A State of the Union for Privacy: Fall, 2002 Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP International Privacy Officers


Slide 1
A State of the Union for Privacy: Fall, 2002
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
International Privacy Officers Association
October 18, 2002

Slide 2
Overview
  • Privacy and Government
      - The Lawless State and the 1970s Reaction
      - Since September 11
  • Privacy in the Private Sector
      - Medical, financial, Internet, international
  • What to Do Next

Slide 3
I. The Lawless State
  • By the mid-1970s, there was clearly substantiated evidence of widespread lawlessness and surveillance by the FBI, CIA, and other federal agencies
  • The Lawless State by Jerry Berman & others
  • Church Committee hearings

Slide 4
The Lawless State
  • Surveillance and smears of MLK, Jr.
  • FBI infiltration of political groups
      - FBI agents in KKK to Black Panthers, including participating in bombings, etc.
      - Fringe groups? Large fraction of delegates to 1972 Democratic National Convention under surveillance
      - Blackmail files on political officials

Slide 5
The Lawless State
  • IRS files routinely scanned for political advantage
  • CIA prohibited from acting in U.S.
      - But, active in ports
      - Then active in hundreds of other domestic operations
      - Allende assassination plans, secret funding in foreign elections, and other black ops overseas

Slide 6
The Lawless State
  • National security powers
      - President and A.G. claimed unlimited ability to wiretap within the U.S. for national security purposes
  • State wiretaps
      - No federal law limiting wiretaps by state officials until 1968

Slide 7
Reactions to the Lawless State
  • Title III (1968) -- wiretaps only under strict, federal standards
  • Privacy Act, 1974
  • Government in the Sunshine
      - FOIA Amendments, 1974
      - Open meeting & whistleblower laws
  • Foreign Intelligence Surveillance Act, 1978
  • Electronic Comm. Privacy Act, 1984

Slide 8
Summary on the Lawless State
  • Demonstrated history of abuse of power and lack of accountability
  • New laws going beyond constitutional minimum, to limit surveillance and protect privacy
  • New laws to create openness in government, to promote accountability

Slide 9
II. Privacy -- the Next Generation
  • Clinton years
      - Chief Counselor for Privacy
      - HIPAA, GLB, COPPA, and more
      - 2000 proposal to update wiretap laws
  • Initial Bush Administration
      - Pro-privacy statements by the President
      - Decision not to cancel medical privacy rule
      - Likely would have had a Federal CPO by now

Slide 10
9/11 and USA-PATRIOT
  • Legal changes: significant rollback but not repeal of surveillance law
  • Updating with the surveillance powers from 2000 Clinton proposal
  • Double that, especially for FISA and computer trespasser
  • None of the proposed privacy updating
      - No suppression for illegal email/web snooping
      - That evidence can be used in court

Slide 11
USA PATRIOT Act & After
  • Implementation changes: use authorities to the limit, and perhaps beyond
  • Political changes: protecting privacy means weak on terrorism
  • Not all proposals enacted:
      - Some proposals taken out of bill
      - E.g., proposal for CIA to get IRS records
      - Sunset for some surveillance in fall, 2005

Slide 12
The Effects of 9/11
  • Less known -- the theory change
  • Viet Dinh in DOJ, seek powers to the limit permitted by the Constitution
  • Sounds good, but means repeal of much of the 1970s laws
      - Often no reasonable expectation of privacy
      - Often records held by 3d parties, who can consent to release
      - Surge in secrecy -- FOIA not in Constitution

Slide 13
Homeland Security Department
  • Beginning of a return to previous privacy politics
  • House hearing and bill
      - CPO for the Department
      - Privacy Impact Assessments
      - No authorization for national ID
      - TIPS (Armey)
  • Senate?
      - Commission on Privacy & H.S.?

Slide 14
Cyber-Security Report
  • Released September, 2002
  • Section of report on privacy
      - First Bush Administration written statements (that I have found) on the importance of building privacy into government practices
      - Excellent on this: should build in privacy when upgrade systems for security
      - Report widely criticized for good intentions, but few actual action items

Slide 15
Summary on Government Access to Records
  • Some Congressional return now to previous pro-privacy politics
  • September 11 and USA-PATRIOT effects continue
  • Administration statements: privacy should be based on what is required by the Constitution
  • That is less than I believe most Americans will want

Slide 16
III. Privacy & the Private Sector
  • Medical
  • Financial
  • On-line and more generally
  • International

Slide 17
Medical Privacy & HIPAA
  • I commend the Bush Administration for going forward with HIPAA
      - Have historic one-time shift from paper to electronic medical records
      - Is of course a difficult transition for a huge industry to new IT systems
      - Overwhelming majority of Americans expect security and privacy to be built into the new medical record systems

Slide 18
HIPAA
  • What about the changes to the rule?
      - I estimate HHS kept 90-95% of the 2000 rule
      - Many changes sensible & fix problems
      - Biggest mismatch of rule and consumers on marketing
  • Now permits a covered entity to do unlimited marketing for health-related products and services
  • Covered entity can be paid for this, no disclosure
  • No disclosure of source of communication
  • Likely biggest impetus for Congressional action

Slide 19
HIPAA
  • HHS staff: professional, thoughtful, & hardworking
  • Administration leadership:
      - Has done the minimum necessary for achieving HIPAA goals
      - NCVHS (HHS Committee): call for far more guidance, education, and outreach from HHS
      - Abject failure to promulgate Security Rule, with needless cost to industry

Slide 20
Financial Privacy
  • Implementing Gramm-Leach-Bliley
      - Pretty routine for many companies
      - Should have layered notices such as HHS encourages for HIPAA

Slide 21
Changes in Financial Privacy?
  • Fair Credit Reporting Act reauthorization due in 2003
  • FCRA preemption of state law expires
  • State law changes possible for GLB
      - California, North Dakota
  • Sarbanes hearing last month, and he has supported Clinton 2000 bill
  • Unclear what will happen

Slide 22
Online and Other Privacy
  • Progress thus far without legislation
      - 15% privacy policies in 1998 (commercial)
      - 88% privacy policies in 2000
  • FTC/Muris commitment to enforcement
  • Question is the quality of policies
      - Cautious lawyers and promise as little as possible
      - Many policies weaker today than 2 years ago

Slide 23
What next for Online?
  • Stearns and Hollings bills
  • No action unless there is
      - Remember Sarbanes bill for Enron reforms
      - Dead in the water
      - Now, have Sarbanes-Oxley Act
  • Big issue: online only?
      - FTC approach that can't promise online and treat offline data differently
      - Likely the best approach

Slide 24
International Data Flows
  • E.U. Privacy Directive
      - Beginning of some enforcement with significant fines
  • E.U.-compatible privacy regimes
      - E.U. neighbors
      - New Zealand & Australia
      - Canada
      - More coming: Malaysia? Everyone else?

Slide 25
International Issues
  • Safe harbor for financial services
      - No agreement yet, truly difficult issues
  • The reality for global companies
      - Compliance with privacy regimes outside the U.S.
      - What to do inside the U.S.?
  • Conclusion: ongoing international pressure for more privacy laws in the U.S.

Slide 26
IV. Conclusion: Private Sector
  • Privacy is not dead
  • HIPAA is the biggest privacy compliance in U.S. history
  • More federal financial privacy legislation if the states get active
  • Internet legislation is one scandal away
  • Global companies face continuing pressure from almost all our trading partners

Slide 27
Conclusion: Government Access
  • The Bush Administration is at risk if privacy politics continue to shift back
  • It has taken stands as a friend of government surveillance and secrecy
  • It has not designated officials to address privacy and ensure that privacy values are incorporated in new initiatives

Slide 28
Conclusion: Privacy & Security
  • First, does the intrusive measure in fact improve security?
  • Second, is the measure designed to improve security while also respecting privacy where possible?
  • Third, have we built the new checks and balances appropriate to the new surveillance?

Slide 29
Finally...
  • Don't let the anti-terrorism measures of today turn into the anti-communist excesses of decades past.
  • We've seen what abuses in the name of liberty look like -- lack of accountability and institutionalized lawlessness.
  • We must assure that does not happen again.
  • You as privacy professionals can help assure it does not.

Slide 30
Contact Information
  • Professor Peter P. Swire
  • web: www.peterswire.net
  • phone: (240) 994-4142
  • email: pswire@mofo.com