<DOC>
[106th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:71178.wais]

H.R. 4049, TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF PRIVACY PROTECTION

HEARINGS

before the

SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, INFORMATION, AND TECHNOLOGY

of the

COMMITTEE ON GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES

ONE HUNDRED SIXTH CONGRESS

SECOND SESSION

ON

H.R. 4049

TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF PRIVACY PROTECTION

MAY 15 AND 16, 2000

Serial No. 106-204

Printed for the use of the Committee on Government Reform

Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform

U.S. GOVERNMENT PRINTING OFFICE
71-178 WASHINGTON : 2001

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENT REFORM

DAN BURTON, Indiana, Chairman

BENJAMIN A. GILMAN, New York                  HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland                TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut                ROBERT E. WISE, Jr., West Virginia
ILEANA ROS-LEHTINEN, Florida                  MAJOR R. OWENS, New York
JOHN M. McHUGH, New York                      EDOLPHUS TOWNS, New York
STEPHEN HORN, California                      PAUL E. KANJORSKI, Pennsylvania
JOHN L. MICA, Florida                         PATSY T. MINK, Hawaii
THOMAS M. DAVIS, Virginia                     CAROLYN B. MALONEY, New York
DAVID M. McINTOSH, Indiana                    ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana                       CHAKA FATTAH, Pennsylvania
JOE SCARBOROUGH, Florida                      ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio                    DENNIS J. KUCINICH, Ohio
MARSHALL ``MARK'' SANFORD, South Carolina     ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                             DANNY K. DAVIS, Illinois
DAN MILLER, Florida                           JOHN F. TIERNEY, Massachusetts
ASA HUTCHINSON, Arkansas                      JIM TURNER, Texas
LEE TERRY, Nebraska                           THOMAS H. ALLEN, Maine
JUDY BIGGERT, Illinois                        HAROLD E. FORD, Jr., Tennessee
GREG WALDEN, Oregon                           JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                          ------
PAUL RYAN, Wisconsin                          BERNARD SANDERS, Vermont (Independent)
HELEN CHENOWETH-HAGE, Idaho
DAVID VITTER, Louisiana

Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
David A. Kass, Deputy Counsel and Parliamentarian
Lisa Smith Arafune, Chief Clerk
Phil Schiliro, Minority Staff Director

------

Subcommittee on Government Management, Information, and Technology

STEPHEN HORN, California, Chairman

JUDY BIGGERT, Illinois                        JIM TURNER, Texas
THOMAS M. DAVIS, Virginia                     PAUL E. KANJORSKI, Pennsylvania
GREG WALDEN, Oregon                           MAJOR R. OWENS, New York
DOUG OSE, California                          PATSY T. MINK, Hawaii
PAUL RYAN, Wisconsin                          CAROLYN B. MALONEY, New York

Ex Officio

DAN BURTON, Indiana                           HENRY A. WAXMAN, California

J. Russell George, Staff Director and Chief Counsel
Robert Alloway, Professional Staff Member
Bryan Sisk, Clerk
Mark Stephenson, Minority Professional Staff Member

C O N T E N T S

Hearing held on:
    May 15, 2000
    May 16, 2000
Text of H.R. 4049
Statement of:
    Belair, Bob, editor, Privacy & American Business; Mary Culnan, professor, McDonough School of Business, Georgetown University; Christine Varney, former Commissioner, Federal Trade Commission; Solveig Singleton, Director of Information Studies, CATO Institute; Ron Plesser, legislative counsel, 1977 Privacy Commission; and Stanley Sokul, member, Advisory Commission on Electronic Commerce
    Hatch, Mike, Minnesota State Attorney General
    Markey, Hon. Edward J., a Representative in Congress from the State of Massachusetts
    Spotila, John, Administrator, Office of Regulatory Affairs, Office of Management and Budget
    Stone, Robert, executive vice president, American Healthways
    Veator, David, Office of Consumer Affairs and Business Regulation, State of Massachusetts
Letters, statements, etc., submitted for the record by:
    Belair, Bob, editor, Privacy & American Business, prepared statement of
    Culnan, Mary, professor, McDonough School of Business, Georgetown University, prepared statement of
    Hatch, Mike, Minnesota State Attorney General, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of
    Moran, Hon. James P., a Representative in Congress from the State of Virginia:
        Prepared statement of
        Prepared statement of Marjory Blumenthal, Director, Computer Science and Telecommunications Board, the National Academies
    Plesser, Ron, legislative counsel, 1977 Privacy Commission, prepared statement of
    Singleton, Solveig, Director of Information Studies, CATO Institute, prepared statement of
    Sokul, Stanley, member, Advisory Commission on Electronic Commerce, prepared statement of
    Spotila, John, Administrator, Office of Regulatory Affairs, Office of Management and Budget, prepared statement of
    Stone, Robert, executive vice president, American Healthways, prepared statement of
    Turner, Hon. Jim, a Representative in Congress from the State of Texas, prepared statement of
    Varney, Christine, former Commissioner, Federal Trade Commission, prepared statement of
    Veator, David, Office of Consumer Affairs and Business Regulation, State of Massachusetts, prepared statement of
    Waxman, Hon. Henry A., a Representative in Congress from the State of California, prepared statement of

H.R. 4049, TO ESTABLISH THE COMMISSION FOR THE COMPREHENSIVE STUDY OF PRIVACY PROTECTION

MONDAY, MAY 15, 2000

House of Representatives,
Subcommittee on Government Management, Information, and Technology,
Committee on Government Reform,
Washington, DC.

The subcommittee met, pursuant to notice, at 2 p.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding.

Present: Representatives Horn and Turner.

Also present: Representatives Hutchinson and Moran.

Staff present: J. Russell George, staff director and chief counsel; Heather Bailey, professional staff member; Bonnie Heald, director of communications; Bryan Sisk, clerk; Liz Seong and Michael Soon, interns; Kristin Amerling, minority deputy chief counsel; Michelle Ash and Trey Henderson, minority counsels; and Jean Gosa, minority assistant clerk.

Mr. Horn. A quorum being present, this hearing of the Subcommittee on Government Management, Information, and Technology will come to order. At the request of the subcommittee's minority members, we will continue our April 12th examination of H.R. 4049, a bill that would establish a Federal commission to study privacy protection.

[The text of H.R.
4049 follows:]

[GRAPHIC] [TIFF OMITTED]

Mr. Horn. At the subcommittee's first hearing on H.R. 4049, experts in the areas of medicine, finance, and Internet privacy shared their views on the many challenges involved in protecting privacy. Witnesses discussed their concerns about the increasing accessibility to personal information, such as medical records, Social Security numbers, and credit card records. Both today and tomorrow, the subcommittee will continue this discussion with people knowledgeable in privacy issues. I welcome our witnesses, and look forward to their testimony. Let me just explain how the panels work. We will be swearing in all witnesses today. We would like you to summarize your statements. We have read all of them, and we would like you to do that in 5 minutes. So we will now finish with the opening statements, and I will give you the oath when those statements are through. I now call on the gentleman from Texas, the ranking member, Mr. Turner, for his opening statement.

Mr. Turner. Thank you, Mr. Chairman. This is the second of three hearings that we have had scheduled on H.R. 4049, and I want to thank the chairman for prioritizing the need to study this very important issue. There is no doubt that privacy is one of the top concerns of the American people and one of the most important issues facing this Congress.
I am pleased to be a cosponsor of this legislation which would create a commission that will enable us to have a full and open discussion with the American people about privacy so we can address it in an appropriate manner. However, I do not want us to rush forward with the bill without proceeding cautiously and considering a number of issues surrounding the creation of this commission. I commend Congressman Hutchinson for his leadership on this very important issue. At our first hearing, witnesses raised questions regarding the relationship the commission's work would have with privacy efforts by other entities. Specifically, concerns were voiced as to whether the commission could serve as a delay to regulations, studies that are currently moving forward. For example, witnesses pointed out that a bipartisan congressional privacy caucus is currently pushing for passage of a financial privacy measure. Pursuant to the congressional mandate, the Secretary of HHS is now in the process of finalizing medical privacy regulations. Additionally, the Department of Treasury study on financial privacy regulations is soon to be completed. We have many issues that need to be dealt with immediately, and I was pleased to hear Congressman Hutchinson state that the intent of the bill was not to impede the progress of other regulations which may reach consensus during the commission, rather, to be used as a sounding board to those initiatives. Questions have arisen regarding the composition and expertise of members selected to the commission. Currently, the bill does not contain requirements regarding the qualifications of commission members. We need to ensure that an appropriate balance between all stakeholders in this issue is represented. Witnesses also questioned the scope of the commission's mandate, which currently is not set forth in the bill. 
We should be concerned about duplicating work which has already been done and consider whether it might be more productive for the commission to focus on specific privacy issues. In light of the concerns that witnesses raised at the first hearing, members of the past and present entities charged with studying privacy issues as well as Federal and State government representatives who have been active on privacy matters have been identified and asked to testify before this subcommittee. These witnesses are expected to address the types of expertise and background that should be sought in the commission members, the types of issues that should receive focus and the types of reviews that may be redundant. Again, I want to thank the chairman for holding the hearings; and I welcome the witnesses here today. Mr. Waxman also advises me that he appreciates you scheduling the hearings to ensure that the issues raised by the legislation receive careful consideration. Mr. Waxman sends his regrets. He is unable to be here today, but he plans to attend tomorrow's hearing and looks forward to receiving the testimony from today's hearing. The American people deserve to have their privacy protected in a correct and timely fashion. It is my hope that as a result of these hearings, we will be closer to that goal. Thank you, Mr. Chairman.

Mr. Horn. We thank you. And now we have a member of the full committee who is the author of the legislation, the gentleman from Arkansas, Mr. Hutchinson, for an opening statement.

Mr. Hutchinson. I thank the chairman, and I just want to take a moment to express my appreciation to you and the committee for scheduling a second day of hearings. During the last break, I believe it was, I received a copy of a letter from Mr. Waxman requesting additional hearings; and as one of the lead sponsors of this legislation I was delighted of his interest in it; and I appreciate the chairman scheduling this hearing so promptly to followup on Mr. Waxman's request.
I also appreciate Mr. Turner, the ranking member, and his leadership on this issue which has been critical from the very beginning. It has been a goal to make sure that this is--privacy is pursued in a bipartisan fashion, and the participation of Mr. Turner and the many Democrats who have joined on this legislation is important to its success and ultimate credibility. Mr. Turner outlined a number of concerns--I wouldn't say a number. There were serious concerns raised in the last hearing that are very legitimate in terms of we should discuss those and perhaps look at amending the legislation, if necessary, as we go through the markup process. It is certainly not the intent of the privacy commission to serve as a delay on other legitimate efforts to address privacy concerns. I have always viewed this as complementary. Whatever happens in other arenas on a smaller scale, it is important to look at privacy in a comprehensive way and in an ongoing way. Second, it was discussed about the diversity of the commission members, and certainly I believe that the point of authority should seek to ensure that membership of the commission will represent a diversity of views and experiences on the issues that they will address in terms of privacy, and that is important. So we are happy to work with those who are supportive of privacy--of the privacy commission to make sure that it is drafted in a fair manner and move this ball forward and protect privacy in a balanced way. Mr. Chairman, I thank you; and I look forward to the testimony of the witnesses.

Mr. Horn. I thank the gentleman. Now if the witnesses will stand.

[Witnesses sworn.]

Mr. Horn. The clerk will note that there are five witnesses that accepted the oath. The Honorable John Spotila is the Administrator of the Office of Regulatory Affairs in the Office of Management and Budget. Mr. Spotila.

STATEMENT OF JOHN SPOTILA, ADMINISTRATOR, OFFICE OF REGULATORY AFFAIRS, OFFICE OF MANAGEMENT AND BUDGET

Mr. Spotila. Mr.
Chairman and members of the committee, thank you for inviting me here to present the administration's views on H.R. 4049, the Privacy Commission Act. As Administrator of OMB's Office of Information and Regulatory Affairs, I care deeply about the protection of privacy. In 1998, OIRA took on enhanced responsibility for coordinating privacy policy throughout the administration. OIRA already had policy responsibility under the Privacy Act of 1974 which applies to Federal Government systems of records. Now it plays a central coordinating role for privacy policy more generally. Last year OMB appointed its first Chief Counselor for Privacy, Peter Swire, to be the point person in this coordination effort; and Peter is here with me today and available if needed. The President and the Vice President are committed to the protection of individual privacy. As President Clinton said on April 30 when announcing his new financial privacy proposal, ``From our earliest days, part of what has made America unique has been our dedication to freedom and the clear understanding that real freedom requires a certain space of personal privacy.'' In studying the proposed findings for H.R. 4049, we find much common ground. We agree that Americans are increasingly concerned about the security and use of their personal information. We agree that the shift from an industry-focused economy to an information-focused economy calls for reassessing the way we balance personal privacy and information use. As Administrator of OIRA, I work extensively on information policy issues relating to computer security, privacy, information collection, and our transition to the electronic delivery of government services. In these and other areas, we are working hard to gain the advantages that come from new technologies while guarding against possible costs to privacy and security that can come from badly crafted uses of those technologies. 
In some areas, we already know that we must act swiftly to protect privacy and security. Indeed, the administration's biggest concern with H.R. 4049 is the risk that you highlighted earlier, the risk that some might use the commission as a reason to delay much-needed privacy legislation. We understand that supporters of H.R. 4049 have emphasized that it should not be used as a reason for delay, and we agree with that, but we are concerned that there are those that would oppose privacy reform who would prefer to have Congress study the issue indefinitely rather than take action. We cannot afford to take a year and a half off in protecting Americans' privacy. We believe that action is needed now in the areas of financial privacy, medical records privacy, and genetic discrimination. There have been extensive initiatives by the Federal Government since 1993 to study and take appropriate action in the area of privacy protection. Study of privacy was an integral part of the National Information Infrastructure project, sometimes called the ``information superhighway'' effort, with the issuance in 1995 by an interagency privacy working group of principles for providing and using personal information. This effort was led by OIRA--before I was there, I will admit. With the administration's support, Congress has passed a long list of privacy legislation. In my written statement, we provide details about these laws and other activities by the administration to protect Americans' privacy. My statement also explains the legislation that is now before the Congress to provide legal protections for three especially sensitive categories of personal information: financial records, medical records, and genetic discrimination. Let me turn again to the specifics of H.R. 4049. 
The administration does have concerns that the study commission might be used as an excuse for delaying needed activity in privacy protection, and we appreciate the strong statements we heard today that indicate that you agree that should not happen. These concerns would be especially acute for these important topics such as medical, financial, and genetic information. We know there has already been extensive discussion of these proposals, and we would not want to see further study duplicating the public examination that has already taken place without adding real value. We recognize that the Congress needs to make its own judgments on these matters, and we defer to it in its assessment of what it needs to inform those judgments. It seems sensible, however, to adopt a focused approach to exploring these topics. Ideally, any further study efforts should be done within a short timeframe and would build on, not duplicate, existing studies. If there were to be a commission, we should ensure that it focuses its efforts in an effective way. Casting too broad a net would delay the work of any new commission, with uncertain results. We note, for example, that the treatment of data collected on-line has been the subject of extensive hearings in Congress as well as public workshops, public comments, studies, and reports. The Federal Trade Commission is about to issue a major report. We recognize that this is a complicated area that requires careful evaluation and an understanding of new technology. It is not clear, however, that a commission lasting 18 months will give decisionmakers the help they need in this area. Rather than have a commission pursuing a very broad set of topics, it might be more productive to have technology and policy experts address specific, emerging issues that have not yet benefited from much attention. 
One targeted way to study such issues might be to enlist the expertise of the National Academy of Sciences/National Research Council, which has already produced studies in areas such as cryptography and medical records privacy. We could call it in again on emerging areas of concern. These might be particularly appropriate for examining authentication technologies and their privacy implications and the topic of biometrics and privacy. For all of these reasons, we believe that there may be sound alternatives to a privacy commission. If legislation creating a commission does move forward, however, we do have some specific concerns about the method of appointment of commissioners, and the possibility that the current draft could lead to the release of classified information. We share with Congress a very strong interest in protecting privacy. We look forward to working with you to find suitable new ways to improve that protection. We understand the good intentions motivating the sponsors of H.R. 4049; and, despite our reservations about the specifics of this bill, we welcome the commitment to privacy protection that they seek to demonstrate. Thank you once again for the invitation to discuss these issues.

Mr. Horn. We thank you for that very concise presentation.

[The prepared statement of Mr. Spotila follows:]

[GRAPHIC] [TIFF OMITTED]

Mr. Horn. Our next presenter is David Veator, who is with the Office of Consumer Affairs and Business Regulation for the State of Massachusetts. Mr. Veator.

STATEMENT OF DAVID VEATOR, OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION, STATE OF MASSACHUSETTS

Mr. Veator. Thank you, Mr. Chairman and members of the committee.
My name is David Veator, and I am the general counsel for the Massachusetts Office of Consumer Affairs and Business Regulation. Our office is charged with the oversight of all State-chartered banks, insurance companies, most of the professional trades and the supervision of the State's consumer protection laws. Because issues of privacy are of growing importance both to consumers and the businesses that my agency regulates, our agency is the one in Massachusetts that has been tapped with supporting Governor Cellucci and Lieutenant Governor Swift's privacy agenda, and on behalf of them, I am pleased to testify in support of the privacy commission proposed in H.R. 4049. As this committee knows, privacy issues are now at the forefront of the national discourse. As we say in our prepared statement, the information age has brought many good things to people, but no silver lining is without its cloud. With the rapid growth in technology to collect and compile personal information, citizens face unprecedented threats to their personal privacy. One recent poll conducted by Lou Harris & Associates noted that 88 percent of Americans are concerned about threats to personal privacy and that 83 percent believe that consumers have lost all control over how companies collect and use their personal information. For a small fee there are companies that can collect more information than you would have believed about you and compile it and disseminate it, and one of the witnesses in this committee's last hearing demonstrated that in some detail. I am sure that each of the members of this committee is aware that this widespread perception of privacy abuse has already translated into action at the State and Federal level. Although this action has resulted in good legislation and improving industry practices, it is fair to say that our approach to privacy is disjointed and ad hoc. 
According to several commentators, between 2,000 and 3,000 privacy-related bills are currently pending in State legislatures. Many of these bills deal with multiple privacy issues. It would appear that this less-than-coordinated approach to privacy cannot be an efficient way to deal with the subject. Another problem with our approach to privacy to date has been a criticism that it is too sectorial, that is, different legislation tends to tackle privacy issues with respect to different industries. As a result, we have on-line privacy rules, privacy rules for brick and mortar companies, banking privacy rules, insurance privacy rules, and telecommunications privacy rules. Privacy in American Business reported that, by the end of 1999, 179 different privacy laws relating to health care had been enacted, as had 65 privacy laws related to direct marketing or telecommunications, 59 relating to financial services, 39 relating to insurance and 14 relating to on-line or Internet activity. This approach may have been workable in the past, but as the nature of our economy changes it may no longer make sense. For example, as the financial services industry has revolutionized and converged, several isolated privacy statutes that deal with banking or insurance or securities may no longer have much application. We think that the commission proposed by Congressmen Hutchinson and Moran is a logical way to approach the question of privacy. There are obvious advantages to taking a comprehensive look at the array of complex privacy issues such as financial privacy, identity theft, biometrics and children's privacy, etc. The most obvious benefits are the ability to take advantage of work that has been done both at the Federal level and at the various States and take advantage of nationwide expertise. I would like to offer the experience of Massachusetts. 
Shortly after their election, Governor Cellucci and Lieutenant Governor Swift convened a working group to examine the quality of life in Massachusetts. We were able to consult with privacy experts, local business leaders, and law enforcement, and shortly thereafter Governor Cellucci and Lieutenant Governor Swift filed a comprehensive bill on privacy that updated existing privacy laws to reflect the technological changes that have occurred since their inception and instituted new protections to address new technology. The intent of the bill was to empower consumers in the 21st century economy while continuing to allow Massachusetts business to flourish. I can also point to the experience of the FTC Subcommittee on Access and Security which recently reported to the FTC, and the FTC I think was able to develop a committee that provided a robust analysis precisely because it had many viewpoints from across the country on that committee. I would like to close by saying a few words about one State's view of the roles of both Federal and State examination of privacy. I think the States will continue to legislate and act to protect their citizens, but we believe that the Congress has a unique capacity to develop workable privacy protections. It may be that most States would prefer not to act unilaterally if we were assured that the Federal Government and private industry are striking the right balance between the need of businesses for information and the right of citizens to personal privacy. Indeed, a uniform approach to privacy confers two advantages from a State's point of view. It makes interstate commerce easier for businesses which only have to follow one set of rules rather than 50, and by establishing at least baseline standards for all States means that no State will have to potentially disadvantage its own economy by establishing on its own minimum protections for its own consumers. 
In closing, I would like to thank the committee on behalf of Governor Cellucci and Lieutenant Governor Swift for this opportunity to testify. We support H.R. 4049 as a means for taking, for the first time, a national approach to privacy in a new economy. As I indicated, our economy has undergone a technological revolution, and the way in which privacy catches up to this revolution will have important consequences for us as individuals and for our new economy. Thank you.

Mr. Horn. Well, we thank you. That is very helpful testimony, and we always appreciate it from the State of Massachusetts. You are usually ahead of the rest of the country quite a bit.

[The prepared statement of Mr. Veator follows:]

[GRAPHIC] [TIFF OMITTED]

Mr. Horn. Our next presenter is from another very progressive State and that is the State of Minnesota. We have the Attorney General from the State of Minnesota, Mike Hatch.

STATEMENT OF MIKE HATCH, MINNESOTA STATE ATTORNEY GENERAL

Mr. Hatch. Mr. Chairman and members of the committee, I have read the testimony that was presented at your prior hearing, and it is apparent that you have full grasp of this issue. You have examples of everything from perpetrators on the Internet taking photos out of yearbooks and putting them on pornography, displaying them out for the public. You have corporations asking self-insured administrators and even the government to draw profiles of their employees' health care and health conditions. You have telemarketing companies using bank data to target senior citizens, perpetrating financial fraud far beyond what was contemplated by enactment of the Vulnerable Adult Act. It is very plain that something ought to be done now by policymakers. My concern with regard to a commission and with all due respect for studying it, this is an issue that is the result of technology, but it is not the issue of technology itself.
It can be addressed and ought to be addressed, and all too often in our society--and I am afraid that is the case here--commissions or task forces are appointed to delay, to try to escape an issue. Last year, Congress passed the Financial Services Modernization Act, and they lifted the Pandora's lid on privacy. They basically permitted banks to exchange information which under State law in most States fiduciary obligations would have prevented them or left them open to litigation for doing so. By opening that Pandora's lid, the playing field has changed so that now those institutions don't want to change. They have got it. Yet the public, by margins that were pointed out in poll after poll by the prior speaker, 85 percent strongly believe that action ought to be taken now. Congress lifted the lid last year. It ought to put the lid back on--and I am talking about financial privacy, health care, the Internet--and start addressing the issue. Don't study it, but move on it. Now, at the State level, we have several bills. We have gotten them through the Senate, and we are hopeful that we can get some bills through the House on this. We had over 100 lobbyists representing, according to the chairman of the Commerce Committee in the House, 59 interests at one hearing, which is considerable for a State legislature. They are all opposed to any change, and what their cry was, ``leave it to Congress. Congress will change it. It is a Federal issue.'' And you know what is going to happen. You pass a bill having a commission, all 59 will be back. Let this commission come back. But every day that we delay we have another stakeholder on this privacy issue. More data is exchanged about each of us. More privacy is invaded, more stakeholders and more lobbying techniques will follow. It is important. It is an important issue. People feel strongly about it. 
If a privacy commission were established where something was stated very clearly that the States should move forward now, that Congress should move forward now, that would be one thing. But it is extremely important--I don't think we have done very much on this issue, contrary to perhaps some of the other speakers here, and I think the time is now for policymakers to stand up and have the courage to take on these interests and start enacting some legislation.

Mr. Horn. I thank you very much for your presentation. You can probably look around behind you and see a lot of interest there, too.

[The prepared statement of Mr. Hatch follows:]

Mr. Horn. We now have Mr. Robert Stone, who is the executive vice president of American Healthways. If you would, I would like you to explain what American Healthways is. I find it a rather unique operation.

STATEMENT OF ROBERT STONE, EXECUTIVE VICE PRESIDENT, AMERICAN HEALTHWAYS

Mr. Stone. Thank you, Mr. Chairman and members of the committee. Thank you for the opportunity to appear before you today. My name is Robert Stone, and I am executive vice president of American Healthways, the Nation's largest disease management organization. I am also a board member of the Disease Management Association of America. Today, American Healthways serves approximately 170,000 people afflicted with diabetes, cardiac, and/or respiratory disease and the more than 30,000 physicians who care for them. My oral testimony today highlights the written testimony already submitted to you.

How to protect individual privacy, particularly the privacy of personal health information, is extremely important. It is for this reason that we strongly support H.R. 4049. But in health care, perhaps more than any other area, balance is required.
The proposed commission should therefore carefully weigh the protection of Americans from inappropriate uses of our personal information against the need to ensure access to that information for the effective provision of health care, particularly to the 50 million Americans with chronic disease. No one understands the need for this balance better than patients themselves. With her permission, of course, let me share my wife's perspective. Having had Type 1 diabetes for 24 years, she frequently serves as my resident consumer expert. I asked her recently if her privacy would be violated if she received a letter from her health plan advising her of a program to help her better manage her diabetes; her response, a simple, ``Of course not.'' Without further prompting, however, she went on to say she would be outraged if she then received a letter from a pharmaceutical company, a medical device manufacturer, or other organization trying to sell her a product or service related to her diabetes. She recognizes, as do most consumers, that the motives behind the use of her personal health information in these two examples are clearly different. One is designed to help her, the other to sell her something by capitalizing on her illness. It is disease management programs that provide the coordination, integration, and management of care processes necessary to help people with chronic diseases more effectively control their illness; and by improving overall health status, these programs also reduce health care costs. This is not wishful thinking. An independent analysis of our diabetes program confirmed that costs with 7,000 commercial HMO members in seven different health plans were reduced 12.3 percent in the first year. Even better outcomes have been achieved and will be released shortly for more than 20,000 individuals participating in our program in four Medicare+Choice plans. 
Disease management programs depend on the free flow of patient information to provide the customized proactive interventions which make these results possible. First, however, this information is needed to identify and engage program participants. After all, if we can't find them, we can't help them. Our experience has shown if we depend on patient or physician referral as the entry mechanism, program participation levels are significantly lower--never greater than 30 percent, as compared to nearly 98 percent with a proactive engagement model--and the individuals who do elect to participate are the wrong ones, generally those who are relatively healthy, well motivated or who have good self-management skills. The people who both need and could benefit the most, nearly two-thirds of the total, are left out and the clinical and financial benefits are lost. Is using personal health information to improve health status appropriate? Our plan customers, their members and the physicians in their networks must think so, since we have never had a single complaint in that regard. We have achieved that record through the use of stringent policies and procedures to ensure both confidentiality and security. The information to which we have access is never sold or disclosed to a third party, nor do we use our communications with participants or providers to advertise or market any drug, product or service. Unfortunately, there are companies that do, and those inappropriate disclosures should be prohibited. Providing guidelines to distinguish between legitimate uses of personal health information and significant abuses of confidentiality is a worthy role for the proposed commission. We would also ask that the commission be charged to issue a clear recommendation with respect to preemption.
Currently, many State privacy laws directly conflict with each other, making it impossible for national employers in health plans, such as a Federal Express or a Cigna, to provide consistent programs to residents of different States. And as you know, the privacy regulations proposed by the Department of Health and Human Services, if and when issued, will not preempt State privacy laws. Only Congress can authorize preemption, and we urge that the creation of a single national standard be part of any further Federal legislation.

Ultimately, whatever legislation emerges from Congress must not inadvertently bar the use of personal health information to support better quality care and lower health care costs. The proposed privacy commission can help ensure this outcome by providing a clear road map through the complex privacy maze and distinguishing between appropriate uses of personal health information like disease management and those uses that are purely commercial.

Thank you for your time. I am pleased to answer any questions you may have.

[The prepared statement of Mr. Stone follows:]

Mr. Horn. Thank you. That is very helpful and a different type of statement. We will now go to questions and answers. The Members here, we are going to limit each to 5 minutes, and we will rotate until you are all worn out, so it will keep it interesting with three of us here. I will start with the first gentleman, who is the author of the legislation, Mr. Asa Hutchinson of Arkansas, for 5 minutes on questioning the witnesses.

Mr. Hutchinson. Thank you, Mr. Chairman. I want to recognize Mr. Moran who came into the room, my cosponsor on this, and thank him for his active participation and support for it.
I do thank each of the witnesses for their excellent testimony and presentation and differing viewpoints on this subject. Mr. Spotila, let me start with you, expressing the administration's viewpoint, and thank you for emphasizing the common ground that we have sought. You mentioned the administration's work in this regard and that you don't want a commission just to duplicate what already is out there. You cited a number of different commissions. Let's see here--which is really the interagency privacy working group, and the ones that you have cited here are agency driven; am I correct?

Mr. Spotila. They are either agencies themselves or interagency groups.

Mr. Hutchinson. Which is very important. I make a distinction between a congressionally mandated approach to privacy versus an agency.

Mr. Spotila. We do defer to a considerable degree to the Congress in whatever you believe is appropriate to help inform your judgment. Our concern is not delaying doing things that are needed now.

Mr. Hutchinson. Your point is very well taken, and I would emphasize the same point that you just made, that the intent of this legislation is not to infringe upon the agencies as they move forward. In fact, it is not going to stop. You've got them moving forward into a final rulemaking position here long before the commission will render any results.

Mr. Spotila. Clearly, we would continue to move forward in areas where we could. There are legislative proposals in front of the Congress that we think are urgently needed and so we do have some concern, if the Congress were to halt its action pending the report of a commission. We also were attempting to share some of our experience, and that is where we have found the greatest success has been in very focused, targeted efforts rather than broad ones. This is a huge topic. It is easy to be a mile wide and an inch deep. That is not very helpful.

Mr. Hutchinson. I think part of your point is well taken.
Let me just respond in a couple of ways. First, I think the work of the agencies is very important. They have a lot of expertise in narrowly starting targeted areas. So I think that is important. Again, I view this commission as complementary to that. Even if all of these regulations move forward without any controversy, would you agree with me, 3 years from now we are going to need to continue to review, whether through the agency or the legislative body, the issues of privacy?

Mr. Spotila. Absolutely.

Mr. Hutchinson. Again, you make the case just by that answer that it is an ongoing effort on privacy and there are things--I have cosponsored legislation that ought to be done now. But if everything on the table is adopted, we still need to have a comprehensive review of it, as well, would be my case. When was the last time, to your knowledge, there was a legislative effort/commission that reviewed privacy?

Mr. Spotila. I don't recall one certainly in recent times. We can try to be more specific, but personally I don't recall one recently.

Mr. Hutchinson. I would agree with you not in recent times. I wouldn't consider 1974 recent, particularly in view of the technological developments. I saw the 1974 legislative commission report, and it was talking about privacy in the Information Age. Well, the Information Age has dramatically changed since 1974. So there has been a lot of agency work, but not legislative work. You make the point that if the commission is adopted, that it should not be just going on and on without having anything accomplished in the short term. You mention that it should be done within a short timeframe. Do you believe that an 18-month commission is too long or too short?

Mr. Spotila.
I think that our concern is that the combination of a broad list of topics and an 18-month timeframe suggests that the commission will not be as helpful as you might like it to be; that targeted efforts that zero in on particular aspects of privacy with a shorter timeframe, that inform decisionmakers in concrete terms, will prove more useful.

Mr. Hutchinson. I want to invite you because your point as a concern has been expressed by others. The broadness--there is some benefit because you are able to look at--rather than a sectorial approach, you can look at it in a comprehensive standpoint all across the line from on-line privacy, which transects everything from medical records to educational records, so there is some merit to that. Also there is the danger of the commission having too much to do and they don't know where to start. I would welcome your view as to ways that the commission can be pointed in the right direction; we would solicit your views on that. I would point out that the 18-months is the deadline, the drop-dead point. It is not just an ongoing thing, it is going to cease to exist after 18 months. And it also provides, if the commission deems it appropriate, they could issue a report before then if there are some urgent matters to address. Do you believe that it is appropriate that you have an 18-month deadline, that you can't go on beyond that?

Mr. Horn. We will have further rounds, but let's respond to that question, and then we move to Mr. Moran.

Mr. Spotila. I think it is important to have some outside date, clearly. I think our instinct is that 18 months may be too long, but this is also related to the nature of the topics that it would be looking at. We would be happy to continue to work with the committee and with the Congress to try to refine these approaches.

Mr. Hutchinson. Thank you. I want to assure the other gentlemen that I have additional questions. I was just taking them one at a time. Thank you, Mr. Chairman.

Mr. Horn.
I am now delighted to yield 6 minutes to the gentleman from Virginia, Mr. Moran. If you have an opening statement and you want to read some of it in, we will give you additional time.

Mr. Moran. Well, thank you very much, Mr. Chairman. I will just make some introductory comments. The first comment, of course, is to thank you for having these hearings and to thank my cosponsor, Mr. Hutchinson, for his excellent leadership on this issue. We know that the loss of personal privacy is a cutting-edge issue and one of the topic issues that confront Americans today. Personal medical information that is kept, stored, transmitted, distributed to people without an individual's knowledge makes them vulnerable. We know that profiling has taken place among a number of electronic commerce companies, presumably for the benefit of their customers, but obviously for the benefit of companies and oftentimes without the customer's knowledge. But we also have to recognize that the reason--one of the reasons at least that the United States is the leading economic and social force in our global economy is because we have such a favorable regulatory environment, so new ideas, new ventures can sprout up, take form, and become successful. We don't want more regulation than is absolutely necessary, and I think the history of our economy has proven that that should be the way in which we ought to operate. But the U.S. Internet economy is now worth over $350 billion. I think we have about 72 million American adults using the Internet today, and those numbers are increasing; and as they increase, obviously privacy is going to continue to be an acute concern on the part of the people who use the Internet. So our conclusion, the reason why we came up with the bill is that we need a thoughtful, deliberative approach to a very complex subject. And that is what we try to do.
Maybe we have too many members, but every group that I have talked to wants to be represented so that is why we have as many as 17 members. And if it is as difficult an issue to come to grips with and to come up with constructive recommendations, we want to give an adequate amount of time; and that is why we came up with about 18 months. I know Mr. Hutchinson and Chairman Horn have had this experience, any number of companies coming to us and showing the technology that is developing, as we speak, that enables the industry to self-police itself, to self-regulate itself, but we still don't know what the proper role for the government is and it would seem that there is a critical role for the government to perform. So that is the environment in which we have this hearing. First of all, Mr. Chairman, I want to ask that two of the speakers who wanted to present their testimony, Willis Ware, he used to work with the RAND Corp., he has some very interesting testimony; and Marjory Blumenthal, who is the Director of the Computer Science and Telecommunications Board for The National Academies, both speakers wanted their statements included for the record so we ought to do that.

[The prepared statement of Ms. Blumenthal follows:]

Mr. Horn. Without objection, those statements will be put in the record. At the end of the hearing you might want to read some pertinent paragraphs.

Mr. Moran. Thank you, Mr. Chairman. I wanted to make sure that I didn't forget, and I know that you keep the record open for a couple of weeks.

[The prepared statement of Hon. James P. Moran follows:]

Mr. Moran. Now, the question that I was most interested in asking was, first of all, Mr. Spotila, who is--you represent the administration on the panel.
We have had some prior efforts to come up with studies relevant to consumer privacy. I know with regard to medical privacy issues, HHS took up a major privacy regulation--effort, last year. Now, recommendations were made in September 1997, and a proposed rule was made in November 1999. I understand that HHS's efforts to examine medical privacy included a number of consultations with various Federal agencies, and any number of hearings as well; and the comments that they got were in the tens of thousands. Do you have any idea of the time and resources that were required by the Department of Health and Human Services when--in their preparation for coming up with the regulations that were required in 1997, and which were finally issued last year? Do we have any idea of the cost that was encompassed by performing that task?

Mr. Spotila. I don't have, offhand, a dollar aggregate cost. Clearly, there was a period of time when the agency was waiting to see if Congress would take action; and then certainly last year there was a major effort in which my office participated in working with the Department to prepare that proposed rule. There was a team working at HHS on this subject. They worked intensively on drafting the provision. The proposal did get something like 53,000 comments. You are correct, we received widespread public reaction to the proposal and, of course the Department is looking right now at trying to finalize that rule before the end of the year. If it is important, we certainly could inquire and provide for the committee whatever financial or economic estimates there might be from the Department as to what that aggregate cost would be.

Mr. Moran. I think it would be an interesting consideration.
And similarly, the legislation on financial services modernization required a similar type of study, and I think it would be useful to know the resources that are being required to conduct that study, as well, because both studies seem to be relevant to the subject at hand.

Mr. Spotila. We can reach out and attempt to get that information and submit it to the committee.

Mr. Moran. Thank you, Mr. Spotila.

Mr. Horn. We will put that in the record at this point without objection. The 6 minutes plus I believe has expired. But we will get back to that.

Mr. Moran. Thank you, Mr. Chairman.

Mr. Horn. Let me get my 5 minutes in. Mr. Spotila, I am curious, what is your view of Mr. Stone's objection to the preemption of State law?

Mr. Spotila. In general, we are deferential to State law and to the desire of States to have stronger privacy protections. That has been the approach we have engaged in, and we are sensitive from a federalism standpoint to that type of approach. We realize that there is benefit from having a common standard, and Mr. Stone was alluding to the difficulty that can occur if there is a hodge-podge of different standards that may not be consistent. So I think there is a need for balance. Our approach has been to try to zero in on things that we felt did have common application and that could form a basis, but not necessarily to preempt altogether an area where the States have strong interest and where they have had a historic activity.

Mr. Horn. Well, there is no question that industry and other entities across America would like one policy and not 50 policies. But I do remember in this room a few years ago when we had the frozen chicken hearing and that was because Tyson and whoever else was running the Department of Agriculture, so they had a softer freezing thing and California had a very high standard. I think it is still that way. California has a high standard, but they were preempted by the Federal Government with a weaker standard.
So I wish you well when you are trying to get a higher standard, because I think that is what we ought to be moving for where we can, but we don't want to disrupt the whole economy in the process. I will be getting in, with some panels, the European situation where every country in Europe is supposed to be putting a privacy law on the books, and that will be a real problem for American industry, and I have talked to a number of presidents, prime ministers, defense ministers, foreign affairs ministers and urged them to get subcommittee--or subcorporations of European corporations and American corporations to give them some advice on the practical aspects of this. Has your office done any of this in relation to the Department of State?

Mr. Spotila. We have had some contact. Peter Swire has had some coordination contact with European Union issues. In fact, he is something of an expert from his work in the world of academia. I would emphasize also that we strongly encourage self-regulatory efforts. We do so not only because that is always a good thing to do but because very often with well-intentioned and interested private sector parties, we can come up with better and more sensible approaches. So our sense is that any approach, Federal or State, should allow substantial room for private, self-regulatory efforts as well.

Mr. Horn. What evidence do you have that the commission could result in delays in the development of the privacy initiatives?

Mr. Spotila. It is a general concern. We have seen some suggestions that people who oppose privacy reform would welcome any effort to add delay. My colleague from Minnesota was mentioning this: now you have a commission, why don't we wait a year and a half and hold up everything until the commission has reported? That is exactly what we think would be a mistake. I recognize that you emphasized that is not the intention here, but there is concern that there are those who might use it in that way.
We have to be sensitive to that concern in considering any approach like this.

Mr. Horn. Well, I would think with 17 people there, there could be a majority. I think if it is broadly spread out among the various interests and not just one interest or two interests, I would think that kind of dialog and discussion would be worthwhile. I think back to the Hoover Commission in the late 1940's and the early 1950's, and that made major proposals to the Federal Government and a lot of progress was made. And what I have found over the years, if you don't have a mechanism which brings people together, gets a consensus, that you are just going to be spinning the wheels in Congress, and you would be better off having a group of people, including experts and others, who just ask the question, ``Why? It sounds dumb to me, now explain it to me.'' If you go through that process, you are more likely to get legislation out of the Congress, I would think. But you might take a look at it. And then I guess I would ask you, Mr. Spotila, what section of the bill puts at risk the release of classified information? Where do you see that in the bill?

Mr. Spotila. This was a relatively late concern that we received from the National Security Agency and the Department of Defense. Their concern was that some of the broader references to the commission getting information from the agencies failed to make a distinction as to the handling of classified information. So our sense is, that is something that bears further discussion. I would be happy to get back to you more specifically with that, although I don't have their specific recommendation for how that might be addressed. They certainly do feel there ought to be some specific approach to classified materials to the extent that they might be drawn in.

Mr. Horn. Well, since Mr. Hutchinson is next with 5 minutes, you might want to continue that discussion, and I am sure he has many more questions.
We would like to know where he thinks this great power is found.

Mr. Hutchinson. Thank you, Mr. Chairman. I would very much like to address a concern which has been raised on national security issue. That seems relatively simple to fix, but very important and it sounds like you have put out a request to different agencies, maybe responding to the commission idea and getting some feedback; and I would love to have the benefit of any concern, positive or negative, about the commission. Mr. Veator, thank you again for your testimony. If you would give my regards to Lieutenant Governor Swift, I enjoyed and appreciate her work on privacy. And one thing that struck me about your testimony is that you mentioned two or three bills are pending in State legislatures dealing with the privacy issue now. In your State of Massachusetts, have you all passed any substantive privacy legislation?

Mr. Veator. I think that there are--the short answer is no, I think not in the last year or so. There are several bills that are quite close, working their way through the legislature relating to--primarily to medical and health privacy. There are two bills relating to financial service, primarily to financial services privacy.

Mr. Hutchinson. Are you aware of some States that are using the commission approach to developing their own State policies on privacy?

Mr. Veator. I am not aware of other States, just our experience where we tried to pull together as many people we could with diverse stakes, if you will.

Mr. Hutchinson. General Hatch may be aware of that. Are you aware of any States, Mr. Hatch?

Mr. Hatch. In Minnesota, we did try to appoint a task force. The problem is it ends up being, as you have indicated, a lot of interest groups.
The purpose of a task force is to do one of three things: either find out the technology of an issue that we cannot as lay people figure out; second is develop, by consensus, on an issue that we cannot get people to agree; and the third is to avoid the issue altogether. In this case, there is no science. There is science creates the issue. The technology brings in part the issue, but it is not a hard one, a fundamental issue of privacy. It goes back to the beginning of this country and even further than that. It is a value issue. Restatement of torts, courts have covered it, statutes have covered it. It is not a consensus. We will never get a consensus on it. You have got too many companies that make exchange on the data, too much legal and I think questionable activity that goes on by the use of the information versus the fundamental right of privacy. So the third becomes the issue to defer. When we tried it, we quickly recognized that it doesn't work. You are not going to get a consensus on it. The first meeting we figured that out. It isn't going to occur.

Mr. Hutchinson. Mr. Hatch, if I might follow on on some of your comments, I think you are right. I think a task force, or in this case a commission, can do a number of things. One is to help build a consensus. You also mentioned the possibility of delay. And again that is not the intent, nor do I think it should be the result. I think it can be a very positive thing. But a consensus to me is important. You have introduced legislation in your State of Minnesota addressing privacy, and I think specifically toughening up the opt-in on the financial records.

Mr. Hatch. Right.

Mr. Hutchinson. Has that passed?

Mr. Hatch. It's passed one house and hopefully we have 2 days left, we can get the other house to do it. But we have 59 hurdles to overcome to get to those votes.

Mr. Hutchinson. You have 59 hurdles in Minnesota. We have 435 hurdles in the U.S. Congress. And so consensus is important for us to build as well.
And I disagree, I think that, you know, you indicate that the American public either believe or don't believe or industry believes or don't believe. I think information is crucial. And I think that one of the things this commission provides is that you have hearings. And it's not just to receive information, but it's also an education process. People have a great understanding as to how privacy can be protected, but also that some exchange of information in terms of health records or health might be important for research. So information is valuable in building that consensus, and so I hope that that would be the goal of this commission. Mr. Chairman, you were generous to offer to put things in the record. It was pointed out by your staff that the committee received a letter from the office of the Attorney General of the State of Texas, and has that been made a part of the record yet?

Mr. Horn. I was planning to make it at end of the hearing and quote various paragraphs.

Mr. Hutchinson. Well, this is your thunder, but I was going to ask whether Mr. Hatch--General Hatch, if other Attorney Generals that you have talked to have looked at privacy in their States in terms of whether it should be the State level multitude of layers of privacy or whether there should be a national standard. Has that been addressed?

Mr. Hatch. We've had discussions on it. I think it is safe to say that most, I won't say all, but many of the Attorney Generals are in agreement that it ought to be. It is a part of the police powers of a State and it ought to be addressed at the State level. It certainly ought to be addressed at the Federal level. I think the confidence level that Congress will address it is very low. We saw that with FSMA. The bill passed and it was basically dressed up as a basic privacy act, but it was a bank disclosure act. Banks have more authority to disclose information.

Mr. Hutchinson.
Are you speaking of the Gramm-Leach-Bliley legislation that provided for an opt-out provision?

Mr. Hatch. Actually, it provided for, sir, a provision to trade information without an opt-out to any affiliate. It allows them to trade information without an opt-out to any other company for the sale of financial products, and then it defines a ``financial product'' very broadly. So it basically did little, if anything. There would be an argument that it tromped on the fiduciary laws that have been enacted and have been longstanding in many States.

Mr. Hutchinson. I think my time has expired, Mr. Chairman. I was going to have Mr. Spotila respond to that from the administration standpoint, but I yield back to the Chair.

Mr. Horn. Go ahead. We will give Mr. Moran extra minutes.

Mr. Hutchinson. Mr. Spotila, do you believe that we should have Congress address further the Gramm-Leach-Bliley provisions that the Attorney General just referred to?

Mr. Spotila. It is our position that the statute was a step in the right direction, but it did leave gaps that do need to be addressed.

Mr. Hutchinson. And right now the administration is adopting the regulations to carry that out. There is legislation pending that would adjust that. It is my judgment, there--this legislation might move forward. And if it can, terrific, if you can build a consensus. But would a commission, though, looking at this from a substantive standpoint, look at the impact of your regulations that the administration is putting out and how industry is adjusting to that, getting consumer feedback; the commission would take that and make a recommendation from there. Would that not be helpful in building consensus to move forward?

Mr. Spotila. Actually, this is an interesting point, because as I mentioned in my testimony, one of the areas we have a lot of concern is that the commission might be a reason for people not to take action on financial privacy legislation that we think is clearly needed after that statute.
If that financial privacy legislation did move forward and the commission was now studying what, if anything else--assuming there was a commission--what, if anything else, was needed after that, without having delayed this process, the argument for it would I think be stronger than if it were to suggest that we should hold up completely financial privacy legislation and let the commission try to develop consensus and look at this in a couple of years. Our sense is that this is a more urgent priority and that part of the challenge here as the Congress considers this bill, is how it might form a mechanism or create a mechanism that would allow us to consider that longer view in studying these issues without paralyzing us in areas that are of real priority, where action is clearly needed and needed more swiftly. This is actually one of the most sensitive areas about the bill and one that gives us some discomfort for this reason. If I might add, as to your earlier question on the issue of classified information, the language in section 7(c), which indicates that the commission may secure directly from any department or agency information necessary to enable it to carry out the act, and that the head of that department shall furnish that information to the commission, is the language that the agencies specifically are concerned about because it does not differentiate whether that information is classified or not. And there is no provision here that indicates the commission is equipped to handle classified information. So that is the specific provision that we are concerned about. As to how, if at all, that could be refined, we would have to get back to you. Mr. Hutchinson. Thank you, Mr. Chairman. Mr. Horn. The gentleman from Virginia. We are going to start 10-minute rounds now. It is like a dance out of the 1930's. So go ahead, my friend. Mr. Moran. Thank you, Mr. Horn. I don't want to put our witnesses through too long a marathon session. 
I will try to wrap up any further questions I have at least today in this round. Let me ask Mr. Spotila again, in light of the efforts that were made with regard to medical privacy culminating in the regulations in August 1999, and the financial services modernization effort that is currently being made, has OMB done any preliminary analysis as to what resources might be required to perform the kind of commission that we are talking about? Has there been any discussion in that regard? Mr. Spotila. I'm not aware of OMB having tried to estimate the cost of the commission. That's not necessarily something we would try to do. I'm sure if you would like us to, we could try---- Mr. Moran. Have there been discussions at OMB as to the benefit of having a comprehensive study instead of the ad hoc reactive study as a result of legislation, whether it be in medical privacy or financial privacy areas? Mr. Spotila. There has been discussion not only within OMB, but within the administration on this issue of what I call the more targeted approach. When it works well, it is targeted and focused and very pragmatic, it doesn't, it is very ad hoc and kind of irresponsible. This is versus a broad approach which might be either visionary or a waste of time. We have had a lot of discussion about this. Our concern is, that if the commission is focused on too broad an area, then it won't produce much of value, and if its timeframe is too distant, it might not inform decisionmakers on matters that need more urgent attention. That is not to say that it is impossible for a commission to add value. That is not what we are saying at all. We do have concerns about how this balance might be struck, however, and concerns that the way the bill is crafted now, it might not be striking the balance correctly. Mr. Moran. Give me a moment to consider what you just said, that you might not be striking the balance correctly. 
I would not have been surprised if the administration had recommended a broad study so that it could make its recommendations in a consistent framework, particularly given the resources that are currently going into the information security effort, which is very much related to this. Mr. Spotila. Yes. Mr. Moran. And I know that those efforts are substantial. They are being coordinated--actually, we are trying to figure out the best place for it to be coordinated. But there is an office--you are involved in that coordination? Mr. Spotila. Yes, I am. Mr. Moran. And it would seem that when you make broad-based policy recommendations that are applicable to medical privacy, that there should be some consistency in terms of individual privacy with regard to financial services as well, and that would include profiling issues, the issues of shared information that enhance customer service. So I guess I was a little taken aback, or questioning at least, of the effort on the part of the administration to take a position that we need legislation immediately. And I'm referring to the President's recent speech that protected people's privacy without having a good idea of how it is that you want to do that beyond what was included in the medical effort that HHS conducted. In terms of financial services, we haven't done it yet. I mean, we've got legislation. Regulations haven't actually been issued. And my interest is in trying to keep the issue from being politicized and to put forward legislation that not only stands the test of time, but has some consistent principles that are applied broadly, whether it be in medicine or financial services or in any other area of electronic commerce and communication. But I'm not lecturing you. I just wondered--do you have any comments on that before I go on? Mr. Spotila. 
Again, when I talked about striking a balance, what I meant to say was that we see pressing needs in the area of protecting privacy, financial records, medical records, genetic discrimination. There are pending legislative proposals in front of the Congress that we believe are well conceived and well drafted. They could perhaps be refined further, but they are good pieces of legislation and we do not want to see those bills frozen because a commission is set up to look at the whole subject of privacy in all of its ramifications. Now, having said that, that does not mean that we don't share your sense that privacy is important and that we need to study it in a comprehensive way and that we will need to be doing this over a period of time. Mr. Moran. And that we need some consistent principles in the projection of government policy. Mr. Spotila. Exactly. Mr. Moran. Mr. Chairman, I'd like to ask of the three other witnesses your expectation and recommendations with regard to the issue of whether this commission should deal with State legislation in terms of a Federal floor and what the downside of doing that would be. Of course, the other alternative is to simply preempt State legislation with Federal legislation and there is precedent for doing both. Maybe we can ask Mr. Veator and then Mr. Hatch and Mr. Stone. Mr. Veator. Thank you, Congressman. We obviously generally do not like to have our efforts preempted. On the other hand, I think that is one of the issues that the committee will have to look at as to whether or not preemption, whether it is a floor or overall preemption, should be applied differently to different levels--excuse me different areas. To the extent that we are talking about criminal statutes, that is traditionally within the police powers of the State, then you may not want to preempt those kinds of things. 
On the other hand, financial services seem to be increasingly national, if not international, so some level of preemption may be more appealing. Oddly enough, health care and health information, insurance companies that provide or pay for health care generally are still licensed on a State-by-State basis, so it may make sense for States to retain the ability to legislate in those areas. Mr. Moran. Would you narrow the scope of the commission to what States--other State studies have done? Have you considered that? Mr. Veator. I don't--at some point, obviously, the commission would want to figure out what needs to be looked at, because as I think one of the witnesses said, privacy is pervasive in every area and the things you keep hearing, again, are financial services, health, identity theft, personal security, that is sometimes threatened by the dissemination of our information. I'm not so sure that the commission needs to narrow its inquiry. In fact, I think one of the things that the commission would have to do is see how all areas of privacy are becoming increasingly related as industry converges as we go on-line and information becomes more and more available. Mr. Moran. Thank you. Mr. Hatch. Mr. Hatch. Sir, I think that certainly with the Internet you're dealing more with interstate commerce, and I think a Federal approach to it would probably be best. With regard to banks, insurance, the type of issues that have--medical, I think the States certainly ought to be able to exercise their police power. Once again, I'm not excited about the idea of a commission. I just have bad vibrations about it, and in the sense that I'm afraid that it's going to be used just to delay action by policymakers. And for what it's worth in terms of coming up with consistent principles, I would recommend to Congress to look to the restatement of torts on privacy. I mean, it has a very long-debated, researched application of the law. 
The problem is it doesn't--they have great principles, but nobody ever anticipated the change in technology in terms of the speed with which information is exchanged. But the principles are still the same. It is a balance: your expectation of privacy versus the right to know. Mr. Moran. That's the point we make that things are happening so fast that self-regulatory capacity seems to be developing. Mr. Stone. Mr. Stone. Thank you, Mr. Moran. I think that while the concept of a Federal floor and individual State regulation or legislation has some appeal, I think what we are going to be left with is the same patchwork quilt of legislative and regulatory requirements that we currently run the risk of facing today. And as the chairman mentioned a few moments ago, one of the issues that we have to deal with is where do you set the standard for Federal preemption? I think it is important to recognize that what we are talking about here, at least from the perspective that we are here today, is first and foremost people and their health. And there is no standard essentially high enough that could be set in protecting that. On the other side of the coin, though, we've heard that we have 2,000 to 3,000 pending privacy bills in State legislatures, which makes my blood run cold in terms of trying to provide services on a national basis. If you're an employer, like a Federal Express with employees in all 50 States, Puerto Rico, and in the District, and you want to provide a proven, comprehensive health program to those employees, if you run into the situation where you're able to do that in one jurisdiction but not able to do that in another, there are obviously some real problems. I think 50 years ago, health care was very local. You had a local physician, you had a local hospital, you never went outside of town, maybe to the nearest big city for your health care. I don't think that's true today. 
I think if any of you gentlemen found yourself in need of hospitalization or health care services here in the District, you would like that institution and those caregivers to be able to communicate with your caregivers in your home States. And it is not atypical today for people to travel many States away for health care and for us to be dealing with, because of technology and just because of the aggregation of services, a provision of services from people in States different than where the patient may reside. I suggest that that is a pretty good picture of what the framers had in mind when they were talking about interstate commerce, and I don't think that it is true today as it was several years ago that health care is entirely local and constrained within the boundaries of the State in which the patient may reside or in which they may be living at the time that they're receiving care. So I would urge, again, for consideration of Federal preemption, set the standard as high as consensus of you and your colleagues will allow to protect both the rights of privacy, the need for confidentiality and the ability to provide services to the people of America. Mr. Moran. Thank you. Thank you, Mr. Chairman. Mr. Horn. I thank you, and will now go at a few other questions that are somewhat generalist. Mr. Spotila, the thought is that in view of the recent attack on the Federal computer systems, what is the Office of Management and Budget doing to ensure the security of the personal information that is stored on government computers? And obviously that is a major problem. We can do all the legislating we want to have privacy, but if somebody can get access regardless of that, what are the plans in that area the administration has? Mr. Spotila. We have been giving this area priority for some time now. 
And let me begin by saying that although we are greatly committed to this, and are of the belief that we currently offer good protection to that data, we also understand that the security threat is an ongoing challenge and that there is never a final answer here; that there is a need to continue to maintain and upgrade security as one goes forward in light of changes in technology and changes in the possible threat. We have been working at the Office of Management and Budget with all of the agencies to improve their approach to information security. We have put out best practices and sets of principles. We have integrated the need to consider information security planning into their information technology planning in the budget process. There was significant improvement last year and the Director this year has given new guidance to the agencies so that this will be rolled into the budget process from the very beginning, going forward. We think that's extremely important. What we have said, that security is not an add-on, and that one must approach information security in an integrated way from the very beginning as technology planning is done, reflects the best advice of GAO and certainly our best thinking as well. We are working, in addition to that, with our security agencies, with the law enforcement agencies and with the President's advisor on counterterrorism so that we can support initiatives in that area. This will be an ongoing challenge, and we certainly look forward to working with you and this committee as we go forward in this area. Mr. Horn. In your testimony, you mentioned the Health Insurance Portability and Accountability Act of 1996, and you quote Assistant Secretary of Health and Human Services, Margaret Hamburg, as to believing that legislation is the only way to ensure health information privacy. Has--and that's the bottom of page 4 of your testimony. And the question would be, has the Department explored other alternatives? Mr. Spotila. 
Well, among other things, the Department is working on finalizing the health privacy regulations that we referred to earlier. It will be issuing a rule this year that we think will be very constructive. We are just concerned that the enforcement powers that are available under existing law are not as effective as they should be and that Federal legislation is needed so that anyone who would misuse personal health information would be subject to accountability. It is really a matter of building on some of the positive steps that have taken place in the past, including these rules that will be coming out this year, and filling in other gaps. Mr. Horn. Is there any thought as to the type of penalty that might apply at this point? Mr. Spotila. Well, there has been a variety of testimony on what new legislation in this area might look like or what it ought to look like. We think it is necessary to set the standard correctly first, and then to address penalties. I think that we have to fill the gaps and make it clear that we recognize the sensitivity of health records, that we think that the individual should have some control over how those health records are used and that they shouldn't be used without consent. These principles are vitally important and there are some gaps in terms of how they are applied. The specific penalty could vary. I think the notion that we've set those standards and that we've tried to address those gaps is the most important principle. Mr. Horn. Now, has the administration already come up with that in the draft of the Health and Human Services--or do you have other drafts going with the principal idea? Mr. Spotila. There is, as I mentioned, a proposed rule that went out for comment that got 53,000 comments. The Department is working on finalizing that rule. It is a huge task. Reviewing all of those comments and taking them into consideration will be very time consuming. Our timeframe on that is to get the rule out this year. 
The possibility of future legislation is something that could be looked at. Mr. Horn. We've got fiscal years, we've got calendar years. Which year? Mr. Spotila. I'm referring to calendar year 2000 for getting the rule out, with the proviso that we would like to do it as soon as it could be done. I don't mean to suggest that it will be the last day of the calendar year. Mr. Horn. I wanted to know if it was the midnight judges' technique. Mr. Spotila. We would very much like it not to be. Part of a responsible approach to a rule like this is to consider seriously those comments that members of the public made and to take them into account and address in the preamble to the rule what the Department believes about those comments. When you get 53,000, that's a big job. So we are trying to get it right. We are trying also to be fair and proper in the process. So it will be time consuming, but we think the rule will be a good one when it comes out. Mr. Horn. One of the arguments against developing a new privacy commission is the potential that old work will be duplicated. I just want to ask you if you and your staff and the HHS staff, have they looked at other commission studies at the State level and individuals in Washington think tanks? And what kind of help have you relied on? Mr. Spotila. We have attempted--and the Department, obviously has had the lead here--we have attempted to draw on all of those studies and all of the information that we know of. So that would include those to which you refer. That in going forward in setting up a sensible rule, we could take into account that wisdom. The comment about the commission or concern about the commission is that it's important that any future effort that studies the privacy area should also build on what has gone before and that should be a guiding principle. Mr. Horn. Moving to Mr. Veator, in your testimony you mentioned that businesses were taking steps to protect private information. 
Could you sort of describe the Massachusetts experience and what is happening in that area and what companies have been successful? Mr. Veator. Well, since finalizing our legislation, we have had the opportunity to meet with a number of businesses who are either happy or concerned at different levels by it, and we have had the opportunity to learn what their privacy protection policies are. And I note that I think that the FTC sweeps Web sites. Web sites with privacy protection policies have gone from something like 14 percent to 56 percent in the last year. So I think more and more companies are aware, especially on-line, that they need to have some sort of privacy protection right up front. Mr. Horn. Now, as I understand it, the Massachusetts Lieutenant Governor has taken an active role in the issue of privacy as a member of the Federal Trade Commission study on privacy. So you found that to be helpful, I take it? Mr. Veator. I think it was both helpful and informative as to how a commission approach really could be very helpful. The particular FTC committee was on providing consumers with access to their personal data on-line and ensuring security of that data at the same time. The committee managed to get 40 representatives, approximately, from industry, privacy advocacy groups, from around the country, and the depth and wealth of information I think that was available in the room when those people met and on lots of conference calls was instrumental in putting together what I think is a very robust analysis of security and access. Mr. Horn. Mr. Stone, I'm curious; in your testimony you discuss the positive effects on disease management when medical records are accessible to companies such as American Health Ways. Now, beyond the patient's name and the physician's diagnosis, what kind of information do these companies really receive? Is it address, Social Security number, entire medical history or what? Mr. Stone. Mr. 
Chairman, it's the entire medical history, both past and going forward, that is received and used by a disease management organization. I think that recognizing we are dealing with a chronic disease population, it's problematic to think of the use of information in an episode-of-care kind of fashion that permeates so much of American medicine. In order to help people with chronic diseases who are ill from the day they're diagnosed and until the day that they die, we need to know how to work with them and their physicians in order to develop and implement care plans that are responsive to the changes in their condition over time. So we start out with a complete medical record consisting of claims information, the insurance company; pharmacy information, the pharmacy benefits manager; lab information and any information which we can get--which proves to be difficult sometimes because physicians are still pretty much on paper processes in their office--and information from the patient. As this information is updated over time, the patient's stratification within the system will change and the interventions which are provided in support of their self-management efforts and in support of their physician's care plans will change as well. So it becomes a rather comprehensive clinical and financial database of information with respect to each of the patients that are in the program. Mr. Horn. Mr. Stone, are there other companies such as yours? Mr. Stone. Yes, sir, there are. Mr. Horn. How many are we talking about? Mr. Stone. Well, the current count is somewhere around 170. I would suggest that a number of those organizations, however, are claiming to provide disease management services in order to take advantage of some of the protections that have been afforded them under the HHS proposed regulations and which were even included in Senator Jeffords' bill on privacy which did not emerge from committee last year. 
And one of the things that we hope that Congress and/or this commission can do is begin to draw the distinction between those disease management efforts which are legitimately aimed at improving individuals' health and those that are masquerading as a way to offer that chronically ill population something for sale. Mr. Horn. So disease management would be a generic term, then, for describing the 170; is that correct? Mr. Stone. Yes, Mr. Chairman. Mr. Horn. Do you know of any examples where other firms than your own have violated a commonsense standard of privacy? Mr. Stone. I can't say specifically. I think that if the committee were to look at the broad variety of organizations that are claiming to provide disease management services, and the broad variety of the scope of services that are being offered, staff might very quickly be able to identify segments of the disease management industry that might fall into that category. Mr. Horn. Let me ask you this. We have in this country a traditional checks-and-balance system, and on the health side you have got outside company inspections. And groups that do this are Veterans Administration, hospital consultants, and so forth. And what other balances do you see to try and keep privacy sacred, if you will, if the individual wants that? Mr. Stone. Well, if I understand your question correctly, Mr. Chairman, I think that it's important to recognize that disease management as a concept is only 6 or 7 years old, and has made significant strides toward professionalization and self-regulation over the last year to 18 months. I fully anticipate that within the next year to 18 months, we are going to see emerge accrediting programs for disease management organizations. I know that such programs are under consideration by the Joint Commission on Accreditation of Health Care Organizations, URAC and NCQA, among others, and I think those are going to come into play in the relatively near future. 
I think clearly that kind of good housekeeping seal of approval will go a long way to assuring patients and physicians and health plans that the information being received by organizations with that kind of accreditation has met a certain set of standards. In the interim, the industry has--is working on its own statement through the Disease Management Association of America on privacy, on the minimum standards that should be in place, and I think that we are going to see not only the accreditation process develop but a rapid shrinking of the number of organizations offering disease management services as those industry efforts for self-regulation take hold. Mr. Horn. Now, remind me on that. In your testimony it seems to me there is real concern about State privacy laws that inhibit people from getting the treatment they need. How serious a situation is that and should that be Federal preemption? Mr. Stone. Well, I think, fortunately, the States have been relatively slow to the legislative process. There is State law in California which was passed at the 11th hour in their last legislative session which is currently going under emergency remediation because of the essentially chilling impact it had on the delivery of disease management service. I think everybody is familiar with the effort in the State of Maine last year which, while well-intentioned, prevented clergy from visiting people in the hospital because the hospital couldn't tell the clergyman whether the patient was actually there. Mr. Horn. I thought the flowers example was particularly upsetting. Mr. Stone. Massachusetts has legislation pending. Texas has legislation pending. Florida has legislation pending. Certainly three bellwether States in terms of health care regulation. 
All of which was modeled after the California bill which managed to pass, and the industry association is also lobbying hard in all of those States, pointing out that the California bill is about to be repealed, at least as it relates to disease management. I think that to the extent that the organizations who are providing these services on behalf of health plans, their members and physicians recognized, again, that this is people's health we are talking about, the issues become fairly straightforward. It's when you fall over the line into the provision of health care services or would-be provision of health care services in support of commerce or some other product or service that the abuses that we've all heard about come to pass. Mr. Horn. Attorney General Hatch, does Minnesota have a Freedom of Information Act? Mr. Hatch. Yes, sir, we call it the Data Practices Act; but yes, sir. Mr. Horn. Has the impact of privacy laws--or would it be, in your mind--in any way change the Freedom of Information Act or would the State have to change it if they had a privacy law? Mr. Hatch. No, sir. We took--at least the way we're approaching it is we take one segment of society, take it issue by issue: banking, financial data, versus health data versus government data. And oddly enough in Minnesota and I think most States and certainly in the Federal Government, the issue of government data has been with the Freedom of Information Act and the Data Practices Act has been debated and there are statutes in place. There is some effect on government data in Minnesota with regard to the Shelby amendment on driver's licenses. We are having a debate on that issue. But pretty much government information is leaving it alone in terms of what the Data Practices Act contains, which parallels very closely what goes on at the Federal level. Mr. Horn. Well, let's hear about the Federal level. Mr. 
Spotila, how much, if any, would be a problem with, say, the HHS privacy regulations which are out there now and the Freedom of Information Act? Is there a problem there, and has anybody between Justice and your office thought through those problems? Mr. Spotila. Our sense is that there is not a problem, that the Freedom of Information Act has always allowed for the protection of private information of the sort that we are talking about, individual information. In terms of what the HHS rule will look like as a final rule, that is still in the course of development. We're certainly sensitive to not creating a problem with the Freedom of Information Act; that would be something that we are always going to be careful about. Mr. Horn. Do any of you see any problems here that we haven't brought up yet that you'd like to raise and maybe did not raise in your own statements? Do you have something, Mr. Spotila? Mr. Spotila. Nothing else, other than as I mentioned, that we welcome the good intentions that are reflected in this bill and would look forward to working with the committee further. Mr. Horn. Getting back to Mr. Hatch a minute, in your testimony you talked about the need for the States to take action on the issue of privacy. Our staff has talked with people from the Mayo Clinic and the University of Minnesota. They discussed their concerns with privacy legislation initiated in the Minnesota legislature saying the opt-in policy was not successful for them. Mr. Hatch. Sir, what that relates to is it is a separate bill. In Minnesota, health data is transferred to the government without your permission; all patients without permission, without knowledge. And what I proposed is a bill saying at least you ought to get the consent of the patient. Center for Disease Control, Mayo Clinic and everybody else does it. 
I am surprised that all of the health information, at least health data is being transferred to the Minnesota Department of Health Data Institute without even the knowledge of the patients, and there are a number of issues that will be coming out with regard to how that information is being used. In that case, there were physicians at the Mayo Clinic who were on the Health Data Institute who opposed it even though only 60 percent of the--a little more than 60 percent of the patient data that is being sent, again without knowledge, people who are charity cases, people who pay cash, people that go in for certain types of, say, cosmetic surgery surgeries that are not covered by an HMO or insurer, are not transferred. So actually, statistically, the information is not as credible as a process where you do get the consent of a patient, simply because 97 percent of them will consent to it. In this case it is about 60. I don't oppose having the information sent to the government as long as you don't have a patient's name and Social Security number attached to it. And there have been examples of leaks; you mentioned yourself, sir, with regard to government data being transmitted inadvertently. We had examples in Florida of lists and certainly we have other statutes that require listing of epidemics--epidemiology with regard to transferable diseases. But they did disagree with the idea that the patient ought to have to give consent because their data is being sent. Mr. Horn. Has there been any effect on the quality of medical research to your knowledge? Mr. Hatch. No. Mr. Horn. Here people would argue the Shelby amendment is a problem. Mr. Hatch. Your Honor, in Minnesota the Department of Health has never issued any studies. They gather the data but no studies have ever been issued. And, indeed, if they did, given the fact that only 60 percent of the data is being transmitted, it is probably less credible than the research facilities that do get patient consent. 
They get about 97 percent data response. My beef with that is simply that you ought to at least notify the patient. When you walk into a hospital you have to sign three times. One of them is a consent form that basically allows a transmission. It seems to me before it goes to the government, there ought to be some acknowledgment by the patient that it goes. Either that, or you can send the data, but just don't send the patient's name with it. Give it a code. That was my beef. Mr. Horn. In other words, your State health department could collect this data but would not need to have the address and the name of the person that is the result of that data? Mr. Hatch. Sir, yes, and my proposal did not pass. So that's the one that did not get enacted. Mr. Horn. How about it, Mr. Stone? How much of a difficulty would that be with, say, the management--disease management companies? Mr. Stone. I think, Mr. Chairman, there are significant differences between research which requires aggregated data but does not require, as General Hatch suggested, patient names and identifiable information for the analysis on that data to be carried out, and for activities that are in the stream of delivering health care services, which is where our industry, our company, HHS, Senator Frist and Breaux and the President have all put disease management as part of the treatment side of medicine. And to do treatment effectively, you need to know who you are talking to and where they live and how to contact them so that you can have intermittent actions, whether those be face to face, phone, Internet or whatever, with those individuals in order to further their care. Mr. Horn. But does the patient know that this personal information is being released to you? Mr. Stone. I would say probably not, since in our case, anyway, all of our programs are private labeled for the insurer who is our customer. So the patients and their physicians are advised of a new diabetes program for Cigna Health Care. 
The patients are given an opportunity, in our model specifically, to opt out of participating in that program. Less than 2 percent do. And if they don't, they begin to receive interactions as if our personnel were Cigna's personnel. So I doubt that they know that it's coming from American Healthways. Mr. Horn. Now, you operate in all 50 States or what? Mr. Stone. We're currently operating, I think, in 33 States. Mr. Horn. In 33 States; is there any way that employers, insurance companies, could get those lists of yours with, say, diabetes or cancer or whatever? Mr. Stone. Other than the insurance company that we are providing the program for? I guess there is, given the ability to tap into electronic data systems. But it would be extremely difficult since we are not using the Internet, we are operating on a closed network at the moment and we are transferring information back and forth with our insurance plan customers on a weekly or monthly basis. Mr. Horn. Well, what kind of data could you find in a small Minnesota town, let's say, where you have got 200 people and Olie is 57 years of age, you don't need his name, everybody in town knows he's 57. Isn't that a worry for you? I think it is for a lot of people who say, gee, the boss is going to hear that I've got this disease and there goes my pension. Mr. Stone. I think that the issue you're raising, Mr. Chairman, is a very real issue. Most of the companies that we have talked to do not want to know, and create some very serious iron walls between their H.R. functions as it relates to their employees and those individuals in the organization who may have personal health care information and the review, hiring, firing processes of the company. We do not provide information back to an individual's employer. Our exchange is strictly limited to the health plan that has hired us to work with their members and their providers for the delivery of disease management services. So it is a very tight network. Mr. Horn. 
Well, could that health plan just cancel them like that? I find health plans aren't exactly easy to deal with. Mr. Stone. Without meaning to, obviously, to step on our customers' toes, again, I guess that's certainly possible. I think what's happened in the health plan industry--and I would, you know, defer to their industry association for more detailed response--that they have recognized finally that the days of riding the utilization review and contracting horses to margin are over. And with somewhere between 10 and 15 percent of all their members having chronic diseases, with all of us getting older, and therefore sicker, health plans have begun to realize that if they are going to ever return to any kind of reasonable margin level, they are going to have to take care of patients. And the basic premise underlying all disease management is that healthy people cost less. Mr. Horn. Now, you work with university medical researchers on a lot of your work? Mr. Stone. No, we don't. Mr. Horn. You don't? Mr. Stone. No. Mr. Horn. So there aren't any studies being done, then, as to the success or not success? Mr. Stone. Well, in fact, there are. In 1998, there was a study released by the Lewin Group, Dr. Rubin was the principal author, former assistant Secretary of HHS, which validated our outcomes for our diabetes program for 7,000 commercial members in HMOs. And as I alluded to in my testimony, next week we will be releasing a similar study on 20,000 HMO members in Medicare-Plus Choice plans. So despite the fact that we are a commercial venture, we are fully prepared and have always been prepared to put our results out there to stand the scrutiny of public and scientific review, and in the hope that people will come to recognize that these kinds of programs do improve health, do create satisfied consumers and providers and save significant amounts of money. Mr. Horn. Let me round that one out. 
When an organization or a company such as yours or other types in medical research receive public money for, say, research, do the taxpayers or the government at all levels have access to private records used in a publicly funded study? I would be interested in what you all think on that one. Mr. Stone. I don't know that I have the expertise to respond to that. I do know that 2 years ago we entered into an agreement with NIH to provide them with blinded aggregate data from our database. And it is now the largest single database on diabetes in the country. NIH was perfectly happy to take that data in a blinded format without any patient identifiers on it. Although I have to admit in 2 years they have never once asked us for anything. Mr. Horn. Mr. Hatch. Mr. Hatch. The issue I was going to advise in private practice as a lawyer--I represented insurance companies and third-party administrators as well as some patients, actually, but the third-party administrators of self-insured plans all--I shouldn't say all, but most at one time or another do get a request from an employer with regard to issues concerning health care. They were uniformly advised you have ADA issues here; don't recommend that you be doing this. On the other hand they are telling me: That is easy for you to say, but that is my largest client. And I recall vividly, one being a trucking company, requests the copies of anyone having chemical dependencies. The issues here--this is the other side of it. The public, if you're a patient and you're aware that that data is going to be transmitted beyond the doctor, you won't get treatment. I will not go in for chemical dependency treatment if I know that my employer will find out. Or as an Attorney General, if the voters would find out, maybe it is something that I want to keep confidential. Too many areas, venereal diseases, there are too many issues that crop up in our lives. 
But if I know that that is being transmitted, that is going to interfere with the physician's ability to treat the patient. And I don't have any problem with aggregate data, even with patient identifier data if the patient signs off, gives a consent. And my understanding is that roughly 97 percent of the public will give consent on that, at least participated in that decision. Mr. Horn. Mr. Veator. Mr. Veator. We currently have a bill in front of the Massachusetts Legislature relating to just that question. And I think the issues have come down to the same, which is how do you ensure or motivate the use of aggregated, deidentified data, and then how do you protect people who want medical services and at the same time are aware that either through sharing information by insurance companies between either health care insurers or life insurers, how you get medical services when they're worried about that data being disseminated, properly, as it turns out in many cases. Those are the issues I know that the Massachusetts Legislature is dealing with now. Mr. Horn. In your research on that, in Massachusetts, are there a number of States doing the same thing? Mr. Veator. I think so. I know that California, for example, has either enacted or has something pending along those lines. Mr. Horn. Let me ask you, Mr. Spotila, what's the Federal Government's position on this? Mr. Spotila. There are two aspects I would point out. Aside from this issue of aggregate data versus treatment information, we are also aware that the Centers for Disease Control and perhaps other public health agencies might have access to information about medical conditions. But they have handled that information in accordance with the Privacy Act and other confidentiality restrictions. There's always a need for balance between proper use and privacy. The proposed rule that the Department of Health and Human Services has put out on health privacy also deals with this subject. 
We are likely to see an addressing of it in the final rule either through the setting of criteria or insistence that the identification tags be removed from some of that information. It's an important question. It's very much on everyone's mind, and we are trying to strike the right balance to make certain that we don't lose some of the advantages, whether it be improved treatment or public health response, as we take better steps to protect individual privacy. Mr. Horn. Let me move back to Attorney General Hatch now. In your testimony, you mentioned how you took legal action against the U.S. bank for selling personal information to marketing companies such as Member Works Incorporated. I'm curious, what additional actions did the Minnesota courts take to protect the interests in personal privacy? Mr. Hatch. The courts or the legislature? The courts? Mr. Horn. The courts. Mr. Hatch. Well, both cases settled, so they did not go any further than that. I think there's still a class action that's pending in the private side of it. In the U.S. bank case, the bank did agree to prohibit--to not agree to any distribution even with consent, basically. They cannot distribute information to third-party marketers. They can distribute to affiliates on an opt-out. So it is--oddly enough, that bank is probably working under stricter guidelines than any other bank in the country right now. The Member Works we did settle. The allegation there was essentially they took the data, including the date of birth, and basically according to the audiotapes of the supposed consent, our estimate is roughly half never agreed to any acquisition. While we did not have statistics on it, I was surprised at the age of people; it could be that they're the only ones home that are answering the phones; could be they are the ones that are most vulnerable to a direct sales pitch. But it may also be that companies are targeting that group, and I don't know. 
But we will have more knowledge on that I think by year end as we're gathering through it and looking at other cases. But it appears that, you know, the financial data, two-thirds of fraud basically is directed against senior citizens, No. 1, because they've got the money, it is their nest egg; and No. 2, they are perhaps more trusting, more vulnerable. And financial data in the wrong hands is very--can be very dangerous. And the courts have not gone further, but other than that, we do have class actions pending. Mr. Horn. We have another few hours this week, not for your panel, but for the panel on Tuesday and we will set up another panel, panels one and two, on the Tuesday one, and then we will have a hearing later in the week on a related subject, which involves Social Security in relation to privacy and the numbers thereof. So what I'm going to do today is just thank you all, because you have given us a number of vital perspectives that we really need, and we hadn't thought about. So I am most grateful to you for the testimony you have given to us. And I do want to thank the staff for putting this together and that is J. Russell George, the staff director and chief counsel for the Government Management, Information, and Technology Subcommittee; and then on my left, your right, Heather Bailey is the counsel for this hearing. Bonnie Heald, director of communications back there next to Mr. George; Bryan Sisk, the clerk; and Liz Seong, is an intern; and Michael Soon, intern. And then Trey Henderson is counsel for Mr. Turner, the ranking member, and the minority; Jean Gosa is minority clerk. And we have today Doreen Dotzler and Joe Strickland as the court reporters. And I will now read the statement from the Attorney General of the State of Texas and put that in the record. I don't know if the Attorney General is Democrat or Republican. You might know. Mr. Hatch. He's a Republican. Mr. Horn. He's a Republican, OK. 
Because I know the Governor has a lot of Democrats in the State government, so I did not quite know whether this was one of the Republicans that got in. But his letter is very interesting. He said--this is John Cornyn, Attorney General of Texas. He says: I want to express my support for the privacy commission, H.R. 4049, under consideration by our committee here. And this legislation proposes the creation of a privacy commission that will undertake a comprehensive study of the issues relating to the protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing appropriate uses of information. With the advent of the Internet and the information era, privacy has become a central issue for American citizens, industry and policymakers. As consumers are becoming more aware of the personal information that is being collected and used by on-line companies, their concern about individual privacy is growing. The technology industry is also focused on the privacy issue. Recognizing that the future of the Internet depends on consumer confidence, the technology community has taken laudable steps to develop self-regulatory standing programs to build consumer trust in the new medium. The erosion of the consumer trust poses a serious threat to personal privacy and the future success of e-commerce and thus creates the need for government to consider appropriate steps for the protection of consumer privacy. At the same time, however we must find a way to protect consumer privacy without stifling growth and innovation in the rapidly changing world of cyberspace. I believe the establishment of this commission is a step in the right direction toward achieving this balance. Over the past few years, privacy initiatives have cropped up across the country. The Federal Government, States, the private sector, industry groups, and consumer groups have all formed working groups to study the issue. 
None of these initiatives, however, appear to be taking the coordinated global approach proposed by the Privacy Commission Act. Because the Internet has no boundaries, it is imperative that Federal, State and local efforts to protect privacy and encourage the growth of the new economy be coordinated. Government, industry and consumer groups need to work together to help define their appropriate roles in achieving a balanced solution to the privacy problem. State attorneys general have a unique perspective to share in this debate because we are responsible for protecting consumers' rights in 50 States. As the Attorney General of Texas, I am deeply concerned about the privacy issue. In particular, I am concerned about protecting children's privacy and maintaining the confidentiality of sensitive medical and financial information. In Texas, we are currently studying our laws to determine how we can best protect consumer privacy while still encouraging the growth of e-commerce. My office has created an Internet bureau that will protect consumers' privacy on-line in addition to fighting cybercrime. Over the last month, I have met with numerous members of our very large and growing technology community in Texas. I have gained an understanding of the industry's concerns and its efforts to regulate itself in the privacy arena. In Texas, we are working to protect consumers while fostering the growth of technology businesses. Because I believe the proposed privacy commission will help coordinate the efforts and perspectives of all of us involved in the privacy debate, I encourage your subcommittee to support the proposed Privacy Commission Act. Thank you for your consideration of my views. I respectfully request this letter be submitted for the record. We thank you; and we thank Attorney General Hatch; and we thank you, Mr. Veator, on the State perspective; and we thank you, Mr. Stone, on the very interesting and unique model that is going on in disease management. 
And we thank you, Mr. Spotila, for giving us the broad view of what is going on in the Federal Government. Thank you very much for coming. Now, the Democratic staff and the Republican staff might have additional questions, and if you don't mind we would like you to respond to them because Mr. Turner had to go out for a very important meeting. He might well have some questions, and we would appreciate it if you would give those answers. We will put them in the record without objection at this point. At this point, we are recessing until Tuesday at 2 p.m. to continue the rest of the panels, and that is in room 2247. The full committee, I believe, is in here. It will be in room 2154. The full committee is not meeting. With that, we are adjourned. [Whereupon, at 4:03 p.m., the subcommittee was adjourned.] [Additional information submitted for the hearing record follows:] [GRAPHIC] [TIFF OMITTED] H.R. 4049, TO ESTABLISH THE COMMISSION FOR COMPREHENSIVE STUDY OF PRIVACY PROTECTION ---------- TUESDAY, MAY 16, 2000 House of Representatives, Subcommittee on Government Management, Information, and Technology, Committee on Government Reform, Washington, DC. The subcommittee met, pursuant to notice, at 2 p.m., in room 2154, Rayburn House Office Building, Hon. Stephen Horn (chairman of the subcommittee) presiding. Present: Representatives Horn, Turner, and Waxman (ex officio). Also present: Representatives Hutchinson and Moran of Virginia. Staff present: J. 
Russell George, staff director; Bonnie Heald, communications director; Heather Bailey, professional staff member; Bryan Sisk, clerk; Liz Seong and Michael Soon, interns; Phil Barnett, minority chief counsel; Kristin Amerling, minority deputy chief counsel; Michelle Ash and Trey Henderson, minority counsels; and Jean Gosa, minority assistant clerk. Mr. Horn. A quorum is present. We have a vote on the floor, and we will be in recess until 20 after 2. We're in recess. [Recess.] Mr. Horn. A quorum being present, this hearing of the Subcommittee on Government Management, Information, and Technology will resume. The subcommittee is continuing its examination of H.R. 4049, a bill to establish a commission on the comprehensive study of privacy protection. Yesterday the Honorable John Spotila, Administrator of Regulatory Affairs at the Office of Management and Budget, testified about the efforts being taken by Federal agencies to protect private information against inappropriate disclosure. Minnesota's Attorney General Mike Hatch and Mr. David Veator, from the Massachusetts' Office of Consumer Affairs and Business Regulation discussed the complexities of attempting to craft appropriate State legislation. Our fourth witness was from the private sector and discussed why such legislation is necessary. Mr. Robert Stone is the executive vice president of American Healthways, a company that provides disease management programs to about 170,000 people enrolled in health maintenance organizations. His company sets up treatment plans for patients with chronic illnesses. Mr. Stone testified that in many States HMOs share their patients' medical records with disease management companies such as American Healthways, even though most patients are unaware that a third party is viewing their personal records. With that, we will proceed with the panels today, and we will begin with panel one for Tuesday. Mr. Belair I see is here, editor of Privacy & American Business; Dr. 
Mary Culnan, professor, McDonough School of Business, Georgetown University; Christine Varney, former Commissioner, Federal Trade Commission; and Solveig Singleton, Director of Information Studies at the CATO Institute; Ron Plesser, legislative counsel, 1977 Privacy Commission, and Stanley Sokul, member of the Advisory Commission on Electronic Commerce. Let me explain how the subcommittee works. We work essentially that once--we're going right down the line, and your statement is fully put in the record. We'd like you to summarize it in 5 minutes so we can have a dialog between the Members here and the other witnesses so we get something from that besides simply a written paper. In the case of government agencies, usually the person's never written the paper, but you're different, and I know you struggled over it probably like all of us when we are in the private sector. So we will also have panel two today, the Honorable Edward Markey, Member from Massachusetts; the Honorable Joe Barton, Member from Texas; the Honorable Jim Greenwood, Member from Pennsylvania, and they will join us on panel two. So we think we are without a lot of votes to disrupt us today, but that's democracy, so we have to do that. It's always a pleasure to take a walk anyhow around here. [The prepared statement of Hon. Stephen Horn follows:] [GRAPHIC] [TIFF OMITTED] Mr. Horn. So we will begin, then, with, besides my opening statement, I believe the gentleman, the ranking member on the full committee, Mr. Waxman for an opening statement. Mr. Waxman. Thank you very much, Mr. Chairman. I want to commend you for holding hearings today and yesterday on H.R. 4049. I regret I was unable to attend yesterday's session due to a preexisting schedule conflict. I was flying back from Los Angeles. You know how that is, Mr. Chairman. But I understand the session was informative. H.R. 
4049 proposes a $2.5 million privacy commission to study a wide range of very complex issues that affect a tremendous number of stakeholders. It is important to examine this proposal carefully and ensure that those with relevant expertise and experience have had a chance to review it, and I appreciate that you facilitated that process with this week's hearings. The schedule the subcommittee has set for moving this legislation forward, however, may be self-defeating. Many of us want strong privacy legislation, but the rushing pace we are following with this bill may result in legislation that is counterproductive to privacy efforts. H.R. 4049 was introduced at the end of March. The subcommittee announced last week that it is interested in having a markup by next week. This intention to mark up this bill by next week was announced before the subcommittee even heard from the many experts that are coming before us this week, and as we saw from testimony and statements provided yesterday, the bill poses numerous issues that require careful thought. I fear that by rushing, we could foreclose the opportunity to design a commission we can be confident would be an effective use of taxpayers' dollars. It would be ironic if those arguing for a deliberate, thorough commission review of privacy issues do not give deliberate, thorough consideration to issues relevant to establishing such a commission. I think it's worth noting that the pace in which the committee is moving on this proposal to study privacy stands in stark contrast to the complete lack of attention the committee has paid to legislation that would actually establish privacy protections. For example, in May of last year, Mr. Condit, myself, Mr. Markey, Mr. Dingell, Mr. Turner, and many other colleagues on this committee and others introduced legislation that would establish comprehensive privacy protections for individuals' medical records. 
That bill was referred to this very subcommittee, yet 12 months later there's been no consideration whatsoever of that bill or other medical privacy proposals that have been referred to this subcommittee. As we examine the merits of H.R. 4049, it's imperative that we remember that Congress has a responsibility to do more than request the study of privacy issues. Congress should act immediately to address serious privacy concerns in several areas. For example, many individuals currently are withholding medical information from their health care providers, even avoiding medical care for fear of privacy violations. Years of congressional hearings and study by governmental and nongovernmental entities have provided us with more than sufficient information to take action to enact comprehensive medical privacy protections. Congress also must ensure that adequate privacy protections apply to individuals' financial information. One of the questions that has arisen about the Privacy Commission proposal is whether a commission would delay ongoing privacy initiatives. I understand the proponents of the legislation have emphasized that this measure is intended to complement, not delay, ongoing efforts. However, I think that an April 17, 2000, editorial in the Life and Financial Services edition of the National Underwriter magazine provides insight into this issue. The editorial chides the Financial Services Coordinating Council, which represents insurance companies and securities firms, for failing to endorse H.R. 
4049, arguing that, ``by not lending its considerable weight to the effort to enact the bill, FSCC may be missing a golden opportunity to forestall highly restrictive privacy measures that will be introduced both in Congress and in State legislatures around the country.'' The editorial further stated, ``If the financial services industry can make a strong economic case for the consumer benefits of information-sharing, the bipartisan Commission proposed by Representatives Hutchinson and Moran provides the best forum to do it. Moreover, the presence of such a commission will provide a strong argument for Congress and the State legislators to wait for the results before enacting highly restrictive privacy legislation.'' This editorial underscores that despite the best intentions of the proposal's authors, others may well want to use it to impede privacy protection efforts. If we are to move forward with H.R. 4049, we must ensure that any privacy commission created is structured so that its deliberations will involve consensus-building instead of divisiveness, and so that members on the Commission have appropriate expertise and experience. Further, the Commission's resources and powers must be consistent with the mandate it is expected to carry out. In this week's hearing on the bill, we are receiving testimony from individuals who have been involved with the study of privacy or who have worked on privacy initiatives. These witnesses can help us better understand the issues relevant to constructing an effective commission. I look forward to the testimony of today's witnesses. I want to note that in addition to statements submitted yesterday for the record, I've received comments on this bill from privacy consultant Robert Gelman and would like to enter his statement into the record. I also request that we keep the record open for 2 weeks. Mr. Horn. Without objection, that will be put in the record. [The prepared statement of Hon. Henry A. 
Waxman follows:] [GRAPHIC] [TIFF OMITTED] Mr. Waxman. My second request is that we keep the record open for 2 weeks so that others with expertise and interest in these issues may also submit their comments. Mr. Horn. Well, let's try with 1 week, and if there's still some more, because I wouldn't want us to adjourn too much and not get this done. As you say, this is a very important issue, and we've been trying to get a number of people to do something about it. So that's why these hearings. We've got another hearing this week, and everybody is welcome. Mr. Waxman. Mr. Chairman, you're willing to have 1 week for anyone to submit their comments for the record? Mr. Horn. Yes, and if there's others, we'll work it out. We don't really need a rule on it. We'll just put it all in the record. [The prepared statements of Hon. Jim Turner and Ms. Blumenthal follow:] [GRAPHIC] [TIFF OMITTED] Mr. Horn. The gentleman from Arkansas. Thank you. The other member from the full committee. We're always glad to have you here. Mr. Hutchinson. Thank you, Mr. Chairman. I want to express my appreciation to the ranking member of the full committee, Mr. Waxman, for his thoughtful letter that he sent after the first round of hearings. As everyone knows, this is the third day of hearings on this particular Privacy Commission proposal, and I think it is good for America. 
It's certainly good for this Congress to hear from such distinguished experts on the issues of privacy and to learn the history of what we've done from a legislative standpoint on the issues of privacy and what we need to do, and Mr. Waxman's letter certainly provoked 2 more days of hearings, which is exactly what we need, and I think it has been very, very instructive. So I was pleased that the chairman responded to that request from Mr. Waxman by scheduling yesterday's hearings and today's as well. I did want to respond to a couple of the remarks of the ranking gentleman who mentioned that he was concerned that we would rush to markup on this bill, a commission bill. Of course, we've passed legislation out of the House in terms of--even though it didn't come into law, we passed a commission for studying campaign finance laws. We've had a Medicare commission. So the structures of commissions have been on the table for some time. But I think it is important that we get the broadest range of input as possible, and I would solicit, Mr. Waxman, any suggestions that you have. We've been in contact with your staff, and we would certainly love your ideas on how this legislation can be improved. But I think there is a concern in terms of the markup. This is May, and this legislative year consists of June and July. We're out August and in September, and then it's gone. And in a puff of smoke we're out of here, and it's going to be very difficult even on a fast track to get legislation through the House and Senate. And for that reason I would hope that we will continue to move forward this proposal as well as other proposals that have a consensus in this body in terms of privacy. And I think it would be regretful if we went home the end of this year and told the American people we did nothing on privacy. So I hope that we can. I'm glad the agencies are moving forward. 
Whatever happens in terms of the agencies, whatever happens in terms of other legislation, it's important that we continue to study this in a thoughtful and comprehensive manner. This mission is designed to complement, complement other issues that are out there and not to be exclusive. I just want to assure the ranking member that that is my intent, and I hope everyone in Congress looks at it the same way. With that I'll be happy to yield and look forward to the testimony of the witnesses.

Mr. Horn. If the witnesses will stand and raise their right hands to affirm the oath.

[Witnesses sworn.]

Mr. Horn. The six witnesses did affirm. The clerk will note that, and we'll proceed with panel one. The first one is Bob Belair, editor, Privacy & American Business. Glad to have you here.

STATEMENTS OF BOB BELAIR, EDITOR, PRIVACY & AMERICAN BUSINESS; MARY CULNAN, PROFESSOR, McDONOUGH SCHOOL OF BUSINESS, GEORGETOWN UNIVERSITY; CHRISTINE VARNEY, FORMER COMMISSIONER, FEDERAL TRADE COMMISSION; SOLVEIG SINGLETON, DIRECTOR OF INFORMATION STUDIES, CATO INSTITUTE; RON PLESSER, LEGISLATIVE COUNSEL, 1977 PRIVACY COMMISSION; AND STANLEY SOKUL, MEMBER, ADVISORY COMMISSION ON ELECTRONIC COMMERCE

Mr. Belair. Thank you, Mr. Chairman. Let me commend you and the members of the subcommittee, and Mr. Hutchinson and my Congressman Mr. Moran for your leadership on this bill. I'm delighted to be here. I think I can catch you up a bit in terms of time. I appreciate your rescheduling me from yesterday when I couldn't make it to today, and mindful of that and the big panel, I'll be very, very brief. Let me just say first in response to Mr. Waxman's comments, Privacy & American Business, we are not for delay. We have supported health information privacy legislation. We have supported other types of legislation when we think that that's the right response and when we think it's ready. We will support this legislation and the establishment of a commission in one of our upcoming editorials.
We will lay that out. And we'll address our view that this will not lead to delay, as Mr. Hutchinson indicated, obviously. And you folks know better than I do we're at the end of this Congress. It's going to be very, very difficult to get substantive privacy legislation through in this Congress. Obviously it takes time to organize a new Congress, and your bill does provide for interim reports as well, I'm sure, as other kinds of periodic reports to the Congress as necessary. We don't view it as delay. We view it as a very appropriate opportunity to think comprehensively about the privacy issue. And very briefly let me just say that we support the legislation, and we support the concept of a new privacy commission for three reasons. First of all, the activity with respect to privacy rights now is extraordinary. It is truly unprecedented. One example I think is dramatic. Last cycle, the 1999 cycle for State legislatures, we tracked over 7,000 privacy bills. That's one out of every five bills introduced in the State legislatures. Obviously there's intense regulatory activity at the State level behind that. There's intense activity here. We don't want to slow that down, but on the other hand we think that it's important to take a look at what that legislation is and what it will do, what the consequences and the unintended consequences are. Second, the underlying developments that are fueling the privacy debate are changing extraordinarily rapidly. The self-regulatory environment changes. The technology environment changes. I think if you would have asked folks in this room 3 years ago to define ``cookies,'' you would have gotten a definition that today we would snicker at and think is very, very naive. The international environment is changing and is uncertain. The business models that have fueled the privacy debate, affiliate sharing, personalization, these, too, are terms that I don't think you would have heard in public debate 3 or 4 years ago.
It's critical that we sort this out. Finally, third, although we've all worked very hard at privacy, and for many of us for a long time, there is an awful lot, in fact, we don't know. The Internet privacy threat is new, and the dimensions of that threat as well as the consequences of regulating the Internet have an enormous number of uncertainties. The public records debate is very important, and what impact on the marketplace and on public safety restrictions on public records could have in the name of privacy is critical. Obviously we don't yet know what the impact of the Children's On-Line Privacy Protection Act is going to be or the impact of Title V, the privacy provisions in last year's Gramm-Leach-Bliley bill. We don't even know--and certainly not in a careful sense--when opt-out and a robust notice makes sense versus when we ought to do opt-in. And if you look at the factors that have been the pivot points for the privacy legislation to date, sometimes it's subject matter such as in financial or medical legislation. Sometimes it's the source, such as legislation that would regulate access to motor vehicle records. Sometimes it's the use that is the key determinant, such as FCRA. Sometimes it's the type of consumer, such as COPPA. Sometimes it's the amalgamation such as the number of bills that would address amalgamating offline and on-line information. We still have debates about whether the U.S. traditional approach, a sector-by-sector approach, makes sense. We have debates about a privacy regulatory agency, and it's worth noting that while we have been having that debate, the FTC--and I used to be at the FTC, and one of my colleagues, of course, on the panel is a former Commissioner--the FTC has done a lot of good stuff, but the truth is they have emerged as the Nation's privacy regulatory agency. Maybe that's OK, but it's been done without a debate, without consideration.
Preemption remains an issue, and let me just close by saying we really are at a juncture in the road. It's going to change dramatically over the next few years. We need to figure out a way to protect privacy, but also make sure that we use personal information effectively for public safety, to deliver goods and services to consumers for research, to personalize the marketplace, which is going to be such an important economic stimulator so the stakes are high. Let's do it right, and I applaud the subcommittee, and I applaud the sponsors of the legislation and will continue to be supportive. Thank you.

Mr. Horn. Well, I thank you. You did a fine job of summary, and you did it under 6 minutes. So thank you.

[The prepared statement of Mr. Belair follows:]

Mr. Horn. Dr. Culnan.

Ms. Culnan. Thank you, Chairman Horn. Thank you for inviting me to testify. I also want to thank Representative Waxman for his interest in support of this issue, and to Representative Hutchinson for introducing the legislation. My name is Mary Culnan, and I'm a professor at Georgetown University, where I teach electronic commerce. I also bring additional background to this panel as I have served as a Commissioner on the President's Commission on Critical Infrastructure Protection, and I also finished just this week serving as a member of the FTC Advisory Committee on Access and Security. I also support the establishment of a privacy commission. Bob Belair did an excellent job of summarizing some of the issues that commend the establishment of such a commission. I don't think anyone could have foreseen in 1977 the changes that the personal computer and the Internet would bring in our work lives, our home lives and in the world in general today.
So I think it's time to revisit these issues on a broad, comprehensive scale, because most of our legislative efforts have been sectoral. I only want to address two primary concerns I do have about the legislation, and I raise some other issues in my written testimony. The first issue is that H.R. 4049 doesn't specify any criteria for the Commission to use in performing its evaluation, and I think this is a major shortcoming. Since the PPSC issued its report in 1977, fair information practices have emerged as a global standard for striking an appropriate balance between protecting individual privacy and allowing appropriate uses of information for a lot of the purposes that Bob Belair described. There is not consensus on how to implement fair information practices, but there is a consensus that they are global standards, and I believe the Commission's findings and recommendations should be based on the extent to which fair information practices have been implemented across the domains of the Commission's work. They should also be used as criteria to evaluate the current efforts that have been undertaken to protect privacy that are specified in the legislation both in the private sector, the Federal Government, and in the States. My second concern is that of a taxpayer, since I will be helping to fund the Commission. I think the legislation defines an ambitious agenda for the Commission. I have some concerns that the Commission will be able to complete its work in the time specified, given that it's required to hold so many hearings. I believe the number is 20. While public hearings are an important way to gather information and to make the Commission's work accessible to the public, many privacy issues are complex, and public hearings are not necessarily the most effective forum to sort these issues out in detail. When I served on the PCCIP, we held one half-day public hearing in each of five regions of the country. 
We also had meetings with business executives, academics, and government officials in each city. We held a number of conferences and workshops, and we were briefed by a wide range of individuals and organizations. Overall we had contacts with more than 6,000 associations, corporations, government agencies, and individuals. I think the Commission will need to use a variety of methods, including public hearings, for gathering information. Since the commissioners are going to be serving without pay, the legislation will need to better balance the time demands of serving on the Commission with the demands of the Commissioners' existing job responsibilities. They will be able to do much of their work electronically, but they will also need to meet in person to take testimony, for briefings and to deliberate. There should be at least one hearing in each region of the country, but given there is probably an upper limit on the amount of time people can devote, I think the Commission should decide what methods will best help make its members able to complete their work. And then finally I would like to second Representative Waxman's call about appointing people to the Commission who can work together and promote a consensus, because these issues are very difficult. It's very important that the Commission represent a range of expertise and perspectives. Otherwise its results will not be credible. But if the people--if it's a very fractious group, also they won't be able to work together to promote a consensus, and I think that's awfully important. So I want to thank you again for inviting me to testify, and I look forward to your questions.

Mr. Horn. Thank you very much. You did it all within 5 minutes. So thank you. I didn't know professors could speak in less than 50-minute modules. Since I am a professor, I have great difficulty with this committee. Thank you very much.

[The prepared statement of Ms.
Culnan follows:]

Mr. Horn. Now Ms. Varney, former Commissioner in the Federal Trade Commission.

Ms. Varney. Thank you, Mr. Chairman, Mr. Hutchinson, Mr. Waxman. Thank you very much for inviting me to testify this afternoon on H.R. 4049, the Privacy Commission Act. My name is Christine Varney. I'm currently a partner at Hogan & Hartson, and where I chair the Internet Practice Group, and I have served on the Federal Trade Commission from 1994 through 1997, I believe, and did extensive work on privacy while at the Commission. With your permission, I have submitted for the record extensive descriptions of fair information and privacy practices that can be used for future reference, but I would like to take a few minutes to discuss the bill. As you know, privacy is not a new issue. As I think you have heard from other panelists, here in the United States we have a long history of examining the rights of Americans to be free from unwanted and unwarranted intrusions, including the collection, use of personal information about them without their knowledge or consent. What is new, however, is that in the information age, the ease with which information about individuals can be gathered, aggregated, and disseminated is unparalleled. There are virtually no costs or meaningful economic barriers any longer to gathering extensive information about individuals and using it for any purpose whatsoever. This trend has not gone unnoticed by the American public. In survey after survey, Americans are regularly responding that privacy is their No. 1 concern on the Internet. However, this concern goes beyond the Internet. Although the Internet makes it easy to collect, aggregate and transfer information, privacy concerns don't stop in cyberspace.
As you know, there has been concern around the use of personal information and potential for abuse of that information for quite some time. Indeed, Congress has already enacted several laws that deal with or touch upon the use of personal information, including, to name just a few, the Fair Credit Reporting Act, the Children's On-Line Privacy Protection Act, the Financial Services Modernization Act, the Electronic Funds Transfer Act, the Electronic Communications Privacy Act, the Drivers Privacy Protection Act, the Telephone Consumer Protection Act, the Cable Communications Policy Act, the Video Privacy Protection Act, and I could go on. There are also a myriad of State law protections in place. What is missing, in my view, is a comprehensive and thoughtful review of the old and new laws and their effectiveness in the information age. Therefore, I wholeheartedly support the proposals in H.R. 4049 to create a privacy commission. I think Dr. Culnan has raised some serious concern about how to structure the Commission. Let me say a few more words about commissions, having been a Federal Trade Commissioner. As we have seen with other commissions, the work and the results of the Commission can be directly attributable to the composition of the Commission itself. Should this Commission be established, I would urge that all of those who have the ability to appoint Commissioners consider the commitment of a potential appointee to reach consensus as opposed to furthering an agenda. The issues are complex, and the solutions must be equally comprehensive. Those who have sat before you and talked about self-regulation as a failure and legislation as the answer, or self-regulation as a panacea and legislation as repugnant are, in my view, clearly missing the point.
The point in the information age has to be how can American consumers, whether they are consuming medical information and services, financial information and services, or other commercial information, protect themselves and their privacy desires? In some instances there will be technological solutions. In some instances there will be best practices, and in other instances there may be loopholes in existing law that need to be closed or absence of law altogether. Too often the privacy debate has been polarized between those who wish to prohibit the use of personal information for any and all purposes and those who wish to exploit the use of personal information for any and all purposes. Neither of these postures addresses the increasing concerns of Americans regarding protection of their personal privacy while allowing for its beneficial use. Neither of these positions, frankly, can bring a balanced, economically viable and societally appropriate conclusion to the privacy debate. Thus I would urge that this Commission be created, but that the goal of the Commission be clearly articulated as suggesting to the Congress a legal framework that balances both the economic benefits of the free flow of information with the rights of individuals to maintain their own preferred zones of privacy through whatever means makes sense in any given situation, be those means technological, legal or otherwise. What will not advance the protection of privacy in the information age is a deadlocked Commission with a faction opposed to any meaningful use of information and a faction opposed to any meaningful limits on the use of information. Thank you very much.

Mr. Horn. We thank you. That's a very helpful statement, and you're well within time.

[The prepared statement of Ms.
Varney follows:]

Mr. Horn. And now our next individual is Solveig Singleton, director of information studies for the CATO Institute. You might tell in a little description what the CATO Institute is.

Ms. Singleton. Sure, I will. Thank you, Mr. Chairman. I'm Solveig Singleton, director of information studies at the CATO Institute, which is a free market or libertarian think tank based in Washington, DC. My area of expertise includes the Internet and telecommunications regulation. My testimony today is intended to illustrate how a privacy commission as proposed in H.R. 4049 can be of help to Congress in understanding privacy in the big picture in this country. There are many privacy issues that come before Congress piecemeal, and Congress is well-adapted to hearings on specific topics like medical legislation or financial privacy and so on, but Congress rarely has the leisure to sit back and consider a comprehensive view of privacy overall across the economy. Let me talk now a little bit about one of the questions I think would be important for the Commission to consider. I think the Commission could play a vital part in increasing Congress' understanding of how the increased use of government databases, new surveillance techniques and so on ultimately will affect the relationship between the U.S. citizens and their government. Just in the past decade alone, we've had several new Federal databases created.
I'll just run down some of these quickly. There's a National Directory of New Hires intended to enforce child support orders, but, of course, everybody ends up in it, not just parents. There's a new employment database for the Workforce Investment Act, a national medical database with proposed unique health identifiers, and there's a National Center for Education Statistics. On top of that, there's been various proposals for monitoring and tracing citizens' activities such as FIDNET, Federal mandates for driver's licenses, and an employment eligibility confirmation pilot proposal from the Immigration and Naturalization Service. Now, each of these databases and each of these proposals comes along with good intentions, but the concern overall is that ultimately what we may see in this country is the right to work, the right to travel, the right to seek medical attention, the right perhaps to consult a lawyer in confidence, that these things are gradually transformed into privileges that are enjoyed only by those people who have their paperwork in order. And most Americans, I think, have better things to do than wanting to be thinking about whether their paperwork is in order all the time. People lose things, mistakes are made by clerks and so on. So I think a privacy commission would be ideally situated to look at these developments in the big picture. Second, I think a commission could add substantially to Congress's understanding of the use of information about consumers by private sector businesses. Now, those of you who have heard me testify on Internet privacy will know I think many concerns about business use information are overstated. I basically think private businesses, they are either going to sell you something or not sell you something. I think that when it's a legitimate business that consumers need to be protected from, that the need for protection for consumers is fairly limited. 
But nevertheless, new technology makes people uneasy, and there's a danger that Congress will face tremendous pressure to move forward on privacy before they entirely understand the economic consequences of regulation. In particular there's been a lot of opinion, including my own, brought forward in testimony, but very little actual factual information about the way information is used in the economy, what it means to businesses in terms of keeping costs down, what it means to consumers in terms of getting information about new products, new businesses, new services, and in particular there's little hard information about the impact of privacy regulation on small businesses including Websites, startups of any kind, charities and grass-roots political groups, many of whom trade actively in lists of information about donors or subscribers in order to get their foot in the door of civil society. Third, a really critical issue, and where there is a real danger to consumers, is in the area of fraud and identity theft. There's some serious questions that need to be asked about the best approach to fraud and security issues. Is it to have less information circulating through the economy as a whole, or is it, in fact, to have more information about people of a kind that is easier to verify, such as digital signatures? In some cases the use of biometric identifiers like fingerprints might be appropriate. And finally, I think the most important question of all is how can law enforcement be more effective in enforcing existing laws against fraud and identity theft? A lot of these questions may be enforcement questions rather than questions of new laws or new policies being needed. So to conclude and second the comments of some of the other panelists, I note that I think the proper role of the Commission would be to provide balanced and objective analysis and scholarship to fill gaps in our understanding of the complexities of privacy. 
I think in particular it might be valuable to have the Commission have the authority to contract with a group--a reputable group, an independent group of economists to come up with something like a cost-benefit analysis of different types of proposed regulation. With that I conclude.

Mr. Horn. We thank you. Those are some very helpful suggestions.

[The prepared statement of Ms. Singleton follows:]

Mr. Horn. Mr. Ron Plesser is legislative counsel to the 1977 Privacy Commission. Mr. Plesser.

Mr. Plesser. I think I was general counsel, but ``was'' rather than ``is.'' Good afternoon, Mr. Chairman, members of the committee, and thank you very much for the opportunity to appear before your subcommittee as it examines the creation of a commission for the study of privacy protection. My name is Ronald Plesser, and I'm partner in the law firm of Piper Marbury Rudnick & Wolfe, and I chair their Electronic Commerce and Privacy Group. I served as general counsel for the Privacy Protection Study Commission for the entire life of the Commission from 1975 to 1977, and most recently I've served along with Mary Culnan on the Federal Trade Commission's Advisory Committee on Online Access and Security. I'm pleased to appear before you today to share my experiences as a staff member of the first and only Privacy Commission and to comment on H.R. 4049 and the potential establishment of a new privacy commission. Created by the Privacy Act of 1974, the Privacy Protection Study Commission was directed by Congress to make a study of, quote--study of the data banks, automatic data processing programs, and information systems of governmental, regional, and private organizations in order to determine the standards and procedures in force for the protection of personal information.
The Commission also sought to examine the balances between legitimate and at times competing interests of the individual, the information system and society in general. I would like to point out, as I think others have, that we issued our report in 1977, which actually was the first year that the personal computer was commercially available. So there's obviously been a world of development and shift since then, but I think their basic principles may have stayed more the same than we could have imagined. The Commission recommended ways of providing additional protection for the privacy of individuals while meeting society's legitimate need for information. The Commission based its recommendations on the conclusion that effective privacy protection must have three concurrent objectives: one, minimize intrusiveness in the lives of individuals, and this relates really to a large extent to government issues; maximize fairness in institutional decisions made about individuals--this is the famous fair information practice principles; and provide individuals with legitimate, enforceable expectations of confidentiality. One of the critical findings of this report was that privacy needs to be addressed on sector-specific basis, given that there are different concerns raised by different information systems. The Commission felt that the historic development of privacy protection as well as the then current realities required that each be dealt with separately. The Commission explicitly rejected a proposal for an omnibus privacy statute establishing government authority to regulate the flow of all personal information. 
This rejection was based on several considerations, including the danger of government control over the flow of both public and private information, the greater influence on the private sector than the public sector of economic incentives that encourage voluntary compliance with principles, and three, the difficulty of legislating a single standard for widely varying recordkeeping practices in the private sector. I would like to highlight a few areas of the particular bill you're looking at that I believe could pose obstacles to the effective service of a commission based on my practical experience. First, the Commission envisioned by the bill is comprised of too many members. It was critical that there were seven members of the Commission as compared to the 17 recommended by H.R. 4049. Broad representation of various interests on the Commission is an important goal. However, for management reasons and to enable group consensus, it is important that the Commission be limited to a smaller number. The second point, the Commission's effort needs to be sufficiently funded to allow for careful, balanced investigation. H.R. 4049 allocates $2.5 million in the year 2000, and you may be interested to know that that's exactly the same amount of money that the Privacy Commission got in 1974, and while we, I think, felt that was a fully sufficient amount of money back in 1974, we had 60-some-odd days of hearings and other stuff. I think that amount is woefully inadequate for an adequate study today. I've hit my time, and I wondered if I could have just another minute to say that I think there are competing reasons for and against the Privacy Commission. On one hand, I agree with what everyone has said about the complexity of the issue and that it needs additional study. Whether that initial study has to be done by a new independent commission, or it can be done by existing authorities I think is an issue. 
I'm also concerned--I was very involved with the Children's Online Privacy Protection Act representing several clients, and I think we came out with a very balanced piece of legislation that was supported by government, public interest groups, the private sector and, of course, Congress. I wonder if we could have developed something as carefully tuned and balanced as a result of a commission process, or if it worked just as well by having inquiry by Congress without having the added kind of exposure and publicity that would be involved in a commission. I think there are positions on both sides of it. I certainly support Christine Varney's point of view on the need to have a commission, but I think we should look at it very carefully as we go forward. Thank you.

Mr. Horn. Thank you very much. Those are very helpful suggestions.

[The prepared statement of Mr. Plesser follows:]

Mr. Horn. Our last witness on this panel is Stanley Sokul, member of the Advisory Commission on Electronic Commerce. Why don't you tell us a little bit about that advisory commission.

Mr. Sokul. Thank you. Thank you for inviting me to testify today. As you noted, I served as a member of the Advisory Commission on Electronic Commerce, which studied the issues surrounding Internet taxation. We issued our report on April 12, and our tenure expired on April 21. I'm here primarily to urge you not to neglect the privacy implications of Internet taxation, but would also like to offer some suggestions on a potential privacy commission based on my Tax Commission experience. If a commission on privacy is created, I hope the subcommittee will consider an issue that the Tax Commission uncovered but did not resolve.
In order for States to effectively collect taxes on Internet sales transactions, the sales need to be identified on an individual basis. Such government tracking of consumers' Internet purchases could have significant privacy ramifications. The most striking example involves the types of privacy invasions that would have to occur for States to track and tax the purchase of digital goods. The Internet privacy debate generally focuses on the activities of private entities, how companies compile on-line purchase information and even track Web surfing for commercial purposes. The debate revolves around the nature and extent of consumer access to and control over the collection and use of such information; for example, should an opt-in or opt-out requirement be imposed on Internet data gathering and sharing. In contrast, imposing a national system to collect State sales taxes raises the specter of the government tracking individual purchase information. In this environment, the consumers would have no control. The only way for consumers to opt out of the government tracking their purchase activity would be to forego the Internet purchase altogether. During the Tax Commission process, the State and local organizations proposed a Streamlined Sales Tax System for the 21st century. This system would insert a new layer of requirements into electronic sales transactions, a national clearinghouse or database, to track Internet purchases so the proper tax could be calculated, levied, and remitted to the proper jurisdiction. This proposal raised some significant privacy concerns, and ultimately the States stopped advocating the system as a solution, at least before our Commission. The effects a new Internet sales tax collection regime would have on consumer privacy and thus Internet commerce remain unexplored. 
Confronted with many concerns but few details, the Tax Commission adopted a resolution I authored to recommend that Congress study the privacy implications of Internet taxation very carefully. It was one of the few items that attained a two-thirds supermajority vote to constitute a formal recommendation to Congress. We recommended that Congress explore privacy issues involved in the collection and administration of taxes on e-commerce, with special attention given to the repercussions and impact that any new system of revenue collection may have upon U.S. citizens. Accordingly, because the Privacy Commission may be a key vehicle through which Congress explores Internet privacy issues, I would urge that the privacy implications of Internet taxation be added to the Commission's agenda. Finally, I would like to comment briefly on two problems that the Tax Commission confronted. First, our Commission lost nearly half of its 18-month tenure due to an appointment controversy. The statute required equal representation from State and local interests and business interests and gave the House and Senate leaders a fixed number of appointments. When all the appointments were announced, a statutory balance had not been achieved, and the imbalance took 8 months to sort out. H.R. 4049 as presently written provides leadership with specific appointments, but does not specify that certain interests must be represented on the Commission. If the subcommittee ultimately decides to list different interests that should be represented, I would suggest that you carefully account for what will occur if the initial round of appointments fails to fulfill the representational requirements. Second, the Tax Commission operated under a two-thirds supermajority requirement to report findings and recommendations to Congress. H.R. 4049 presently contains only a simple majority requirement. I would urge you to consider a supermajority provision. 
While the Tax Commission did not ultimately achieve a two-thirds result for the bulk of its report, and that failure created some controversy, I believe still that the requirement created a healthy dynamic within the Commission that encouraged the opposing interests to work together. However, if you institute a supermajority provision, the statute must be clear that a lack of one does not negate the need to file a report. Thank you again for the opportunity to testify, and I'll be happy to answer any questions. Mr. Horn. Well, thank you. [The prepared statement of Mr. Sokul follows:] Mr. Horn. And we will now go to questions, and we'll start with--we're going to do it 5 minutes each side, everybody, so we all get into this and rotate it a few times. So I'm going to yield my time to the gentleman from Arkansas Mr. Hutchinson, 5 minutes. Mr. Hutchinson. Thank you, Mr. Chairman. I want to thank each of the witnesses. That was outstanding testimony, very thoughtful, and with your background and expertise, I think it is very helpful to the committee. First, Mr. Belair, I don't think you recounted a little bit of your background on privacy. Could you do that for the committee? I know it's in your written material, but could you elaborate? Mr. Belair. I'm happy to do it. I'm editor, along with Alan Westin, which--of Privacy & American Business, which is a not-for-profit, privacy-friendly, business-sensitive publication. I also have a privacy consulting firm with Alan Westin, and I'm partner in a law firm, Mullenholz, Brimsek & Belair, and my practice there is all privacy-related. I was deputy general counsel of the White House Privacy Committee in the Ford administration. 
I said that the other night at the supper table, and one of my teenagers said, the Ford administration, God, you're old, and I guess that's probably right. I've also been the general counsel of the National Commission on the Confidentiality of Health Records and represented a number of other both public sector and private organizations. Mr. Hutchinson. I think that's extraordinary background, and your testimony was that you supported the Privacy Commission creation. Mr. Belair. That's correct. I think it's--I not only support it, I think it's really just the right thing at the right time. I think it's critical. Mr. Hutchinson. Dr. Culnan, you have raised some good points. I thank you for your support for the legislation as well, but you raised the concern about balancing the Commission, and you heard the comments from our last witness. Could you help us here as to what your suggestion is on how to balance the Commission? Let me tell you, first of all, some of the thinking in this that, one, it should be balanced. It's very important, and we want to get people who are open-minded and can promote a consensus. The option is, you know, to specify who all should belong to it or leave it to the political process, the people who are appointing, that you are going to pressure them, we are going to pressure them to appoint balanced people. I am open to any suggestions, but that was the thinking. Ms. Culnan. I think I would be against sort of a rigid set of standards saying you have to have X number of people that represent a certain point of view, but there might be a statement in the legislation that encourages or advises, I believe, the different people who are appointing Commissioners to consider diversity of perspectives in terms of doing that. 
One reason is because if it turns out the entire Commission is tilted toward a particular point of view, it will not have a lot of credibility, and there will be a lot of fighting and yelling about the kind of things that go on when you don't have multiple views reflected. I also want to second Mr. Sokul's point about the appointment process. The commission I was on, a lot of people got tangled up in the appointment process, and I think that can do great detriment to the Commission if people don't get appointed quickly and get brought on board and the Commission gets off and running. We had to have half private sector and half Federal Government commissioners, and it took quite a while to locate the private sector people who were willing to serve. Mr. Hutchinson. It shouldn't be as problematic if you do not specify all of the backgrounds necessary. I agree with you, and we've already half drafted some language that would talk about the broad interests that should be represented on it and the diversity of opinion reflected. I know I've raised--Ms. Varney, do you have any comment on this, and I also wanted to ask you specifically about your goal--or your statement that the goals of the Commission should be clearly articulated. Help me out here, again. The written copy I have did not elaborate all the things that you said so well. Ms. Varney. Well, I can give you this as well. I guess my concern, Congressman, is that the privacy debate has generally been very polarized. There are a lot of thoughtful people, including people that you've heard from today and yesterday and will be hearing from, who really are looking for a balance. What I would hate to see in the Privacy Commission is this division, this continued polarization. 
So if I could put my desires in writing in a preamble, it would be to really give the Commission guidance that its goal is to recommend to the Congress a comprehensive approach to privacy that balances the economic benefits of the free flow of information with the need for citizens to be able to protect their own personal privacy preferences. Mr. Hutchinson. You think that language would be sufficiently instructive to the Commission? Ms. Varney. I think it would help, because I think what we have seen in the privacy debate, this sort of view--a very stark view that either the use of information without very aggressive, very explicit consumer or patient or individual written affirmations and consents ought to be prohibited, and on the other side we've seen this view that all information flow in the commercial arena has some benefit, and therefore, anything that inhibits it is bad. That has really, in the short time I've been doing this compared with my colleagues--I only started dealing with this in 1994--that has really driven much of the debate. You don't find a lot of balance. Mr. Hutchinson. My time has expired. Thank you, Mr. Chairman. Thank you. Mr. Horn. We thank you. Now I yield to the ranking member on the subcommittee who I believe will yield to the ranking member on the full committee. Mr. Turner. Thank you, Mr. Chairman. As you know, Mr. Waxman, our ranking committee member is here with us. Mr. Waxman has taken a great deal of interest in the subject of privacy, particularly in his work to try to establish protection of health information for all Americans, and I want to yield to him or ask the Chair to yield to him for the beginning of our round of questioning. Mr. Horn. You can yield to him. Go ahead. Mr. Turner. Mr. Waxman. Mr. Waxman. I thank both of you for allowing me to question the panel. I want to thank the members of the panel for your testimony. Mr. Plesser, let me start with you. 
You testified that you think 17 Commissioners is too great a number for reaching consensus. Do you have any recommendations on what would be an appropriate number of Commissioners to have and how to ensure that appropriate stakeholders are represented? Mr. Plesser. I was looking at it from the perspective of staff working with diversity. You have to understand that unlike a congressional committee, those members would not have their individual staffs. So all of the kind of briefing, just the mechanics of briefing and working with people to get them up to speed, to make the decisions to have 17 is quite a lot. I would think that single digit, 7, 8, 9, you have to decide the odd-even issue, but I would think something under 10. I think the question of balance, frankly, being on the FTC Advisory Committee, I think you've got to go to 40, probably to the size that that went to, to make sure you had somebody from every sector, and even in that advisory committee that was 40, I think there probably were some people and some interests that felt that they weren't represented. I think you really have to do what Christine has suggested, which is try to get some very well-balanced, centered people in the group, whether or not--you don't maybe try to get somebody from the consumer group and the business group and this group, but get people--certainly some academics, some people who have been thoughtful on the issue, and I think more kind of representatives more like we expect our Congress people to exercise good judgment rather than come from a specific point of view. But I think if you try to do 17, I just think we also--let's stay and talk about what happened at the Internet Tax Commission, but I think that when you have that large a commission representing specific points of view, it's going to deadlock, particularly in the situation where there's a supermajority vote. 
I agree with Stan, I think supermajority is good, but 17--I'm a lawyer, but a lot of what I do is run coalitions, and 17 is a lot of people to get a good result with. Mr. Waxman. I noticed other members of the panel are shaking their head in the affirmative, so they seem to agree with you about the size. Let me ask you about the resources for such a commission. Dr. Willis Ware served as vice chair of the 1975-77 Privacy Protection Study Commission for which you were general counsel; stated in written testimony to the subcommittee that the Commission spent over $2 million, but just the effects of inflation over 25 years would make a realistic funding more like $4 to $5 million. You mentioned in your testimony the importance of ensuring that the Commission would be provided sufficient resources. What do you think would be appropriate to meet the needs of a proposed privacy---- Mr. Plesser. I'm totally unfamiliar with the current policies of GSA and how much space costs. That was an issue that shocked us, frankly, back in 1974 where a good part of our budget had to go to rent. I think the overhead issues like that I don't think any of us really think about. I think we had to rent furniture or had some furniture charge. The government was very helpful in that we got a lot of people from different parts, HHS, HEW back in those days. We got a lot of loaners, and that helped us expand and encouraged the Commission to have loan personnel from certainly on medical records, to have some HHS people and stuff like that is very helpful and critical to the Commission. I always agree with Dr. Ware, and so if he says $4 to $5 million, that sounds right, but I think my point is that there has to be some really serious fact-finding, some balanced hearings, an opportunity, as Mary suggested, for a lot of people to input. 
I want a smaller number of Commissioners, but I sure want it to have maximum outreach, and I think if you keep the funding down too low, which gets a lot of press releases and not a lot of careful investigations, I think you're either in it or not, but I think it would be difficult to cheap out. I agree with Willis that 1974 and the year 2000, to fund something at the same level is not realistic on inflation. Mr. Waxman. My time is up. I had other questions, but we'll get that to another round. Mr. Horn. You may ask one more question. Mr. Waxman. Let me ask Dr. Culnan what her thoughts are about the sufficient resources to meet the mandates of this bill, and what do you think we need to do to attract the high caliber of personnel--not personnel to work on it, but the members who actually serve on a commission? Ms. Culnan. The issue is can people balance--they must feel committed to serving on such a commission. Certainly if I were invited, I would make every effort to serve because it would be a tremendous honor to be asked. People need to feel, I think, that it's going to be an important, substantive commission that is going to yield a report that people are going to listen to; that it will be of the same stature as the 1977 report. That is an evergreen report. People still read and refer to that today 23 years later even though the technology is very different. I also agree with Ron Plesser about appointing people who themselves represent balanced interests, which is probably a good way to deal with the diversity issue, as opposed to having people that have their feet planted in a particular point of view and are likely to dig in. Mr. Waxman. Also people who are not going to give up their day jobs, because they are not going to be paid to serve on this. Is that going to be a problem for some of the people? Ms. Culnan. It may be a problem depending on the time constraints. 
If the 20-hearing rule is still in effect, and the Commissioners are supposed to fly around the country, that's going to take an enormous amount of time, and people will be probably giving up 1 or 2 weeks a month of their time to do this, let alone they also need to meet face to face to deliberate. They do need to have a chance to absorb testimony and information from a wide variety of experts and point of views and should use whatever is the best way is to do this. I would also say even if you were to pay people, it's very difficult to find people who can take 18 months off from their job, people who are willing to step off the fast track, and so I don't think that would necessarily be the solution either. Mr. Waxman. Thank you. Thank you, Mr. Chairman. Mr. Horn. We'll go to 6 minutes now for everybody. Dr. Culnan, I'm curious. In your testimony you bring up the fact that there are few laws that protect personal information on Web databases. In your studies of the fourth amendment, what type of legislation do you think is needed for the Web databases? Ms. Culnan. I have not studied this yet, but it--people have raised this as an emerging issue in the future that we need to look to. One of the issues I raised in my testimony is that we be sure not to try to understand what may happen in the future by looking in the rear-view mirror, and cited the issues related to balancing national security interests versus civil liberties in the area of protecting critical infrastructures and the issues that when people put their personal information in a database that's not stored on their personal computer, but is on somebody else's server, that is raising new issues that haven't been addressed, and hopefully the Commission would look to some of these future and emerging issues as well as the issues we're grappling with today. Mr. Horn. Do you or any of the other presenters know people that are working on the fourth amendment issue? Ms. Culnan. 
The Center for Democracy and Technology is very interested in this issue, and they are the ones who have brought it to my attention. Mr. Horn. Let me move now to Mr. Belair. I've had an interest in the European situation for a number of years. I've been on the delegation of the Congress to the European Parliament, and we went over there just at the time when the Parliament had asked all the member countries to develop a privacy law. And the ones in the Polish Government had worked with us over here, and I'm sure they worked with some of you because they are very interested in what Americans develop in this area. And I was just curious what you feel, Mr. Belair, as to the impact of those policies on commerce, be it an American going to Europe or Europe going to America. I know they have got a moratorium on it for a while, but some of them in draft seem to be fairly rigid. And I had suggested, because we happened to be visiting with the President and Prime Minister of France and Poland, I suggested that they put together a commission, in the case of Poland, of Polish companies that operate with subsidiaries in the United States and then same with America and American companies that operate in Poland; same with the President of France. They thought that was a fairly good idea to get some feeling as to what this really means when you have to relate it to industrial data moving across the Atlantic, and I wondered what you could educate us on, and do you feel that's a real problem? Will it become simply a nontariff trade barrier, for example? Mr. Belair. Certainly has that potential. As you know, the Department of Commerce has been at work with the EU to agree on safe harbor accords, and they are close. Of course, they've been close now for many, many months. Assuming that safe harbor is negotiated, then I think we'll see some fascinating impacts here as companies have a limited amount of time to decide whether they are going to subscribe to those safe harbor accords. 
One of the things that the safe harbor accords do is bust through the sectorial industry-by-industry approach that we have always had and apply fairly generic privacy rules across the whole range of personal information. That's No. 1. No. 2, are we going to see a bifurcation where we've got some data that is subject to the safe harbor accords, namely data that's moved over from Europe, and then a second set of data that's domestic data that doesn't enjoy that kind of protection, or are we going to end up, as many of us think, with one approach, a global approach really, dictated to us by the Europeans? Third, and then I'll stop, although obviously it's a topic that we could talk about for a long time, and that is that the Europeans clearly have not thought through what the impact is of the application of their rules in an on-line environment. They would argue, for example, that even a United States citizen who happens to be in France on a business trip and then pulls up on his screen a United States Web site and engages in some kind of a transaction that generates personal information, that information is subject not to United States law, but that's subject to the EU directive and, in this example I've just given, the French national law. So it certainly does hold the potential for having an adverse impact on trade. I think--it's one of the things--the reason I mentioned it is I think it still remains to be seen how that sorts out. Mr. Horn. I know there are scholars at the Brookings Institution that are working on this. Do you know where scholars are providing some initiative and some analysis of these different policies that are evolving in legislative committees in Europe? What's the best shot we can get from people in that area? Mr. Belair. I think you're right, there's an awful lot of work and an awful lot of focus for a lot of groups back here and a lot of groups over there. 
Privacy & American Business, just to do a commercial since the segue is there, has a Web site, PrivacyExchange.org, and on that Web site is all of the latest information about the EU directive, about the national laws, about other national privacy laws, about the safe harbor accords, and we update that almost on a daily basis. Mr. Horn. Mr. Belair, is there a negative effect on the future legislation with regard to public records and with respect to the Freedom of Information Act among others and the Electronic Freedom of Information Act? And we asked that yesterday, and I'm just curious if any of you have feelings on that, but we'll start at this end. Mr. Belair. I do. I think the public records debate, which, as you know, the Vice President announced a couple of summers ago that he was going to lead, is an extraordinarily important public discussion. Personal information is available in public record repositories for a reason, public safety reasons, reasons that have to do with the operation of governmental agencies, the fairness involved in giving individuals who have availed themselves of governmental resources for a license for some other kind of a benefit or a status, letting their fellow citizens see who they are and what kinds of resources they are using. There are a lot of very important public purposes that are served by access to public records. Now that these records increasingly are automated and are commercially available, we're faced with a decision that we weren't faced with 10 years ago, and that is do we really mean that we want this information to be fully and effectively and conveniently public. The answer is--surely isn't to throw it out and close down the records as we started to do with motor vehicle information. 
The answer is the kind of balance we've been talking about on this panel, figuring out, and I would hope your Commission--I hope the Commission would tackle this--figuring out what are the public values served by the access and what kinds of privacy threats are incurred and then striking a balance. Mr. Horn. Dr. Culnan, you agree with that statement? Ms. Culnan. In part. I think the public record issue is one of the really difficult ones that merits an expansive public conversation. The Internet has really changed the way public records are now accessible to anyone for any purpose. I worked on the Drivers Privacy Protection Act, Mr. Moran's bill, in the House and testified at the Judiciary hearings on that bill before it was passed. I think the issue that concerns people is not that their information is used for the purpose for which it was provided, to drive a car, to register a car, to get a license to be in a profession, or to fish or whatever, it's that the information is available to anybody for any purpose, and in privacy, a distinction is made between compatible and incompatible uses of information or between the reason the information was collected versus secondary uses, and I think the issue is how do you make the information available for the purposes for which it was collected, be they public service or public safety or other types of important reasons and not allow them to be used for marketing and people looking up other people's information out of curiosity, which really has nothing to do with why the information was collected, and which is the source of the privacy concerns. Mr. Horn. Ms. Varney, do you agree with that? Ms. Varney. I agree with Dr. Culnan, but I'd modify her last point where she said not allow the information to be used for other purposes. I would say not allow the information to be used for other purposes without consent. Ms. Culnan. I would modify my statement to agree with that. Choice. Mr. Horn. 
Explain that a little more, because you talk pretty fast, so let's slow it down and tell us what is your real wording here. Ms. Varney. My real wording is I do agree with what Dr. Culnan said as she has now modified it. The balance between the use of the information for purposes that it was provided and intended to be used for and other uses, and I don't think that we want to put a blanket prohibition on other uses. I think we need to look at what are the other uses and what is the correct level of choice that an individual needs to be able to exercise over what may be called unrelated or incompatible uses. When you go--I don't know if you ever used this example, Mary, but when you go and get your driver's license, and you're 5-foot-4, and you put your weight in, and all of a sudden if you weigh a fair amount, you may be getting mailers from the Large and Heavy Dress Shop. That's not why I gave my weight information for the Drivers Protection Act. However, I might consent to the use of information if I'm 4-foot-10 because I like to get catalogues for petite clothes. They are hard to find. So I think what you have to do, Mr. Chairman, is continue to weigh in this debate what are the reasonable expectations of the consumer, what are the economic benefits, and what are the economic costs, and where do you--where can you empower consumers to make their own choices and where can't you. And the where can't you is where law needs to come in. Mr. Horn. Your dilemma would make a good Cathy strip. Ms. Singleton, what would you add to this? Ms. Singleton. I'd question again the idea that marketing uses should be presumed to be illegitimate. I think you have a lot of existing businesses that are currently using public records as a part of making goods and services available to consumers, and it's particularly important for companies offering financial services. Risk assessment is a large part of their business, and they need information to do that effectively. 
What I would suggest is an alternative approach to the public records problem, which is to focus on it as a security issue, and that is to figure out ways to make sure that the information can be in the hands of legitimate users whether it's a business, trying to sell a product, or somebody looking for their lost child or something like that, and yet keep it out of the hands of people who will use it to do really serious harm, such as stalkers and so on. Mr. Horn. Mr. Plesser, how about you? Mr. Plesser. I think I would go back to agreeing with Mr. Belair, and just to reinforce that, I think there are public record systems whose very purpose of collection is disclosure. Real estate records have been collected by counties in the United States since the beginning of government for the purpose of disclosing ownership and who owns what, and it's been very critical in the Midwest and other areas. People are concerned about false ownership or use of nominees and all of that stuff, environmental issues. I don't think we can question each use. Where the system of records was collected for the purpose of disclosure with UCC filings, real estate filings, things like that, I think it is critical to have those remain open to the public. If they are now more efficiently distributed, then that's the society that we live in. I think to restrict them to say that you can only use--only licensed real estate agents can get real estate records would really be a travesty and would really potentially start to allow for some of the record control issues that we don't like. And one of the reasons why we've rejected the European system is because we don't want that kind of oppressive government control. And if government records are not open, even ones that have individual records, I think it would really threaten the concept of the freedom of information that you, Mr. 
Horn, have been very effective in the last number of years in protecting in electronic format, and I would urge you to continue to do that. Mr. Horn. Mr. Sokul, last response to this question, and then we'll escalate to 12-minute rounds. Mr. Sokul. I just have a brief comment. My concern is more along the lines--goes more toward the collection of new information and in particular for tax purposes. I think that privacy is going to be the sleeping giant and probably the ultimate Achilles heel of what the States want to do in the Internet tax arena. There is also a balance that comes into play in terms of invasiveness and intrusiveness and what the country will count for its tax collection. Mr. Horn. I thank you all for answering that question. It will be very helpful to us in a report to the full committee. I now yield 13 minutes to the gentleman from Texas Mr. Turner. Mr. Turner. Thank you, Mr. Chairman. I want to revisit this subject of the comp decision of the Commission. I have cosponsored this bill because I feel that we have an issue on our hands that is of such importance and is changing so rapidly that the American people need to have discourse and dialog about it. And this Commission is one way to generate that kind of discussion, but I do think it's important to think about who would serve on this Commission. I noticed, Ms. Singleton, in your statement you said that we should write specific membership requirements into the bill in order to avoid what you call the usual suspects with an agenda as Commission members. I might ask you to tell us what you meant when you said that the usual suspects, and then perhaps offer to us the type of individuals that perhaps should serve on this Commission. You seem to emphasize the importance of fact-finding, even suggesting that perhaps the members of the Commission should not suggest policy or make policy suggestions, but rather be more fact-finders. 
I think there had been uniform agreement--I saw the heads nodding a minute ago--17 might be too many, but if we're going to have a discussion like this, we need all the stakeholders at the table. Perhaps we could start with you, Ms. Singleton, and respond to my question and then offer your suggestions on what the Commission should look like, what type of individuals, what background, and then I'll ask all the rest of you, and maybe we can get a nice long list of the type of people who need to be at the table. Ms. Singleton. I don't have some of the same experiences that some of my fellow panelists do with actually being on a commission. Let me try to clarify, first of all, what I said in my written statement. I think the emphasis of the Commission should be rather than replicating a lot of the testimony that has already been generated in privacy debates and privacy legislation, should be to focus on things that are unknowns, that there's very little information about already. And I think in particular it would be very beneficial to have a lot of hard economic information there about, for example, the way small businesses use information, the way nonprofits use information, that kind of information. And so I think from my standpoint, it would be very important to have one or two economists represented on the Commission; I mean actual full-bore professional economists, not lawyers who have clerked for judges who were economists. Perhaps when I talk about the usual suspects on the panel, I'm excluding myself more than anything because I'm not an economist. Mr. Turner. You're talking about lawyers as the usual suspects? Ms. Singleton. That would be me, yeah. Mr. Turner. One or two economists. So obviously the collection of the economic data you're talking about could be done by staff, but you think we need someone with a background in economics to be able to interpret it? Ms. Singleton. Yes. I think that would be very helpful. 
I think it's unreasonable that the Commission itself would actually do the economic study. I think it would be more likely that they would contract out with an independent firm that does that kind of thing as a matter of course. Mr. Turner. Let me just go down the panel because I'd like to have your suggestions on what kind of individual, what background an individual should have, what training and also to think in terms of the broad range of individuals that should be heard from if we expect to have a full dialog on this issue. Let's start with Mr. Belair. Mr. Belair. I think you're wise to go back to it. I think it's a key issue, and it's a hard issue. I could probably answer it better in terms of who shouldn't be on there. I had the experience of being the reporter for the National Conference of Commissioners on Uniform State Laws on their health information privacy bill, and they pride themselves on bringing to the table smart people who know nothing about the area, who come at it absolutely clean. I can tell you that that didn't work in the privacy area, and it seems to me with an 18- month run here and a huge agenda, it won't work. I've also had the experience recently of chairing an effort to bring together experts on criminal justice privacy, and we brought folks to the table with real agendas, real stakeholders. The discussion was terrific, but we ended up of necessity having to make the recommendations very generic and very vanilla because we simply couldn't reach a consensus otherwise. I guess I wouldn't bring to the Commission table folks who come really locked into a particular agenda or point of view because then you're obligated to bring in their opposite numbers, and there's no way you're ever going to get any kind of a consensus. 
I think probably Solveig has got the right idea, bring people who have got some understanding and background with privacy with particular areas of expertise, economics, law, and we can all think of some other areas that would be important to have there. Ms. Culnan. I would agree that in the interest of getting the Commission up and running quickly, it's important to have people who are familiar with the privacy issue and have thought about it and been involved in some of the previous discussions about this. I think you should strive to bring people in who are independent and open-minded to the extent that they can be, and I would also argue in favor of selecting people that represent different areas of subject expertise. And in particular somebody with a technology background would be very important because the technology is changing so quickly. It would probably be useful to have someone who understands the law, but you don't necessarily have to have a lawyer. Ms. Varney. I would agree entirely. Seven to nine Commissioners who are viewed as independent and not beholding to any particular commercial or advocacy interest, with particular subject matter expertise in economics, technology, law, finance, and health information. Mr. Plesser. I brought with me a relic, which is the report of the Privacy Protection Study Commission that we issued in 1977, and I looked at the front page, and it occurred to me that it might be helpful for this conversation for me to just give you a quick rundown of what the backgrounds of the members of the Commission back then were, because I think it really did--whatever people say of the Privacy Commission, I think it worked. People got together, they got along, and I think there was consensus. David Linowes was the chairman of the Commission. He was a very experienced CPA, brought to the discussion a lot of expertise and that was very important. He was also a professor and a businessman. Dr. 
Willis Ware, who was vicechair, was mentioned before, was probably the leading technologist at the time. He was an expert for Moran Corp. and was considered, I think, the leading computer scientist in the United States at the time. Certainly I would say what Christine said about the importance of having really a world-class technologist. He was that. William O. Bailey was the president of Aetna, major businessman, CEO, major responsibilities, who did spend a week a month or--the requirement. Then we had Barry Goldwater, Jr., and Ed Koch, two Congressmen who were very committed to the issue, and I see my friend Ed Markey behind me, and the parallels remind me. But the issue of having two Congressmen actually were effective. They really brought a real sense of reality and realism. I'm not suggesting that that necessarily be done, but I think they were very effective members. And there was Robert Hennason, and this is an important category. He was a State Senator, and so we had the input, and he had actually worked on Minnesota privacy code, so we had the experience of somebody who really had worked with and understood State problems. And then finally we had William Dickinson, who was a retired editor of the Philadelphia Inquirer, and it was critical, I think very helpful, to have somebody with that kind of a free press, open communication background. So there was a balance in here from kind of professions and general point of views. There was nobody, with the exception of maybe Mr. Bailey, that you could say was an industry rep or an anti-industry rep. Everybody else brought to it, I think, a balance of professions, and I would suggest that the idea of having a technologist, a journalist, an accountant, those are all very important aspects. Mr. Turner. Do you recall, Mr. Plesser, when the statute that created that Commission in 1977, did they specify the type of individuals that should serve, or did it just work out? Mr. Plesser. I don't think so. 
It specified that three from the executive branch, two from the House, and two from the Senate. I don't recall if it required a specific qualification of specific members like Stan's committee. I think it did say that there should be a balance of interests, and I think people--there was really no controversy, and I can tell you that this group functioned extremely well. There was really no--there was disagreement on policy issues, but it really was a group, including Mr. Bailey at the time, who was kind of a business representative, really worked hard to do the right thing. Mr. Turner. Mr. Sokul, what's your suggestions on membership? Mr. Sokul. Our Commission had 19 members, and that was unwieldy. I remember the first meeting the whole morning was just opening statements. But I think---- Mr. Horn. I might say that's a disease that also happens in the Congress. Mr. Sokul. I think that with your appointment process, when you're having different people appoint different--a certain number of appointments, it's going to be hard--unless you legislate an individual person in, you're always going to be rolling the dice. It's going to be very difficult to obtain the balance or the perfection you want. I think the most important thing or the two most important things are that the people are committed and that they talk to each other. I think the Members here probably understand that. I think our best meeting was our final meeting where it wasn't a formalized structure, but Governor Gilmore just adjourned the meeting, and we were in recess in the back room, finally talking to each other. Maybe the best thing you could do is to exempt the Commission for a few working meetings from the Sunshine Act and just let them go off in private and talk to each other. Mr. Turner. You think the Commission ought to have a little privacy, I gather. I think all your suggestions have been helpful. 
I guess the next question is open, is whether there should be some specification of these types of individuals in the legislation, or in the alternative, should there be some prohibition against, say, an industry representative or some other type of individual from being able to serve. Do any of you have any suggestions or thoughts on that point? Ms. Singleton. I'll start, since it seems like nobody else is going to. What I'll say is contrary to what some people have said about avoiding extremes. I think part of the reason that the debate has been polarized is that there are real philosophical differences there, and I think it would be to some extent a shame if the Commission did not reflect to some extent those real philosophical differences. And at the same time I think it's still possible to have a commission that avoids fractiousness by--simply by choosing people with certain personality types to be on the Commission as opposed to people who are given to pounding the table with their shoes and so on. That may be easier said than done, of course, but I think--I don't think it would make sense to exclusively prohibit any particular perspective from being expressed. I won't say any more than that. I think probably others have more expertise about whether it would be more effective to list or not to list. Mr. Belair. As I listened to the discussion, I think I was convinced that certain kinds of subject matter expertise are absolutely vital, technology, some kind of background in finance, economics, and we spelled out several others. I think I'd be tempted, if I were writing the bill, to spell that out a little bit and maybe also allow for some flexibility as well in the appointment process. But it seemed to me that I was convinced that there ought to be some of those kinds of people at the Commission table. Mr. Plesser. 
I just think that while it's very important to think about the Commission members and positions, I think it's very important that we make sure that the inquiry is a full and balanced one if we do do it. The Privacy Commission had something like 60 days of hearings, had hundreds of witnesses, and I think that that process really--I mean, if somebody had a point of view, it would be very difficult to kind of just stay on it. There was a public record and testimony and balanced input. I certainly agree that you shouldn't have all businesspeople. You shouldn't all have all public interest people. You shouldn't have all academics. There has to be some balance, and I think hopefully the process of appointment will do that, and I think you can say that appointments should reflect a range of--I think at least I would like to avoid saying there has to be one member who represents this interest, one member who represents that interest. I think that would probably not be good. It also would not be good if there were nine CEOs of Web companies on there and nobody else. That would not be a good result, nor would it be good to have nine public privacy advocates on it. So we have to work to get a process. I think the difficulty is we don't want it to be like slots. We want good people, balanced people representing a range of perspectives, at least that's my view. Ms. Culnan. I'll just add very quickly I think it's important to have flexibility. You may get a person that is representing more than one type of expertise, and so, again, by specifying one person, one form of expertise, I think that's a mistake. I think it would also be a mistake to specify that certain types of people are not to be appointed, to be as general as possible to maintain flexibility to get the very best set of people that you can get. Mr. Turner. Thank you, Mr. Chairman. Mr. Horn. I thank the gentleman. I now yield to the gentleman from Arkansas, Mr. Hutchinson. Mr. Hutchinson. Thank you, Mr. 
Chairman, and this has been a long session, and then we've got another panel, but just to further elaborate on the record somewhat, I did want to ask Mr. Plesser some followup questions about the 1974 Privacy Study Commission. You had some very positive comments to make concerning that. Would you describe what the benefits were of that Commission and what good came out of it from a congressional standpoint? Mr. Plesser. There was only one piece of legislation that I think could be directly pointed. There were 164 recommendations for some kind of legislative implementation. There was only really one statute, the Right to Financial Privacy Act, that I think resulted directly from the work of the Commission. During the work of the Commission, the IRS statute in terms of limiting the information that could be exchanged or given to the executive branch was put in, but I think that would have happened probably with or without us. I think the Right to Financial Privacy Act was a direct result of what we did, which protected people's interests in their checking accounts and information that banks can disclose. We recommended strongly regulation in the medical records area. It isn't really until this year, 23 years later, that we're seeing legislation in the medical area. My own view is that it was much delayed, but I think even though Bob Belair did kind of a subsequent inquiry into it, I think that the work we did in medical records and employment and specific areas made a great contribution, and I think it's still used today in many areas in analyzing privacy. Mr. Hutchinson. 
Let me just add when I look at a commission, you never know what's going to happen down the road, but I think information is invaluable to Congress, and actually I think that the argument for the supermajority is that it makes some requirement for consensus to be built, but we also want--the consideration is that if you have a simple majority, you will have a report that comes out and a minority report, and it's information, different viewpoints. The legislative processes still have to work, but it's a tool to build consensus in this very difficult area. And so I look back to the 1974 Commission. You're right, legislation did result from it in not all of the arenas, but the other information, someone referenced that it's still being passed around today and studied today and referred to today. So I see a lot of benefits from a Member of Congress's standpoint to having this type of commission. There was--one more question with regard to that. Everybody's talked about the variety of people on the Commission. Is there anything special about the 1974 Commission as to who did the appointing process and who we should be looking at? You've seen our bill, and we have it divided among different congressional leaders and the executive branch. Mr. Plesser. Well, the political--I forget exactly the politics back then, but I think you had one party controlling the House, Senate, and President and executive branch, so there wasn't any real political controversy, and in that case you had two from the Senate, two from the House, and three from the administration, but the administration could name the Chair. So that was--I think by having the ability of the administration to do the Chair, they had a little edge, but--if you do a party split. So that's the way that worked. Whether or not it's the best way--it did work in practice. It was, as I said, a balanced approach, but who knows what could have happened. Did I respond to your question? Mr. Hutchinson. Yes, you did. 
I'm grateful for that. Did anyone raise the objection during that time about, well, why do we want to have a commission? We just need to pass legislation right now. We know what we need to do. Mr. Plesser. Let me tell you, even though it was slightly before my time, and I might say not only was the Commission balanced, but I think the staff was balanced. Carol Parsons, who was an extremely able executive director, and she had a privacy background, and she was the executive director of the very early HHS study on privacy, which really developed this concept of fair information practices, and I was a freedom of information lawyer. And so they had a privacy person and an open government, open access person, and I think there was a reason for having that balance, so I think that was effective. Mr. Hutchinson. Were you leading to the question I just asked, though? Mr. Plesser. Sure. Could you repeat it? I interrupted. I'm sorry. Mr. Hutchinson. You're still on the other question, trying to give a more complete answer. I was simply asking at that time did people raise the objection that we don't need to have a commission, we ought to just move forward with substantive legislation now. Mr. Plesser. What happened at that time was in 1974, the Privacy Act was sponsored by Senator Ervin, and some version recommended the omnibus approach for State and Federal--State, Federal, and private sector records. The Privacy Act, some earlier version was going to cover everything. There was a split. There were a lot of people who did not want that to happen, at least in terms of the private sector and State and local government. The compromise was the Commission. The compromise was to say, OK, we'll pass the Privacy Act of 1974 in connection with Federal records, but then we will throw this issue of whether or not the principles of the Privacy Act should be extended to private sector and State and local to the Commission. The context was a little different. 
I mean, they started with a comprehensive law. I think here now the context is somewhat different. Mr. Belair. I was at the White House Privacy Committee at the time, and I think Ron is exactly right. There was a wide consensus that we needed to sort out whether the standards that would apply to Federal Government in the Privacy Act should be applied to the private sector, but there was also a push back in some areas. For example, health privacy even back then was a major concern, and as we got later on into the 1970's, Senator Javits had a bill. There were bills over here--Bella Abzug had a number of bills--and there was a concern that the Privacy Commission's work would slow down the march toward comprehensive health information privacy legislation. As we've seen with hindsight, there were so many things slowing down that legislation, that the Privacy Commission made no contribution to that. Let me just say real briefly, though, I think Ron's being modest a bit about the work of the Privacy Protection Study Commission. It set the template. It set the model for not just the U.S. thinking, but the whole world's thinking for many, many years about privacy, fair information practices, a distinction between uses of information that had an impact, a tangible impact, on individuals and nonadministrative uses that did not, a sector-by-sector approach, which the Europeans eventually abandoned, but not right away. It had an absolutely, I think, profound impact on the way in which the Nation thought about privacy. Mr. Hutchinson. Thank you. Mr. Horn. I thank the gentleman, and I yield to the gentleman from Virginia, who I believe will yield to the gentleman from Massachusetts, who is welcome to bring up himself to the podium here, or you can grab one of the mics. Let me make a deal to you and your two colleagues that disappeared. If you want to be the lead witnesses at 2 p.m., on Thursday, we'd be glad to give you that. Mr. Markey. Thank you, Mr. 
Chairman, but I think I would rather be the last witness on this panel. Mr. Moran. Do we have a choice as to whether you get the last word? Mr. Markey. You just chose, and I thank you so much. Ms. Varney. Mr. Chairman, I have a child care conflict. Could I be excused and give Mr. Markey my seat? Mr. Horn. Certainly. If you don't mind, we're going to close it down really after Mr. Markey, but we'd like to send you a few questions. Would you mind responding to us for the record? Ms. Culnan. I'd be glad to. Mr. Horn. The gentleman from Massachusetts. Mr. Moran. We appreciate very much Ms. Varney coming to testify. Thank you, Christine. If you want to get in the middle here, you can. The rest of the panel is going to stay because I know they want to hear from you. I'm not going to ask questions. I can review the testimony, but I've also got a prize constituent in Mr. Belair, and I consult with him regularly, so I will take advantage of that. So the floor is all yours.

STATEMENT OF HON. EDWARD J. MARKEY, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF MASSACHUSETTS

Mr. Markey. I thank you very much for your hospitality. Here's my bottom-line point to you all. Members of Congress are experts on privacy. Our privacy isn't invaded on an ongoing basis. You don't have to be--there's a lot of things on which congressional expert is an oxymoron, but compared to real experts, we're really not. But on privacy, we're experts. The reason that we are experts is for the most part that we're human beings, and that's why we've been able to pass laws over the last several years to deal with issues as they arose that dealt with the privacy of Americans. For example, if someone wants to divulge your driver's license, it's opt-in; all that information, opt-in. That's a law. If someone wants to transfer information about your videocassette rentals, all those things that Judge Bork got in trouble for during this confirmation hearing, Congress passed a law. 
They can't sell that information to anybody anymore. Opt-in. You want people to know every movie you rented? Opt-in. Pretty simple. What protection would you want for your family? How complicated is that? How about the information dealing with whether or not the cable company should be able to sell all the information where you click on your cable stations, especially after midnight when everyone is upstairs asleep, what channels you go to; should that be public information everyone has access to? We have a law in the country that says opt-in. Unless you want the cable company to sell that information to people, no one knows what channels you click to when everyone is upstairs asleep. Good law. How about your tax returns? Opt-in. Do we really have to be experts? Do we have to have a panel put together to decide whether or not we want our tax returns given out to everybody in town, everybody should have access to it? Opt-in. Very simple. How about on your cell phone when you travel someplace, you might not want everyone to know where you are going? How about the cell phone companies selling that information where you've been going? Opt-in. How about all your phone records, everyone you're calling all day long, everyone in your family is calling all day long? Should anyone be able to access that? Opt-in. Very simple. Not complicated. We don't need an expert panel on this subject, and we definitely don't need an expert panel to study for 18 months. That is absolutely beyond the pale. Two years ago when there was a bill coming through to ban pornography on-line, I said, fine, I'll go along with that, but how about giving me an On-Line Child Privacy Protection Act, too; any child 13 and under, unless their parent gives permission, has all that information private. That's the law of the Nation now. The Federal Trade Commission has promulgated the rule. 
How complicated is that, information for 13 and under should not be disclosed even if you got it on-line, even though it might impede the new Internet revolution? How about a child who's 13, 14, or 15, though. Do we need a panel to discuss that one, 18 months for us all to figure it out? I don't think so. How about--how about our health records? How about the fact that your husband or wife has prostate cancer or breast cancer, or a child is on Ritalin or has a child psychiatrist? Should all the medical exams in the insurance company be able to be shared with all the stockbrokers that are in that same firm? How about all the checks that you wrote; all the medical information is on there. Do we need 18 months to figure this out? I think we need a panel of 17 Members of Congress to go into a room, just give everyone the questions, and everyone will decide, because this is an issue that ultimately deals with your family. Now, I think the biggest fear that everybody has, to be honest with you, is whether or not any decisions we make are going to affect the Internet and will be responsible for the destruction of the Internet. We shouldn't actually value the Internet the same way we value all companies, because if we valued the Internet the way we value all companies, they'd have to have earnings. They'd actually have to have profits. God forbid we should actually have that standard. People who talk about that lead to the NASDAQ collapsing 2,000 points. How can we possibly have that standard? Obviously we shouldn't have-- otherwise everyone who's responsible for saying that they should have profits or earnings or revenues are ruining the new era. How about fraud on-line or gambling on-line or selling drugs on-line; do we need a study on these issues before we pass any laws with regard to these things that are done on the Internet? Why should we allow, then, for people to be able to delay another 2 years? 
And that's what we're talking about right here, sitting right here 2 years from now after an 18-month study, which finally goes to the President later on this year, is finally promulgated, and we're not going to move on anything because there's a chorus here that is going to go out there as soon as this becomes law saying, we've got to wait for Congress now, we've got to wait for the expert panel. God forbid we should decide. The test here is whether or not we can construct a formula. Commerce, yes, but commerce with a conscience. And the issue, the way I see it, in this bill, by the way, is that, yeah, they are going to look at how the government goes into your business, but I really don't see the private sector--where is the subpoena power for private corporations so you can look at them or the right to depose private corporations? Because the issue, ladies and gentlemen, is not Big Brother, it's Big Browser. The problem is that you can now profile for profits. You can take each one of us, each one of our families, gather information from all these various sources that are now available, put it in a big package, and then sell it to hundreds of companies or others that want to look at our families. Now, I don't know why we want to study this for 2 more years because we already know it's right on videocassettes, and we know it's right on taxes, and we know it's right on cell phones, we know it's right on telephones, we know it's right on everything, ladies and gentlemen. It's very simple. So my bottom line on this is that this is a basic human right, the right to be let alone, the right for the world not to become--coming into our living room. Wall Street says, we're going to give you a window on Wall Street. That's great. But the American people just don't want Wall Street to have a window in our living room. 
If we don't want them in our living room, they don't have any right to come into our living room, and if we want to opt in to get all this great information that they want to give us, we can just check off someplace. By the way, these same companies that say, oh, it's going to be so difficult for us to construct an electronic way in which people can check off they don't want privacy, these are the same companies that tell us they can transfer $1 trillion from here to Osaka in a nanosecond, that they can recreate entire economies in China over the next 2 or 3 years if we are allowed to sell telecommunications and Internet and software technologies into that country, but we can't think, figure out in our own country whether or not we want to protect children, whether or not we want to protect health records? I don't think so. So this is without question, with all due respect, to all the members of this panel, a central--maybe the central civil rights issue of the 21st century. Eighteen months is too long. This bill really is not going to give the proper authority, be able to look at what the private sector is doing. The Commission is totally tilted. You can wind up, if George Bush is President, with 4 Democrats and 13 Members of the other party are appointed by him, with industry representatives dictating ultimately what they believe is best for their business. So at the end of the day, we have to have the new economy, but the new economy with old values, and the old values of the very same ones we grew up with, the nurse and the doctor that probed our medical records, and no one else in town knows what happened to us or member of our family; the banker who gave us our little passbook when we went in for the first time, and no one in the rest of the town is going to know what is in our little passbook, and we know who he is and is going to protect us. Same values. 
These companies are going to make it, but they are going to make it protecting against the compromise of our privacy by engaging in other behavior which we all know is wrong. If they are going to be profitable, they are going to have to do it the old-fashioned way, protecting solid American values while using new technology to drive the old companies out of business, but not using new values to drive the old companies out of business. They should be forced to compete on the same grounds in terms of the values. So I thank you, Mr. Chairman, for allowing me to testify. This is a very important bill, and I think ultimately, with all due respect to the gentleman from Arkansas who I respect very much, I just think it delays too long congressional consideration of this very important issue. Thank you. Mr. Horn. I thank the gentleman for coming. I wonder what you would think of the delay that we've had between the Senate and the House. We wanted to get to this in this committee 3 years ago, and everybody was going off in 20 different ways around here, and I just wonder what you think about that if we'd done the Commission 3 or 4 years ago. Mr. Markey. Again, we don't need a commission. Mr. Horn. But somewhere you need people building a consensus. Mr. Markey. The consensus will be built. Eighty-five percent of all Americans have the same view on this issue. There's a consensus in America already. There's just no consensus when you fill up the room with a bunch of lobbyists, a bunch of industry representatives. Of course they are all no, no, no. If you want to weight them equally with the 85 percent of the American people who agree on every one of these health care, financial records, child--go down the line--disclosure of privacy, there's no debate in America. You can have a technical debate over how to do it, but there's no debate on this question. This is the single highest polling issue in America. 
People value their privacy, their individuality, their American--their sense of independence of the big business and big government. The far left and the libertarian right join on this issue, doesn't leave a lot of room in the middle. They are fighting this hard, Mr. Barton and I, Senator Shelby and Senator Bryan in the Senate. It's the middle, the practical middle--actually it's the business middle that objects. So, yeah, we can pass this, but we pass it only for big business, only for big bucks, only for Big Browser, but we're not passing it for ordinary people. That's not what this study is about, because every one of us know what protection we want for our mothers, for our fathers, our wives, our husbands, for our children. Every one of us know what that answer is on every single subject. We're all experts on that. Mr. Horn. Before you leave, I'll call on the author and coauthor of the bill and see if you want to ask any questions of the gentleman from Massachusetts. Mr. Moran still has plenty of time. Mr. Moran. But we don't have much time here. I've got to get to a meeting with Mr. Gephardt that started at 4:15, so I can't get into too much questioning. We have heard from many people who are not tied into a commercial entity, nor have a commercial motivation, who feel that this is a more complex issue than it appears to be, and certainly than you perceive it to be, Mr. Markey. There are a number of different State approaches, some of them conflicting. We have legislation that was passed with regard to medical privacy that HHS has gotten tens of thousands of responses on and has taken 2 or 3 years to try to come up with some regulations. We have the financial services modernization bill that was recently passed that is legislation. I know you opposed it, but nevertheless--opposed at least parts of it. 
I think you voted against the bill, as I recall, but nevertheless was passed and is the law of the land and has a significant implication for the--for the privacy issue in general, and there will be others. And one of the purposes of such a commission was to try to establish some consistency, some fundamental principles, some floor, if you will, when you talk about values, some value floor that would either exempt or incorporate or preempt, I should say, or incorporate State law. I don't think that we want a potpourri of different State statutes. Clearly electronic commerce is intrastate, can't be held within boundaries, and we have a difficult issue with regard to preemption or finding some kind of consistent uniformity. We also have a difficult issue, if we're going to ad hoc this kind of legislation, whether it be in financial services or medical issues or other types of electronic commerce, how we achieve consistency, and we also have very rapid developments in the field itself and the industry, developments that are customer-friendly, developments that respond to market incentives. People want privacy. We don't disagree that this is a cutting-edge issue. If you poll them using any kind of simplistic question, you're going to get very high responses. People want privacy. And so the industries involved in the Internet and information technology understand that and have responded with any number of ways to protect people's privacy. And so the intent of giving the Congress some analysis with which to develop overarching legislation, if you will, was to achieve consistency, was to recognize the central tenets of federalism, and was to incorporate technological advances that have been taking place in the private sector, and also to figure out a way that we can coordinate the public and the private sector, because we don't necessarily have the parallel objectives here. 
There are some benefits to the public sector having some information shared that the private sector collects. So for all those reasons, there seems to be some benefit to studying the issue, and, as Mr. Horn said, no matter how anxious many Members might be to get legislation enacted immediately, it is not likely to happen. The history is that it has held up for what seems to be interminable periods--certainly longer than 18 months. If you look at financial services, we've been working on that for what, 10 years. Medical privacy took a significant amount of time to get legislated, but even more time to get regulated. So you could make an argument that if we could get a consistent format and some consensus within 18 months, we'd be doing pretty well, and even breaking some precedent. Do you want to respond to those? I see you've been taking some notes there. Mr. Markey. I agree with you that each individual in America should be able to avail themselves of the new privacy technologies, encryption technologies that are being developed. That's important. They also have basically a right to expect industry to voluntarily step forward and put together industry standards, and they are in some fields, some companies. But because there are always going to be a significant number of outliers, significant number of companies on-line, especially who are just digital desperadoes, just trying to capture whatever they can in a short period of time in this new economy, there has to be a Federal floor. There has to be a third level of Federal guarantee, a right to knowledge that information is being gathered about you, a right to know that it's going to be reused for purposes other than you and your family intended it, and third a right to say no. And then you've got some power, too, even if the technology doesn't work to block it, even if the companies aren't going to be doing it. 
You've got a right as an American, a right to protect your own family's secrets, secrets you are not telling anyone else about. In Europe they have stronger standards, and from Citicorp to every American company that is over there, they abide by these stronger privacy codes, and our industry is thriving in Europe, abiding by the tougher European privacy codes. Many people say, we don't want the European standards here in America, but when you poll in America, 85 percent of Americans say they want the European standards. Now, we didn't import 500 people for this poll. They are all Americans. They are just ordinary people. They want the same standards. And the reason that we didn't build in the right for an American to stop the transfer of their medical insurance records in an insurance company now to a broker or banking affiliate is that the Rules Committee last year wouldn't allow my amendment out on the floor because they knew it was going to pass 350-50. That's the only reason it didn't pass. I couldn't get it made in order. The industry said, don't allow that amendment, because they had won in the Commerce Committee 42-0. No Member wanted to vote against it when they were forced to in the Commerce Committee that they would have their medical or financial information transferred without their permission, so they just blocked the vote on the floor. Didn't need any more study. Every Member knew they didn't want their family's medical privacy spread around town or those checks or those insurance exams. It was the industry using the Rules Committee. So, yeah, I guess you can say we can bottle everything up, use the process to stop it, but I don't think it's an accurate reflection of the amount of knowledge that we all have of what it is that we want to be built into law for each of our families. And all I'm doing is just reflecting my own mother's mortification if someone knew of some illness that she had. 
She wouldn't even tell her sisters, much less everyone in town, if she was--if she had an incontinence pad. She wouldn't want anyone to know that. She should have a right to protect that. Every American should have that right. I don't think we need to debate it. I don't think we need to wait 2 more years for this industry to have the same rules that the old industries have. I think we owe that to Americans, and waiting 2 more years means waiting 4 more years. Mr. Moran. I was just going to suggest that this may seem like a plodding, tedious process to bring everybody together at the same table and to try to reach some consensus, but sometimes the plodding, tedious process actually accomplishes more in terms of legislative enactment than the dance of legislation, which can be more thrilling and seemingly responsive, but can oftentimes take longer and can become even more frustrating. Mr. Markey. I'll tell you what happened. In the 1995 Telecommunications Act, our privacy bill of rights was built into that act, and it was worked out by all the Democrats and Republicans on the Commerce Committee, and it passed the House, and you voted for it. Every Member here voted for it in 1995. It was my bill. I worked it out with Jack Fields, I worked it out with all the Republicans, and it was a comprehensive privacy on-line bill of rights. The reason it got knocked out was not that all the Members didn't understand what the language was, it was because the Republican leadership, a week before we finished the conference in February 1996, just knocked it out, just knocked it out. Somebody called them, and they just knocked it out. And I was in the minority at that point, so I didn't have any power to keep it back in, but it was all worked out in a bipartisan, bicameral, industry-inclusive basis. That was 5 years ago now, 6 years ago. 
So we can study it, I guess, until 10 years has elapsed since the anniversary of the 1995 act passed on the floor of the House, but I just don't think we all need to know much more about this subject. Mr. Moran. Well, you make a very persuasive presentation as always, Mr. Markey. Mr. Markey. It's the Jesuit education. Mr. Moran. I was going to make a remark about that, but you beat me to the punch. Mr. Horn. I thought it was just being Irish. The gentleman from Arkansas. Mr. Hutchinson. Thank you, Mr. Chairman. Being a visitor to your subcommittee, I want to tell you how impressed I am with the depth of your hearings. This has been extraordinarily a mind-expanding experience, and I want to thank the gentleman from Massachusetts Mr. Markey for his excellent presentation. I think that added certainly to the debate today. And I've been thinking about that we had a discussion early on, and if we take this bill, Mr. Moran and I, we just took this bill totally down and say we want to give it every shot, we don't want to give anybody an excuse not to support industry privacy legislation, in all honesty I don't think it's going to--you'll build the consensus to move it forward this year. In all honesty I don't think you've got the timeframe to get it done this year. That's just my view, but I don't want this again to be used as an excuse not to move other legislation through. I see it complementary. In some areas I think you can--we can all agree upon the more simple, basic, fundamental areas of privacy, if we need to do something, let's do it and get it done with. I asked this from the White House yesterday, the gentleman from the Office of Management and Budget, if you adopt these other things you're interested in, would it be some benefit to a commission looking at the ongoing technology, the ongoing privacy issues? His answer was yes, because it's a changing world out there. This issue is not--adopt everything that you want to adopt, Mr. 
Markey, everything that you want to adopt, and I still believe that we need a commission to look at the ongoing developing issues in a comprehensive fashion. So that's really my interest in it. And then maybe--you raise these illustrations about opt-in, and I--quite frankly, I don't know if it is that simple. There was an instance the other day if there was an opt-in where someone refused to give a consent for information to be transferred, an opt-in for a cell phone company, what if a person chooses not to opt in and they call from a cell phone with an emergency, but the location of that emergency cannot be divulged to law enforcement or the fire department? Now, it could be a kidnapping, it could be a rape circumstance. And actually this information was shared a few weeks ago when a lady was kidnapped and she called the police, and the telephone company did not want to share the information. There very well is an answer to that, appropriate exception, but I think the point is that this is--there's some areas there that we need to--that should be debated, discussed. It is not as simplistic as sometimes is presented on the front end. And so I hope we'll continue having this discussion, and I want to thank you again, Mr. Markey, for your presentation. You're making notes. I'll give you a chance to respond. Mr. Markey. I thank you so much. On that specific issue which you just raised, in fact, we passed a bill that does prohibit the tracking of cell phone use, but with an emergency exception, so in that particular instance, there was no reason why the company could not transfer the information to the police or the fire in order to provide rescue or emergency medical service for that individual. As a matter of fact, we passed a specific law a year ago in order to accomplish that goal. 
And on the other issue, again, I'm just reflecting my own personal history, which is that the Rules Committee 3 years ago, when we were bringing up the financial services bill, it ultimately was a failed effort. They would not permit my amendment on privacy to be put in order for the floor, but they promised there would be comprehensive hearings. That was the Banking Committee promise. There were no hearings. And last year in 1999, when my amendment was denied consideration on the House floor, they promised hearings this year. There have been no hearings. So if we want to now conduct a study for 2 more years, I think it passes prologue. We already see in the conduct of---- Mr. Hutchinson. Mr. Markey, you mentioned 2 years a couple of times. I do want to emphasize because of that point, there's a provision that the Commission can report back early if they deem it appropriate. If there's a consensus that develops within 2 months, they report back to Congress. And so that is an outside sunset time, and excuse me for interrupting, but I did want to make that point. Mr. Markey. With $2.5 million allocated, we're going to invoke the rule that work expands the time allotted without question, because the salaries of all these staffers that are going to be hired and all the expert witnesses will guarantee that they'll go right up to the very last minute. Mr. Hutchinson. There was a comment. Mr. Plesser, you raised your hand a moment ago. Mr. Waxman. Are we doing the 5-minute rule? Mr. Horn. We went to the 13-minute rule, and we'll be glad to give you the same. Mr. Plesser. If I can, and I appreciate all the comments that Congressman Markey said. I just want to say that I think his review of the statutes in saying opt-in simply reflect it's somewhat more complex than that. 
I know he would agree with it, although the legislation that he suggested does have some affirmative consent proceedings in it, but it also has opt-out in terms of the use of mailing lists, marketing lists, not of the specifics of the transaction. But many of the statutes that he referred to, the Cable Act and others, other of the statutes do provide provisions, both a balanced view of opt-out and opt-in. Mr. Markey has always had this wonderful concept of notice, knowledge and no, which I think has really led the industry and has led self-regulatory efforts, and I think we just want to make sure that it still is notice, knowledge and no, and not opt-in under some circumstances. I would certainly agree in medical records and in detail the kind of examples that he gave, but I think opt-out also has a strong role, and I just wanted to just fulfill the record on that point. Mr. Markey. If I could just follow up on that, I agree with him, a lot of the medical and financial information is very sensitive and should be given opt-in protection. And a lot of the other information that's on-line is more prosaic and probably doesn't deserve opt-in. But we don't need a year and a half to figure out which is and which isn't. We can definitely finish the medical and financial that we know should be given that protection. The most important issue is the material that deals with the financial and health information. We don't need to wait another 18 months. If you want, we can have a commission on what should be the rules for the prosaic information, but I don't think we need more time on that. Mr. Hutchinson. Mr. Chairman, I yield back. Thank you. Mr. Horn. The gentleman from California Mr. Waxman, 10 minutes. Mr. Waxman. Thank you, Mr. Chairman, for the time. I had a conflict and couldn't be here. I thought the House rules provided for 5 minutes. I wondered after 5 minutes had gone by and no clock evidently keeping track of things of what the rules were. 
I won't take 10 minutes, but I wanted a chance to at least ask a few questions. Mr. Markey, I can see you're frustrated. I'm frustrated because we tried to do something in the area of medical privacy together, and the legislation has been introduced. Other people have introduced bills on medical privacy. This committee, which has jurisdiction, hasn't even held a hearing on medical privacy. We'll probably have a commission to review the findings of the Commission, and then we have to wonder when are we going to get to the point where we're going to do something about it, because I think the American people are concerned. In the area of medical privacy, individuals have expressed concern that their employers or potential employers will have an inappropriate access to personal information about their health records, and I recently conducted a survey to investigate how large employers handle their employees' health records. I asked 48 top Fortune 500 companies to voluntarily describe their privacy practices regarding handling of their employees' health information and to voluntarily provide documentation of their privacy policies. While a few companies stood out for having quality components to their policies, the survey found that only 15 of the 48 companies provided documentation of company policies on medical privacy, and many of the policies provided--lacked critical details. Further, 11 of the 48 companies refused to respond to any of the survey questions. So I think it's fair to ask if companies are unwilling to share information with Congress, why would they be any more willing to volunteer information to a congressionally appointed Privacy Commission? Mr. Markey, you have been deeply involved in medical privacy policy. 
If we do go forward with establishing a Privacy Commission, do you think we should require the Commission to examine employer practices and policies with respect to health information of their employees, and do you think the Commission should be given the power to secure information from companies regarding such practices and policies? Mr. Markey. I do. I think that there should be a power of subpoena, there should be a right to depose, without question. We're talking about the most fundamental civil rights that we each have, which is the right to keep our own medical secrets private. It's no one else's business. And if companies are out there engaging in practices which compromise that, then I think this committee--the Commission, as it's constructed, and as a result the American people, should know this, and as a result then the legislation which is formulated subsequent to that would reflect the protections that have to be built in against those practices. Mr. Waxman. Another area which many individuals have expressed concern is how financial institutions handle personal information. The United Kingdom has recently established a public registry that helps individuals learn about what types of personal data is being maintained and used by data collectors, meaning entities that decide how and why personal data are processed. Under UK law, data controllers have to provide details to the public, register about how they process personal information. The registers can be searched on-line by entering the name of the particular data controller. The register includes a description of the different purposes for which the controller holds or uses personal data, describes the types of personal data held or maintained. I want to share with you the results of a recent staff search on this registry for Citibank International. 
The stated purposes for which the personal data is held or used include marketing and selling, including direct marketing to individuals, personnel/employee administration and business and technological intelligence, among many others. For each purpose listed, the registry described the types of personal data held or used. As an example, I'd like to turn to the category marketing and selling including direct marketing to individuals, and listed 46 different categories of information including personal details, physical descriptions, habits, personality, character, current marriage or partnership, marital history, details of other family household members, other social contacts, immigration status, leisure activities interests, lifestyle, academic record, court tribunal inquiry proceedings, liabilities, outgoings, loans, mortgages, credits, dietary and other special health requirements, and religious beliefs. Obviously the register established in the United Kingdom provides individuals with a tool for obtaining substantial information about the practices of data controllers. Mr. Markey, you've worked for many years on financial privacy policy. Do you think it would be a good use of resources to study whether an information register like the one established in the United Kingdom would be a valuable system to establish in the United States, and if we move forward with legislation to establish a Privacy Commission, do you think the bill should require the Commission to review the United Kingdom's public register system and make recommendations regarding establishing a similar system in the United States? And do you think the Commission should have the power to secure information from companies relevant to this study? Mr. Markey. I do. 
What you're now describing is something that was required from the World Wide Web consortium, and the British, as a result, were saying to Citicorp, you've got to tell us what you're using this information for, give us your white paper, tell us what's in there. So you just basically listed a financial services FBI file on an individual gathered by Citicorp on these Europeans. And Citicorp was very unhappy about that, that it was disclosed to the public, because they might get the jitters that that kind of detailed profile on them is being gathered. Now, there's one thing we can be sure of, that Citicorp is doing the same thing to all of its customers in America, except we don't know about it because we don't have law the way they have over there, this data protection registry in Great Britain. And once the public understood it, they obviously were outraged. So we need a way in which the public and the United States knows about what Citicorp and every other corporation is doing in terms of this information, and if we don't do that, then we're going to ultimately wind up with all of us having this--you know, this digital dossier being developed on us and our families that tells those companies more about ourselves than any member of our own family know about us as individuals. So you put your finger right on it, Mr. Waxman. There's the core problem, and I think we could have corrected it in the financial services bill last year. I think we can correct it this year. We had a week of hearings now. We can all agree on what should be done. I don't think we have to wait 18 months. Mr. Waxman. Do any of the members of the panel think we ought to have this Commission with the power to get this information from employers as to what they do on medical privacy and be hired to study the system in the UK and how they are handling these data controllers? Anybody on the panel want to talk to those issues? Mr. Belair. Let me speak to the situation in Europe. 
I think it's tempting to look across the Atlantic and see a very robust privacy environment. I spent a lot of time in Europe this year. I know Ron has, and I'm sure others have as well. Of course, a number of the EU nations have not yet implemented their own national law. In addition, the EU is suing some of those nations for their failure to comply, and what's fascinating about the European situation, it took a while to figure that out, but as you talk to the American, the United States affiliates over there or multinational corporations, there's such a different enforcement culture there that, in fact, I think it's fair to say, and indeed many Europeans say, that there is a very liberal interpretation of both the EU directive and the national laws. And so I think one---- Mr. Waxman. What is your conclusion? You don't think we ought to study it because it's too different? Mr. Belair. No, I think it bears study, but I don't think it is necessarily a model for us. I do believe, and I think probably---- Mr. Waxman. We don't know that until we study it. Do you think a commission ought to be able to study this and ought to be looking at other models? Mr. Belair. No question about it. Absolutely. I said that in my testimony. Mr. Waxman. How about some of the others? If you want to talk about the medical privacy issue, if employers are not willing to respond to Congress on what their policies are, do we need to give a subpoena power to this Commission to get the information? Ms. Culnan. I would say there's clearly a need for better notice in this country. I'm not sure that a registration system run by the government is the way to do it, but I think clearly that the Commission certainly could look at comparative models and see what could work here and what wouldn't. But it's particularly important, as Mr. Markey said, that people be informed what information organizations hold on them, and what's the most effective way to do that I think is the real issue. 
I think in terms of collecting information from companies, I think it would be important to assure them anonymity. To me, I don't think there's any particular benefit in naming names and saying one company does this and one company does that, but it would be very important to get a sense of the landscape in terms of where the problems are, as I said in my testimony, the extent to which fair information practices are applied, and that would include do employees know what companies are doing with their information. Mr. Waxman. I see my time is up. I don't know if the chairman wants to allow anybody else to speak on this issue. Mr. Horn. Once you ask the question, the Horn rule is to let everybody else answer, but that's it. Then we move to the next person. Mr. Greenwood is with us. Who else would like to answer---- Mr. Waxman. Anybody. I just wanted to know if anybody wanted to respond. I didn't ask each one to respond. Ms. Singleton. Just a very quick comment. I understand Germany also looked at the possibility of a central registry and rejected the possibility because they were concerned it could become a target for human rights violations to have a list somewhere of all the information and immediately somebody who you don't want to have access to that list get access to it. It becomes a tool in the wrong hands. With respect to the subpoena power, I second Professor Culnan's remarks on the anonymity. I think it would be very valuable to get a picture of how information is actually used in the economy, particularly in the form of a survey, and that anonymity would help to ensure great participation. Mr. Plesser. On the subpoena power question, yes, no question, the Privacy Commission had it in the mid-1970's. It was horrible and unwieldy to use, and I don't think we ever used it, but the threat of it was effective. Without it I don't think anybody would have spoken to us. Whether or not you go forward with a commission, I think broader subpoena power is a good idea. 
I don't think there should be any limit on what you want to study. I think if you want to study data registration in Europe, that's fine. There has been one issue of which there is total unanimity among every person who has looked at privacy in the United States. Every privacy advocate, every expert, everybody that I've known or ever spoke to have always opposed the concept of data registration being imported to the United States. I've never heard even the most radical privacy advocate ask for that. I think it's important to study it, to consider it. I think in the end the comment we just heard that it's really anti-privacy rather than pro-privacy is appropriate because then the officials know where to go, then they know how to organize it and have the map. I think the problem of data registration is a significant one, and it's antithetical to our tradition and never really has been seriously suggested for the United States. But absolutely, let's have a study, let's look at it and see if there's a way that some of those concepts are helpful, but also to find out what the negative concepts would be. Thank you. Mr. Horn. Mr. Sokul, any comment to Mr. Waxman's question? Thank you very much. We now have Mr. Greenwood, Jim Greenwood from the State of Pennsylvania. Mr. Hutchinson. Mr. Chairman, are the panelists that have been here, are they expected to stay? Mr. Horn. Well, we'd certainly welcome them, but the dialog with the Members--I think Mr. Waxman's question deserved an answer, and we went down the line, but you're certainly free to leave, and we will, as I said earlier, send you some questions, if you don't mind. We're going to ask Democratic counsel and Republican counsel what key questions did we miss, and we'd appreciate your writing us back. We'll put it at this point in the record without objection. So we now turn to Mr. Greenwood, and we're delighted to have him here. He had to suffer the long wait that you and Mr. Markey and Mr. 
Barton gave up, I gather, and you're always welcome. You're a real leader in the House, and we're glad to have you here. Mr. Greenwood. Thank you, Mr. Chairman. I will be brief because, unfortunately, my schedule is going to require that as well. You've been listening to testimony for 3 hours on this issue, so I'm not sure how much more enlightenment I can offer. But I would like to share with you why it is that I am prime sponsor of H.R. 2470, which is the Medical Information Protection and Research Enhancement Act, which is an attempt to legislate this issue this year, and I'm also a sponsor of Mr. Hutchinson's bill, H.R. 4049, the Privacy Commission Act bill, which you've been hearing of. As you know, this is a long-standing and highly controversial issue and a very important issue. Back in 1996, the Congress basically directed and passed HIPAA, that required, if we couldn't get our act together legislatively by the summer of last year, that HCFA would do the regulations. We couldn't. We failed as a Congress to legislate. During that 3-year interim, I introduced my bill in July of last year, and we've not been able to move it, and there are reasons for that. This is like any other controversy. This issue involves the collision of a couple of values: of course, the commitment that we all have to protect privacy with regard to the most intimate details of our lives. The second one is that there's a terrific benefit to society when medical outcomes can be--that data can be collected and can be used by researchers and health care providers and insurers and others to try to enhance therapies and treatments for all of us. So the challenge in this issue is how do you merge these two values without compromising, on the one hand, confidentiality, nor compromising, on the other hand, the ability of society to benefit from this data. My experience with this issue is that there are two fundamental policy roadblocks, the first of those has to do with liability. 
The consumer advocates generally represented by the Democrats in the House advocate for a relatively liberal policy with regard to liability. They believe that if one's confidentiality is breached in any way, that there ought to be ready access to the courts. The other issue of controversy has to do with preemption. Many of us, including myself, perceive that in this digital age, information travels from our health care provider, to our health insurer, to a researcher across the State lines at the speed of light, and if we are going to use the values of the information age, we need to make sure that this data doesn't have to stop at every State boundary on the way. It won't work that way. The States have moved ahead and have, in some cases, passed some very strict confidentiality laws as it relates to issues like AIDS, mental health, and genetic information. I believe that we need to find a way to build a very airtight channel for this information to move from State to State without violating confidentiality. We haven't been able to do that. I've worked with Congressman Waxman, Congressman Markey, Congressman Brown, and Congresswoman Eshoo on the Commerce Committee trying to forge bipartisan support for the bill, and frankly we just haven't succeeded. We just haven't been able--in good faith negotiations to reach consensus. So my first wish would be that my legislation could pass, and we could have it enacted in this Congress. I don't see that, frankly, as being likely. So my second priority would be that Mr. Hutchinson's bill becomes enacted so that we can find, through the use of a commission, the consensus that we've not been able to find legislatively. In my view, the worst of all possible scenarios is that nothing happens, and that this issue drags on for failure on our part to find bipartisan consensus. Mr. Horn. Does the gentleman from Arkansas have any questions of the witness? Mr. Hutchinson. No. 
I just want to thank you for putting a good cap on this hearing today. You expressed really what my attitude is. I'd like to see your legislation move forward first and foremost, and I appreciate your understanding that this commission bill--I don't want it to be a threat to anyone's individual bill. I want it to be complementary, I want it to be helpful and take a long-term look. So thank you very much for expressing that so succinctly and for your support and your initiative, which I'm delighted to support, and also for your support of the Commission. So thank you, Mr. Greenwood.

Mr. Greenwood. If Mr. Horn would take my bill up and move it, I would be happy to have it transferred to this committee.

Mr. Horn. It's sitting in the Commerce Committee. Can you get it over here? We'll give you a fast 24-hour look at it. We have to vote on the floor, and I want to thank the staff that helped prepare this hearing. We will hold another hearing tomorrow, which I believe will be Thursday--yes, Thursday at 2, and it will be on privacy. I guess we haven't learned enough yet. And we want to thank the court reporter Laurie Harris. I don't know how you stood it, Laurie. You should have nodded, I guess. And the staff director and Chief Counsel George has been with us in and out. Heather Bailey is to my left, your right, as the professional staff member putting things together here; and Bonnie Heald, director of communication; Bryan Sisk, clerk; Liz Seong, intern; and Michael Soon, intern. Trey Henderson is counsel for the minority, and Jean Gosa is minority clerk. And with that, we adjourn the meeting.

[Whereupon, at 5:06 p.m., the subcommittee was adjourned.]
[Additional information submitted for the hearing record follows:]