Can the US Meet International Privacy Standards in an Era of Personal Health
Records, Consumer Scores and Watch Lists?
UNSW's Cyberspace Law and Policy Centre Seminar
June 7, 2007
Robert Gellman
Privacy and Information Policy Consultant
Washington, DC [email protected]
www.bobgellman.com
© Robert Gellman 2007
US Method of Privacy Regulation
• Federal laws
• State laws (especially California)
• Self regulation (e.g., TrustE, BBBOnline)
• Common Law (privacy torts)
• No law (data brokers, marketers, merchants)
Selected Federal Laws
• Fair Credit Reporting Act
• Privacy Act of 1974
• Gramm-Leach-Bliley (banking)
• Health Insurance Portability and Accountability Act (HIPAA)
• Family Educational Rights and Privacy Act
• Driver’s Privacy Protection Act
• Children’s Online Privacy Protection Act
• More… (10-20 laws in total)
Coverage of US Privacy Laws
(Diagram: Records vs. Recordkeepers)
Sectoral vs. Horror Story
• Official View: Regulate when necessary
• Another View: Pass privacy laws randomly, largely in response to horror stories
Major Shortcomings
• Gaps
• Inconsistencies
• Sectoral Borders
• Geographic Borders
Personal Health Records
• Can exist totally separately from regulated health records
• PHR record keepers not regulated
• Data obtained with consent of data subjects
• Only company policies apply, and they can be changed
• Completely open to commercial exploitation
Consumer Scoring
• Newly identified category of data
– Passenger Screening
– Credit Score
– Insurance Score
– Bankruptcy Score
– ID Score
– Consumption/Marketing Score
– Health Score
• See WorldPrivacyForum.org for more
Barriers to Common Rules I
• Round up or round down?
– Existing laws establish varying policies (bank records can be used for marketing; health records cannot)
– Some records will necessarily receive a lower level of protection than today
– Widely variable accountability measures
Barriers to Common Rules II
• Legislative Committee Jurisdictions
– Banking Committee vs. Commerce Committee vs. other committees
– Security breach legislation referred to many committees
– Need strong political force to overcome entrenched jurisdictional rules
Barriers to Common Rules III
• Enforcement
– Federal Trade Commission
– State Attorneys General
– Federal agency enforcement
– Private right of action
– Other approaches: ISPs enforce CAN-SPAM
Barriers to Common Rules IV
• Preemption
– Allow stronger state laws?
– Replace all state laws?
– What to do with existing privacy torts (a wholly state activity)?
– Cut off innovations at the state level?
Conclusion
• Microsoft proposal for EU style law
• No precedent for federal preemption in such a widespread area
• Would require major public or Presidential support
• Some consensus, but not on enforcement
• How to stop a “Privacy Prevention Act”