
these issues may also submit their comments.
    Mr. Horn. Well, let's try with 1 week, and if there's still 
some more, because I wouldn't want us to adjourn too much and 
not get this done. As you say, this is a very important issue, 
and we've been trying to get a number of people to do something 
about it. So that's why these hearings. We've got another 
hearing this week, and everybody is welcome.
    Mr. Waxman. Mr. Chairman, you're willing to have 1 week for 
anyone to submit their comments for the record?
    Mr. Horn. Yes, and if there's others, we'll work it out. We 
don't really need a rule on it. We'll just put it all in the 
record.
    [The prepared statements of Hon. Jim Turner and Ms. 
Blumenthal follow:]

    Mr. Horn. The gentleman from Arkansas. Thank you. The other 
member from the full committee. We're always glad to have you 
here.
    Mr. Hutchinson. Thank you, Mr. Chairman. I want to express 
my appreciation to the ranking member of the full committee, 
Mr. Waxman, for his thoughtful letter that he sent after the 
first round of hearings.
    As everyone knows, this is the third day of hearings on 
this particular Privacy Commission proposal, and I think it is 
good for America. It's certainly good for this Congress to hear 
from such distinguished experts on the issues of privacy and to 
learn the history of what we've done from a legislative 
standpoint on the issues of privacy and what we need to do, and 
Mr. Waxman's letter certainly provoked 2 more days of hearings, 
which is exactly what we need, and I think it has been very, 
very instructive. So I was pleased that the chairman responded 
to that request from Mr. Waxman by scheduling yesterday's 
hearings and today's as well.
    I did want to respond to a couple of the remarks of the 
ranking gentleman who mentioned that he was concerned that we 
would rush to markup on this bill, a commission bill. Of 
course, we've passed legislation out of the House in terms of--
even though it didn't come into law, we passed a commission for 
studying campaign finance laws. We've had a Medicare 
commission. So the structures of commissions have been on the 
table for some time. But I think it is important that we get 
the broadest range of input as possible, and I would solicit, 
Mr. Waxman, any suggestions that you have. We've been in 
contact with your staff, and we would certainly love your ideas 
on how this legislation can be improved.
    But I think there is a concern in terms of the markup. This 
is May, and this legislative year consists of June and July. 
We're out August and in September, and then it's gone. And in a 
puff of smoke we're out of here, and it's going to be very 
difficult even on a fast track to get legislation through the 
House and Senate. And for that reason I would hope that we will 
continue to move forward this proposal as well as other 
proposals that have a consensus in this body in terms of 
privacy. And I think it would be regretful if we went home the 
end of this year and told the American people we did nothing on 
privacy. So I hope that we can.
    I'm glad the agencies are moving forward. Whatever happens 
in terms of the agencies, whatever happens in terms of other 
legislation, it's important that we continue to study this in a 
thoughtful and comprehensive manner. This mission is designed 
to complement, complement other issues that are out there and 
not to be exclusive. I just want to assure the ranking member 
that that is my intent, and I hope everyone in Congress looks 
at it the same way.
    With that I'll be happy to yield and look forward to the 
testimony of the witnesses.
    Mr. Horn. If the witnesses will stand and raise their right 
hands to affirm the oath.
    [Witnesses sworn.]
    Mr. Horn. The six witnesses did affirm. The clerk will note 
that, and we'll proceed with panel one. The first one is Bob 
Belair, editor, Privacy & American Business. Glad to have you 
here.

STATEMENTS OF BOB BELAIR, EDITOR, PRIVACY & AMERICAN BUSINESS; 
     MARY CULNAN, PROFESSOR, McDONOUGH SCHOOL OF BUSINESS, 
 GEORGETOWN UNIVERSITY; CHRISTINE VARNEY, FORMER COMMISSIONER, 
   FEDERAL TRADE COMMISSION; SOLVEIG SINGLETON, DIRECTOR OF 
 INFORMATION STUDIES, CATO INSTITUTE; RON PLESSER, LEGISLATIVE 
 COUNSEL, 1977 PRIVACY COMMISSION; AND STANLEY SOKUL, MEMBER, 
           ADVISORY COMMISSION ON ELECTRONIC COMMERCE

    Mr. Belair. Thank you, Mr. Chairman. Let me commend you and 
the members of the subcommittee, and Mr. Hutchinson and my 
Congressman Mr. Moran for your leadership on this bill. I'm 
delighted to be here. I think I can catch you up a bit in terms 
of time. I appreciate your rescheduling me from yesterday when 
I couldn't make it to today, and mindful of that and the big 
panel, I'll be very, very brief.
    Let me just say first in response to Mr. Waxman's comments, 
Privacy & American Business, we are not for delay. We have 
supported health information privacy legislation. We have 
supported other types of legislation when we think that that's 
the right response and when we think it's ready. We will 
support this legislation and the establishment of a commission 
in one of our upcoming editorials. We will lay that out. And 
we'll address our view that this will not lead to delay, as Mr. 
Hutchinson indicated, obviously.
    And you folks know better than I do we're at the end of 
this Congress. It's going to be very, very difficult to get 
substantive privacy legislation through in this Congress. 
Obviously it takes time to organize a new Congress, and your 
bill does provide for interim reports as well, I'm sure, as 
other kinds of periodic reports to the Congress as necessary. 
We don't view it as delay. We view it as a very appropriate 
opportunity to think comprehensively about the privacy issue.
    And very briefly let me just say that we support the 
legislation, and we support the concept of a new privacy 
commission for three reasons. First of all, the activity with 
respect to privacy rights now is extraordinary. It is truly 
unprecedented. One example I think is dramatic. Last cycle, the 
1999 cycle for State legislatures, we tracked over 7,000 
privacy bills. That's one out of every five bills introduced in 
the State legislatures. Obviously there's intense regulatory 
activity at the State level behind that. There's intense 
activity here. We don't want to slow that down, but on the 
other hand we think that it's important to take a look at what 
that legislation is and what it will do, what the consequences 
and the unintended consequences are.
    Second, the underlying developments that are fueling the 
privacy debate are changing extraordinarily rapidly. The self-
regulatory environment changes. The technology environment 
changes. I think if you would have asked folks in this room 3 
years ago to define ``cookies,'' you would have gotten a 
definition that today we would snicker at and think is very, 
very naive. The international environment is changing and is 
uncertain. The business models that have fueled the privacy 
debate, affiliate sharing, personalization, these, too, are 
terms that I don't think you would have heard in public debate 
3 or 4 years ago. It's critical that we sort this out.
    Finally, third, although we've all worked very hard at 
privacy, and for many of us for a long time, there is an awful 
lot, in fact, we don't know. The Internet privacy threat is 
new, and the dimensions of that threat as well as the 
consequences of regulating the Internet have an enormous number 
of uncertainties. The public records debate is very important, 
and what impact on the marketplace and on public safety 
restrictions on public records could have in the name of 
privacy is critical.
    Obviously we don't yet know what the impact of the 
Children's On-Line Privacy Protection Act is going to be or the 
impact of Title V, the privacy provisions in last year's 
Gramm-Leach-Bliley bill. We don't even know--and certainly not 
in a careful sense--when opt-out and a robust notice makes 
sense versus when we ought to do opt-in. And if you look at the 
factors that have been the pivot points for the privacy 
legislation to date, sometimes it's subject matter such as in 
financial or medical legislation. Sometimes it's the source, 
such as legislation that would regulate access to motor vehicle 
records. Sometimes it's the use that is the key determinant, 
such as FCRA. Sometimes it's the type of consumer, such as 
COPPA. Sometimes it's the amalgamation such as the number of 
bills that would address amalgamating offline and on-line 
information.
    We still have debates about whether the U.S. traditional 
approach, a sector-by-sector approach, makes sense. We have 
debates about a privacy regulatory agency, and it's worth 
noting that while we have been having that debate, the FTC--and 
I used to be at the FTC, and one of my colleagues, of course, 
on the panel is a former Commissioner--the FTC has done a lot 
of good stuff, but the truth is they have emerged as the 
Nation's privacy regulatory agency. Maybe that's OK, but it's 
been done without a debate, without consideration.
    Preemption remains an issue, and let me just close by 
saying we really are at a juncture in the road. It's going to 
change dramatically over the next few years. We need to figure 
out a way to protect privacy, but also make sure that we use 
personal information effectively for public safety, to deliver 
goods and services to consumers for research, to personalize 
the marketplace, which is going to be such an important 
economic stimulator so the stakes are high. Let's do it right, 
and I applaud the subcommittee, and I applaud the sponsors of 
the legislation and will continue to be supportive. Thank you.
    Mr. Horn. Well, I thank you. You did a fine job of summary, 
and you did it under 6 minutes. So thank you.
    [The prepared statement of Mr. Belair follows:]

    Mr. Horn. Dr. Culnan.
    Ms. Culnan. Thank you, Chairman Horn. Thank you for 
inviting me to testify. I also want to thank Representative 
Waxman for his interest in support of this issue, and to 
Representative Hutchinson for introducing the legislation.
    My name is Mary Culnan, and I'm a professor at Georgetown 
University, where I teach electronic commerce. I also bring 
additional background to this panel as I have served as a 
Commissioner on the President's Commission on Critical 
Infrastructure Protection, and I also finished just this week 
serving as a member of the FTC Advisory Committee on Access and 
Security.
    I also support the establishment of a privacy commission. 
Bob Belair did an excellent job of summarizing some of the 
issues that commend the establishment of such a commission. I 
don't think anyone could have foreseen in 1977 the changes that 
the personal computer and the Internet would bring in our work 
lives, our home lives and in the world in general today. So I 
think it's time to revisit these issues on a broad, 
comprehensive scale, because most of our legislative efforts 
have been sectoral.
    I only want to address two primary concerns I do have about 
the legislation, and I raise some other issues in my written 
testimony. The first issue is that H.R. 4049 doesn't specify 
any criteria for the Commission to use in performing its 
evaluation, and I think this is a major shortcoming. Since the 
PPSC issued its report in 1977, fair information practices have 
emerged as a global standard for striking an appropriate 
balance between protecting individual privacy and allowing 
appropriate uses of information for a lot of the purposes that 
Bob Belair described.
    There is not consensus on how to implement fair information 
practices, but there is a consensus that they are global 
standards, and I believe the Commission's findings and 
recommendations should be based on the extent to which fair 
information practices have been implemented across the domains 
of the Commission's work. They should also be used as criteria 
to evaluate the current efforts that have been undertaken to 
protect privacy that are specified in the legislation both in 
the private sector, the Federal Government, and in the States.
    My second concern is that of a taxpayer, since I will be 
helping to fund the Commission. I think the legislation defines 
an ambitious agenda for the Commission. I have some concerns 
that the Commission will be able to complete its work in the 
time specified, given that it's required to hold so many 
hearings. I believe the number is 20. While public hearings are 
an important way to gather information and to make the 
Commission's work accessible to the public, many privacy issues 
are complex, and public hearings are not necessarily the most 
effective forum to sort these issues out in detail. When I 
served on the PCCIP, we held one half-day public hearing in 
each of five regions of the country. We also had meetings with 
business executives, academics, and government officials in 
each city. We held a number of conferences and workshops, and 
we were briefed by a wide range of individuals and 
organizations. Overall we had contacts with more than 6,000 
associations, corporations, government agencies, and 
individuals.
    I think the Commission will need to use a variety of 
methods, including public hearings, for gathering information. 
Since the commissioners are going to be serving without pay, 
the legislation will need to better balance the time demands of 
serving on the Commission with the demands of the 
Commissioners' existing job responsibilities. They will be able 
to do much of their work electronically, but they will also 
need to meet in person to take testimony, for briefings and to 
deliberate. There should be at least one hearing in each region 
of the country, but given there is probably an upper limit on 
the amount of time people can devote, I think the Commission 
should decide what methods will best help make its members able 
to complete their work.
    And then finally I would like to second Representative 
Waxman's call about appointing people to the Commission who can 
work together and promote a consensus, because these issues are 
very difficult. It's very important that the Commission 
represent a range of expertise and perspectives. Otherwise its 
results will not be credible. But if the people--if it's a very 
fractious group, also they won't be able to work together to 
promote a consensus, and I think that's awfully important.
    So I want to thank you again for inviting me to testify, 
and I look forward to your questions.
    Mr. Horn. Thank you very much. You did it all within 5 
minutes. So thank you. I didn't know professors could speak in 
less than 50-minute modules. Since I am a professor, I have 
great difficulty with this committee. Thank you very much.
    [The prepared statement of Ms. Culnan follows:]

    Mr. Horn. Now Ms. Varney, former Commissioner in the 
Federal Trade Commission.
    Ms. Varney. Thank you, Mr. Chairman, Mr. Hutchinson, Mr. 
Waxman. Thank you very much for inviting me to testify this 
afternoon on H.R. 4049, the Privacy Commission Act. My name is 
Christine Varney. I'm currently a partner at Hogan & Hartson, 
where I chair the Internet Practice Group, and I have 
served on the Federal Trade Commission from 1994 through 1997, 
I believe, and did extensive work on privacy while at the 
Commission.
    With your permission, I have submitted for the record 
extensive descriptions of fair information and privacy 
practices that can be used for future reference, but I would 
like to take a few minutes to discuss the bill.
    As you know, privacy is not a new issue. As I think you 
have heard from other panelists, here in the United States we 
have a long history of examining the rights of Americans to be 
free from unwanted and unwarranted intrusions, including the 
collection, use of personal information about them without 
their knowledge or consent. What is new, however, is that in 
the information age, the ease with which information about 
individuals can be gathered, aggregated, and disseminated is 
unparalleled. There are virtually no costs or meaningful 
economic barriers any longer to gathering extensive information 
about individuals and using it for any purpose whatsoever.
    This trend has not gone unnoticed by the American public. 
In survey after survey, Americans are regularly responding that 
privacy is their No. 1 concern on the Internet. However, this 
concern goes beyond the Internet. Although the Internet makes it 
easy to collect, aggregate and transfer information, privacy 
concerns don't stop in cyberspace. As you know, there has been 
concern around the use of personal information and potential 
for abuse of that information for quite some time. Indeed, 
Congress has already enacted several laws that deal with or 
touch upon the use of personal information, including, to name 
just a few, the Fair Credit Reporting Act, the Children's On-
Line Privacy Protection Act, the Financial Services 
Modernization Act, the Electronic Funds Transfer Act, the 
Electronic Communications Privacy Act, the Drivers Privacy 
Protection Act, the Telephone Consumer Protection Act, the 
Cable Communications Policy Act, the Video Privacy Protection 
Act, and I could go on.
    There are also a myriad of State law protections in place. 
What is missing, in my view, is a comprehensive and thoughtful 
review of the old and new laws and their effectiveness in the 
information age. Therefore, I wholeheartedly support the 
proposals in H.R. 4049 to create a privacy commission. I think 
Dr. Culnan has raised some serious concern about how to 
structure the Commission.
    Let me say a few more words about commissions, having been 
a Federal Trade Commissioner. As we have seen with other 
commissions, the work and the results of the Commission can be 
directly attributable to the composition of the Commission 
itself. Should this Commission be established, I would urge 
that all of those who have the ability to appoint Commissioners 
consider the commitment of a potential appointee to reach 
consensus as opposed to furthering an agenda. The issues are 
complex, and the solutions must be equally comprehensive. Those 
who have sat before you and talked about self-regulation as a 
failure and legislation as the answer, or self-regulation as a 
panacea and legislation as repugnant are, in my view, clearly 
missing the point.
    The point in the information age has to be how can American 
consumers, whether they are consuming medical information and 
services, financial information and services, or other 
commercial information, protect themselves and their privacy 
desires? In some instances there will be technological 
solutions. In some instances there will be best practices, and 
in other instances there may be loopholes in existing law that 
need to be closed or absence of law altogether.
    Too often the privacy debate has been polarized between 
those who wish to prohibit the use of personal information for 
any and all purposes and those who wish to exploit the use of 
personal information for any and all purposes. Neither of these 
postures addresses the increasing concerns of Americans 
regarding protection of their personal privacy while allowing 
for its beneficial use. Neither of these positions, frankly, 
can bring a balanced, economically viable and societally 
appropriate conclusion to the privacy debate.
    Thus I would urge that this Commission be created, but that 
the goal of the Commission be clearly articulated as suggesting 
to the Congress a legal framework that balances both the 
economic benefits of the free flow of information with the 
rights of individuals to maintain their own preferred zones of 
privacy through whatever means makes sense in any given 
situation, be those means technological, legal or otherwise.
    What will not advance the protection of privacy in the 
information age is a deadlocked Commission with a faction 
opposed to any meaningful use of information and a faction 
opposed to any meaningful limits on the use of information.
    Thank you very much.
    Mr. Horn. We thank you. That's a very helpful statement, 
and you're well within time.
    [The prepared statement of Ms. Varney follows:]

    Mr. Horn. And now our next individual is Solveig Singleton, 
director of information studies for the CATO Institute.
    You might tell in a little description what the CATO 
Institute is.
    Ms. Singleton. Sure, I will. Thank you, Mr. Chairman.
    I'm Solveig Singleton, director of information studies at 
the CATO Institute, which is a free market or libertarian think 
tank based in Washington, DC. My area of expertise includes the 
Internet and telecommunications regulation. My testimony today 
is intended to illustrate how a privacy commission as proposed 
in H.R. 4049 can be of help to Congress in understanding 
privacy in the big picture in this country.
    There are many privacy issues that come before Congress 
piecemeal, and Congress is well-adapted to hearings on specific 
topics like medical legislation or financial privacy and so on, 
but Congress rarely has the leisure to sit back and consider a 
comprehensive view of privacy overall across the economy.
    Let me talk now a little bit about one of the questions I 
think would be important for the Commission to consider. I 
think the Commission could play a vital part in increasing 
Congress' understanding of how the increased use of government 
databases, new surveillance techniques and so on ultimately 
will affect the relationship between the U.S. citizens and 
their government.
    Just in the past decade alone, we've had several new 
Federal databases created. I'll just run down some of these 
quickly. There's a National Directory of New Hires intended to 
enforce child support orders, but, of course, everybody ends up 
in it, not just parents. There's a new employment database for 
the Workforce Investment Act, a national medical database with 
proposed unique health identifiers, and there's a National 
Center for Education Statistics. On top of that, there's been 
various proposals for monitoring and tracing citizens' 
activities such as FIDNET, Federal mandates for driver's 
licenses, and an employment eligibility confirmation pilot 
proposal from the Immigration and Naturalization Service.
    Now, each of these databases and each of these proposals 
comes along with good intentions, but the concern overall is 
that ultimately what we may see in this country is the right to 
work, the right to travel, the right to seek medical attention, 
the right perhaps to consult a lawyer in confidence, that these 
things are gradually transformed into privileges that are 
enjoyed only by those people who have their paperwork in order. 
And most Americans, I think, have better things to do than 
wanting to be thinking about whether their paperwork is in 
order all the time. People lose things, mistakes are made by 
clerks and so on. So I think a privacy commission would be 
ideally situated to look at these developments in the big 
picture.
    Second, I think a commission could add substantially to 
Congress's understanding of the use of information about 
consumers by private sector businesses. Now, those of you who 
have heard me testify on Internet privacy will know I think 
many concerns about business use information are overstated. I 
basically think private businesses, they are either going to 
sell you something or not sell you something. I think that when 
it's a legitimate business that consumers need to be protected 
from, that the need for protection for consumers is fairly 
limited. But nevertheless, new technology makes people uneasy, 
and there's a danger that Congress will face tremendous 
pressure to move forward on privacy before they entirely 
understand the economic consequences of regulation.
    In particular there's been a lot of opinion, including my 
own, brought forward in testimony, but very little actual 
factual information about the way information is used in the 
economy, what it means to businesses in terms of keeping costs 
down, what it means to consumers in terms of getting 
information about new products, new businesses, new services, 
and in particular there's little hard information about the 
impact of privacy regulation on small businesses including 
Websites, startups of any kind, charities and grass-roots 
political groups, many of whom trade actively in lists of 
information about donors or subscribers in order to get their 
foot in the door of civil society.
    Third, a really critical issue, and where there is a real 
danger to consumers, is in the area of fraud and identity 
theft. There's some serious questions that need to be asked 
about the best approach to fraud and security issues. Is it to 
have less information circulating through the economy as a 
whole, or is it, in fact, to have more information about people 
of a kind that is easier to verify, such as digital signatures? 
In some cases the use of biometric identifiers like 
fingerprints might be appropriate. And finally, I think the 
most important question of all is how can law enforcement be 
more effective in enforcing existing laws against fraud and 
identity theft? A lot of these questions may be enforcement 
questions rather than questions of new laws or new policies 
being needed.
    So to conclude and second the comments of some of the other 
panelists, I note that I think the proper role of the 
Commission would be to provide balanced and objective analysis 
and scholarship to fill gaps in our understanding of the 
complexities of privacy. I think in particular it might be 
valuable to have the Commission have the authority to contract 
with a group--a reputable group, an independent group of 
economists to come up with something like a cost-benefit 
analysis of different types of proposed regulation.
    With that I conclude.
    Mr. Horn. We thank you. Those are some very helpful 
suggestions.
    [The prepared statement of Ms. Singleton follows:]

    Mr. Horn. Mr. Ron Plesser is legislative counsel to the 
1977 Privacy Commission. Mr. Plesser.
    Mr. Plesser. I think I was general counsel, but ``was'' 
rather than ``is.''
    Good afternoon, Mr. Chairman, members of the committee, and 
thank you very much for the opportunity to appear before your 
subcommittee as it examines the creation of a commission for 
the study of privacy protection. My name is Ronald Plesser, and 
I'm a partner in the law firm of Piper Marbury Rudnick & Wolfe, 
and I chair their Electronic Commerce and Privacy Group. I 
served as general counsel for the Privacy Protection Study 
Commission for the entire life of the Commission from 1975 to 
1977, and most recently I've served along with Mary Culnan on 
the Federal Trade Commission's Advisory Committee on Online 
Access and Security.
    I'm pleased to appear before you today to share my 
experiences as a staff member of the first and only Privacy 
Commission and to comment on H.R. 4049 and the potential 
establishment of a new privacy commission.
    Created by the Privacy Act of 1974, the Privacy Protection 
Study Commission was directed by Congress to make a study of, 
quote--study of the data banks, automatic data processing 
programs, and information systems of governmental, regional, 
and private organizations in order to determine the standards 
and procedures in force for the protection of personal 
information. The Commission also sought to examine the balances 
between legitimate and at times competing interests of the 
individual, the information system and society in general.
    I would like to point out, as I think others have, that we 
issued our report in 1977, which actually was the first year 
that the personal computer was commercially available. So 
there's obviously been a world of development and shift since 
then, but I think their basic principles may have stayed more 
the same than we could have imagined. The Commission 
recommended ways of providing additional protection for the 
privacy of individuals while meeting society's legitimate need 
for information.
    The Commission based its recommendations on the conclusion 
that effective privacy protection must have three concurrent 
objectives: one, minimize intrusiveness in the lives of 
individuals, and this relates really to a large extent to 
government issues; maximize fairness in institutional decisions 
made about individuals--this is the famous fair information 
practice principles; and provide individuals with legitimate, 
enforceable expectations of confidentiality.
    One of the critical findings of this report was that 
privacy needs to be addressed on a sector-specific basis, given 
that there are different concerns raised by different 
information systems. The Commission felt that the historic 
development of privacy protection as well as the then current 
realities required that each be dealt with separately.
    The Commission explicitly rejected a proposal for an 
omnibus privacy statute establishing government authority to 
regulate the flow of all personal information. This rejection 
was based on several considerations, including the danger of 
government control over the flow of both public and private 
information, the greater influence on the private sector than 
the public sector of economic incentives that encourage 
voluntary compliance with principles, and three, the difficulty 
of legislating a single standard for widely varying 
recordkeeping practices in the private sector.
    I would like to highlight a few areas of the particular 
bill you're looking at that I believe could pose obstacles to 
the effective service of a commission based on my practical 
experience. First, the Commission envisioned by the bill is 
comprised of too many members. It was critical that there were 
seven members of the Commission as compared to the 17 
recommended by H.R. 4049. Broad representation of various 
interests on the Commission is an important goal. However, for 
management reasons and to enable group consensus, it is 
important that the Commission be limited to a smaller number.
    The second point, the Commission's effort needs to be 
sufficiently funded to allow for careful, balanced 
investigation. H.R. 4049 allocates $2.5 million in the year 
2000, and you may be interested to know that that's exactly the 
same amount of money that the Privacy Commission got in 1974, 
and while we, I think, felt that was a fully sufficient amount 
of money back in 1974, we had 60-some-odd days of hearings and 
other stuff. I think that amount is woefully inadequate for an 
adequate study today.
    I've hit my time, and I wondered if I could have just 
another minute to say that I think there are competing reasons 
for and against the Privacy Commission. On one hand, I agree 
with what everyone has said about the complexity of the issue 
and that it needs additional study. Whether that initial study 
has to be done by a new independent commission, or it can be 
done by existing authorities I think is an issue.
    I'm also concerned--I was very involved with the Children's 
Online Privacy Protection Act representing several clients, and 
I think we came out with a very balanced piece of legislation 
that was supported by government, public interest groups, the 
private sector and, of course, Congress. I wonder if we could 
have developed something as carefully tuned and balanced as a 
result of a commission process, or if it worked just as well by 
having inquiry by Congress without having the added kind of 
exposure and publicity that would be involved in a commission. 
I think there are positions on both sides of it. I certainly 
support Christine Varney's point of view on the need to have a 
commission, but I think we should look at it very carefully as 
we go forward. Thank you.
    Mr. Horn. Thank you very much. Those are very helpful 
suggestions.
    [The prepared statement of Mr. Plesser follows:]

    Mr. Horn. Our last witness on this panel is Stanley Sokul, 
member of the Advisory Commission on Electronic Commerce. Why 
don't you tell us a little bit about that advisory commission.
    Mr. Sokul. Thank you. Thank you for inviting me to testify 
today. As you noted, I served as a member of the Advisory 
Commission on Electronic Commerce, which studied the issues 
surrounding Internet taxation. We issued our report on April 
12, and our tenure expired on April 21.
    I'm here primarily to urge you not to neglect the privacy 
implications of Internet taxation, but would also like to offer 
some suggestions on a potential privacy commission based on my 
Tax Commission experience.
    If a commission on privacy is created, I hope the 
subcommittee will consider an issue that the Tax Commission 
uncovered but did not resolve. In order for States to 
effectively collect taxes on Internet sales transactions, the 
sales need to be identified on an individual basis. Such 
government tracking of consumers' Internet purchases could have 
significant privacy ramifications. The most striking example 
involves the types of privacy invasions that would have to 
occur for States to track and tax the purchase of digital 
goods.
    The Internet privacy debate generally focuses on the 
activities of private entities, how companies compile on-line 
purchase information and even track Web surfing for commercial 
purposes. The debate revolves around the nature and extent of 
consumer access to and control over the collection and use of 
such information; for example, should an opt-in or opt-out 
requirement be imposed on Internet data gathering and sharing.
    In contrast, imposing a national system to collect State 
sales taxes raises the specter of the government tracking 
individual purchase information. In this environment, the 
consumers would have no control. The only way for consumers to 
opt out of the government tracking their purchase activity 
would be to forego the Internet purchase altogether.
    During the Tax Commission process, the State and local 
organizations proposed a Streamlined Sales Tax System for the 
21st century. This system would insert a new layer of 
requirements into electronic sales transactions, a national 
clearinghouse or database, to track Internet purchases so the 
proper tax could be calculated, levied, and remitted to the 
proper jurisdiction. This proposal raised some significant 
privacy concerns, and ultimately the States stopped advocating 
the system as a solution, at least before our Commission.
    The effects a new Internet sales tax collection regime 
would have on consumer privacy and thus Internet commerce 
remain unexplored. Confronted with many concerns but few 
details, the Tax Commission adopted a resolution I authored to 
recommend that Congress study the privacy implications of 
Internet taxation very carefully. It was one of the few items 
that attained a two-thirds supermajority vote to constitute a 
formal recommendation to Congress. We recommended that Congress 
explore privacy issues involved in the collection and 
administration of taxes on e-commerce, with special attention 
given to the repercussions and impact that any new system of 
revenue collection may have upon U.S. citizens.
    Accordingly, because the Privacy Commission may be a key 
vehicle through which Congress explores Internet privacy 
issues, I would urge that the privacy implications of Internet 
taxation be added to the Commission's agenda.
    Finally, I would like to comment briefly on two problems 
that the Tax Commission confronted. First, our Commission lost 
nearly half of its 18-month tenure due to an appointment 
controversy. The statute required equal representation from 
State and local interests and business interests and gave the 
House and Senate leaders a fixed number of appointments. When 
all the appointments were announced, a statutory balance had 
not been achieved, and the imbalance took 8 months to sort out.
    H.R. 4049 as presently written provides leadership with 
specific appointments, but does not specify that certain 
interests must be represented on the Commission. If the 
subcommittee ultimately decides to list different interests 
that should be represented, I would suggest that you carefully 
account for what will occur if the initial round of 
appointments fails to fulfill the representational 
requirements.
    Second, the Tax Commission operated under a two-thirds 
supermajority requirement to report findings and 
recommendations to Congress. H.R. 4049 presently contains only 
a simple majority requirement. I would urge you to consider a 
supermajority provision. While the Tax Commission did not 
ultimately achieve a two-thirds result for the bulk of its 
report, and that failure created some controversy, I believe 
still that the requirement created a healthy dynamic within the 
Commission that encouraged the opposing interests to work 
together. However, if you institute a supermajority provision, 
the statute must be clear that a lack of one does not negate 
the need to file a report.
    Thank you again for the opportunity to testify, and I'll be 
happy to answer any questions.
    Mr. Horn. Well, thank you.
    [The prepared statement of Mr. Sokul follows:]

    Mr. Horn. And we will now go to questions, and we'll start 
with--we're going to do it 5 minutes each side, everybody, so 
we all get into this and rotate it a few times. So I'm going to 
yield my time to the gentleman from Arkansas Mr. Hutchinson, 5 
minutes.
    Mr. Hutchinson. Thank you, Mr. Chairman. I want to thank 
each of the witnesses. That was outstanding testimony, very 
thoughtful, and with your background and expertise, I think it 
is very helpful to the committee.
    First, Mr. Belair, I don't think you recounted a little bit 
of your background on privacy. Could you do that for the 
committee? I know it's in your written material, but could you 
elaborate?
    Mr. Belair. I'm happy to do it. I'm editor, along with Alan 
Westin, which--of Privacy & American Business, which is a not-
for-profit, privacy-friendly, business-sensitive publication. I 
also have a privacy consulting firm with Alan Westin, and I'm 
a partner in a law firm, Mullenholz, Brimsek & Belair, and my 
practice there is all privacy-related. I was deputy general 
counsel of the White House Privacy Committee in the Ford 
administration. I said that the other night at the supper 
table, and one of my teenagers said, the Ford administration, 
God, you're old, and I guess that's probably right. I've also 
been the general counsel of the National Commission on the 
Confidentiality of Health Records and represented a number of 
other both public sector and private organizations.
    Mr. Hutchinson. I think that's extraordinary background, 
and your testimony was that you supported the Privacy 
Commission creation.
    Mr. Belair. That's correct. I think it's--I not only 
support it, I think it's really just the right thing at the 
right time. I think it's critical.
    Mr. Hutchinson. Dr. Culnan, you have raised some good 
points. I thank you for your support for the legislation as 
well, but you raised the concern about balancing the 
Commission, and you heard the comments from our last witness. 
Could you help us here as to what your suggestion is on how to 
balance the Commission? Let me tell you, first of all, some of 
the thinking in this that, one, it should be balanced. It's 
very important, and we want to get people who are open-minded 
and can promote a consensus. The option is, you know, to 
specify who all should belong to it or leave it to the 
political process, the people who are appointing, that you are 
going to pressure them, we are going to pressure them to 
appoint balanced people. I am open to any suggestions, but that 
was the thinking.
    Ms. Culnan. I think I would be against sort of a rigid set 
of standards saying you have to have X number of people that 
represent a certain point of view, but there might be a 
statement in the legislation that encourages or advises, I 
believe, the different people who are appointing Commissioners 
to consider diversity of perspectives in terms of doing that. 
One reason is because if it turns out the entire Commission is 
tilted toward a particular point of view, it will not have a 
lot of credibility, and there will be a lot of fighting and 
yelling about the kind of things that go on when you don't have 
multiple views reflected.
    I also want to second Mr. Sokul's point about the 
appointment process. The commission I was on, a lot of people 
got tangled up in the appointment process, and I think that can 
do great detriment to the Commission if people don't get 
appointed quickly and get brought on board and the Commission 
gets off and running. We had to have half private sector and 
half Federal Government commissioners, and it took quite a 
while to locate the private sector people who were willing to 
serve.
    Mr. Hutchinson. It shouldn't be as problematic if you do 
not specify all of the backgrounds necessary. I agree with you, 
and we've already half drafted some language that would talk 
about the broad interests that should be represented on it and 
the diversity of opinion reflected. I know I've raised--Ms. 
Varney, do you have any comment on this, and I also wanted to 
ask you specifically about your goal--or your statement that 
the goals of the Commission should be clearly articulated. Help 
me out here, again. The written copy I have did not elaborate 
all the things that you said so well.
    Ms. Varney. Well, I can give you this as well. I guess my 
concern, Congressman, is that the privacy debate has generally 
been very polarized. There are a lot of thoughtful people, 
including people that you've heard from today and yesterday and 
will be hearing from, who really are looking for a balance.
    What I would hate to see in the Privacy Commission is this 
division, this continued polarization. So if I could put my 
desires in writing in a preamble, it would be to really give 
the Commission guidance that its goal is to recommend to the 
Congress a comprehensive approach to privacy that balances the 
economic benefits of the free flow of information with the need 
for citizens to be able to protect their own personal privacy 
preferences.
    Mr. Hutchinson. You think that language would be 
sufficiently instructive to the Commission?
    Ms. Varney. I think it would help, because I think what we 
have seen in the privacy debate, this sort of view--a very 
stark view that either the use of information without very 
aggressive, very explicit consumer or patient or individual 
written affirmations and consents ought to be prohibited, and 
on the other side we've seen this view that all information 
flow in the commercial arena has some benefit, and therefore, 
anything that inhibits it is bad. That has really, in the short 
time I've been doing this compared with my colleagues--I only 
started dealing with this in 1994--that has really driven much 
of the debate. You don't find a lot of balance.
    Mr. Hutchinson. My time has expired. Thank you, Mr. 
Chairman. Thank you.
    Mr. Horn. We thank you.
    Now I yield to the ranking member on the subcommittee who I 
believe will yield to the ranking member on the full committee.
    Mr. Turner. Thank you, Mr. Chairman. As you know, Mr. 
Waxman, our ranking committee member is here with us. Mr. 
Waxman has taken a great deal of interest in the subject of 
privacy, particularly in his work to try to establish 
protection of health information for all Americans, and I want 
to yield to him or ask the Chair to yield to him for the 
beginning of our round of questioning.
    Mr. Horn. You can yield to him. Go ahead.
    Mr. Turner. Mr. Waxman.
    Mr. Waxman. I thank both of you for allowing me to question 
the panel.
    I want to thank the members of the panel for your 
testimony.
    Mr. Plesser, let me start with you. You testified that you 
think 17 Commissioners is too great a number for reaching 
consensus. Do you have any recommendations on what would be an 
appropriate number of Commissioners to have and how to ensure 
that appropriate stakeholders are represented?
    Mr. Plesser. I was looking at it from the perspective of 
staff working with diversity. You have to understand that 
unlike a congressional committee, those members would not have 
their individual staffs. So all of the kind of briefing, just 
the mechanics of briefing and working with people to get them 
up to speed, to make the decisions to have 17 is quite a lot. I 
would think that single digit, 7, 8, 9, you have to decide the 
odd-even issue, but I would think something under 10.
    I think the question of balance, frankly, being on the FTC 
Advisory Committee, I think you've got to go to 40, probably to 
the size that that went to, to make sure you had somebody from 
every sector, and even in that advisory committee that was 40, 
I think there probably were some people and some interests that 
felt that they weren't represented.
    I think you really have to do what Christine has suggested, 
which is try to get some very well-balanced, centered people in 
the group, whether or not--you don't maybe try to get somebody 
from the consumer group and the business group and this group, 
but get people--certainly some academics, some people who have 
been thoughtful on the issue, and I think more kind of 
representatives more like we expect our Congress people to 
exercise good judgment rather than come from a specific point 
of view. But I think if you try to do 17, I just think we 
also--let's stay and talk about what happened at the Internet 
Tax Commission, but I think that when you have that large a 
commission representing specific points of view, it's going to 
deadlock, particularly in the situation where there's a 
supermajority vote.
    I agree with Stan, I think supermajority is good, but 17--
I'm a lawyer, but a lot of what I do is run coalitions, and 17 
is a lot of people to get a good result with.
    Mr. Waxman. I noticed other members of the panel are 
shaking their head in the affirmative, so they seem to agree 
with you about the size.
    Let me ask you about the resources for such a commission. 
Dr. Willis Ware, who served as vice chair of the 1975-77 Privacy 
Protection Study Commission for which you were general counsel, 
stated in written testimony to the subcommittee that the 
Commission spent over $2 million, but just the effects of 
inflation over 25 years would make a realistic funding more 
like $4 to $5 million.
    You mentioned in your testimony the importance of ensuring 
that the Commission would be provided sufficient resources. 
What do you think would be appropriate to meet the needs of a 
proposed privacy----
    Mr. Plesser. I'm totally unfamiliar with the current 
policies of GSA and how much space costs. That was an issue 
that shocked us, frankly, back in 1974 where a good part of our 
budget had to go to rent. I think the overhead issues like that 
I don't think any of us really think about. I think we had to 
rent furniture or had some furniture charge. The government was 
very helpful in that we got a lot of people from different 
parts, HHS, HEW back in those days. We got a lot of loaners, 
and that helped us expand and encouraged the Commission to have 
loan personnel from certainly on medical records, to have some 
HHS people and stuff like that is very helpful and critical to 
the Commission.
    I always agree with Dr. Ware, and so if he says $4 to $5 
million, that sounds right, but I think my point is that there 
has to be some really serious fact-finding, some balanced 
hearings, an opportunity, as Mary suggested, for a lot of 
people to input. I want a smaller number of Commissioners, but 
I sure want it to have maximum outreach, and I think if you 
keep the funding down too low, which gets a lot of press 
releases and not a lot of careful investigations, I think 
you're either in it or not, but I think it would be difficult 
to cheap out.
    I agree with Willis that 1974 and the year 2000, to fund 
something at the same level is not realistic on inflation.
    Mr. Waxman. My time is up. I had other questions, but we'll 
get that to another round.
    Mr. Horn. You may ask one more question.
    Mr. Waxman. Let me ask Dr. Culnan what her thoughts are 
about the sufficient resources to meet the mandates of this 
bill, and what do you think we need to do to attract the high 
caliber of personnel--not personnel to work on it, but the 
members who actually serve on a commission?
    Ms. Culnan. The issue is can people balance--they must feel 
committed to serving on such a commission. Certainly if I were 
invited, I would make every effort to serve because it would be 
a tremendous honor to be asked. People need to feel, I think, 
that it's going to be an important, substantive commission that 
is going to yield a report that people are going to listen to; 
that it will be of the same stature as the 1977 report. That is 
an evergreen report. People still read and refer to that today 
23 years later even though the technology is very different.
    I also agree with Ron Plesser about appointing people who 
themselves represent balanced interests, which is probably a 
good way to deal with the diversity issue, as opposed to having 
people that have their feet planted in a particular point of 
view and are likely to dig in.
    Mr. Waxman. Also people who are not going to give up their 
day jobs, because they are not going to be paid to serve on 
this. Is that going to be a problem for some of the people?
    Ms. Culnan. It may be a problem depending on the time 
constraints. If the 20-hearing rule is still in effect, and the 
Commissioners are supposed to fly around the country, that's 
going to take an enormous amount of time, and people will be 
probably giving up 1 or 2 weeks a month of their time to do 
this, let alone they also need to meet face to face to 
deliberate. They do need to have a chance to absorb testimony 
and information from a wide variety of experts and points of 
view and should use whatever is the best way to do this.
    I would also say even if you were to pay people, it's very 
difficult to find people who can take 18 months off from their 
job, people who are willing to step off the fast track, and so 
I don't think that would necessarily be the solution either.
    Mr. Waxman. Thank you.
    Thank you, Mr. Chairman.
    Mr. Horn. We'll go to 6 minutes now for everybody.
    Dr. Culnan, I'm curious. In your testimony you bring up the 
fact that there are few laws that protect personal information 
on Web databases. In your studies of the fourth amendment, what 
type of legislation do you think is needed for the Web 
databases?
    Ms. Culnan. I have not studied this yet, but it--people 
have raised this as an emerging issue in the future that we 
need to look to. One of the issues I raised in my testimony is 
that we be sure not to try to understand what may happen in the 
future by looking in the rear-view mirror, and cited the issues 
related to balancing national security interests versus civil 
liberties in the area of protecting critical infrastructures 
and the issues that when people put their personal information 
in a database that's not stored on their personal computer, but 
is on somebody else's server, that is raising new issues that 
haven't been addressed, and hopefully the Commission would look 
to some of these future and emerging issues as well as the 
issues we're grappling with today.
    Mr. Horn. Do you or any of the other presenters know people 
that are working on the fourth amendment issue?
    Ms. Culnan. The Center for Democracy and Technology is very 
interested in this issue, and they are the ones who have 
brought it to my attention.
    Mr. Horn. Let me move now to Mr. Belair. I've had an 
interest in the European situation for a number of years. I've 
been on the delegation of the Congress to the European 
Parliament, and we went over there just at the time when the 
Parliament had asked all the member countries to develop a 
privacy law. And the ones in the Polish Government had worked 
with us over here, and I'm sure they worked with some of you 
because they are very interested in what Americans develop in 
this area. And I was just curious what you feel, Mr. Belair, as 
to the impact of those policies on commerce, be it an American 
going to Europe or Europe going to America. I know they have 
got a moratorium on it for a while, but some of them in draft 
seem to be fairly rigid.
    And I had suggested, because we happened to be visiting 
with the President and Prime Minister of France and Poland, I 
suggested that they put together a commission, in the case of 
Poland, of Polish companies that operate with subsidiaries in 
the United States and then same with America and American 
companies that operate in Poland; same with the President of 
France. They thought that was a fairly good idea to get some 
feeling as to what this really means when you have to relate it 
to industrial data moving across the Atlantic, and I wondered 
what you could educate us on, and do you feel that's a real 
problem? Will it become simply a nontariff trade barrier, for 
example?
    Mr. Belair. Certainly has that potential. As you know, the 
Department of Commerce has been at work with the EU to agree on 
safe harbor accords, and they are close. Of course, they've 
been close now for many, many months. Assuming that safe harbor 
is negotiated, then I think we'll see some fascinating impacts 
here as companies have a limited amount of time to decide 
whether they are going to subscribe to those safe harbor 
accords.
    One of the things that the safe harbor accords do is bust 
through the sectorial industry-by-industry approach that we 
have always had and apply fairly generic privacy rules across 
the whole range of personal information.
    That's No. 1.
    No. 2, are we going to see a bifurcation where we've got 
some data that is subject to the safe harbor accords, namely 
data that's moved over from Europe, and then a second set of 
data that's domestic data that doesn't enjoy that kind of 
protection, or are we going to end up, as many of us think, 
with one approach, a global approach really, dictated to us by 
the Europeans?
    Third, and then I'll stop, although obviously it's a topic 
that we could talk about for a long time, and that is that the 
Europeans clearly have not thought through what the impact is 
of the application of their rules in an on-line environment. 
They would argue, for example, that even a United States 
citizen who happens to be in France on a business trip and then 
pulls up on his screen a United States Web site and engages in 
some kind of a transaction that generates personal information, 
that information is subject not to United States law, but 
that's subject to the EU directive and, in this example I've 
just given, the French national law.
    So it certainly does hold the potential for having an 
adverse impact on trade. I think--it's one of the things--the 
reason I mentioned it is I think it still remains to be seen 
how that sorts out.
    Mr. Horn. I know there are scholars at the Brookings 
Institution that are working on this. Do you know where 
scholars are providing some initiative and some analysis of 
these different policies that are evolving in legislative 
committees in Europe? What's the best shot we can get from 
people in that area?
    Mr. Belair. I think you're right, there's an awful lot of 
work and an awful lot of focus for a lot of groups back here 
and a lot of groups over there. Privacy & American Business, 
just to do a commercial since the segue is there, has a Web 
site, PrivacyExchange.org, and on that Web site is all of the 
latest information about the EU directive, about the national 
laws, about other national privacy laws, about the safe harbor 
accords, and we update that almost on a daily basis.
    Mr. Horn. Mr. Belair, is there a negative effect on the 
future legislation with regard to public records and with 
respect to the Freedom of Information Act among others and the 
Electronic Freedom of Information Act? And we asked that 
yesterday, and I'm just curious if any of you have feelings on 
that, but we'll start at this end.
    Mr. Belair. I do. I think the public records debate, which, 
as you know, the Vice President announced a couple of summers 
ago that he was going to lead, is an extraordinarily important 
public discussion. Personal information is available in public 
record repositories for a reason, public safety reasons, 
reasons that have to do with the operation of governmental 
agencies, the fairness involved in giving individuals who have 
availed themselves of governmental resources for a license for 
some other kind of a benefit or a status, letting their fellow 
citizens see who they are and what kinds of resources they are 
using.
    There are a lot of very important public purposes that are 
served by access to public records. Now that these records 
increasingly are automated and are commercially available, 
we're faced with a decision that we weren't faced with 10 years 
ago, and that is do we really mean that we want this 
information to be fully and effectively and conveniently 
public. The answer is--surely isn't to throw it out and close 
down the records as we started to do with motor vehicle 
information. The answer is the kind of balance we've been 
talking about on this panel, figuring out, and I would hope 
your Commission--I hope the Commission would tackle this--
figuring out what are the public values served by the access 
and what kinds of privacy threats are incurred and then 
striking a balance.
    Mr. Horn. Dr. Culnan, you agree with that statement?
    Ms. Culnan. In part. I think the public record issue is one 
of the really difficult ones that merits an expansive public 
conversation. The Internet has really changed the way public 
records are now accessible to anyone for any purpose. I worked 
on the Drivers Privacy Protection Act, Mr. Moran's bill, in the 
House and testified at the Judiciary hearings on that bill 
before it was passed.
    I think the issue that concerns people is not that their 
information is used for the purpose for which it was provided, 
to drive a car, to register a car, to get a license to be in a 
profession, or to fish or whatever, it's that the information 
is available to anybody for any purpose, and in privacy, a 
distinction is made between compatible and incompatible uses of 
information or between the reason the information was collected 
versus secondary uses, and I think the issue is how do you make 
the information available for the purposes for which it was 
collected, be they public service or public safety or other 
types of important reasons and not allow them to be used for 
marketing and people looking up other people's information out 
of curiosity, which really has nothing to do with why the 
information was collected, and which is the source of the 
privacy concerns.
    Mr. Horn. Ms. Varney, do you agree with that?
    Ms. Varney. I agree with Dr. Culnan, but I'd modify her 
last point where she said not allow the information to be used 
for other purposes. I would say not allow the information to be 
used for other purposes without consent.
    Ms. Culnan. I would modify my statement to agree with that. 
Choice.
    Mr. Horn. Explain that a little more, because you talk 
pretty fast, so let's slow it down and tell us what is your 
real wording here.
    Ms. Varney. My real wording is I do agree with what Dr. 
Culnan said as she has now modified it. The balance between the 
use of the information for purposes that it was provided and 
intended to be used for and other uses, and I don't think that 
we want to put a blanket prohibition on other uses. I think we 
need to look at what are the other uses and what is the correct 
level of choice that an individual needs to be able to exercise 
over what may be called unrelated or incompatible uses.
    When you go--I don't know if you ever used this example, 
Mary, but when you go and get your driver's license, and you're 
5-foot-4, and you put your weight in, and all of a sudden if 
you weigh a fair amount, you may be getting mailers from the 
Large and Heavy Dress Shop. That's not why I gave my weight 
information for the Drivers Protection Act. However, I might 
consent to the use of information if I'm 4-foot-10 because I 
like to get catalogues for petite clothes. They are hard to 
find.
    So I think what you have to do, Mr. Chairman, is continue 
to weigh in this debate what are the reasonable expectations of 
the consumer, what are the economic benefits, and what are the 
economic costs, and where do you--where can you empower 
consumers to make their own choices and where can't you. And 
the where can't you is where law needs to come in.
    Mr. Horn. Your dilemma would make a good Cathy strip.
    Ms. Singleton, what would you add to this?
    Ms. Singleton. I'd question again the idea that marketing 
uses should be presumed to be illegitimate. I think you have a 
lot of existing businesses that are currently using public 
records as a part of making goods and services available to 
consumers, and it's particularly important for companies 
offering financial services. Risk assessment is a large part of 
their business, and they need information to do that 
effectively.
    What I would suggest is an alternative approach to the 
public records problem, which is to focus on it as a security 
issue, and that is to figure out ways to make sure that the 
information can be in the hands of legitimate users whether 
it's a business, trying to sell a product, or somebody looking 
for their lost child or something like that, and yet keep it 
out of the hands of people who will use it to do really serious 
harm, such as stalkers and so on.
    Mr. Horn. Mr. Plesser, how about you?
    Mr. Plesser. I think I would go back to agreeing with Mr. 
Belair, and just to reinforce that, I think there are public 
record systems whose very purpose of collection is disclosure. 
Real estate records have been collected by counties in the 
United States since the beginning of government for the purpose 
of disclosing ownership and who owns what, and it's been very 
critical in the Midwest and other areas. People are concerned 
about false ownership or use of nominees and all of that stuff, 
environmental issues.
    I don't think we can question each use. Where the system of 
records was collected for the purpose of disclosure with UCC 
filings, real estate filings, things like that, I think it is 
critical to have those remain open to the public. If they are 
now more efficiently distributed, then that's the society that 
we live in. I think to restrict them to say that you can only 
use--only licensed real estate agents can get real estate 
records would really be a travesty and would really potentially 
start to allow for some of the record control issues that we 
don't like. And one of the reasons why we've rejected the 
European system is because we don't want that kind of 
oppressive government control. And if government records are 
not open, even ones that have individual records, I think it 
would really threaten the concept of the freedom of information 
that you, Mr. Horn, have been very effective in the last number 
of years in protecting in electronic format, and I would urge 
you to continue to do that.
    Mr. Horn. Mr. Sokul, last response to this question, and 
then we'll escalate to 12-minute rounds.
    Mr. Sokul. I just have a brief comment. My concern is more 
along the lines--goes more toward the collection of new 
information and in particular for tax purposes. I think that 
privacy is going to be the sleeping giant and probably the 
ultimate Achilles heel of what the States want to do in the 
Internet tax arena. There is also a balance that comes into 
play in terms of invasiveness and intrusiveness and what the 
country will count for its tax collection.
    Mr. Horn. I thank you all for answering that question. It 
will be very helpful to us in a report to the full committee.
    I now yield 13 minutes to the gentleman from Texas Mr. 
Turner.
    Mr. Turner. Thank you, Mr. Chairman. I want to revisit this 
subject of the composition of the Commission. I have 
cosponsored this bill because I feel that we have an issue on 
our hands that is of such importance and is changing so rapidly 
that the American people need to have discourse and dialog 
about it. And this Commission is one way to generate that kind 
of discussion, but I do think it's important to think about who 
would serve on this Commission.
    I noticed, Ms. Singleton, in your statement you said that 
we should write specific membership requirements into the bill 
in order to avoid what you call the usual suspects with an 
agenda as Commission members. I might ask you to tell us what 
you meant when you said that the usual suspects, and then 
perhaps offer to us the type of individuals that perhaps should 
serve on this Commission. You seem to emphasize the importance 
of fact-finding, even suggesting that perhaps the members of 
the Commission should not suggest policy or make policy 
suggestions, but rather be more fact-finders. I think there had 
been uniform agreement--I saw the heads nodding a minute ago--
17 might be too many, but if we're going to have a discussion 
like this, we need all the stakeholders at the table.
    Perhaps we could start with you, Ms. Singleton, and respond 
to my question and then offer your suggestions on what the 
Commission should look like, what type of individuals, what 
background, and then I'll ask all the rest of you, and maybe we 
can get a nice long list of the type of people who need to be 
at the table.
    Ms. Singleton. I don't have some of the same experiences 
that some of my fellow panelists do with actually being on a 
commission. Let me try to clarify, first of all, what I said in 
my written statement.
    I think the emphasis of the Commission should be rather 
than replicating a lot of the testimony that has already been 
generated in privacy debates and privacy legislation, should be 
to focus on things that are unknowns, that there's very little 
information about already. And I think in particular it would 
be very beneficial to have a lot of hard economic information 
there about, for example, the way small businesses use 
information, the way nonprofits use information, that kind of 
information. And so I think from my standpoint, it would be 
very important to have one or two economists represented on the 
Commission; I mean actual full-bore professional economists, 
not lawyers who have clerked for judges who were economists.
    Perhaps when I talk about the usual suspects on the panel, 
I'm excluding myself more than anything because I'm not an 
economist.
    Mr. Turner. You're talking about lawyers as the usual 
suspects?
    Ms. Singleton. That would be me, yeah.
    Mr. Turner. One or two economists. So obviously the 
collection of the economic data you're talking about could be 
done by staff, but you think we need someone with a background 
in economics to be able to interpret it?
    Ms. Singleton. Yes. I think that would be very helpful. I 
think it's unreasonable that the Commission itself would 
actually do the economic study. I think it would be more likely 
that they would contract out with an independent firm that does 
that kind of thing as a matter of course.
    Mr. Turner. Let me just go down the panel because I'd like 
to have your suggestions on what kind of individual, what 
background an individual should have, what training and also to 
think in terms of the broad range of individuals that should be 
heard from if we expect to have a full dialog on this issue. 
Let's start with Mr. Belair.
    Mr. Belair. I think you're wise to go back to it. I think 
it's a key issue, and it's a hard issue. I could probably 
answer it better in terms of who shouldn't be on there.
    I had the experience of being the reporter for the National 
Conference of Commissioners on Uniform State Laws on their 
health information privacy bill, and they pride themselves on 
bringing to the table smart people who know nothing about the 
area, who come at it absolutely clean. I can tell you that that 
didn't work in the privacy area, and it seems to me with an 18-
month run here and a huge agenda, it won't work.
    I've also had the experience recently of chairing an effort 
to bring together experts on criminal justice privacy, and we 
brought folks to the table with real agendas, real 
stakeholders. The discussion was terrific, but we ended up of 
necessity having to make the recommendations very generic and 
very vanilla because we simply couldn't reach a consensus 
otherwise.
    I guess I wouldn't bring to the Commission table folks who 
come really locked into a particular agenda or point of view 
because then you're obligated to bring in their opposite 
numbers, and there's no way you're ever going to get any kind 
of a consensus.
    I think probably Solveig has got the right idea, bring 
people who have got some understanding and background with 
privacy with particular areas of expertise, economics, law, and 
we can all think of some other areas that would be important to 
have there.
    Ms. Culnan. I would agree that in the interest of getting 
the Commission up and running quickly, it's important to have 
people who are familiar with the privacy issue and have thought 
about it and been involved in some of the previous discussions 
about this. I think you should strive to bring people in who 
are independent and open-minded to the extent that they can be, 
and I would also argue in favor of selecting people that 
represent different areas of subject expertise. And in 
particular somebody with a technology background would be very 
important because the technology is changing so quickly. It 
would probably be useful to have someone who understands the 
law, but you don't necessarily have to have a lawyer.
    Ms. Varney. I would agree entirely. Seven to nine 
Commissioners who are viewed as independent and not beholden 
to any particular commercial or advocacy interest, with 
particular subject matter expertise in economics, technology, 
law, finance, and health information.
    Mr. Plesser. I brought with me a relic, which is the report 
of the Privacy Protection Study Commission that we issued in 
1977, and I looked at the front page, and it occurred to me 
that it might be helpful for this conversation for me to just 
give you a quick rundown of what the backgrounds of the members 
of the Commission back then were, because I think it really 
did--whatever people say of the Privacy Commission, I think it 
worked. People got together, they got along, and I think there 
was consensus.
    David Linowes was the chairman of the Commission. He was a 
very experienced CPA, brought to the discussion a lot of 
expertise and that was very important. He was also a professor 
and a businessman.
    Dr. Willis Ware, who was vice chair, was mentioned before, 
was probably the leading technologist at the time. He was an 
expert for Moran Corp. and was considered, I think, the leading 
computer scientist in the United States at the time. Certainly 
I would say what Christine said about the importance of having 
really a world-class technologist. He was that.
    William O. Bailey was the president of Aetna, major 
businessman, CEO, major responsibilities, who did spend a week 
a month or--the requirement.
    Then we had Barry Goldwater, Jr., and Ed Koch, two 
Congressmen who were very committed to the issue, and I see my 
friend Ed Markey behind me, and the parallels remind me. But 
the issue of having two Congressmen actually were effective. 
They really brought a real sense of reality and realism. I'm 
not suggesting that that necessarily be done, but I think they 
were very effective members.
    And there was Robert Hennason, and this is an important 
category. He was a State Senator, and so we had the input, and 
he had actually worked on Minnesota privacy code, so we had the 
experience of somebody who really had worked with and 
understood State problems.
    And then finally we had William Dickinson, who was a 
retired editor of the Philadelphia Inquirer, and it was 
critical, I think very helpful, to have somebody with that kind 
of a free press, open communication background.
    So there was a balance in here from kind of professions and 
general point of views. There was nobody, with the exception of 
maybe Mr. Bailey, that you could say was an industry rep or an 
anti-industry rep. Everybody else brought to it, I think, a 
balance of professions, and I would suggest that the idea of 
having a technologist, a journalist, an accountant, those are 
all very important aspects.
    Mr. Turner. Do you recall, Mr. Plesser, when the statute 
that created that Commission in 1977, did they specify the type 
of individuals that should serve, or did it just work out?
    Mr. Plesser. I don't think so. It specified that three from 
the executive branch, two from the House, and two from the 
Senate. I don't recall if it required a specific qualification 
of specific members like Stan's committee. I think it did say 
that there should be a balance of interests, and I think 
people--there was really no controversy, and I can tell you 
that this group functioned extremely well. There was really 
no--there was disagreement on policy issues, but it really was 
a group, including Mr. Bailey at the time, who was kind of a 
business representative, really worked hard to do the right 
thing.
    Mr. Turner. Mr. Sokul, what's your suggestions on 
membership?
    Mr. Sokul. Our Commission had 19 members, and that was 
unwieldy. I remember the first meeting the whole morning was 
just opening statements. But I think----
    Mr. Horn. I might say that's a disease that also happens in 
the Congress.
    Mr. Sokul. I think that with your appointment process, when 
you're having different people appoint different--a certain 
number of appointments, it's going to be hard--unless you 
legislate an individual person in, you're always going to be 
rolling the dice. It's going to be very difficult to obtain the 
balance or the perfection you want.
    I think the most important thing or the two most important 
things are that the people are committed and that they talk to 
each other. I think the Members here probably understand that. 
I think our best meeting was our final meeting where it wasn't 
a formalized structure, but Governor Gilmore just adjourned the 
meeting, and we were in recess in the back room, finally 
talking to each other.
    Maybe the best thing you could do is to exempt the 
Commission for a few working meetings from the Sunshine Act and 
just let them go off in private and talk to each other.
    Mr. Turner. You think the Commission ought to have a little 
privacy, I gather.
    I think all your suggestions have been helpful. I guess the 
next question is open, is whether there should be some 
specification of these types of individuals in the legislation, 
or in the alternative, should there be some prohibition 
against, say, an industry representative or some other type of 
individual from being able to serve. Do any of you have any 
suggestions or thoughts on that point?
    Ms. Singleton. I'll start, since it seems like nobody else 
is going to. What I'll say is contrary to what some people have 
said about avoiding extremes. I think part of the reason that 
the debate has been polarized is that there are real 
philosophical differences there, and I think it would be to 
some extent a shame if the Commission did not reflect to some 
extent those real philosophical differences. And at the same 
time I think it's still possible to have a commission that 
avoids fractiousness by--simply by choosing people with certain 
personality types to be on the Commission as opposed to people 
who are given to pounding the table with their shoes and so on. 
That may be easier said than done, of course, but I think--I 
don't think it would make sense to exclusively prohibit any 
particular perspective from being expressed.
    I won't say any more than that. I think probably others 
have more expertise about whether it would be more effective to 
list or not to list.
    Mr. Belair. As I listened to the discussion, I think I was 
convinced that certain kinds of subject matter expertise are 
absolutely vital, technology, some kind of background in 
finance, economics, and we spelled out several others. I think 
I'd be tempted, if I were writing the bill, to spell that out a 
little bit and maybe also allow for some flexibility as well in 
the appointment process. But it seemed to me that I was 
convinced that there ought to be some of those kinds of people 
at the Commission table.
    Mr. Plesser. I just think that while it's very important to 
think about the Commission members and positions, I think it's 
very important that we make sure that the inquiry is a full and 
balanced one if we do do it. The Privacy Commission had 
something like 60 days of hearings, had hundreds of witnesses, 
and I think that that process really--I mean, if somebody had a 
point of view, it would be very difficult to kind of just stay 
on it. There was a public record and testimony and balanced 
input.
    I certainly agree that you shouldn't have all 
businesspeople. You shouldn't all have all public interest 
people. You shouldn't have all academics. There has to be some 
balance, and I think hopefully the process of appointment will 
do that, and I think you can say that appointments should 
reflect a range of--I think at least I would like to avoid 
saying there has to be one member who represents this interest, 
one member who represents that interest. I think that would 
probably not be good. It also would not be good if there were 
nine CEOs of Web companies on there and nobody else. That would 
not be a good result, nor would it be good to have nine public 
privacy advocates on it.
    So we have to work to get a process. I think the difficulty 
is we don't want it to be like slots. We want good people, 
balanced people representing a range of perspectives, at least 
that's my view.
    Ms. Culnan. I'll just add very quickly I think it's 
important to have flexibility. You may get a person that is 
representing more than one type of expertise, and so, again, by 
specifying one person, one form of expertise, I think that's a 
mistake.
    I think it would also be a mistake to specify that certain 
types of people are not to be appointed, to be as general as 
possible to maintain flexibility to get the very best set of 
people that you can get.
    Mr. Turner. Thank you, Mr. Chairman.
    Mr. Horn. I thank the gentleman.
    I now yield to the gentleman from Arkansas, Mr. Hutchinson.
    Mr. Hutchinson. Thank you, Mr. Chairman, and this has been 
a long session, and then we've got another panel, but just to 
further elaborate on the record somewhat, I did want to ask Mr. 
Plesser some followup questions about the 1974 Privacy Study 
Commission. You had some very positive comments to make 
concerning that. Would you describe what the benefits were of 
that Commission and what good came out of it from a 
congressional standpoint?
    Mr. Plesser. There was only one piece of legislation that I 
think could be directly pointed. There were 164 recommendations 
for some kind of legislative implementation. There was only 
really one statute, the Right to Financial Privacy Act, that I 
think resulted directly from the work of the Commission. During 
the work of the Commission, the IRS statute in terms of 
limiting the information that could be exchanged or given to 
the executive branch was put in, but I think that would have 
happened probably with or without us. I think the Right to 
Financial Privacy Act was a direct result of what we did, which 
protected people's interests in their checking accounts and 
information that banks can disclose.
    We recommended strongly regulation in the medical records 
area. It isn't really until this year, 23 years later, that 
we're seeing legislation in the medical area. My own view is 
that it was much delayed, but I think even though Bob Belair 
did kind of a subsequent inquiry into it, I think that the work 
we did in medical records and employment and specific areas 
made a great contribution, and I think it's still used today in 
many areas in analyzing privacy.
    Mr. Hutchinson. Let me just add when I look at a 
commission, you never know what's going to happen down the 
road, but I think information is invaluable to Congress, and 
actually I think that the argument for the supermajority is 
that it makes some requirement for consensus to be built, but 
we also want--the consideration is that if you have a simple 
majority, you will have a report that comes out and a minority 
report, and it's information, different viewpoints. The 
legislative processes still have to work, but it's a tool to 
build consensus in this very difficult area.
    And so I look back to the 1974 Commission. You're right, 
legislation did result from it in not all of the arenas, but 
the other information, someone referenced that it's still being 
passed around today and studied today and referred to today. So 
I see a lot of benefits from a Member of Congress's standpoint 
to having this type of commission.
    There was--one more question with regard to that. 
Everybody's talked about the variety of people on the 
Commission. Is there anything special about the 1974 Commission 
as to who did the appointing process and who we should be 
looking at? You've seen our bill, and we have it divided among 
different congressional leaders and the executive branch.
    Mr. Plesser. Well, the political--I forget exactly the 
politics back then, but I think you had one party controlling 
the House, Senate, and President and executive branch, so there 
wasn't any real political controversy, and in that case you had 
two from the Senate, two from the House, and three from the 
administration, but the administration could name the Chair. So 
that was--I think by having the ability of the administration 
to do the Chair, they had a little edge, but--if you do a party 
split. So that's the way that worked. Whether or not it's the 
best way--it did work in practice. It was, as I said, a 
balanced approach, but who knows what could have happened.
    Did I respond to your question?
    Mr. Hutchinson. Yes, you did. I'm grateful for that.
    Did anyone raise the objection during that time about, 
well, why do we want to have a commission? We just need to pass 
legislation right now. We know what we need to do.
    Mr. Plesser. Let me tell you, even though it was slightly 
before my time, and I might say not only was the Commission 
balanced, but I think the staff was balanced. Carol Parsons, 
who was an extremely able executive director, and she had a 
privacy background, and she was the executive director of the 
very early HHS study on privacy, which really developed this 
concept of fair information practices, and I was a freedom of 
information lawyer. And so they had a privacy person and an 
open government, open access person, and I think there was a 
reason for having that balance, so I think that was effective.
    Mr. Hutchinson. Were you leading to the question I just 
asked, though?
    Mr. Plesser. Sure. Could you repeat it? I interrupted. I'm 
sorry.
    Mr. Hutchinson. You're still on the other question, trying 
to give a more complete answer. I was simply asking at that 
time did people raise the objection that we don't need to have 
a commission, we ought to just move forward with substantive 
legislation now.
    Mr. Plesser. What happened at that time was in 1974, the 
Privacy Act was sponsored by Senator Ervin, and some version 
recommended the omnibus approach for State and Federal--State, 
Federal, and private sector records. The Privacy Act, some 
earlier version was going to cover everything. There was a 
split. There were a lot of people who did not want that to 
happen, at least in terms of the private sector and State and 
local government.
    The compromise was the Commission. The compromise was to 
say, OK, we'll pass the Privacy Act of 1974 in connection with 
Federal records, but then we will throw this issue of whether 
or not the principles of the Privacy Act should be extended to 
private sector and State and local to the Commission. The 
context was a little different. I mean, they started with a 
comprehensive law. I think here now the context is somewhat 
different.
    Mr. Belair. I was at the White House Privacy Committee at 
the time, and I think Ron is exactly right. There was a wide 
consensus that we needed to sort out whether the standards that 
would apply to Federal Government in the Privacy Act should be 
applied to the private sector, but there was also a push back 
in some areas. For example, health privacy even back then was a 
major concern, and as we got later on into the 1970's, Senator 
Javits had a bill. There were bills over here--Bella Abzug had 
a number of bills--and there was a concern that the Privacy 
Commission's work would slow down the march toward 
comprehensive health information privacy legislation. As we've 
seen with hindsight, there were so many things slowing down 
that legislation, that the Privacy Commission made no 
contribution to that.
    Let me just say real briefly, though, I think Ron's being 
modest a bit about the work of the Privacy Protection Study 
Commission. It set the template. It set the model for not just 
the U.S. thinking, but the whole world's thinking for many, 
many years about privacy, fair information practices, a 
distinction between uses of information that had an impact, a 
tangible impact, on individuals and nonadministrative uses that 
did not, a sector-by-sector approach, which the Europeans 
eventually abandoned, but not right away. It had an absolutely, 
I think, profound impact on the way in which the Nation thought 
about privacy.
    Mr. Hutchinson. Thank you.
    Mr. Horn. I thank the gentleman, and I yield to the 
gentleman from Virginia, who I believe will yield to the 
gentleman from Massachusetts, who is welcome to bring up 
himself to the podium here, or you can grab one of the mics. 
Let me make a deal to you and your two colleagues that 
disappeared. If you want to be the lead witnesses at 2 p.m., on 
Thursday, we'd be glad to give you that.
    Mr. Markey. Thank you, Mr. Chairman, but I think I would 
rather be the last witness on this panel.
    Mr. Moran. Do we have a choice as to whether you get the 
last word?
    Mr. Markey. You just chose, and I thank you so much.
    Ms. Varney. Mr. Chairman, I have a child care conflict. 
Could I be excused and give Mr. Markey my seat?
    Mr. Horn. Certainly. If you don't mind, we're going to 
close it down really after Mr. Markey, but we'd like to send 
you a few questions. Would you mind responding to us for the 
record?
    Ms. Culnan. I'd be glad to.
    Mr. Horn. The gentleman from Massachusetts.
    Mr. Moran. We appreciate very much Ms. Varney coming to 
testify. Thank you, Christine. If you want to get in the middle 
here, you can.
    The rest of the panel is going to stay because I know they 
want to hear from you. I'm not going to ask questions. I can 
review the testimony, but I've also got a prize constituent in 
Mr. Belair, and I consult with him regularly, so I will take 
advantage of that. So the floor is all yours.

    STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN 
            CONGRESS FROM THE STATE OF MASSACHUSETTS

    Mr. Markey. I thank you very much for your hospitality. 
Here's my bottom-line point to you all. Members of Congress are 
experts on privacy. Our privacy isn't invaded on an ongoing 
basis. You don't have to be--there's a lot of things on which 
congressional expert is an oxymoron, but compared to real 
experts, we're really not. But on privacy, we're experts.
    The reason that we are experts is for the most part that 
we're human beings, and that's why we've been able to pass laws 
over the last several years to deal with issues as they arose 
that dealt with the privacy of Americans. For example, if 
someone wants to divulge your driver's license, it's opt-in; 
all that information, opt-in. That's a law. If someone wants to 
transfer information about your videocassette rentals, all 
those things that Judge Bork got in trouble for during this 
confirmation hearing, Congress passed a law. They can't sell 
that information to anybody anymore. Opt-in. You want people to 
know every movie you rented? Opt-in. Pretty simple. What 
protection would you want for your family? How complicated is 
that?
    How about the information dealing with whether or not the 
cable company should be able to sell all the information where 
you click on your cable stations, especially after midnight 
when everyone is upstairs asleep, what channels you go to; 
should that be public information everyone has access to? We 
have a law in the country that says opt-in. Unless you want the 
cable company to sell that information to people, no one knows 
what channels you click to when everyone is upstairs asleep. 
Good law.
    How about your tax returns? Opt-in. Do we really have to be 
experts? Do we have to have a panel put together to decide 
whether or not we want our tax returns given out to everybody 
in town, everybody should have access to it? Opt-in. Very 
simple.
    How about on your cell phone when you travel someplace, you 
might not want everyone to know where you are going? How about 
the cell phone companies selling that information where you've 
been going? Opt-in. How about all your phone records, everyone 
you're calling all day long, everyone in your family is calling 
all day long? Should anyone be able to access that? Opt-in. 
Very simple. Not complicated.
    We don't need an expert panel on this subject, and we 
definitely don't need an expert panel to study for 18 months. 
That is absolutely beyond the pale.
    Two years ago when there was a bill coming through to ban 
pornography on-line, I said, fine, I'll go along with that, but 
how about giving me an On-Line Child Privacy Protection Act, 
too; any child 13 and under, unless their parent gives 
permission, has all that information private. That's the law of 
the Nation now. The Federal Trade Commission has promulgated 
the rule. How complicated is that, information for 13 and under 
should not be disclosed even if you got it on-line, even though 
it might impede the new Internet revolution?
    How about a child who's 13, 14, or 15, though. Do we need a 
panel to discuss that one, 18 months for us all to figure it 
out? I don't think so.
    How about--how about our health records? How about the fact 
that your husband or wife has prostate cancer or breast cancer, 
or a child is on Ritalin or has a child psychiatrist? Should 
all the medical exams in the insurance company be able to be 
shared with all the stockbrokers that are in that same firm? 
How about all the checks that you wrote; all the medical 
information is on there. Do we need 18 months to figure this 
out?
    I think we need a panel of 17 Members of Congress to go 
into a room, just give everyone the questions, and everyone 
will decide, because this is an issue that ultimately deals 
with your family.
    Now, I think the biggest fear that everybody has, to be 
honest with you, is whether or not any decisions we make are 
going to affect the Internet and will be responsible for the 
destruction of the Internet. We shouldn't actually value the 
Internet the same way we value all companies, because if we 
valued the Internet the way we value all companies, they'd have 
to have earnings. They'd actually have to have profits. God 
forbid we should actually have that standard. People who talk 
about that lead to the NASDAQ collapsing 2,000 points. How can 
we possibly have that standard? Obviously we shouldn't have--
otherwise everyone who's responsible for saying that they 
should have profits or earnings or revenues are ruining the new 
era.
    How about fraud on-line or gambling on-line or selling 
drugs on-line; do we need a study on these issues before we 
pass any laws with regard to these things that are done on the 
Internet? Why should we allow, then, for people to be able to 
delay another 2 years? And that's what we're talking about 
right here, sitting right here 2 years from now after an 18-
month study, which finally goes to the President later on this 
year, is finally promulgated, and we're not going to move on 
anything because there's a chorus here that is going to go out 
there as soon as this becomes law saying, we've got to wait for 
Congress now, we've got to wait for the expert panel. God 
forbid we should decide.
    The test here is whether or not we can construct a formula. 
Commerce, yes, but commerce with a conscience. And the issue, 
the way I see it, in this bill, by the way, is that, yeah, they 
are going to look at how the government goes into your 
business, but I really don't see the private sector--where is 
the subpoena power for private corporations so you can look at 
them or the right to depose private corporations? Because the 
issue, ladies and gentlemen, is not Big Brother, it's Big 
Browser. The problem is that you can now profile for profits. 
You can take each one of us, each one of our families, gather 
information from all these various sources that are now 
available, put it in a big package, and then sell it to 
hundreds of companies or others that want to look at our 
families.
    Now, I don't know why we want to study this for 2 more 
years because we already know it's right on videocassettes, and 
we know it's right on taxes, and we know its right on cell 
phones, we know it's right on telephones, we know it's right on 
everything, ladies and gentlemen. It's very simple.
    So my bottom line on this is that this is a basic human 
right, the right to be let alone, the right for the world not 
to become--coming into our living room. Wall Street says, we're 
going to give you a window on Wall Street. That's great. But 
the American people just don't want Wall Street to have a 
window in our living room. If we don't want them in our living 
room, they don't have any right to come into our living room, 
and if we want to opt in to get all this great information that 
they want to give us, we can just check off someplace.
    By the way, these same companies that say, oh, it's going 
to be so difficult for us to construct an electronic way in 
which people can check off they don't want privacy, these are 
the same companies that tell us they can transfer $1 trillion 
from here to Osaka in a nanosecond, that they can recreate 
entire economies in China over the next 2 or 3 years if we are 
allowed to sell telecommunications and Internet and software 
technologies into that country, but we can't think, figure out 
in our own country whether or not we want to protect children, 
whether or not we want to protect health records? I don't think 
so.
    So this is without question, with all due respect, to all 
the members of this panel, a central--maybe the central civil 
rights issue of the 21st century. Eighteen months is too long. 
This bill really is not going to give the proper authority, be 
able to look at what the private sector is doing. The 
Commission is totally tilted. You can wind up, if George Bush 
is President, with 4 Democrats and 13 Members of the other 
party are appointed by him, with industry representatives 
dictating ultimately what they believe is best for their 
business.
    So at the end of the day, we have to have the new economy, 
but the new economy with old values, and the old values of the 
very same ones we grew up with, the nurse and the doctor that 
probed our medical records, and no one else in town knows what 
happened to us or member of our family; the banker who gave us 
our little passbook when we went in for the first time, and no 
one in the rest of the town is going to know what is in our 
little passbook, and we know who he is and is going to protect 
us. Same values.
    These companies are going to make it, but they are going to 
make it protecting against the compromise of our privacy by 
engaging in other behavior which we all know is wrong. If they 
are going to be profitable, they are going to have to do it the 
old-fashioned way, protecting solid American values while using 
new technology to drive the old companies out of business, but 
not using new values to drive the old companies out of 
business. They should be forced to compete on the same grounds 
in terms of the values.
    So I thank you, Mr. Chairman, for allowing me to testify. 
This is a very important bill, and I think ultimately, with all 
due respect to the gentleman from Arkansas who I respect very 
much, I just think it delays too long congressional 
consideration of this very important issue. Thank you.
    Mr. Horn. I thank the gentleman for coming.
    I wonder what you would think of the delay that we've had 
between the Senate and the House. We wanted to get to this in 
this committee 3 years ago, and everybody was going off in 20 
different ways around here, and I just wonder what you think 
about that if we'd done the Commission 3 or 4 years ago.
    Mr. Markey. Again, we don't need a commission.
    Mr. Horn. But somewhere you need people building a 
consensus.
    Mr. Markey. The consensus will be built. Eighty-five 
percent of all Americans have the same view on this issue. 
There's a consensus in America already. There's just no 
consensus when you fill up the room with a bunch of lobbyists, 
a bunch of industry representatives. Of course they are all no, 
no, no. If you want to weight them equally with the 85 percent 
of the American people who agree on every one of these health 
care, financial records, child--go down the line--disclosure of 
privacy, there's no debate in America. You can have a technical 
debate over how to do it, but there's no debate on this 
question.
    This is the single highest polling issue in America. People 
value their privacy, their individuality, their American--their 
sense of independence of the big business and big government. 
The far left and the libertarian right join on this issue, 
doesn't leave a lot of room in the middle. They are fighting 
this hard, Mr. Barton and I, Senator Shelby and Senator Bryan 
in the Senate. It's the middle, the practical middle--actually 
it's the business middle that objects.
    So, yeah, we can pass this, but we pass it only for big 
business, only for big bucks, only for Big Browser, but we're 
not passing it for ordinary people. That's not what this study 
is about, because every one of us know what protection we want 
for our mothers, for our fathers, our wives, our husbands, for 
our children. Every one of us know what that answer is on every 
single subject. We're all experts on that.
    Mr. Horn. Before you leave, I'll call on the author and 
coauthor of the bill and see if you want to ask any questions 
of the gentleman from Massachusetts. Mr. Moran still has plenty 
of time.
    Mr. Moran. But we don't have much time here. I've got to 
get to a meeting with Mr. Gephardt that started at 4:15, so I 
can't get into too much questioning.
    We have heard from many people who are not tied into a 
commercial entity, nor have a commercial motivation, who feel 
that this is a more complex issue than it appears to be, and 
certainly than you perceive it to be, Mr. Markey. There are a 
number of different State approaches, some of them conflicting. 
We have legislation that was passed with regard to medical 
privacy that HHS has gotten tens of thousands of responses on 
and has taken 2 or 3 years to try to come up with some 
regulations. We have the financial services modernization bill 
that was recently passed that is legislation. I know you 
opposed it, but nevertheless--opposed at least parts of it. I 
think you voted against the bill, as I recall, but nevertheless 
was passed and is the law of the land and has a significant 
implication for the--for the privacy issue in general, and 
there will be others.
    And one of the purposes of such a commission was to try to 
establish some consistency, some fundamental principles, some 
floor, if you will, when you talk about values, some value 
floor that would either exempt or incorporate or preempt, I 
should say, or incorporate State law. I don't think that we 
want a potpourri of different State statutes. Clearly 
electronic commerce is intrastate, can't be held within 
boundaries, and we have a difficult issue with regard to 
preemption or finding some kind of consistent uniformity.
    We also have a difficult issue, if we're going to ad hoc 
this kind of legislation, whether it be in financial services 
or medical issues or other types of electronic commerce, how we 
achieve consistency, and we also have very rapid developments 
in the field itself and the industry, developments that are 
customer-friendly, developments that respond to market 
incentives.
    People want privacy. We don't disagree that this is a 
cutting-edge issue. If you poll them using any kind of 
simplistic question, you're going to get very high responses. 
People want privacy. And so the industries involved in the 
Internet and information technology understand that and have 
responded with any number of ways to protect people's privacy.
    And so the intent of giving the Congress some analysis with 
which to develop overarching legislation, if you will, was to 
achieve consistency, was to recognize the central tenets of 
federalism, and was to incorporate technological advances that 
have been taking place in the private sector, and also to 
figure out a way that we can coordinate the public and the 
private sector, because we don't necessarily have the parallel 
objectives here. There are some benefits to the public sector 
having some information shared that the private sector 
collects.
    So for all those reasons, there seem to be some benefit to 
studying the issue, and, as Mr. Horn said, no matter how 
anxious many Members might be to get legislation enacted 
immediately, it is not likely to happen. The history is that it 
has held up for what seems to be interminable periods--
certainly longer than 18 months. If you look at financial 
services, we've been working on that for what, 10 years. 
Medical privacy took a significant amount of time to get 
legislated, but even more time to get regulated. So you could 
make an argument that if we could get a consistent format and 
some consensus within 18 months, we'd be doing pretty well, and 
even breaking some precedent.
    Do you want to respond to those? I see you've been taking 
some notes there.
    Mr. Markey. I agree with you that each individual in 
America should be able to avail themselves of the new privacy 
technologies, encryption technologies that are being developed. 
That's important. They also have basically a right to expect 
industry to voluntarily step forward and put together industry 
standards, and they are in some fields, some companies. But 
because there are always going to be a significant number of 
outliers, significant number of companies on-line, especially 
who are just digital desperadoes, just trying to capture 
whatever they can in a short period of time in this new 
economy, there has to be a Federal floor. There has to be a 
third level of Federal guarantee, a right to knowledge that 
information is being gathered about you, a right to know that 
it's going to be reused for purposes other than you and your 
family intended it, and third a right to say no. And then 
you've got some power, too, even if the technology doesn't work 
to block it, even if the companies aren't going to be doing it. 
You've got a right as an American, a right to protect your own 
family's secrets, secrets you are not telling anyone else 
about.
    In Europe they have stronger standards, and from Citicorp 
to every American company that is over there, they abide by 
these stronger privacy codes, and our industry is thriving in 
Europe, abiding by the tougher European privacy codes.
    Many people say, we don't want the European standards here 
in America, but when you poll in America, 85 percent of 
Americans say they want the European standards. Now, we didn't 
import 500 people for this poll. They are all Americans. They 
are just ordinary people. They want the same standards. And the 
reason that we didn't build in the right for an American to 
stop the transfer of their medical insurance records in an 
insurance company now to a broker or banking affiliate is that 
the Rules Committee last year wouldn't allow my amendment out 
on the floor because they knew it was going to pass 350-50. 
That's the only reason it didn't pass. I couldn't get it made 
in order. The industry said, don't allow that amendment, 
because they had won in the Commerce Committee 42-0. No Member 
wanted to vote against it when they were forced to in the 
Commerce Committee that they would have their medical or 
financial information transferred without their permission, so 
they just blocked the vote on the floor. Didn't need any more 
study. Every Member knew they didn't want their family's 
medical privacy spread around town or those checks or those 
insurance exams. It was the industry using the Rules Committee.
    So, yeah, I guess you can say we can bottle everything up, 
use the process to stop it, but I don't think it's an accurate 
reflection of the amount of knowledge that we all have of what 
it is that we want to be built into law for each of our 
families. And all I'm doing is just reflecting my own mother's 
mortification if someone knew of some illness that she had. She 
wouldn't even tell her sisters, much less everyone in town, if 
she was--if she had an incontinence pad. She wouldn't want 
anyone to know that.
    She should have a right to protect that. Every American 
should have that right. I don't think we need to debate it. I 
don't think we need to wait 2 more years for this industry to 
have the same rules that the old industries have. I think we 
owe that to Americans, and waiting 2 more years means waiting 4 
more years.
    Mr. Moran. I was just going to suggest that this may seem 
like a plodding, tedious process to bring everybody together at 
the same table and to try to reach some consensus, but 
sometimes the plodding, tedious process actually accomplishes 
more in terms of legislative enactment than the dance of 
legislation, which can be more thrilling and seemingly 
responsive, but can oftentimes take longer and can become even 
more frustrating.
    Mr. Markey. I'll tell you what happened. In the 1995 
Telecommunications Act, our privacy bill of rights was built 
into that act, and it was worked out by all the Democrats and 
Republicans on the Commerce Committee, and it passed the House, 
and you voted for it. Every Member here voted for it in 1995. 
It was my bill. I worked it out with Jack Fields, I worked it 
out with all the Republicans, and it was a comprehensive 
privacy on-line bill of rights.
    The reason it got knocked out was not that all the Members 
didn't understand what the language was, it was because the 
Republican leadership, a week before we finished the conference 
in February 1996, just knocked it out, just knocked it out. 
Somebody called them, and they just knocked it out. And I was 
in the minority at that point, so I didn't have any power to 
keep it back in, but it was all worked out in a bipartisan, 
bicameral, industry-inclusive basis. That was 5 years ago now, 
6 years ago.
    So we can study it, I guess, until 10 years has elapsed 
since the anniversary of the 1995 act passed on the floor of 
the House, but I just don't think we all need to know much more 
about this subject.
    Mr. Moran. Well, you make a very persuasive presentation as 
always, Mr. Markey.
    Mr. Markey. It's the Jesuit education.
    Mr. Moran. I was going to make a remark about that, but you 
beat me to the punch.
    Mr. Horn. I thought it was just being Irish.
    The gentleman from Arkansas.
    Mr. Hutchinson. Thank you, Mr. Chairman.
    Being a visitor to your subcommittee, I want to tell you 
how impressed I am with the depth of your hearings. This has 
been extraordinarily a mind-expanding experience, and I want to 
thank the gentleman from Massachusetts Mr. Markey for his 
excellent presentation. I think that added certainly to the 
debate today.
    And I've been thinking about that we had a discussion early 
on, and if we take this bill, Mr. Moran and I, we just took 
this bill totally down and say we want to give it every shot, 
we don't want to give anybody an excuse not to support industry 
privacy legislation, in all honesty I don't think it's going 
to--you'll build the consensus to move it forward this year. In 
all honesty I don't think you've got the timeframe to get it 
done this year.
    That's just my view, but I don't want this again to be used 
as an excuse not to move other legislation through. I see it 
complementary. In some areas I think you can--we can all agree 
upon the more simple, basic, fundamental areas of privacy, if 
we need to do something, let's do it and get it done with.
    I asked this from the White House yesterday, the gentleman 
from the Office of Management and Budget, if you adopt these 
other things you're interested in, would it be some benefit to 
a commission looking at the ongoing technology, the ongoing 
privacy issues? His answer was yes, because it's a changing 
world out there. This issue is not--adopt everything that you 
want to adopt, Mr. Markey, everything that you want to adopt, 
and I still believe that we need a commission to look at the 
ongoing developing issues in a comprehensive fashion. So that's 
really my interest in it.
    And then maybe--you raise these illustrations about opt-in, 
and I--quite frankly, I don't know if it is that simple. There 
was an instance the other day if there was an opt-in where 
someone refused to give a consent for information to be 
transferred, an opt-in for a cell phone company, what if a 
person chooses not to opt in and they call from a cell phone 
with an emergency, but the location of that emergency cannot be 
divulged to law enforcement or the fire department? Now, it 
could be a kidnapping, it could be a rape circumstance. And 
actually this information was shared a few weeks ago when a 
lady was kidnapped and she called the police, and the telephone 
company did not want to share the information.
    There very well is an answer to that, appropriate 
exception, but I think the point is that this is--there's some 
areas there that we need to--that should be debated, discussed. 
It is not as simplistic as sometimes is presented on the front 
end.
    And so I hope we'll continue having this discussion, and I 
want to thank you again, Mr. Markey, for your presentation. 
You're making notes. I'll give you a chance to respond.
    Mr. Markey. I thank you so much. On that specific issue 
which you just raised, in fact, we passed a bill that does 
prohibit the tracking of cell phone use, but with an emergency 
exception, so in that particular instance, there was no reason 
why the company could not transfer the information to the 
police or the fire in order to provide rescue or emergency 
medical service for that individual. As a matter of fact, we 
passed a specific law a year ago in order to accomplish that 
goal.
    And on the other issue, again, I'm just reflecting my own 
personal history, which is that the Rules Committee 3 years 
ago, when we were bringing up the financial services bill, it 
ultimately was a failed effort. They would not permit my 
amendment on privacy to be put in order for the floor, but they 
promised there would be comprehensive hearings. That was the 
Banking Committee promise. There were no hearings. And last 
year in 1999, when my amendment was denied consideration on the 
House floor, they promised hearings this year. There have been 
no hearings. So if we want to now conduct a study for 2 more 
years, I think it passes prologue. We already see in the 
conduct of----
    Mr. Hutchinson. Mr. Markey, you mentioned 2 years a couple 
of times. I do want to emphasize because of that point, there's 
a provision that the Commission can report back early if they 
deem it appropriate. If there's a consensus that develops 
within 2 months, they report back to Congress. And so that is 
an outside sunset time, and excuse me for interrupting, but I 
did want to make that point.
    Mr. Markey. With $2.5 million allocated, we're going to 
invoke the rule that work expands the time allotted without 
question, because the salaries of all these staffers that are 
going to be hired and all the expert witnesses will guarantee 
that they'll go right up to the very last minute.
    Mr. Hutchinson. There was a comment. Mr. Plesser, you 
raised your hand a moment ago.
    Mr. Waxman. Are we doing the 5-minute rule?
    Mr. Horn. We went to the 13-minute rule, and we'll be glad 
to give you the same.
    Mr. Plesser. If I can, and I appreciate all the comments 
that Congressman Markey said. I just want to say that I think 
his review of the statutes in saying opt-in simply reflect it's 
somewhat more complex than that. I know he would agree with it, 
although the legislation that he suggested does have some 
affirmative consent proceedings in it, but it also has opt-out 
in terms of the use of mailing lists, marketing lists, not of 
the specifics of the transaction. But many of the statutes that 
he referred to, the Cable Act and others, other of the statutes 
do provide provisions, both a balanced view of opt-out and opt-
in. Mr. Markey has always had this wonderful concept of notice, 
knowledge and no, which I think has really led the industry and 
has led self-regulatory efforts, and I think we just want to 
make sure that it still is notice, knowledge and no, and not 
opt-in under some circumstances.
    I would certainly agree in medical records and in detail 
the kind of examples that he gave, but I think opt-out also has 
a strong role, and I just wanted to just fulfill the record on 
that point.
    Mr. Markey. If I could just follow up on that, I agree with 
him, a lot of the medical and financial information is very 
sensitive and should be given opt-in protection. And a lot of 
the other information that's on-line is more prosaic and 
probably doesn't deserve opt-in. But we don't need a year and a 
half to figure out which is and which isn't. We can definitely 
finish the medical and financial that we know should be given 
that protection. The most important issue is the material that 
deals with the financial and health information. We don't need 
to wait another 18 months. If you want, we can have a 
commission on what should be the rules for the prosaic 
information, but I don't think we need more time on that.
    Mr. Hutchinson. Mr. Chairman, I yield back. Thank you.
    Mr. Horn. The gentleman from California Mr. Waxman, 10 
minutes.
    Mr. Waxman. Thank you, Mr. Chairman, for the time. I had a 
conflict and couldn't be here. I thought the House rules 
provided for 5 minutes. I wondered after 5 minutes had gone by 
and no clock evidently keeping track of things of what the 
rules were. I won't take 10 minutes, but I wanted a chance to 
at least ask a few questions.
    Mr. Markey, I can see you're frustrated. I'm frustrated 
because we tried to do something in the area of medical privacy 
together, and the legislation has been introduced. Other people 
have introduced bills on medical privacy. This committee, which 
has jurisdiction, hasn't even held a hearing on medical 
privacy. We'll probably have a commission to review the 
findings of the Commission, and then we have to wonder when are 
we going to get to the point where we're going to do something 
about it, because I think the American people are concerned.
    In the area of medical privacy, individuals have expressed 
concern that their employers or potential employers will have 
an inappropriate access to personal information about their 
health records, and I recently conducted a survey to 
investigate how large employers handle their employees' health 
records. I asked 48 top Fortune 500 companies to voluntarily 
describe their privacy practices regarding handling of their 
employees' health information and to voluntarily provide 
documentation of their privacy policies.
    While a few companies stood out for having quality 
components to their policies, the survey found that only 15 of 
the 48 companies provided documentation of company policies on 
medical privacy, and many of the policies provided--lacked 
critical details. Further, 11 of the 48 companies refused to 
respond to any of the survey questions.
    So I think it's fair to ask if companies are unwilling to 
share information with Congress, why would they be any more 
willing to volunteer information to a congressionally appointed 
Privacy Commission?
    Mr. Markey, you have been deeply involved in medical 
privacy policy. If we do go forward with establishing a Privacy 
Commission, do you think we should require the Commission to 
examine employer practices and policies with respect to health 
information of their employees, and do you think the Commission 
should be given the power to secure information from companies 
regarding such practices and policies?
    Mr. Markey. I do. I think that there should be a power of 
subpoena, there should be a right to depose, without question. 
We're talking about the most fundamental civil rights that we 
each have, which is the right to keep our own medical secrets 
private. It's no one else's business. And if companies are out 
there engaging in practices which compromise that, then I think 
this committee--the Commission, as it's constructed, and as a 
result the American people, should know this, and as a result 
then the legislation which is formulated subsequent to that 
would reflect the protections that have to be built in against 
those practices.
    Mr. Waxman. Another area which many individuals have 
expressed concern is how financial institutions handle personal 
information. The United Kingdom has recently established a 
public registry that helps individuals learn about what types 
of personal data is being maintained and used by data 
collectors, meaning entities that decide how and why personal 
data are processed. Under UK law, data controllers have to 
provide details to the public, register about how they process 
personal information. The registers can be searched on-line by 
entering the name of the particular data controller. The 
register includes a description of the different purposes for 
which the controller holds or uses personal data, describes the 
types of personal data held or maintained.
    I want to share with you the results of a recent staff 
search on this registry for Citibank International. The stated 
purposes for which the personal data is held or used include 
marketing and selling, including direct marketing to 
individuals, personnel/employee administration and business and 
technological intelligence, among many others. For each purpose 
listed, the registry described the types of personal data held 
or used. As an example, I'd like to turn to the category 
marketing and selling including direct marketing to 
individuals, and listed 46 different categories of information 
including personal details, physical descriptions, habits, 
personality, character, current marriage or partnership, 
marital history, details of other family household members, 
other social contacts, immigration status, leisure activities 
interests, lifestyle, academic record, court tribunal inquiry 
proceedings, liabilities, outgoings, loans, mortgages, credits, 
dietary and other special health requirements, and religious 
beliefs. Obviously the register established in the United 
Kingdom provides individuals with a tool for obtaining 
substantial information about the practices of data 
controllers.
    Mr. Markey, you've worked for many years on financial 
privacy policy. Do you think it would be a good use of 
resources to study whether an information register like the one 
established in the United Kingdom would be a valuable system to 
establish in the United States, and if we move forward with 
legislation to establish a Privacy Commission, do you think the 
bill should require the Commission to review the United 
Kingdom's public register system and make recommendations 
regarding establishing a similar system in the United States? 
And do you think the Commission should have the power to secure 
information from companies relevant to this study?
    Mr. Markey. I do. What you're now describing is something 
that was required from the World Wide Web consortium, and the 
British, as a result, were saying to Citicorp, you've got to 
tell us what you're using this information for, give us your 
white paper, tell us what's in there. So you just basically 
listed a financial services FBI file on an individual gathered 
by Citicorp on these Europeans. And Citicorp was very unhappy 
about that, that it was disclosed to the public, because they 
might get the jitters that that kind of detailed profile on 
them is being gathered.
    Now, there's one thing we can be sure of, that Citicorp is 
doing the same thing to all of its customers in America, except 
we don't know about it because we don't have law the way they 
have over there, this data protection registry in Great 
Britain. And once the public understood it, they obviously were 
outraged. So we need a way in which the public and the United 
States knows about what Citicorp and every other corporation is 
doing in terms of this information, and if we don't do that, 
then we're going to ultimately wind up with all of us having 
this--you know, this digital dossier being developed on us and 
our families that tells those companies more about ourselves 
than any member of our own family knows about us as individuals.
    So you put your finger right on it, Mr. Waxman. There's the 
core problem, and I think we could have corrected it in the 
financial services bill last year. I think we can correct it 
this year. We had a week of hearings now. We can all agree on 
what should be done. I don't think we have to wait 18 months.
    Mr. Waxman. Do any of the members of the panel think we 
ought to have this Commission with the power to get this 
information from employers as to what they do on medical 
privacy and be hired to study the system in the UK and how they 
are handling these data controllers? Anybody on the panel want 
to talk to those issues?
    Mr. Belair. Let me speak to the situation in Europe. I 
think it's tempting to look across the Atlantic and see a very 
robust privacy environment. I spent a lot of time in Europe 
this year. I know Ron has, and I'm sure others have as well. Of 
course, a number of the EU nations have not yet implemented 
their own national law. In addition, the EU is suing some of 
those nations for their failure to comply, and what's 
fascinating about the European situation, it took a while to 
figure that out, but as you talk to the American, the United 
States affiliates over there or multinational corporations, 
there's such a different enforcement culture there that, in 
fact, I think it's fair to say, and indeed many Europeans say, 
that there is a very liberal interpretation of both the EU 
directive and the national laws. And so I think one----
    Mr. Waxman. What is your conclusion? You don't think we 
ought to study it because it's too different?
    Mr. Belair. No, I think it bears study, but I don't think 
it is necessarily a model for us. I do believe, and I think 
probably----
    Mr. Waxman. We don't know that until we study it.
    Do you think a commission ought to be able to study this 
and ought to be looking at other models?
    Mr. Belair. No question about it. Absolutely. I said that 
in my testimony.
    Mr. Waxman. How about some of the others? If you want to 
talk about the medical privacy issue, if employers are not 
willing to respond to Congress on what their policies are, do 
we need to give a subpoena power to this Commission to get the 
information?
    Ms. Culnan. I would say there's clearly a need for better 
notice in this country. I'm not sure that a registration system 
run by the government is the way to do it, but I think clearly 
that the Commission certainly could look at comparative models 
and see what could work here and what wouldn't. But it's 
particularly important, as Mr. Markey said, that people be 
informed what information organizations hold on them, and 
what's the most effective way to do that I think is the real 
issue.
    I think in terms of collecting information from companies, 
I think it would be important to assure them anonymity. To me, 
I don't think there's any particular benefit in naming names 
and saying one company does this and one company does that, but 
it would be very important to get a sense of the landscape in 
terms of where the problems are, as I said in my testimony, the 
extent to which fair information practices are applied, and 
that would include do employees know what companies are doing 
with their information.
    Mr. Waxman. I see my time is up. I don't know if the 
chairman wants to allow anybody else to speak on this issue.
    Mr. Horn. Once you ask the question, the Horn rule is to 
let everybody else answer, but that's it. Then we move to the 
next person.
    Mr. Greenwood is with us.
    Who else would like to answer----
    Mr. Waxman. Anybody. I just wanted to know if anybody 
wanted to respond. I didn't ask each one to respond.
    Ms. Singleton. Just a very quick comment. I understand 
Germany also looked at the possibility of a central registry 
and rejected the possibility because they were concerned it 
could become a target for human rights violations to have a 
list somewhere of all the information and immediately somebody 
who you don't want to have access to that list get access to 
it. It becomes a tool in the wrong hands.
    With respect to the subpoena power, I second Professor 
Culnan's remarks on the anonymity. I think it would be very 
valuable to get a picture of how information is actually used 
in the economy, particularly in the form of a survey, and that 
anonymity would help to ensure great participation.
    Mr. Plesser. On the subpoena power question, yes, no 
question, the Privacy Commission had it in the mid-1970's. It 
was horrible and unwieldy to use, and I don't think we ever 
used it, but the threat of it was effective. Without it I don't 
think anybody would have spoken to us.
    Whether or not you go forward with a commission, I think 
broader subpoena power is a good idea. I don't think there 
should be any limit on what you want to study. I think if you 
want to study data registration in Europe, that's fine. There 
has been one issue of which there is total unanimity among 
every person who has looked at privacy in the United States. 
Every privacy advocate, every expert, everybody that I've known 
or ever spoke to have always opposed the concept of data 
registration being imported to the United States. I've never 
heard even the most radical privacy advocate ask for that.
    I think it's important to study it, to consider it. I think 
in the end the comment we just heard that it's really anti-privacy 
rather than pro-privacy is appropriate because then the 
officials know where to go, then they know how to organize it 
and have the map. I think the problem of data registration is a 
significant one, and it's antithetical to our tradition and 
never really has been seriously suggested for the United 
States. But absolutely, let's have a study, let's look at it 
and see if there's a way that some of those concepts are 
helpful, but also to find out what the negative concepts would 
be. Thank you.
    Mr. Horn. Mr. Sokul, any comment to Mr. Waxman's question?
    Thank you very much.
    We now have Mr. Greenwood, Jim Greenwood from the State of 
Pennsylvania.
    Mr. Hutchinson. Mr. Chairman, are the panelists that have 
been here, are they expected to stay?
    Mr. Horn. Well, we'd certainly welcome them, but the dialog 
with the Members--I think Mr. Waxman's question deserved an 
answer, and we went down the line, but you're certainly free to 
leave, and we will, as I said earlier, send you some questions, 
if you don't mind. We're going to ask Democratic counsel and 
Republican counsel what key questions did we miss, and we'd 
appreciate your writing us back. We'll put it at this point in 
the record without objection.
    So we now turn to Mr. Greenwood, and we're delighted to 
have him here. He had to suffer the long wait that you and Mr. 
Markey and Mr. Barton gave up, I gather, and you're always 
welcome. You're a real leader in the House, and we're glad to 
have you here.
    Mr. Greenwood. Thank you, Mr. Chairman. I will be brief 
because, unfortunately, my schedule is going to require that as 
well.
    You've been listening to testimony for 3 hours on this 
issue, so I'm not sure how much more enlightenment I can offer. 
But I would like to share with you why it is that I am prime 
sponsor of H.R. 2470, which is the Medical Information 
Protection and Research Enhancement Act, which is an attempt to 
legislate this issue this year, and I'm also a sponsor of Mr. 
Hutchinson's bill, H.R. 4049, the Privacy Commission Act bill, 
which you've been hearing of.
    As you know, this is a long-standing and highly 
controversial issue and a very important issue. Back in 1996, 
the Congress basically directed and passed HIPAA, that 
required, if we couldn't get our act together legislatively by 
the summer of last year, that HCFA would do the regulations. We 
couldn't. We failed as a Congress to legislate. During that 3-year 
interim, I introduced my bill in July of last year, and 
we've not been able to move it, and there are reasons for that.
    This is like any other controversy. This issue involves the 
collision of a couple of values: of course, the commitment that 
we all have to protect privacy with regard to the most intimate 
details of our lives. The second one is that there's a terrific 
benefit to society when medical outcomes can be--that data can 
be collected and can be used by researchers and health care 
providers and insurers and others to try to enhance therapies 
and treatments for all of us. So the challenge in this issue is 
how do you merge these two values without compromising, on the 
one hand, confidentiality, nor compromising, on the other hand, 
the ability of society to benefit from this data.
    My experience with this issue is that there are two 
fundamental policy roadblocks, the first of those has to do 
with liability. The consumer advocates generally represented by 
the Democrats in the House advocate for a relatively liberal 
policy with regard to liability. They believe that if one's 
confidentiality is breached in any way, that there ought to be 
ready access to the courts.
    The other issue of controversy has to do with preemption. 
Many of us, including myself, perceive that in this digital 
age, information travels from our health care provider, to our 
health insurer, to a researcher across the State lines at the 
speed of light, and if we are going to use the values of the 
information age, we need to make sure that this data doesn't 
have to stop at every State boundary on the way. It won't work 
that way. The States have moved ahead and have, in some cases, 
passed some very strict confidentiality laws as it relates to 
issues like AIDS, mental health, and genetic information.
    I believe that we need to find a way to build a very 
airtight channel for this information to move from State to 
State without violating confidentiality. We haven't been able 
to do that. I've worked with Congressman Waxman, Congressman 
Markey, Congressman Brown, and Congresswoman Eshoo on the 
Commerce Committee trying to forge bipartisan support for the 
bill, and frankly we just haven't succeeded. We just haven't 
been able--in good faith negotiations to reach consensus.
    So my first wish would be that my legislation could pass, 
and we could have it enacted in this Congress. I don't see 
that, frankly, as being likely. So my second priority would be 
that Mr. Hutchinson's bill becomes enacted so that we can find, 
through the use of a commission, the consensus that we've not 
been able to find legislatively. In my view, the worst of all 
possible scenarios is that nothing happens, and that this issue 
drags on for failure on our part to find bipartisan consensus.
    Mr. Horn. Does the gentleman from Arkansas have any 
questions of the witness?
    Mr. Hutchinson. No. I just want to thank you for putting a 
good cap on this hearing today. You expressed really what my 
attitude is. I'd like to see your legislation move forward 
first and foremost, and I appreciate your understanding that 
this commission bill--I don't want it to be a threat to 
anyone's individual bill. I want it to be complementary, I 
want it to be helpful and take a long-term look.
    So thank you very much for expressing that so succinctly 
and for your support and your initiative, which I'm delighted 
to support, and also for your support of the Commission.
    So thank you, Mr. Greenwood.
    Mr. Greenwood. If Mr. Horn would take my bill up and move 
it, I would be happy to have it transferred to this committee.
    Mr. Horn. It's sitting in the Commerce Committee. Can you 
get it over here? We'll give you a fast 24-hour look at it.
    We have to vote on the floor, and I want to thank the staff 
that helped prepare this hearing. We will hold another hearing 
tomorrow, which I believe will be Thursday--yes, Thursday at 2, 
and it will be on privacy. I guess we haven't learned enough 
yet.
    And we want to thank the court reporter Laurie Harris. I 
don't know how you stood it, Laurie. You should have nodded, I 
guess.
    And the staff director and Chief Counsel George has been 
with us in and out. Heather Bailey is to my left, your right, 
as the professional staff member putting things together here; 
and Bonnie Heald, director of communication; Bryan Sisk, clerk; 
Liz Seong, intern; and Michael Soon, intern. Trey Henderson is 
counsel for the minority, and Jean Gosa is minority clerk. And 
with that, we adjourn the meeting.
    [Whereupon, at 5:06 p.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]
