Can the US Meet International Privacy Standards in an Era of Personal Health Records, Consumer Scores and Watch Lists?

UNSW's Cyberspace Law and Policy Centre Seminar
June 7, 2007

Robert Gellman
Privacy and Information Policy Consultant
Washington, DC
[email protected]
www.bobgellman.com

© Robert Gellman 2007


US Method of Privacy Regulation

• Federal laws

• State laws (especially California)

• Self-regulation (e.g., TRUSTe, BBBOnline)

• Common Law (privacy torts)

• No law (data brokers, marketers, merchants)


Selected Federal Laws

• Fair Credit Reporting Act

• Privacy Act of 1974

• Gramm-Leach-Bliley (banking)

• Health Insurance Portability and Accountability Act (HIPAA)

• Family Educational Rights and Privacy Act

• Driver’s Privacy Protection Act

• Children’s Online Privacy Protection Act

• More… (10-20 laws)

Coverage of US Privacy Laws

[Chart: coverage of US privacy laws plotted by records vs. recordkeepers]

Sectoral vs. Horror Story

• Official View: Regulate when necessary

• Another View: Pass privacy laws randomly, largely in response to horror stories

Major Shortcomings

• Gaps

• Inconsistencies

• Sectoral Borders

• Geographic Borders

Personal Health Records

• Can exist totally separately from regulated health records

• PHR record keepers not regulated

• Data obtained with consent of data subjects

• Only company policies apply, and they can be changed

• Completely open to commercial exploitation

Consumer Scoring

• Newly identified category of data

  – Passenger Screening

  – Credit Score

  – Insurance Score

  – Bankruptcy Score

  – ID Score

  – Consumption/Marketing Score

  – Health Score

• See WorldPrivacyForum.org for more

Barriers to Common Rules I

• Round up or round down?

  – Existing laws establish varying policies (bank records can be used for marketing; health records cannot)

  – Some records will necessarily receive a lower level of protection than today

  – Widely variable accountability measures

Barriers to Common Rules II

• Legislative Committee Jurisdictions

  – Banking Committee vs. Commerce Committee vs. other committees

  – Security breach legislation referred to many committees

  – Need strong political force to overcome entrenched jurisdictional rules

Barriers to Common Rules III

• Enforcement

  – Federal Trade Commission

  – State Attorneys General

  – Federal agency enforcement

  – Private right of action

  – Other approaches: ISPs enforce CAN-SPAM

Barriers to Common Rules IV

• Preemption

  – Allow stronger state laws?

  – Replace all state laws?

  – What to do with existing privacy torts (a wholly state activity)?

  – Cut off innovations at the state level?

Conclusion

• Microsoft proposal for an EU-style law

• No precedent for federal preemption in such a widespread area

• Would require major public or Presidential support

• Some consensus, but not on enforcement

• How to stop a “Privacy Prevention Act”