Over the past two decades, the American business community response to privacy has grown constantly though glacially. The slow rate of change has obscured the movement that has actually occurred over time. Two recent events highlight just how far things have evolved in the United States.
The first was a two-day Department of Commerce conference on privacy held in June 1998. The Department of Commerce allowed the business community to offer progress reports on the development and implementation of self-regulatory mechanisms. Each participating organization had a chance to show how its privacy self-regulation program addressed its own data, consumers and type of business.
The Online Privacy Alliance described its privacy requirements for online activities. Next came TRUSTe — a slightly older organization also devoted to encouraging online compliance with privacy principles — with a weaker set of policies. The Individual Reference Services Group was by far the worst of the lot. All of these industry privacy codes offer a highly selective variant of fair information practices that member organizations were supposed to follow.
The criticism of the self-regulatory activities from privacy advocates and experts at the conference focused on the clear failure of the self-regulatory codes to meet international fair information practice standards. America Online, an individual company presenter, offered the best privacy code of all.
The revelation did not come until the banking, securities and insurance trade associations said they are already heavily regulated so they do not have to do anything else to comply with privacy requirements. Listening to this denial, I realized that this is just what other industries — the same ones that had earlier described their new self-regulatory agendas — said years ago.
Financial service companies are not regulated for privacy, and they do not even know what fair information practices are. However, because they have so many existing regulations, they assume — wrongly — that some must be relevant to privacy. In any event, they demonstrated no interest in doing anything.
Knowingly or not, the banks recycled the original American business message from the early 1980s when Europe first raised questions about international privacy. That message was simple: ignore privacy. Denial has always been stage one in the business community's response to privacy. The financial services presentation was nostalgic, like a charming trip into the prehistory of privacy.
We will have to wait to see when the banks move to stage two: vague promises of voluntary industry compliance with international standards. The National Telecommunications and Information Administration at the Department of Commerce orchestrated an appearance of compliance from American companies. While this voluntary effort was underway, international pressure faded, and NTIA got out of the privacy business entirely around 1983.
When privacy returned as an international issue again in the 1990s, American companies repeated the earlier cycle. They claimed first that there was no need for any change in order to meet European standards. If the standard was adequacy, then they were adequate. When that didn't help, they moved quickly on to the voluntary company compliance stage. That didn't help either.
When it became clear that privacy was not going away this time, business moved to stage three. This is the current stage, characterized by promises of effective industry compliance with published standards and some degree of enforcement. The privacy codes presented at the Commerce Department conference arose because previous strategies did not allay concerns of the European Union or the American public. Plenty of loopholes remain, but the positive direction strikingly contrasts with the obstinacy of the financial sector.
The industries touting codes have abandoned the delusion that meaningful privacy protections will result from scattered privacy laws that largely ignore fair information practices. A growing segment of American business recognizes that privacy requires a serious response. No one can say how it will take the financial services sector to realize it too must address privacy directly. Perhaps the direct marketing industry — which is still mostly antediluvian when it comes to privacy — can take some comfort in knowing that another sector is worse.
The second revelation that demonstrated for me how much evolution on privacy had taken place came at last year's annual Data Protection Conference. I spoke there with many European data protection officials, and it was apparent that most are fully aware of American privacy self-regulatory efforts. Whether these efforts are serious and will be sufficient is still open to question. European privacy officials see the shortcomings, but most expect improvements will follow.
Why are they so confident? They pointed to how far the Americans have moved already. The older do-nothing approach has been abandoned for the most part, and American business has progressed to seemingly sincere attempts at enforceable self-regulation. The EU privacy officials called the progress significant and were sure of continuing evolution in their direction. They believe that it's only a matter of time until the obvious deficiencies in current policies are cured.
Looking through EU eyes, it's clear that the U.S. business community has moved a long way from its original do-nothing position. The Europeans have reasonable justification for believing that more improvements will follow and that the Americans will retreat further. EU privacy officials are just waiting for the next stage, which will surely include better protections for privacy. They may be right.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture. His e-mail address is [email protected].
