High-Tech Leaders Push Privacy Protections

Committee Chmn. Barton (R-Tex.) is fed up with headlines on security breaches: “They seem to be getting worse, not better,” he said, adding that the patchwork of state and federal law isn’t working. It’s “ludicrous” to claim the Graham Leach Bliley Act is privacy protection: “It’s disclosure, not privacy.” Barton wants a bill on the House floor before the 109th Congress ends. He also wants to jumpstart the stalled Data Accountability & Trust Act (HR- 4127), introduced last Oct. and still not on the calendar for a floor vote. Barton said he had meetings on HR-4127 earlier in the day.

Congress created the “haphazard” regime, Ranking Member Schakowsky (D-Ill.) said: “We regulate by headline, or problem of the day, be it spam, spyware, pretexting for phone records or information brokers.” Lawmakers want to correct policy deficiencies, but are “pushed off the big question of establishing broad privacy principles for another day,” she said. Another factor is commercial interests’ kneejerk characterization of even minimal privacy protections as “too burdensome.” Because technology lets companies reach consumers easily to sell their wares and compile large databases of information, companies have a responsibility to protect consumers and private personal records, she said.

Consumers need to make informed decisions on personal data, and businesses need a legal and regulatory framework that stimulates innovation and success rather than hampering them, Stearns said. Congress should not discourage advances in technology that speed transactions, because it’s “a leadership edge that we cannot compromise.” But as IT and information sharing become more powerful, so does their ability to harm, Stearns said: Rigorous data security is essential to protect the progress being made.

“Something must be done to hold bad actors accountable,” eBay CEO Meg Whitman told the subcommittee. Just as with trade, privacy policy should be aligned with international allies’ rules, Whitman said, calling U.S. privacy legislation “the next logical step.”

Hewlett-Packard Chief Privacy Officer Scott Taylor said it’s “time for Congress to consider a unifying federal privacy law.” Today’s patchwork confuses customers and businesses, and state statutes often conflict, Taylor said. What’s needed is a “workable national standard,” he said: “We're not looking for Congress to dictate the terms or technologies. That would be counterproductive and self- defeating.” Companies like HP want a flexible benchmark that unifies divergent laws and regulations and “responds to the very real needs of anxious consumers.”

But personal data amassed by private firms produce value for consumers and markets, said Progress & Freedom Foundation Senior Vp-Research Thomas Lenard. Lawmakers should study the consequences of privacy and data security regulation to assure that the benefits justify the costs, he said, challenging claims that too much consumer information is being collected. “Markets work better with more information,” he said: “As the cost of information goes down, market participants obtain more of it and, consequently, make better decisions.”

Lenard ticked off benefits of data availability, such as targeted marketing, better estimates of consumer demand and smaller inventories. An abundance of consumer information can correct market failures caused by “asymmetric information,” he said. Some types of data security mandates cause unintended harm to consumers and markets, he said. Anxiety over breaches can lead to limits on information, perhaps disrupting the flow of data vital to market functioning, Lenard said. Spooked consumers may move transactions offline, which studies show can make them more vulnerable to ID theft, he said. Small firms that can’t afford compliance could suffer, Lenard said.

New Forum Will Study Consumer Privacy Policies

Piggybacking on the hearing, a coalition of industry and consumer groups formed the Consumer Privacy Legislative Forum (CPL Forum) to support comprehensive U.S. consumer privacy law. The forum, backed by Google, eBay, Intel, Microsoft and others, called for sweeping privacy protections. The forum wants a simplified, harmonized and flexible legal framework to allow free flow of information and commerce while protecting consumers from ID theft, fraud and intrusions into privacy.

The forum takes form amid data showing less consumer trust in the Internet, officials said. A May Cyber Security Industry Alliance report said 94% of respondents cited ID theft as a serious problem and only 24% felt businesses put proper emphasis on protecting data. “Increased use and access to information, often made possible through advances in technology, has greatly benefitted society through the exchange of ideas, enhanced economic productivity, and increased access to goods and services,” Ohio State U. law prof. and forum member Peter Swire said: “Unaddressed, a loss of trust has an adverse impact on economic growth and innovation.”

The right measure would address businesses transparently collecting consumers’ personal data with appropriate notice and would provide consumers meaningful choice on use and disclosure of their data, the forum said. An ideal bill would give consumers “reasonable access” to personal data they've provided and protect those records from misuse or unauthorized access, the forum said.

Besides circulating a petition for consumer privacy legislation, the forum is meting with key players and consumer groups, officials said. The forum hopes to foster a more informed congressional debate, leading to a law of benefit to industry and consumers.