Is Safe Harbor Unfair and Deceptive?
I am particularly outraged by two elements of the safe harbor documents. First, the Commerce Department asked the EU to find that both the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act of 1999 provide adequate protection. I have no problem with finding that the FCRA is adequate for most information processed by a consumer reporting agency. It is time that the EU blessed the FCRA.
The new banking law is another matter, however. The law does not come anywhere close to fair information practices. The law offers consumers scant privacy protections and allows widespread sharing of personal information with few limits and little consumer choice. The president noted that the privacy protections were inadequate when he signed the bill into law.
A much stronger bill would have easily passed the House had the Republican leadership allowed a vote. After the banking law passed, members of Congress from the House and Senate and both parties immediately introduced stronger bills. Financial privacy will likely be a hot topic in state legislative sessions next year. For the Commerce Department to maintain that the new bank privacy provisions are adequate suggests that the department fails to understand the basics of privacy, that it has no interest in looking credible, or that it is shamelessly pandering to the banks. I wouldn't bet against any of these alternatives.
My second outrage is over the suggested role of the Federal Trade Commission. One of the safe harbor documents states that the FTC has, on a priority basis, committed to reviewing referrals received from EU member countries alleging noncompliance with the safe harbor principles.
I really don't know what a priority basis means. But if foreigners will receive priority, then who will not receive priority? The answer is obvious. Americans will be second-class citizens for privacy complaints at their own consumer protection agency.
The biggest lie in the privacy debate is over the role of the FTC in privacy enforcement. If I had a dollar for every time that someone in the business community or the government touted the FTC as a privacy enforcement agency, I could take all my friends and family out to a steak dinner. If I had a dollar for every privacy case that the FTC has actually brought, I couldn't buy myself a cheap lunch.
The FTC has done some useful privacy work - even if it doesn't do enough. FTC management and staff seem to be at least mildly concerned about privacy. That may well change in the next administration. If a Republican president is elected, the new FTC chairman may well devote fewer resources to privacy.
Regardless, the FTC will never be an aggressive enforcer of domestic privacy, let alone foreign privacy. Consider everything the FTC does and how little of it relates to privacy. I do not know of anyone in Washington, including current and former staffers from the FTC and the Commerce Department talking off the record, who believes that the FTC will aggressively pursue privacy investigations as promised. If the safe harbor promise about the FTC isn't outright fraudulent, then it may qualify as unfair and deceptive.
The Electronic Privacy Information Center contends that the FTC failed to act on existing privacy complaints from consumers. EPIC made a Freedom of Information Act request for copies of the complaints, and the FTC initially refused to provide them. EPIC then sued the FTC for failing to respond to the request. EPIC recently received some of the information that it requested, and a preliminary evaluation suggests that the FTC has received and failed to investigate many privacy complaints. EPIC soon plans to release more information about the FTC documents.
Finally, perhaps the most interesting development from the safe harbor process is the unwillingness of EU data protection authorities to involve themselves in complaints about American companies. It seems that they don't have the resources. Enforcing privacy laws in another country is surely complex and expensive. So why do they think that an overworked and understaffed American agency with diverse responsibilities will devote itself to foreign complaints about privacy?
A better enforcement solution would be EU's requirement of American companies to pay for enforcement through an independent process. TRUSTe and BBBOnline will only handle a limited class of complaints for online activities, and neither organization necessarily offers effective consumer remedies or a full range of fair information practices.
An independent enforcement process located in America, funded by safe harbor participants and broadly supervised by the EU would be much more effective and available than FTC vaporware. If the American business wants real self-regulation, the EU should let it extend to enforcement.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the U.S. House subcommittee on information, justice, transportation and agriculture. His e-mail address is email@example.com.