"A Review of State and Federal Privacy Laws": Testimony to the California Legislature Joint Task Force on Personal Information and Privacy
Testimony of Beth Givens, Director
Senator Steve Peace, Chair
Thank you for the opportunity to participate in this Advisory Committee and to make a presentation this morning.
My name is Beth Givens. I am project director of the Privacy Rights Clearinghouse, a statewide nonprofit consumer education and advocacy program located in San Diego. We have been in operation for four and one-half years. The Clearinghouse operates a hotline for consumers to call with questions and complaints about privacy matters. We have developed a series of 20 publications with practical information about steps consumers can take to safeguard their informational privacy. These are available in paper form and on the Web.
I will speak briefly about two related topics: First, I will give an overview of a code of privacy principles called the Fair Information Practices. These, in part or in full, form the basis of many privacy-related laws, as well as industry initiatives.
Second, I will talk about the approach taken at the federal and state levels to privacy laws, with a brief outline of some of those laws.
Although our job here is to analyze California laws, I think it's important to put our privacy measures in historical perspective. Rather than give a rundown of specific laws -- which you have in handouts in your packets -- I want to lay a foundation for our subsequent discussions at these meetings.
First, the Fair Information Practices:
25 years ago, in the early 1970s, a task force was formed at the U.S. Department of Health, Education and Welfare to look at the impact of computerization on medical records privacy. The members wanted to develop policies that would allow the benefits of computerization to go forward, but at the same time provide safeguards for personal privacy.
What they came up with was the Code of Fair Information Practices, consisting of five points. The reason I'm spending a bit of time on these principles is that they form the basis of many privacy-related laws, and they also offer us a good model by which we can analyze existing California laws and perhaps recommend new approaches.
By the way, there is a handout on the Fair Information Practices in your packets and on the handout table.
The first principle is (1) Openness. There must be no personal data record keeping systems whose very existence is secret.
(2) Disclosure. There must be a way for an individual to find out what information about him or her is in a record and how it is used.
The third principle has to do with (3) Secondary usage. [This is a key principle, which is the least implemented.] The principle of secondary usage says that information collected for one purpose shall not be used for another purpose without the consent of the data subject.
(4) Correction. Individuals should have the ability to correct or amend erroneous information about them.
And finally, (5) Security. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.
In an interesting turn of events, these principles were adopted by many European countries in the 1970s when they developed their national laws on data protection. This is an example of a policy initiative being born in the United States to go on to having more impact overseas. Yes, the Fair Information Principles have formed the basis of many individual laws here, at the federal and state levels. But the U.S. never adopted overarching privacy legislation covering both the public and private sectors as has been adopted in many European countries. And the U.S. has not created the office of Privacy Commissioner as have the European countries, Canada, Australia, New Zealand, Japan and Hong Kong.
Moving into the second part of my presentation -- an overview of the major privacy laws at the federal and state levels:
What is most important to understand about both federal and state privacy laws is that the sectoral approach has been taken. Rather than deal with the disposition of personally identifiable information across the board, the U.S. has addressed it sector by sector, industry by industry. The result is a patchwork of laws, with significant gaps.
We have laws on credit reporting, educational records, video store rental lists, and data gathering by cable TV companies, for example. We have laws on telemarketing practices, lie detector testing by employers, debt collection practices, government access to financial records, and wiretapping and eavesdropping. For these examples, there are laws at both the federal and California state levels, and in several cases California law is stronger, for example on credit reporting.
With this patchwork approach, however, there are some major gaps. For example, we have no medical records confidentiality law at the federal level. There is a medical records privacy law in California, which is among the strongest in the country. Even so, it has some shortcomings, which I would imagine will be addressed at our next meetings, and is also being addressed in legislation this session.
Another gap is in employment law. There is no law regarding workplace monitoring at either the federal or state level -- so monitoring can and does take place without employees being given notice that their phone calls, electronic mail, voice mail and computer keystrokes may be monitored.
I want to say a few words about the federal-level Privacy Act of 1974. Many people think that this law covers both the private and public sectors, and that it covers every situation in which personally identifiable information is collected. In fact, I wish I could have a dollar for every time I've heard one of our hotline callers say, "Well, there's a Privacy Act, by golly, and I demand that my rights be honored -- company X has no right to my Social Security number -- or company Y has no right to sell my name and address without my permission... or such and such government agency has no business requiring that information from me," and so on.
This law is actually quite narrow. The Privacy Act of 1974 is based quite closely on the Fair Information Principles that I listed earlier. It covers citizens' relationships with federal government agencies, and doesn't touch on the private sector at all. For the most part the federal Privacy Act also does not cover state and local governments either.
It requires that, when a federal agency requests information about an individual, the agency inform the individual of its authorization and purpose for collecting the information, and tell the individual what the consequences are for not divulging the information it asks for. The Privacy Act also requires agencies to give individuals access to records about them and to give them the opportunity to correct or challenge the contents of those records.
When the Privacy Act was making its way through Congress, there was an attempt to include provisions for the establishment of a federal privacy commission. And remember, this was the post-Watergate era, when privacy and security were a major concern of the day. The main proponent for the establishment of a privacy commission was Senator Sam Ervin. But that provision was not part of the House bill, and the final bill only required the establishment of a temporary privacy study commission.
Only a dozen states followed up with the state version of the federal Privacy Act, and California is one of them. Of those 12 states that have their own privacy acts, only four of them take the law to the local government level. And California is not one of them. I won't say more at this time about California's own Privacy Act, which is called the Information Practices Act, because Ted Prim is going to talk about it shortly.
But I would like to point out what I think are the two major shortcomings of California's Information Practices Act. One is that it does not cover local government, as the state's Public Records Act does. And the second is that the Office of Information Practices which was responsible for implementation of the law lost its funding and closed its doors in the early 90s. Each agency is charged with overseeing its own compliance with the Information Practices Act. Individuals no longer have a central office to contact when they have questions about the IPA or want to complain about agency actions or inactions.
A third point to make is that many of our privacy-related laws were developed in the early 1970s, for example the credit reporting law, the Privacy Act and its California version, the Fair Information Practices Act. And several more privacy-related laws were enacted in a second wave of legislation in the late 1980s, for example laws dealing with cellular phone monitoring and cable TV. Technology has developed at a breathtaking pace since these laws were enacted. I think it's fair to say that these laws have not kept up with technology.
In closing, I want to make one final observation from the consumer's perspective. The burden is primarily upon consumers to protect their own privacy. As I've mentioned, there's an incomplete patchwork of privacy laws, providing limited remedies for consumers. The funding to support the regulation of these laws has diminished dramatically in the past decade, as has the funding for consumer assistance. Look at what has happened to county level District Attorney Consumer Fraud Divisions, for example. Or try to get through to the state Dept of Consumer Affairs 800 number, or that of the Public Utilities Commission. It's very difficult.
Privacy issues are complex, both for consumers and for policymakers -- especially during this time of rapidly changing technology. The work of this Task Force is both timely and important. I appreciate being able to participate.