Apr 23 2001

TEXT OF SEN. SHELBY'S SPEECH AT ATTORNEYS GENERAL CONFERENCE AT HARVARD LAW SCHOOL

Thank you so much for inviting me to join you today. I am pleased to share some of my thoughts on the important issue of “privacy” and where I see the debate going in the future. I think that the best way to begin today is by addressing a couple of key questions -- first, why should we seek to protect personal privacy; second, what and when do we protect and third, how do we protect privacy? I believe that the answer to this first question is rather straightforward: by protecting personal privacy, we can help protect people from harm. These harms include the tangible, such as stalking, physical violence or identity theft, as well as the intangible, such as embarrassment or even just the sense of loss of personal security. And this last point is of particular interest. There are those in the privacy debate who would like to minimize the concern behind the loss of privacy to one of harassing telemarketing calls or getting too many catalogues in the mail. It goes beyond this, I believe, because it is not so much that you may find it rude or poor manners to receive a marketing call at dinner time offering you various investment products – it is that they are calling you because they know that you have been carrying high balances in your checking account for the past few months. It is not the “annoyance” factor that upsets people so much as it is the feeling of “insecurity”. That strangers - people that you do not have a business relationship with - that you do not know - have access to this important information about you. So when we talk about privacy, I think we are also talking about security in a sense. In the end, the motivation behind protecting privacy is the fact that when our privacy is secure, we both feel safer and are in fact safer.

Our concerns about privacy in the past largely involved government intrusion. Our patchwork of privacy laws passed in the early 70's, the Privacy Act of 1974, the Right to Financial Privacy Act, the Family Educational Rights and Privacy Act, all dealt with government. In large part, this can be attributed to the fact that the government had the unparalleled ability to collect, store and use personally identifiable information. Over time, the private sector has joined the federal government in acquiring the power and interest in collecting, cataloguing and sharing personal information. Technology made it possible and cost effective to gather, store and use massive amounts of information. Indeed, the “technology economy” that has developed maintains a voracious appetite for information. This considerable demand has led to a situation where businesses go to great lengths to try to find out the most minute details of consumers and their lifestyles. Medical, credit card, banking, phone records, records covering just about every activity in our lives, are being gathered, stored, shared and sold.

Big Business thus joined Big Brother as consumers of our sensitive personal information. And, while each may present a separate set of concerns, the fact is, BOTH business and government activities pose legitimate and serious threats to our personal privacy.

Answering the question about why we should protect privacy only opens the door to more questions. The next logical question involves determining what and when we are going to protect privacy.

I think the best and most realistic way to approach this issue is to recognize that not all information disclosure presents the same threat or harm. For example, most of us would be highly concerned about public disclosure of our financial records and almost entirely unconcerned over the fact that our name and address appear on a mailing list. Common sense leads us to recognize that there are huge differences in the privacy value of different kinds of information.

And I think that this distinction is a good indicator of where governmental action is targeted in limiting the intrusions on personal privacy and that is to those disclosures that present the most danger or could cause the most harm to individuals.

Personally, I believe that there are three general areas that these issues fall into. I informally classify them as issues of: nature, capacity and power. Nature -- what is the nature of the information sought to be shared or protected - the more sensitive or inherently personal the information the greater need to protect, like medical records, genetic and financial information. Capacity -- what is the capacity of the individual to protect himself or herself? For example, we recognize that children need greater protection, either by empowering parents or by passing laws to sanction certain threatening activities or behavior. And Power -- who has the power to use the information in a way that causes harm or adverse consequences for the individual. Traditionally -- historically -- as a republic our biggest concern is with the power of government and its unique ability to restrict our individual rights and civil liberties. And that is why issues of intrusions into privacy by the government garner significant consensus and alarm.

We have briefly touched on the subjects of why we protect privacy, and I have offered some suggestions as to what we should seek to protect. Now I would like to address the issue of what means should be utilized to protect privacy.

First, Congress could enact federal legislation. Second, states could enact locally applicable measures. Third, private entities could choose to self-regulate. Lastly, market forces could independently drive changes and provide technological adaptations to protect privacy. Let me consider each of these separately.

I think the basis for any direct federal action will focus on those cases where the type of information involved presents the greatest potential for harm, where individuals lack the means to protect themselves, where government action threatens liberty and where the markets fail to build in protections for consumers. These particular areas, I believe, have the greatest potential to garner the kind of consensus that will be needed to pass any legislation in Congress.

Privacy protection legislation could also be enacted on the state level. The bottom line issue here, however, will be the extent, if any, the federal government attempts to preempt state law. I support preserving a role for the states. I also think that any federal proposals to preempt the states will only pass if an extremely high level of federal privacy protection is provided. And that trade-off is a big one.

Self-regulation is an idea that has been widely discussed in the context of the Internet. The key to any self-regulatory scheme is the level of confidence the public has in the system. The level of confidence will be determined by the extent to which those that promise to abide by self-governance actually do so in practice. In my estimation, I think the public is still very leery of companies that promise to protect privacy through internal measures. The World Wide Web Consortium (W3C) has recently developed the Platform for Privacy Preferences Project or P3P to facilitate the adoption of an industry standard that would allow users of the Internet to gain more control over the use of their personal information. While this is encouraging, I think it will be interesting to see how well the Web’s P3P initiative works in practice.

Market driven solutions are occurring and will continue to occur in those areas where the public has the greatest awareness of the issues, the largest variety of choices, and the strongest incentives and power to “vote with their feet” when their interests are not being served.

That said, and with an acknowledgment that it is tough to predict the future, I think consensus is developing around adopting measures to limit the disclosure of the kinds of information that pose the highest threats to individual privacy. Let me turn to discuss some of those areas where I think privacy protection efforts will be successful.

I believe a core area of concern where the consensus that greater protections are needed is the unauthorized disclosure of medical records and genetic information. Recently, President Bush decided to move forward with the medical privacy rules drafted by the Clinton Administration. I believe the decision to move forward is important for a couple of reasons. First, I believe it reflects an understanding of how much concern there is about the potential misuse and abuse of medical records information. And the same goes for genetic information, if not more. The potential for harm and discrimination based on genetic information is great and, I think still, largely unknown partly because technology continues to take us beyond what was once unimaginable. In the end, this is an area where the people are not going to feel comfortable deferring to industry or market solutions to provide privacy protection. Concern will grow and the government will step in. Second, many commentators believe that the President’s move is a sign that he plans to follow through on his earlier public comments supporting greater privacy protections.

Another area where I think we will see enactment of federal legislation will involve restricting the dissemination and disclosure of Social Security numbers. Social Security numbers were never intended to become the end all, be all personal identifier that they have become. As their use in this regard has proliferated, the interest in obtaining them, for both legitimate and nefarious purposes, has grown as well.

The tragic murder of Amy Boyer and the serious and growing problem of identity theft are providing the headlines that fuel the movement to provide protection of Social Security numbers. On Capitol Hill we have already seen a great deal of bipartisan legislation intended to limit the misuse of Social Security numbers. I think that we are growing closer to passing a bill with each Congress, particularly in light of the President’s apparent support for making it a criminal offense to sell social security numbers.

On a related front, I believe we will pass legislation that provides greater security for financial information. A couple of years ago, Congress passed legislation that updated the laws that dealt with banking and financial services. While so-called consumer privacy provisions were included in this bill, I most certainly do not believe these provisions actually did much to protect the financial privacy of most Americans. I find it ironic that we have greater protection of what videos we rent than we do our financial information. But, I believe the privacy provisions of Gramm Leach Bliley are a floor rather than a ceiling for a couple of reasons. First, I believe consumers will demand it. I continue to be confused by the financial service industry’s opposition to financial privacy legislation because their business is built on trust. And yet, it is that very trust that has been and will continue to be undermined by their indiscriminate sale and trade in their customers’ financial information. Consumers don’t have the same relationships they used to with their banks because the business and the markets have changed -- they are global. And with the passage of Gramm Leach Bliley, this relationship will only continue to become more distant with the continued growth of large multinational holding companies. Second, their global business subjects them to higher data protection standards in other countries. This becomes costly and problematic. Unless the EU -- which provides greater protections for their citizens than we have -- are willing to lower their standards, which I don’t see, I believe the industry will have to move beyond Gramm Leach Bliley. Third, because of the law’s lack of preemption, the industry itself is starting to push for a federal standard that, by its nature, would have to go beyond Gramm Leach Bliley. In the end, the nominal cost of providing greater consumer protections will be far outweighed by the efficiency, certainty and integrity gained in the marketplace.

I intend to continue my efforts to push for greater protections in this area. I have introduced two pieces of legislation, one requiring advance consent prior to sharing or selling behavioral profile information on consumers, and the second that would restrict the sharing and selling of social security numbers without consent. I am currently working with Senator Gramm, the Chairman of the Senate Banking Committee, to hold a hearing on the social security number issue in the near future.

I also believe that Congress is willing to act in situations where the government over-reaches and threatens individual privacy. For example, recent government efforts such as the “know-your-customer” rules that would have required financial services firms to collect massive amounts of data about their customers and make that data available to the government were widely criticized and quickly defeated. I personally worked to expand the Driver License Privacy Protection Act to limit the ability of state governments to sell certain information they compel people to provide on their drivers’ license applications. The historical record is filled with instances where Congress acted to scale back the activities of the federal and state governments that could affect the privacy of the American people. I believe that the long tradition will continue.

I am a firm believer in free markets and the new technology economy. We live in the most prosperous society on earth because of them. However, as we move forward and technology plays an ever greater role in our lives, it is essential that technology serves us rather than us serving it. One of the best ways to achieve this is to establish a framework that preserves the ability of individuals to make their own choices. Last year, I became a member of the Congressional Privacy Caucus, a bipartisan bicameral organization dedicated to protecting individual privacy. The Caucus was formed around four key principles which I believe are key to establishing this framework. These principles are:
NOTICE - Individuals must be informed in a clear and conspicuous manner when private companies or governmental agencies plan to collect, use and/or disclose personal information;
ACCESS and CORRECTION - A person must have access to personally identifiable information held by a private company or government agency to be able to make sure that it is accurate, timely, and complete and they must have the ability to correct erroneous information.
CONSENT - This one is easy - A private company or individual must receive prior, affirmative consent before using or disclosing personal information.
PREEMPTION - This provision is especially important for our discussion today. You all have a key role in protecting people’s privacy. The Caucus members fully understand this: we want to ensure that individuals benefit from the strongest privacy protections available. Therefore, we will work to ensure that federal privacy protections do not preempt state laws or other regulations that provide stronger privacy protections.

In the end, I believe we are headed in the direction where one day the American people, not the government, financial service corporations, or Internet service providers, will have the power to decide for themselves when and how their personal information is used in the new information economy.

I believe this because the marketplace depends on consumer confidence and that confidence can only be sustained through greater privacy and security protections in an information society.
Thank you.