E P I C A l e r t
On November 18, 2008, the First Circuit Court of Appeals upheld a New Hampshire law that bans the sale of prescriber-identifiable prescription drug data for marketing purposes. In August, EPIC and 16 experts in privacy and technology filed a "friend of the court" brief in the case, IMS v. Ayotte. The EPIC brief urged the federal appellate court to reverse a lower court ruling that delayed enforcement of the New Hampshire Prescription Confidentiality Act. The experts said the lower court should be reversed because there is a substantial privacy interest in patient data that the lower court failed to consider. The New Hampshire Attorney General also defended the law, calling pharmaceutical representatives "invisible intruder[s] in the physician's examination room." Data mining companies challenged the law, claiming that the privacy measure violated their free speech rights. Two of the three appellate judges concluded that the law does not regulate speech, and the third said that although it could be considered a regulation of speech, such regulation was justified in this instance.
There are approximately 1.4 million health care providers in the United States. These providers write billions of prescriptions each year for more than 8,000 different pharmaceutical products, which are filled at 54,000 retail pharmacies throughout the country. For every prescription they fill, the retail pharmacies acquire records, which include: patient name; prescriber identification; drug name; dosage requirement; quantity; and date filled. In order to comply with federal and state privacy laws, patient-identifying information is encrypted and de-identified, often with software installed by the data mining companies themselves. The rest of the prescription record remains intact. Thus, a patient's entire drug history is correlated, and each provider can be identified along with its prescribing habits. This practice raises privacy concerns for both patients and health care providers, said EPIC and the 16 experts in their brief.
On June 30, 2006, the New Hampshire legislature unanimously passed the Prescription Confidentiality Act, which prohibits prescription information records that contain patient- or prescriber-identifiable data from being transferred, licensed, sold, or used for most commercial purposes. This includes marketing, advertising, and other forms of promotion. The Act specifically bars the use of prescriber- identifiable data for "physician detailing," which involves the sale of patient prescription records to data mining firms that generate sales leads for pharmaceutical companies. The Act explicitly permits the use of this data for such non-commercial purposes as research and education.
New Hampshire is one of several states that sought to regulate the practice of "detailing." The New Hampshire law said that "records relative to prescription information containing patient-identifiable and prescriber-identifiable data shall not be licensed, transferred, used or sold by any pharmacy benefits manager, insurance company, electronic-transmission intermediary, retail, mail order or Internet pharmacy or other similar entity, for any commercial purpose, except for the limited purposes of pharmacy reimbursement; formulary compliance; care management; utilization review by a healthcare provider, the patient's insurance provider or the agent of either; healthcare research; or as otherwise provided by law." Vermont and Maine are presently defending First Amendment lawsuits challenging similar prescription privacy laws. Maine resides in the First Circuit, and stands to be directly affected by the appellate court's resolution of IMS v. Ayotte.
The Plaintiffs-Appellees, IMS Health and Verispan, are both data mining companies that purchase and compile prescription information in order to sell the data. IMS Health and Verispan alleged that the New Hampshire law violated their First Amendment right to free speech, claiming that: 1) the law was subject to strict scrutiny because it provided a content-based restriction on non-commercial free speech; 2) the law violated the First Amendment because it was not narrowly tailored to serve compelling state interests; and 3) if the judge determined that the law was subject to intermediate scrutiny because it only restricted commercial speech, it still did not advance a substantial government interest in a narrowly tailored way.
In the State's defense, the Attorney General argued: 1) that the law did not implicate the First Amendment because it did not regulate speech; and 2) even if the Act did implicate speech, that the law should survive intermediate scrutiny because it advanced the State's substantial interests in promoting public health, controlling health care costs and protecting the privacy of patients and doctors, while still allowing the data to be used for non-commercial purposes. A federal trial court rejected all of the Attorney General's arguments, finding that the government did not have an interest in "preventing the dissemination of truthful commercial information" and that the law was more expansive than necessary to promote the State's interests. The trial court held that the Act did not advance a substantial interest in protecting the privacy of patients and health care providers. The November 18, 2008 ruling overturns the trial court's decision.
In their brief, EPIC and the experts said the lower court should be reversed, because it failed to consider the substantial privacy interest in de-identified patient data. Although de-identification measures are increasingly innovative and computationally complex, patient data is still vulnerable to attacks because sophisticated re-identification programs are also being developed, the experts said. Individuals can be re-identified using information such as zip code, date of birth, and gender and then comparing that data to publicly available information. Such information is easily accessible through birth and death records, incarceration reports, voter registration files, and driver's license information.
EPIC wrote in the brief, "Simply stated, amicus believes that the privacy interest that undergirds the state's interest in this statute is even greater than what the legislature recognized, and that the Court should give even greater weight to the Central Hudson... analysis if it concludes that the statute implicates speech interests."
EPIC has argued in federal court for a decade that properly crafted privacy laws should survive First Amendment challenges. EPIC's original amicus effort on this issue was in US West v. FCC, 182 F.3d 1224 (10th Cir. 1999), litigation concerning telephone record privacy. EPIC recently supported this proposition in NCTA v. FCC, No. 07-1312 (D.D.C. filed Aug. 7, 2007), a case involving a First Amendment challenge to telephone privacy regulations.
EPIC's IMS Health v. Ayotte page: http://epic.org/privacy/imshealth/
Opinion Upholding New Hampshire Prescription Confidentiality Act: http://epic.org/privacy/imshealth/11_18_08_order.pdf
EPIC's Brief in Support of Prescription Privacy: http://epic.org/privacy/imshealth/epic_ims.pdf
New Hampshire Prescription Confidentiality Act: http://www.gencourt.state.nh.us/legislation/2006/HB1346.html
Maine's Prescription Privacy Law: http://epic.org/redirect/112008_ME_prescrption_privacy.html
Vermont's Prescription Privacy Law: http://epic.org/redirect/112008_VT_prescrption_privacy.html
EPIC's US West v. FCC page: http://epic.org/privacy/litigation/uswest/
EPIC's NCTA v. FCC page: http://epic.org/privacy/nctafcc/
Pursuant to a complaint by EPIC to the Federal Trade Commission (FTC) earlier this year, a federal court ordered CyberSpy Software to stop selling malicious computer software. The EPIC complaint, filed in March, stated that the spyware company engages in unfair and deceptive practices by (1) promoting illegal surveillance; (2) encouraging "Trojan Horse" email attacks; and (3) failing to warn customers of the legal dangers arising from misuse of the software. The FTC agreed and moved the court for a permanent injunction barring the sales of the spyware program. The court issued a temporary restraining order on November 6, 2008 pending further litigation.
Surveillance technology software is available for purchase from all over the internet. These technologies can be used for illegitimate purposes and usually includes the interception of email, audio, video, instant messaging, text messaging, and computer passwords. Such surveillance can be in the form of keyloggers, screenshot, spywares, trojans or sniffers. These programs collects vast amounts of personal information which aids in identity theft, stalking and intimidation. Individual uses of these technologies are harder to detect as they render themselves invisible to the computer user.
Federal statutes prohibit the interception of wire, oral and electronic communications as well as the accessing of communications that has been stored electronically. Federal statutes also forbid the intentional, unauthorized access to a computer and obtaining any information from such accessed computer. Thus, in essence, the use of the surveillance technology software automatically results in the violation of federal statutes. The EPIC complaint highlighted the fact that the purchasers of the software are exposed to criminal and civil liability. The victims face privacy violations; are exposed to identity theft; are placed in physical danger; may not find help from law enforcement authorities; and may not find adequate compensation via the civil legal system. In light of the harm caused by these programs, EPIC requested the FTC to investigate the companies selling such software, determine the extent of the threat they posed to consumer privacy and safety and seek appropriate injunctive and compensatory relief.
In June 2008, EPIC testified before the Senate Commerce Committee warning of the privacy risks of spyware including the theft of private information, monitoring of communications and the tracking of an individual's online activity. EPIC supported the ability of the FTC to seek treble fines and penalize pattern or practice violations as authorized under a newly-enacted statute, the Counter-Spy Act, while not pre-empting state laws.
TRO in FTC v. CyberSpy Software, LLC: http://ftc.gov/os/caselist/0823160/081106cyberspytro.pdf
FTC complaint (Civil Action No. 08-CV-01872): http://www.ftc.gov/os/caselist/0823160/081105cyberspycmplt.pdf
EPIC's complaint to the FTC: http://epic.org/privacy/dv/spy_software.pdf
Court Orders Halt to Sale of Spyware (FTC): http://ftc.gov/opa/2008/11/cyberspy.shtm
EPIC's page on Personal Surveillance Technologies: http://epic.org/privacy/dv/personal_surveillance.html
EPIC's page on Domestic Violence and Privacy: http://epic.org/privacy/dv/
Court Halts Sale of DIY Spyware: http://blog.wired.com/27bstroke6/2008/11/court-halts-sal.html
EPIC's Senate Testimony on Spyware: http://epic.org/privacy/dv/Spyware_Test061108.pdf
In the online world, search engines are the primary method by which a person accesses information on any given topic. In July 2008, 11.8 billion online searches were conducted in the US with Google holding the lion's share at 61.9 percent. However, when search data is collected, stored and analyzed, it raises serious privacy concerns. Google Flu Trends is a classic example in causing such unease.
Google Flu Trends is a Google utility for locating geographic areas where people are searching for the word "flu" and related terms. Google believes such searches correlate with outbreaks of influenza, and can potentially aid in influenza prevention. It is an extension of Google Trends, a technology that analyzes search queries submitted by Google users. User search data is stored on Google's servers, and retained by the search engine giant. This information includes the Internet Protocol (IP) address, the date and time of the query as well as a unique cookie ID assigned to the browser.
As Google believes that computed statistical analyses of Flu Trends were almost two weeks faster than traditional flu analysis by agencies such as the Centers for Disease Control and Prevention (CDC), it is sharing Flu Trends data with the CDC, part of the US Department of Health and Human Services. Plainly, information about users' searches for medical information is now being handed over to the government.
Google has stated that it will anonymize search data after a period of nine months, but technical experts have questioned the efficacy of the "anonymization" technique. Google obfuscates the fourth octet but retains the rest of the IP address. At most, the redacted IP address is one of 254 other users. Moreover, the unique cookie assigned by Google to the browser remains unchanged over time and can be easily used by Google (or any entity with powers to subpoena Google) to trace back the search query down to a specific user. This linking of a search term to a specific user can re-identify search terms back to an individual that had been previously "de-identified" by Google.
On November 12, 2008, EPIC wrote a letter to Google warning of the dangers of linking searches to individuals and asked Google to publish the technique used to maintain privacy of search queries for Google Flu Trends while ensuring re-identification is not possible. EPIC noted that "Census data, the quintessential form of aggregate data, was used during the Second World War to identity and then displace Japanese Americans. The Department of Homeland Security sought information from the US Census about Muslim Americans in the United States after 9-11"
EPIC's page on Google Flu Trends and Privacy: http://epic.org/privacy/flutrends/
EPIC's page on Search Engine Privacy http://epic.org/privacy/search_engine/
EPIC's November 12, 2008 Letter to Google: http://www.epic.org/privacy/flutrends/EPIC_ltr_FluTrends_11-08.pdf
How Google Flu Trends work: http://www.google.org/about/flutrends/how.html
Official Google Blog: Tracking Flu Trends: http://googleblog.blogspot.com/2008/11/tracking-flu-trends.html
Server Information Google Retains: http://www.google.com/intl/en/privacy_faq.html#serverlogs
The Commonwealth of Massachusetts has become the first state in the United States to enact data privacy and security standards and regulations. The Massachusetts Office of Consumer Affairs and Business Regulation decided on having comprehensive methods to ensure that businesses are taking steps to safeguard personal information about Massachusetts residents. The new regulation prescribes the minimum standards that are to be implemented. Although it was initially announced that the rules will come into effect from January 1, 2009 it was subsequently postponed to May 1, 2009, consistent with the Red Flag rules of the federal regulators. The Red Flag rules requires financial institutions and creditors to develop and create ID theft prevention programs.
The purpose of the new regulation is to protect against unauthorized access or use in a way that creates a risk of identity theft or fraud. This can be achieved by ensuring minimum standards in safeguarding personal information consistent with industry standards which will protect against anticipated threats or hazards to the security and integrity of the information. Identity Theft has been identified as the number one crime committed in the United States. Identity theft has been committed for a number of reasons including deriving or obtaining financial benefits and impersonation of another person or entity.
The new law, dubbed the "Standards for The Protection of Personal Information of Residents of the Commonwealth" charges every person owning, licensing, storing or maintaining personal information about a Massachusetts resident to develop, implement and monitor a comprehensive, written information security program for any record containing personal information. The new law establishes a wide spectrum of duties upon the record holder such as risk identification, developing security policies, imposition of disciplinary measures and preventing access by personnel unless specifically authorized. Minimum data collection, annual audits and security breach documentation also feature in the new rules. The new law will result in companies installing firewalls to protect personal data and encrypting them whenever transmitted or saved on a portable device like laptops or flash drives. Also, as some companies may prefer a singular approach to ensuring data privacy and security, it may choose to implement nationwide policies.
A violation of such law may also lead to a jury trial in addition to the imposition of penalties. Additionally, the Massachusetts law may serve as a model state privacy law. Although, many entities have been clamoring towards a single federal privacy law, such federal law may end up pre-empting better and more robust state privacy laws, unless it explicitly states that it establishes a minimum national baseline and leaves the states to provide better or higher standards in data privacy or security.
EPIC has long warned against business practices that expose customer information to potential pilferage and has advocated the imposition of civil penalties so as to provide greater incentives towards better guarding against data breaches. Recently, a mortgage company settled with the federal regulators after a hacker obtained credit reports due to its lax security.
Standards for The Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00): http://epic.org/redirect/112008_MA_DataPriv_210CMR1700.html
201 CMR 17.00 Compliance Checklist: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf
FAQs regarding 201 CMR 17.00: http://epic.org/redirect/112008_FAQ_201CMR1700.html
EPIC's page on Identity Theft: http://epic.org/privacy/idtheft
At the OECD Ministerial Conference on the Future of the Internet Economy, the OECD Secretary General expressed support for an effort to formalize the participation of civil society in the work of the OECD concerning the future of the Internet. This recommendation follows almost two decades of civil society participation at the OECD, and after specific proposals the civil society contributed to the 1998 OECD Ministerial Conference as well as the Civil Society Declaration at the 2008 Ministerial Conference.
The OECD Ministerial Meeting on the Future of the Internet Economy was held in Seoul, Korea, on 17-18 June 2008. Participants agreed on the need for governments to work closely with business, civil society and technical experts on policies that promote competition, empower and protect consumers, and expand Internet access and use worldwide.
In his "Remarks on Future Work by the OECD in the Closing Session", the Secretary-General of the OECD stated, "We appreciate the participation of the stakeholders in this Ministerial meeting. I recommend that we begin the process of formalizing the participation of civil society and the technical community in the work of the OECD on the Internet economy."
Ministers and representatives of the OECD member countries, as well as non-member nations attending the Ministerial Meeting, issued the Seoul Declaration for the Future of the Internet Economy. The Declaration stated, "We invite the OECD to further the objectives set out in this Declaration, through multi-stakeholder co-operation, by...reinforcing co-operative relationships and mutually beneficial collaboration with ... civil society...."
Civil society participants of the Public Voice Coalition engage actively in the OECD Ministerial Meeting on the Future of the Internet Economy. In connection with the Ministerial Meeting, civil society, in cooperation with Trade Union Advisory Committee worked together effectively and successfully for many months to formulate the Forum program, engage participants, develop recommendations, prepare the Declaration, draft the Background Paper, and arrange the participation of civil society participants from OECD member and non-member countries.
The OECD was established in 1961. Very early in the existence of the OECD, the OECD member countries recognized the desirability of liaison and consultation with international non-governmental organizations interested in its activities. In recognition of this goal, the Council of the OECD adopted the Decision of the Council on Relations With International Non-governmental Organizations on March 13, 1962. Pursuant to the Council's Decision, the Business and Industry Advisory Committee (BIAC) and Trade Union Advisory Committee (TUAC) to the OECD began to participate in the work of the OECD.
Although it has not had formal status, civil society participants have engaged and been welcomed in the work of the ICCP Committee for eighteen years. Civil society participation has expanded over time through and has played an increasingly important role. For example, in 1998, civil society participants of the Public Voice Coalition organized a successful symposium for the OECD Ministerial in Ottawa, similar to its recent Forum in Seoul, which helped shape OECD policy in key areas in the early days of electronic commerce.
Now, after several months of drafting and deliberation, the civil society participants of The Public Voice Coalition have submitted a consensus proposal to the ICCP OECD Committee for the establishment of the Civil Society Information Society Advisory Council (CSISAC) for its approval at its meeting on December 11-12, 2008.
Under the Charter, the CSISAC will:
- Engage in constructive input and dialogue with the ICCP Committee about policy issues of interest to civil society;
- Pursue the agenda set out in the Civil Society Seoul Declaration of 2008;
- Report to civil society organizations about the OECD publications, events, and policy recommendations of interest to civil society;
- Identify and publicize opportunities for participation by civil society organizations in the work of the OECD;
- Maintain appropriate communications tools (e.g. content management system, mailing list, social network platform) that highlight key OECD-ICCP developments of interest to civil society and facilitate broader civil society participation; and
- Report on an annual basis the accomplishments of the past year and the goals for the next year.
The CSISAC governing structure includes the CSISAC Membership, the CSISAC Steering Committee, and the CSISAC Liaison. The structure seeks to facilitate the participation of interested parties in the work of the OECD and to promote effective communications between stakeholders and the OECD. The Public Voice project will serve as the CSISAC interim liaison for the first two years of the CSISAC.
The CSISAC Charter: http://thepublicvoice.org/documents/CSISAC-Final.pdf
The OECD Civil Society Seoul Declaration: http://thepublicvoice.org/events/seoul08/seoul-declaration.pdf
The OECD Civil Society Background Paper: http://thepublicvoice.org/events/seoul08/cs-paper.pdf
OECD, "The Future of the Internet Economy OECD Ministerial Meeting," June 17-18, 2008, Seoul, South Korea: http://www.oecd.org/FutureInternet
"Closing remarks by Angel Gurrķa, OECD Ministerial Meeting on the Future of the Internet Economy," June 18, 2008: http://epic.org/redirect/112008_OECD_MM_closeremarks.html
OECD, Convention on the Organization for Economic Co-operation and Development (1960): http://epic.org/redirect/112008_OECD_Convention.html
India Hosts the Third Internet Governance Forum
The Internet Governance Forum (IGF) was formed to support the United Nations Secretary-General in carrying out the mandate from the World Summit on the Information Society with regard to convening a new multi- stakeholder policy dialogue forum to discuss issues related to key elements of Internet governance.
The third annual meeting of the IGF will take place in Hyderabad, India, on December 3-6, 2008. It is expected that approximately 2,000 government, private, academic and civil society participants will join in the forum. The proposed agenda for the Third Meeting includes "Reaching the next billion"; "Promoting cyber-security and trust"; "Managing critical Internet resources"; "Taking stock and the way forward"; and "Emerging issues - the Internet of tomorrow". The overall theme of the meeting will be 'internet for all'. Five main sessions and more than eighty self organized panel discussions built around the IGF agenda will be held. The event will also include the IGF dynamic coalitions' meetings, best practices and open forums. Documents and webcasts of the main sessions for the IGF in Hyderabad will be posted after the meeting in December. A remote participation project is being prepared by a group of volunteers. The remote participation project is based on the use of regional hubs from where participants will be able to interact with the IGF main sessions of the Hyderabad meeting. The next IGF meeting will be held in Egypt in 2009.
Internet Governance Forum: http://www.intgovforum.org/
A list of the submitted proposals for workshops and main sessions http://www.intgovforum.org/cms/workshops_08/wrkshplist.php
IGF Remote Participation http://www.intgovforum.org/cms/index.php/remoteparticipation
IGF Dynamic Coalitions http://www.intgovforum.org/cms/index.php/dynamiccoalitions
The Public Voice: http://www.thepublicvoice.org
Presidential Transition Job Application a Privacy Concern
As the Presidential transition team moves ahead towards nominating individuals with great vigor, applicants for high-ranking positions must disclose vast amounts of information to enable the vetting. Historically, each successive incoming administration has vetted applicants more tightly than the last. The Obama-Biden transition team is no exception having prepared a list of 63-item, highly detailed questionnaire designed to ferret out professional achievements as well as personal and potentially embarrassing details. However, as the information submitted to the transition team is not a part of any government record, it is not subject to Privacy Act safeguards, which would provide privacy protections and transparency.
EPIC's page on Obama-Biden Transition Team & Privacy: http://epic.org/privacy/transition08/
Obama-Biden Transition Team questionnaire: http://epic.org/privacy/transition08/13apply_questionnaire.pdf
Obama-Biden Transition Team website: http://www.change.gov/
EPIC's page on The Privacy Act: http://epic.org/privacy/laws/privacy_act.html
Alternative Consultation on EU Justice & Home Affairs Policy
The European Commission has launched a public consultation on the future priorities in the field of Justice and Home Affairs policy. The European Union has been building measures concerning police cooperation, counter- terrorism, immigration, asylum and border controls and claims to that it has upheld civil liberties as well as people's privacy with its policies. As part of the 'exchange of ideas' that will lead to the definition of priorities for the next five years, the European Commission has initiated 'wide-ranging public consultation'. However, the consultation fails to evoke meaningful exchange on the substance and content of those policies. As a result, the European Civil Liberties Network designed an alternative questionnaire that poses different questions about the development and implementation of EU policies and their effect on civil liberties and human rights.
Justice and Home Affairs survey: http://www.sysurvey.com/os.asp?qid=7407&rid=0&web=1
ECLN: Why an alternative consultation? http://www.ecln.org/survey.html
EU Future Group: http://www.statewatch.org/future-group.htm
European Commission Consultation: http://epic.org/redirect/112008_EC_Consulation.html
Subscribers Sue ISP Over NebuAd Deep Packet Inspection
A group of fifteen consumers sued 6 Internet Service Providers (ISPs) over disclosing personally identifying information by spying on websites they visited and Internet searches they conducted. The complaint, alleging violation of federal and state laws, stated that no adequate, informed notice was provided and "opting out of the pilot program only applied to ads customers were shown." The NebuAd technology uses a method called Deep Packet Inspection (DPI) that reviews transmitted content across a network. Recent technological advances have made is possible for ISPs and service providers to implement DPI on a large scale and use this information for targeting advertisement. EPIC has brought to light the perils of using Deep Packet Inspection including behavioral targeting and traffic throttling. DPI has also been criticized by network neutrality advocates.
Nebu Ad complaint: http://www.docstoc.com/docs/2497992/Nebuad-Class-Action-Suit
EPIC's page on Deep Packet Inspection: http://epic.org/privacy/dpi/
Net Spying Firm and ISPs Sued Over Ad System: http://blog.wired.com/27bstroke6/2008/11/net-spying-firm.html
Report: NebuAd Forges Packets, Violates Net Standards: http://blog.wired.com/27bstroke6/2008/06/nebuad-forges-g.html
Ask DSLReports.com: What Is NebuAD? http://epic.org/redirect/112008_NebuAd_query.html
NIST Issues Guidelines on Cell Phone Security
The march of technology has seen personal communication devices evolving into smartphones and becoming mini-computers. As the volume of data on these devices continue to grow, the risk of data theft and security breaches assumes paramount importance. The National Institute of Standards and Technology (NIST) has released guidelines, (Special Publication 800-124), for mitigating these risks. The NIST recommended that organizations should initiate security policies for mobile devices after conducting a risk assessment and training workers. The guidelines included disabling unnecessary applications, using authentication to restrict access, restricting the use of cameras, microphones and removable media, the use of encryption technology and installation of firewalls, antivirus and anti-malware programs. EPIC has warned about the threats of data breaches, identity theft and personal surveillance. EPIC maintains a Tools Page for ensuring privacy on computers and the methods to be adopted in ensuring privacy in personal communication devices are similar to that of computers.
NIST: Guidelines on Cell Phone and PDA Security, (SP 800-124): http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
EPIC's page on Identity Theft: http://epic.org/privacy/idtheft/
EPIC's page on Personal Surveillance: http://epic.org/privacy/dv/personal_surveillance.html
EPIC's Tools Page on Maintaining Online Privacy: http://epic.org/privacy/tools.html
Protectors of Privacy, Regulating Personal Data in the Global Economy By Abraham L. Newman
Numerous data security debates have highlighted the differences between the United States' self-regulatory approach to privacy protections and the European Union's comprehensive privacy safeguards. From airline passenger data sharing, to Internet Protocol (IP) Address privacy, to commercial data retention, the U.S. and European frameworks exemplify strikingly different regulatory regimes. The U.S. favors self- regulation to establish consumer privacy protections, and lacks a regulatory body that focuses on privacy protection. In contrast, the E.U. maintains a strong, independent regulatory regime to ensure consumer privacy safeguards. In "Protectors of Privacy," Abraham L. Newman argues that the European design has been widely replicated, while the American system remains largely confined to the United States and its territories. "Protectors of Privacy" details the U.S. regulatory scheme, much of which was established during the Clinton and Bush administrations. The 2008 elections present an opportunity for the government to disavow the failed self-regulatory policies of the Bush administration by adopting comprehensive consumer privacy safeguards. Newman's book demonstrates that the differences between U.S. and E.U. privacy laws are entrenched. It would require sustained effort to harmonize the regimes. But "Protectors of Privacy" also describes circumstances that demonstrate the substantial transaction costs resulting from the lack of harmony.
"Privacy Protectors" describes two types of regulatory regimes. "Limited regimes" regulate personal data held by the government, but do not impose these regulations on all private sector companies. In contrast, "comprehensive regimes" hold the public and private sector accountable to the same privacy standards. Newman characterizes the U.S. as a limited regime, and the European Union as a comprehensive regime. The United States and Europe began to establish these systems in the 1970s. But meaningful privacy regulation was largely ignored in many parts of the world until the 1990s. Newman asserts that, "beginning in the 1990s, the comprehensive system spread globally, coming to dominate international data privacy efforts." Newman largely ascribes the adoption of the comprehensive system to European data privacy authorities, which took advantage of "domestically delegated authority, expertise, and diverse network ties" to establish independent regulatory authority for privacy. The regulators argued that failure to provide strong privacy protections endangers fundamental political objectives, including civil rights, as well as basic economic objectives, such as consumer confidence, fairness, and transparency.
Comprehensive privacy regimes vary in their specific terms and implementation. However, the limited American privacy regime stands in stark contrast to the comprehensive privacy protections afforded to E.U. consumers. The European Commission has an independent European Data Protection Supervisor, whose office is devoted to protecting personal data and privacy. The Article 29 Working Party, an independent body that seeks to harmonize the application of data protection rules throughout the European Union, also supports privacy protections. E.U. countries also have domestic, independent privacy commissioners. In contrast, the U.S. lacks a Privacy Commissioner, and has not established any federal agencies analogous to the European Data Protection Supervisor or Article 29 Working Party. The Federal Trade Commission, the U.S. agency charged with protecting consumer privacy, has broad jurisdiction over a host of consumer protection issues, including antitrust, merger review, and deceptive trade practices. Privacy is only part of the Commission's portfolio, and it has stated that it lacks authority to protect privacy in several key areas, including merger review.
These structural differences mirror substantive policy distinctions between the regimes. For example, in Europe, Internet Protocol Addresses (the "Internet phone number" assigned to a computer) are protected as personal information. The U.S. does not require private companies to treat Internet Protocol Addresses as personal data. In addition, European regulators regularly consider consumer privacy impacts in merger reviews. U.S. regulators failed to impose privacy protections as conditions of the 2007 Google-Doubleclick merger review despite ample evidence that the deal threatened consumer privacy. The disparity between the E.U. and U.S. systems imposes substantial transaction costs on cross-border business deals and government agreements. For example, extensive negotiations were required between 2001 and 2003 in response to a U.S. demand that European airlines transfer international passengers' personal information to the United States. "Protectors of Privacy" describes European authorities' dismay at the lack of privacy safeguards for the data once it reached the U.S. Complex negotiations were undertaken to reach a compromise that would comport with E.U. privacy law.
"Protectors of Privacy" sets forth an insightful and compelling explanation for the widespread adoption of comprehensive privacy regimes. It also provides examples of how the differences between comprehensive privacy regimes and the United States' limited regime can require complicated negotiations and compromises between regulators on cross-border privacy issues. These examples demonstrate that the U.S. approach imposes costs, despite its self-regulatory nature. Corporations and government officials often disdain the alleged costs of comprehensive consumer privacy protections, and tout the savings provided by the self-regulatory system. However, we increasingly live in a world of comprehensive privacy protections. Cross-border business deals and government agreements require entities to expend considerable time and resources harmonizing the limited U.S. privacy regime with international comprehensive requirements. These costs promise to increase in the future, unless the U.S. adopts comprehensive privacy protections that provide meaningful, clear safeguards for consumers.
-- John Verdi
"Litigation Under the Federal Open Government Laws 2008", edited by Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid (EPIC 2008). Price: $60.
Litigation Under the Federal Open Government Laws is the most comprehensive, authoritative discussion of the federal open access laws. This updated version includes new material regarding the substantial FOIA amendments enacted on December 31, 2007. Many of the recent amendments are effective as of December 31, 2008. The standard reference work includes in-depth analysis of litigation under Freedom of Information Act, Privacy Act, Federal Advisory Committee Act, Government in the Sunshine Act. The fully updated 2008 volume is the 24th edition of the manual that lawyers, journalists and researchers have relied on for more than 25 years.
"Information Privacy Law: Cases and Materials, Second Edition" Daniel J. Solove, Marc Rotenberg, and Paul Schwartz. (Aspen 2005). Price: $98.
This clear, comprehensive introduction to the field of information privacy law allows instructors to enliven their teaching of fundamental concepts by addressing both enduring and emerging controversies. The Second Edition addresses numerous rapidly developing areas of privacy law, including: identity theft, government data mining and electronic surveillance law, the Foreign Intelligence Surveillance Act, intelligence sharing, RFID tags, GPS, spyware, web bugs, and more. Information Privacy Law, Second Edition, builds a cohesive foundation for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.
This annual report by EPIC and Privacy International provides an overview of key privacy topics and reviews the state of privacy in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Privacy & Human Rights 2006 is the most comprehensive report on privacy and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the process of the World Summit on the Information Society (WSIS). This reference guide provides the official UN documents, regional and issue-oriented perspectives, and recommendations and proposals for future action, as well as a useful list of resources and contacts for individuals and organizations that wish to become more involved in the WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law, and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price: $40.
The Privacy Law Sourcebook, which has been called the "Physician's Desk Reference" of the privacy world, is the leading resource for students, attorneys, researchers, and journalists interested in pursuing privacy law in the United States and around the world. It includes the full texts of major privacy laws and directives such as the Fair Credit Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well as an up-to-date section on recent developments. New materials include the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the CAN-SPAM Act.
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content filtering. These papers are instrumental in explaining why filtering threatens free expression.
EPIC publications and other books on privacy, open government, free expression, crypto and governance can be ordered at:
"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of interesting documents obtained from government agencies under the Freedom of Information Act.
Subscribe to EPIC FOIA Notes at: https:/mailman.epic.org/mailman/listinfo/foia_notes
Privacy and Identity Theft Conference. November 24-25, 2008.
Fairmont Hotel, Vancouver, Canada. For more information:
Third Internet Governance Forum. December 3-6, 2008. Hyderabad, India. For more information: http://www.intgovforum.org
International Human Rights Day, December 10, 2008. For more information: http://www.un.org/events/humanrights/2008/
Tilting perspectives on regulating technologies, Tilburg Institute
for Law and Technology, and Society, Tilburg University. December
10-11, Tilburg, Netherlands.
The American Conference Institute is hosting the 8th National Symposium on Privacy and Security of Consumer and Employee Information at the Four Points by Sheraton, Washington, DC. January 27-28, 2009, Washington, DC. http://www.americanconference.com/Privacy.htm
Subscribe/unsubscribe via web interface: https://mailman.epic.org/mailman/listinfo/epic_news
Back issues are available at:
The EPIC Alert displays best in a fixed-width font, such as Courier.
The EPIC Alert mailing list is used only to mail the EPIC Alert and to send notices about EPIC activities. We do not sell, rent or share our mailing list. We also intend to challenge any subpoena or other legal process seeking access to our mailing list. We do not enhance (link to other databases) our mailing list or require your actual name.
In the event you wish to subscribe or unsubscribe your e-mail address from this list, please follow the above instructions under "subscription information."
The Electronic Privacy Information Center is a public interest research center in Washington, DC. It was established in 1994 to focus public attention on emerging privacy issues such as the Clipper Chip, the Digital Telephony proposal, national ID cards, medical record privacy, and the collection and sale of personal information. EPIC publishes the EPIC Alert, pursues Freedom of Information Act litigation, and conducts policy research. For more information, see http://www.epic.org or write EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202 483 1140 (tel), +1 202 483 1248 (fax).
If you'd like to support the work of the Electronic Privacy Information Center, contributions are welcome and fully tax-deductible. Checks should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and First Amendment litigation, strong and effective advocacy for the right of privacy and efforts to oppose government regulation of encryption and expanding wiretapping powers.
Thank you for your support.
If you would like more information on Privacy '08, go online and search for "Privacy 08." You'll find a Privacy08 Cause at Facebook, Privacy08 at Twitter, a Privacy08 Channel on YouTube to come soon, and much more. You can also order caps and t-shirts at CafePress Privacy08.
Start a discussion. Hold a meeting. Be creative. Spread the word. You can donate online at epic.org. Support the campaign.
EPIC is seeking a smart, energetic, creative individual
for the position of Staff Counsel
Deadline: Jan. 1, 2009
Click here for more details http://www.epic.org/epic/jobs/counsel_1108.html