1998 Congressional Hearings
Intelligence and Security

Before the
of the

Washington, D.C.
March 26, 1998

Mr. Chairman and members of the House Judiciary Committee, I am David Aaron, Under Secretary, International Trade Administration of the U.S. Department of Commerce. The Clinton Administration appreciates the opportunity to testify on our policies related to information privacy. As outlined in his Directive on Electronic Commerce, President Clinton instructed the Department of Commerce and the Office of Management and Budget to lead the Administration's privacy efforts and to encourage private industry and privacy advocacy groups to adopt effective self regulatory approaches to protect privacy on the Internet. As Under Secretary of ITA, I am deeply involved in many aspects of our electronic commerce initiatives, including privacy policy.

Americans treasure privacy, linking it to our concept of personal freedom and well-being. The Internet's great promise -- that it facilitates the collection, re-use, and instantaneous transmission of information -- can also, if not managed carefully, diminish personal privacy. It is essential, therefore, to assure personal privacy in the networked environment if people are to feel comfortable doing business.

At the same time, fundamental and cherished principles like the First Amendment protect the free flow of information. Commerce on the Internet will thrive only if the privacy rights of individuals are balanced with the benefits associated with the free flow of information.

The Clinton Administration has been aggressive about privacy protection in general and the Internet in particular. Apart from the Internet, for example, the Administration called for legislation to protect the privacy of medical records on genetic information. In addition, the Administration supported 1996 amendments to the Fair Credit Reporting Act that extend the coverage of the Act to hundreds of information providers and strengthen financial privacy. In the Telecommunications Act of 1996, the Administration supported new limits on the use of telephone subscriber information by telephone common carriers. Additionally, the Administration supported passage of the Drivers' Privacy Protection Act of 1994, which governs how states make motor vehicle and licensed driver information available.

Specific sectoral privacy statutes, such as those mentioned above, apply to information on the Internet. But because networked communication technology facilitates data collection and sharing, privacy concerns are heightened with regard to the Internet. I want to stress that existing applicable statutory protections and regulatory obligations apply to personally identifiable information on the Internet.

The Clinton Administration is concerned, however, that the nature of the Internet makes legislative and regulatory privacy protections less effective on-line. On the World Wide Web, new sites appear and others disappear at an astonishing rate. Congress could certainly pass a law mandating privacy protections on-line, for example, but enforcement of such a law, even if possible, might require enormous resources. We don't want to give Internet users a false sense of security based on an unenforceable law.

Therefore, the Clinton Administration has also been active with respect to the specific issues of protecting privacy on the Internet. In 1993, the Administration set up the Information Infrastructure Taskforce (IITF), a cabinet level group charged with articulating and implementing the Administration's program, to promote the development of the Information Superhighway; the group was chaired by the late Secretary of Commerce, Ron Brown. The Clinton Administration quickly realized that successful development of the information infrastructure would require enhanced privacy protections. Quite simply, while the infrastructure might get built, consumers will not use it until their personal data is adequately protected. Accordingly, in 1995, the IITF examined privacy in the electronic environment and issued Privacy Principles updated for the information age.

The Privacy Principles were developed with substantial input from industry and consumer groups. They provide a general framework from which more specific laws and guidelines could be written for particular sectors of the economy or to remedy particular abuses. The Principles explicitly call upon the private sector to develop detailed guidance responsive to particular needs of the individual sectors.

Similarly, when the Administration issued its policy statement on electronic commerce, A Framework for Global Electronic Commerce, it supported private sector efforts to implement meaningful, consumer-friendly, self-regulatory regimes based on the fair information practice principles. (These principles were contained in a report presented in 1973 to the then Department of Health, Education and Welfare, now the Department of Health and Human Services; adopted by the international community in the early 1980s in the form of the OECD's Guidelines for the Protection of Personal Data and Transborder Data Flows; and formed the basis for the Privacy Principles.) They include consumer awareness, choice, appropriate levels of security, and consumer access to their personally identifiable data.

Consumer awareness of information practices is essential to promoting on-line information privacy. Information about their rights and responsibilities in personal data enables consumers to make judgments about the levels of privacy available to them and to make meaningful choices about the use of their data. At a minimum, consumers must know the identity of the collector of their personal information, the intended uses of the information, and the means by which consumers may limit its disclosure. Accordingly, businesses must develop policies that articulate the manner in which they collect, use, disclose, and protect data, and the choices they offer consumers to exercise rights in their personal information. Notice of companies' information practices is a first principle in advancing privacy. Notification must be written in language that is clear and easily understood, and must be displayed prominently and in a manner that allows consumers to access it prior to relinquishing information to the company.

Consumers must be given the opportunity to exercise choice with respect to whether and how their personal information is used, either by businesses with whom they have direct contact or by third parties. Consumers must be provided with a simple, readily available, and affordable mechanism -- whether through technological means or otherwise -- to exercise this option. For certain kinds of information, e.g., information related to children, affirmative choice by consumers may be appropriate -- personal information may not be used by companies unless it is specifically released by the individual or his or her parent or guardian.

Security of information is critical if electronic commerce is to flourish. Companies creating, maintaining, using or disseminating records of identifiable personal information must take reasonable measures to assure their reliability for their intended uses and must take reasonable precautions to protect them from loss, misuse, alteration or destruction. Companies should also strive to assure that the level of protection extended by third parties to whom they transfer personal information is comparable to their own.

Consumers must have reasonable access to information about them that is held by businesses, and should have a right to request corrections and amendments of that information. Mechanisms must be in place to make it possible to exercise that right, although the extent of access may vary from industry to industry. Decisions about the level of appropriate access necessarily must take into account a number of factors, such as the nature of the information collected, the number of locations in which it is stored, the nature of the enterprise, the ways in which the information is to be used, and the cost of access.

Let me be clear: to be meaningful, self regulation must be more than an articulation of broad policies or guidelines. Effective self regulation must involve substantive rules, as well as the means to ensure that consumers know the rules, that companies comply with them, and that consumers have an appropriate means of redress for injuries resulting from noncompliance.

A self-regulatory regime to protect privacy must have some enforcement mechanism to assure compliance with the rules and appropriate redress to an injured party when rules are not followed. Such mechanisms are essential tools to enable consumers to exercise their rights in data, and must, therefore, be readily available and affordable. They may take several forms, and businesses may need to use more than one of these tools depending upon the nature of the enterprise and the kind of information the company collects and uses. But in the end, we think that enforcement mechanisms will provide at least three elements: consumer recourse, verification, and consequences.

1. Consumer recourse. Companies that collect and use personally identifiable information should offer consumers a mechanism by which their complaints can be resolved. Such mechanisms must be simple, readily available, and affordable.

2. Verification. Verification provides attestation that the assertions businesses make about their privacy practices are true, and that privacy practices have been implemented as represented. The nature and the extent of verification depends upon the kind of information with which a company deals -- companies using highly sensitive data may be held to a higher standard of verification.

3. Consequences. For self regulation to be effective, failure to comply with fair information practices must have consequences. Among these may be cancellation of the right to use a certifying seal or logo, posting the non-complier on a publicly available "bad-actors" list, or disqualification from membership in an industry trade association. Non-compliers could be required to pay the costs of determining their non-compliance. Ultimately, sanctions should be stiff enough to be meaningful, and swift enough to assure consumers that their concerns are addressed in a timely fashion. When companies make assertions that they are abiding by certain privacy practices and then fail to do so, they may be liable for fraud and subject to action by the Federal Trade Commission.

On July 1, the Commerce Department and OMB will report to the President on private sector implementation of effective self regulation for privacy, including codes of conduct, industry developed rules, technological solutions to protect privacy on the Internet, and means for ensuring the privacy of children online. We are looking for a commitment from industry to establish enforcement mechanisms to ensure that sector-specific self regulatory codes (1) are easy for consumers to recognize, (2) comport with fair information practices, (3) verify compliance through audits or other procedures, (4) provide prompt and efficient dispute resolution and recourse for consumers harmed by misuse of personal information, and (5) provide appropriate consequences (trade association disciplinary measure, revocation of seals, etc.) for those who violate privacy policies.

In anticipation of this report, the Department of Commerce will hold a privacy conference in May. This two-day DOC conference will bring together the private sector and consumer groups to work toward establishing enforcement mechanisms for privacy self regulation. The conference will serve several purposes. First, it will raise consumer awareness of privacy issues; second, it will allow companies to begin to present the status of their efforts toward self regulation; third, it will allow a full and fair discussion of the role that self regulation can play in online privacy protection; fourth, it will allow presentation and public discussion of enforcement mechanisms for self regulation; and fifth, it will set the stage for further evaluation of privacy protection technology.

The Department of Commerce will follow up the May conference by continuing the dialogue with industry and consumer groups in a variety of informal and perhaps more formal ways.

The Administration considers privacy protection critically important. We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation, but if effective privacy protection cannot be provided in this way, we will reevaluate this policy.

That concludes my comments on the issue of privacy. I will be happy to answer any questions.