WorldLII Home | Databases | WorldLII | Search | Feedback

EPIC Alert

You are here:  WorldLII >> Databases >> EPIC Alert >> 2001 >> [2001] EPICAlert 6

Database Search | Name Search | Recent Articles | Noteup | LawCite | Help

EPIC Alert 8.06 [2001] EPICAlert 6


Volume 8.06 March 29, 2001

Published by the Electronic Privacy Information Center (EPIC)
Washington, D.C.

Table of Contents

[1] EU Privacy Leaders: Cybercrime Treaty May Violate Rights
[2] Future of Medical Privacy Regulations Uncertain
[3] Annenberg Releases Report on Kids Privacy Compliance
[4] Bush Administration Criticizes EU Privacy Rules
[5] Public Voice Submits Dot Force Report
[6] EPIC Bill-Track: New Bills in Congress
[7] EPIC Bookstore - The Internet, Law and Society
[8] Upcoming Conferences and Events

[1] EU Privacy Leaders: Cybercrime Treaty May Violate Rights

The controversial Council of Europe (CoE) draft Cybercrime Conventionhas encountered new opposition from an important quarter. In a formalopinion released on March 22, the European Union's independentAdvisory Body on Data Protection and Privacy criticized the proposedinternational treaty as providing inadequate protections for personalprivacy. The advisory group, also known as the Article 29 WorkingParty, includes the national privacy commissioners of the EU memberstates. The group said it wanted to send "a strong message that afair balance must be struck between anti-cyber-crime efforts and thefundamental rights to privacy and personal data protection ofindividuals."

Noting that the CoE proposal makes reference to several internationalhuman rights documents, the Working Party found that "the draftConvention does not harmonise the safeguards and conditions"
envisioned in those treaties, nor does it "require such safeguards andconditions effectively being in place." The Working Party concludedthat the provisions contained in the draft treaty "are not sufficientto fully safeguard the fundamental rights to privacy and personal dataprotection."

On one issue, the advisory group noted an improvement over earlierdrafts of the cybercrime treaty. The Working Party "welcomes" thefact that the current version of the Convention (Version 25) no longerincludes a "general surveillance obligation consisting in the routineretention of all traffic data." But despite that one change, thegroup found that the draft's "wording is often too vague andconfusing," a shortcoming that is particularly problemmatic in adocument containing "mandatory measures that are intended to lawfullylimit fundamental rights and freedoms."

The Working Party also criticizes "the very late release of relevantdocuments," referring to the fact that no public version of the drafttreaty was released until Version 19 last year. While the CoEdrafters are seeking to conclude deliberations on the Convention thisspring, the EU advisory group recommends that "the public debate beprolonged" and that it include "all parties concerned (human rightsorganisations, industry, etc.)," and not just the police and lawenforcement officials (including the U.S. Department of Justice) whohave dominated the drafting process.

The Article 29 Working Party opinion is available at:
The current draft of the CoE Convention on Cybercrime is available at:

[2] Future of Medical Privacy Regulations Uncertain

Implementation of the first federal health privacy regulations havebeen delayed by the Bush administration and are almost certain to beweakened by Health and Human Services (HHS) Secretary Tommy Thompson.
Although health care industry lobbyists have pressured lawmakers tooppose the regulations, there is still significant support in Congressto implement the rules immediately. Last week, sixty-one lawmakerssigned a letter urging Thompson to implement the regulations. Thelack of support for medical privacy protections represents an abruptchange in the Bush Administration's stance on privacy (see item

In statements reported in the Wall Street Journal and the Bureau ofNational Affairs Health Care Daily Report, Thompson promised to"simplify" the regulations and lessen the financial burden to healthcare providers. It remains unclear how the rules will be"simplified."

The rules as formulated by the Clinton administration would have givenpatients the right to clear notice of privacy practices, the right tolimit disclosures of medical records, the right to access records andamend inaccurate information, and the right to file complaints withHHS. However, the rules did contain significant exemptions that couldhave compromised patients' privacy rights. For instance, health careinformation could have been used for marketing purposes, and patientswould have been required to opt-out of such marketing. In addition,
law enforcement officials could have accessed health informationwithout judicial review under the rules.

HHS will continue to accept comments on the privacy regulationsthrough its website until Friday, March 30 at 5 p.m. (ET).

A template letter supporting the medical privacy rules is availablefrom the Health Privacy Project:

The Department of Health and Human Services (HHS) Electronic CommentSubmission Form is available at:

[3] Annenberg Releases Report on Kids Privacy Compliance

On March 28, the Annenberg Public Policy Center at the University ofPennsylvania released a report, "Privacy Policies on Children'sWebsites: Do They Play By the Rules?," analyzing current levels ofcompliance with the Children's Online Privacy Protection Act (COPPA).
COPPA was enacted by Congress in 1998 and its rules became effective ayear ago in April 2000. The Act is enforced by the Federal TradeCommission (FTC).

The study reviewed 162 websites that are among the most popular forInternet users under the age of thirteen. Of those 162 websites, 114displayed a privacy policy on the homepage and 90 of those sitescollected personal information from minors. Fourteen other sitescollecting personal information did not display any privacy policy,
clearly violating COPPA. In addition, the content of those privacypolicies were often found not to alert parents to all of COPPA'sprivacy protections. Only 55 percent of privacy policies told parentsthat websites could not collect more information than what is"reasonably necessary" and only 62 percent of those statements toldparents that they could review personal information already collectedfrom their children. The study did not examine the extent to whichthese websites complied with COPPA in practice, apart from privacypolicies. Unlike most websites, sites targeted at minors must providethe privacy provisions as outlined in COPPA regardless of the contentof their privacy policies.

In the conclusion of the report, the researchers suggest requiringwebsites to display a prominent icon that indicates COPPA complianceand greater efforts to standardize privacy policies. The study alsonotes that the easiest way to comply with COPPA is not to collect anypersonal information from minors.

"Privacy Policies on Children's Websites: Do They Play By the Rules?":
More information about the Children's Online Privacy Protection Act(COPPA) is available at:

[4] Bush Administration Criticizes EU Privacy Rules

On March 23, representatives of the Bush administration sent a letterto the European Commission Internal Market Directorate criticizingproposed European standards for protecting the privacy of transborderdata flows.

The letter concerns the model contractual clauses that have beenproposed by the European Commission to govern the exchange of consumerinformation between EU and U.S. companies, such as financialinstitutions, that are not covered by the previously negotiated "SafeHarbor" agreement. As Article 25 of the 1995 EU Data ProtectionDirective prohibits European data processors from "exporting" thepersonal information of European citizens to countries that do nothave adequate privacy protection laws in place, these contracts arenecessary to ensure the continued flow of information between Europeand the United States. The EU Data Protection Directive's protectionsonly apply to information collected from EU citizens.

According to the letter sent from the Departments of Commerce andTreasury, the contracts would require U.S. companies to follow higherstandards of privacy protection than are currently required by U.S.
law. As a result, the officials warn that "there is a serious dangerthe adoption of the standard clauses as drafted will create a de factostandard that would raise the bar for U.S firms." They continue thatthe requirements are "unduly burdensome" and "incompatible with realworld operations" and urge the European Commission to defer furtherconsideration of them. Consumer organizations, such as the TransAtlantic Consumer Dialogue (TACD), have previously raised questionsabout the adequacy of privacy protection in the United States.

The Bush Administration's resistance to strengthening consumer privacyprotection is seemingly inconsistent with many pro-privacy statementsmade by, or on behalf, of candidate Bush during the recentpresidential election campaign. For example, in a May 19 interviewwith BusinessWeek, then-Governor Bush stated that "I'm aprivacy-rights person. The marketplace can function withoutsacrificing the privacy of individuals. Customers should be allowedto opt in . . . the company has got to ask permission." Later, in anOctober 17 debate sponsored by George Washington University,
then-domestic policy advisor Stephen Goldsmith stated on behalf ofBush that "There is a role for Congress ... in requiring that there beprovisions for an opt-in on medical and financial information."

The draft version of the European Commission's Model ContractProvisions and comments of the U.S. Department of Commerce:
March 23 Letter sent from the Departments of Commerce and Treasury tothe European Commission:

[5] Public Voice Submits Digital Divide Report

The Public Voice is a project of EPIC that seeks to promote theparticipation of NGOs in international decision-making bodies thataddress Internet policy. As part of that project, EPIC solicitedcomments from the public, in cooperation with the Association forProgressive Communications (APC), on the Digital Divide (see EPICAlert 8.02). "The Public Voice and the Digital Divide: A Report tothe DOT Force" is a compilation of the public's ideas and views on theDigital Divide and will be submitted to the Digital Opportunities TaskForce (DOT Force), a Digital Divide initiative of the G-8. The DOTForce was created by the G-8 in July 2000.

The Public Voice report addresses four different topics: what are thebest approaches to address the digital divide?; what are the currentbarriers to greater Internet access?; what organizations are currentlyworking on the Digital Divide?; how should groups narrow the DigitalDivide? A wide variety of approaches were recommended such as the useof free or open-source software, greater emphasis on education andtraining and the creation of more local content. Unlike most policypapers, the Public Voice report is largely made up of directquotations from public comments.

The DOT Force will release its final action plan at the next G-8meeting to take place in Genoa, Italy this July. A draft version ofits report is currently available through the DOT Force website.

"The Public Voice and the Digital Divide: A Report to the DOT Force"
is available at:
For more information about the Digital Opportunities Task Force:

[6] EPIC Bill-Track: New Bills in Congress


H.R.972 Parent Act of 2001. To amend the Elementary and SecondaryEducation Act of 1965 to strengthen the involvement of parents in theeducation of their children, and for other purposes. Sponsor: RepWoolsey, Lynn C (D-CA). Latest Major Action: 3/8/2001 Referred toHouse committee: House Education and the Workforce.

H.R.1152 Human Rights Information Act. To promote human rights,
democracy, and the rule of law by providing a process for executiveagencies for declassifying on an expedited basis and disclosingcertain documents relating to human rights abuses in countries otherthan the United States. Sponsor: Rep Lantos, Tom (D-CA). Latest MajorAction: 3/21/2001 Referred to House Committee on Government Reform.

H.R.1158 National Homeland Security Agency Act. To establish theNational Homeland Security Agency. Sponsor: Rep Thornberry, William(Mac) (R-TX). Latest Major Action: 3/21/2001 Referred to Housecommittee Committees: House Government Reform.

H.R.1176 Fair Credit Reporting Act Amendments of 2001. To amend theFair Credit Reporting Act to protect consumers from the adverseconsequences of incomplete and inaccurate consumer credit reports, andfor other purposes. Sponsor: Rep Ford, Harold, Jr. (D-TN). LatestMajor Action: 3/22/2001 Referred to House committee: House FinancialServices.

H. J. RES. 38. Disapproving the rule submitted by the Department ofHealth and Human Services on December 28, 2000, relating to standardsfor privacy of individually identifiable health information. Sponsor:
Rep Paul, Ron (R-TX). Referred to House Committees on Education andthe Workforce, Energy and Commerce and Ways and Means.

EPIC Bill Track: Tracking Privacy, Speech, and Cyber-Liberties Billsin the 107th Congress, is available at:

[7] EPIC Bookstore - The Internet, Law and Society

The Internet, Law and Society. Edited by Yaman Akdeniz, Clive Walker,
and David Wall.

The advent of a global information society demands a new understandingof the complexities of the architecture of that society and itsimplications for existing social institutions such as law andgovernment. This authoritative and innovative book takes as its themethe Internet within the settings of law, politics and society. Itrelates and analyses their interactions and draw out the implicationsof "cyberspace" for law and society. It therefore has a wider andmore critical agenda that existing, more technical expositions ofcomputer or Internet law. It is about the "law in action" and notjust the "law in books." It examines Internet activity that takesplace in the shadow of law where there is a fascinating range ofregulatory responses and governance strategies. The book covers, infour Parts: the Internet, law and society; governance and theInternet; legal institutions and professions and the Internet; and,
legal controversies in cyberspace.

For other books recommended by EPIC, browse the EPIC Bookshelf at:

EPIC Publications:

"The Consumer Law Sourcebook 2000: Electronic Commerce and the GlobalEconomy," Sarah Andrews, editor (EPIC 2000). Price: $40.

The Consumer Law Sourcebook provides a basic set of materials forconsumers, policy makers, practitioners and researchers who areinterested in the emerging field of electronic commerce. The focus ison framework legislation that articulates basic rights for consumersand the basic responsibilities for businesses in the online economy.

"Privacy & Human Rights 2000: An International Survey of Privacy Lawsand Developments," David Banisar, author (EPIC 2000).
Price: $20.

This survey, by EPIC and Privacy International, reviews the state ofprivacy in over fifty countries around the world. The survey examinesa wide range of privacy issues including, data protection, telephonetapping, genetic databases, ID systems and freedom of informationlaws.

"The Privacy Law Sourcebook 2000: United States Law, InternationalLaw, and Recent Developments," Marc Rotenberg, editor (EPIC 2000).
Price: $40.

The "Physicians Desk Reference of the privacy world." An invaluableresource for students, attorneys, researchers and journalists who needan up-to-date collection of U.S. and International privacy law, aswell as a comprehensive listing of privacy resources.

"Cryptography and Liberty 2000: An International Survey of EncryptionPolicy," Wayne Madsen and David Banisar, authors (EPIC 2000).
Price: $20.

EPIC's third survey of encryption policies around the world. Theresults indicate that the efforts to reduce export controls on strongencryption products have largely succeeded, although severalgovernments are gaining new powers to combat the perceived threats ofencryption to law enforcement.

"Filters and Freedom: Free Speech Perspectives on Internet ContentControls," David Sobel, editor (EPIC 1999). Price: $20.

A collection of essays, studies, and critiques of Internet contentfiltering. These papers are instrumental in explaining why filteringthreatens free expression.

Additional titles on privacy, open government, free expression,
computer security, and crypto, as well as films and DVDs can beordered through the EPIC Bookstore:

[8] Upcoming Conferences and Events

Online, Offshore and Cross-Border: Regulating Global E-Commerce.
Washington College of Law, American University. March 30, 2001.
Washington, DC. For more information:
Call For Papers - March 31, 2001 (prizes available for graduatestudent papers). The 29th Research Conference on Communication,
Information and Internet Policy. October 27-29, 2001. Alexandria, VA.
For more information:
BNA Public Policy Forum: Cybersecurity and Privacy. Pike and Fischer,
Inc. April 4, 2001. Washington, DC. For more information:

First International Conference on Human Aspects of the InformationSociety. Information Management Research Institute, University ofNorthumbria at Newcastle. April 9-11, 2001. Newcastle upon Tyne,
England. For more information:
Corporate Privacy Officers Program 2001: Washington Briefing and PeerWorkshop. Privacy and American Business. April 11-12, 2001.
Washington, DC. For more information:

National Summit on Electronic Privacy. The National Institute forGovernment Innovation. April 23-24, 2001. Washington, DC. For moreinformation:

The First Annual Privacy and Data Protection Summit. Privacy OfficersAssociation. May 2-4, 2001. Arlington, VA. For more information:
The 26th Annual AAAS Colloquium on Science and Technology Policy.
American Association for the Advancement of Science. May 3-4, 2001.
Washington, DC. For more information:
Future of the Internet: Preserving the Internet's Openness, Freedom,
and Diversity. Center for Media Education and Center for DigitalDemocracy. May 9, 2001. Washington, DC. For more information:
The Internet and State Security Forum (ISSF). Cambridge Review ofInternational Affairs. May 19, 2001. Cambridge, England. For moreinformation:

Communication Research and Policy Workshop. Ford Foundation andComputer Professionals for Social Responsibility (CPSR). May 24, 2001.
Washington, DC. For more information:
The Internet Security Conference (TISC) 2001. Core Competence, Inc.
June 4-8, 2001. Los Angeles, CA. For more information:

INET 2001: A Net Odyssey, Mobility and the Internet. The 11th AnnualInternet Society Conference. June 5-8, 2001. Stockholm, Sweden. Formore information:

ETHICOMP 2001: Systems of the Information Society. Telecommunicationsand Informatics Technical University of Gdansk, Poland. June 18-20,
2001. Gdansk, Poland. For more information:

Democracy Forum 2001: Democracy and the Information Revolution.
International Institute for Democracy and Electoral Assistance. June27-29, 2001. Stockholm, Sweden. For more information:
Call for Papers - June 30, 20001. CEPE2001: Computer Ethics,
Philosophical Enquiries. Lancaster University (UK). Centre for Studyof Technology in Organizations, Institute for Environment, Philosophyand Public Policy. December 14-16, 2001. For more information:

Call For Submissions - August 3, 2001. Workshop on Security andPrivacy in Digital Rights Management 2001. Eighth Association forComputing Machinery (ACM) Conference on Computer and CommunicationsSecurity. November 5, 2001. For more information:

ICSC 2001: International Conference on Social Computing. University ofBremen. October 1-3, 2001. Bremen, Germany. For more information:

Privacy2001: Information, Security & Ethics for the New Century.
Technology Policy Group. October 3-4, 2001. Cleveland, Ohio. For moreinformation:

Learning for the Future. Business for Social Responsibility's NinthAnnual Conference. November 7-9, 2001. Seattle, WA. For moreinformation:

Subscription Information

The EPIC Alert is a free biweekly publication of the ElectronicPrivacy Information Center. A Web-based form is available forsubscribing or unsubscribing at:
To subscribe or unsubscribe using email, send email with the subject: "subscribe" (no quotes) or"unsubscribe".

Back issues are available at:

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and tosend notices about EPIC activities. We do not sell, rent or share ourmailing list. We also intend to challenge any subpoena or other legalprocess seeking access to our mailing list. We do not enhance (linkto other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your email addressfrom this list, please follow the above instructions under"subscription information". Please contact if you haveany other questions.

About EPIC

The Electronic Privacy Information Center is a public interestresearch center in Washington, DC. It was established in 1994 tofocus public attention on emerging privacy issues such as the ClipperChip, the Digital Telephony proposal, national ID cards, medicalrecord privacy, and the collection and sale of personal information.
EPIC publishes the EPIC Alert, pursues Freedom of Information Actlitigation, and conducts policy research. For more information,
e-mail, or write EPIC, 1718Connecticut Ave., NW, Suite 200, Washington, DC 20009.
+1 202 483 1140 (tel), +1 202 483 1248 (fax).

If you'd like to support the work of the Electronic PrivacyInformation Center, contributions are welcome and fullytax-deductible. Checks should be made out to "EPIC" and sent to1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009.
Or you can contribute online at
Your contributions will help support Freedom of Information Act andFirst Amendment litigation, strong and effective advocacy for theright of privacy and efforts to oppose government regulation ofencryption and expanding wiretapping powers.

Thank you for your support.

END EPIC Alert 8.06


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback