OF JOHN T. SPOTILA
OFFICE OF INFORMATION AND REGULATORY AFFAIRS
OFFICE OF MANAGEMENT AND BUDGET
ECECUTIVE OFFICE OF THE PRESIDENT OF THE UNITED STATES
THE SUBCOMMITTEE ON GOVERNMENT MANAGEMENT
INFORMATION, AND TECHNOLOGY
COMMITTEE ON GOVERNMENT REFORM
UNITED STATES HOUSE OF REPRESENTATIVES
and members of the Committee, thank you for inviting me here to
present the Administration's views on H.R. 4049, the "Privacy Commission
Act." As Administrator of OMB's Office of Information and Regulatory
Affairs, I care deeply about the protection of privacy. In 1998,
throughout the Administration. OIRA already had policy responsibility
under the Privacy Act of 1974, which applies to federal government
systems of records. Now it plays a cental coordinating role for
Chief Counselor for Privacy, Peter Swire, to be the point person
in this coordination effort. Peter is with me here today.
and the Vice President are committed to the protection of individual
privacy. As President Clinton said on April 30, when announcing
his new financial privacy proposal: "From our earliest days, part
of what has made America unique has been our dedication to freedom,
and the clear understanding that real freedom requires a certain
space of personal privacy." Vice President Gore showed similar leadership
in 1998 when he called for an Electronic Bill of Rights, emphasizing
that we should all do our part to protect individual privacy, relying
on private sector leadership where possible, on legislation when
necessary, on responsible government handling of personal information,
and on an informed public.
the proposed findings for H.R. 4049, we find much common ground.
We agree that Americans are increasingly concerned about the security
and use of their personal information. We agree that the shift from
an industry-focused economy to an information-focused economy calls
for reassessing the way we balance personal privacy and information
use. As Administrator of OIRA, I work extensively on information
policy issues relating to computer security, privacy, information
collection, and our transition to the electronic delivery of government
services. In these and other areas, we are working hard to gain
the advantages that come from new technologies while guarding against
possible costs to privacy and security that can come from badly
crafted uses of those technologies.
In some areas,
we already know that we must act swiftly to protect privacy and
security. Indeed, the Administration's biggest concern with H.R.
4049 is the risk that some might use the Commission as a reason
to delay much-needed privacy legislation. We understand that supporters
of H.R. 4049 have emphasized that it should not be used as a reason
for delay. But we are also aware from public reports that those
who oppose privacy reform would prefer to have Congress study the
issue indefinitely rather than take action. In the Administration's
view, such delay would be unwise. We cannot afford to take a year
and a half off in protecting Americans' privacy. We believe that
action is needed now in the areas of financial privacy, medical
records privacy, and genetic discrimination.
specific aspects of H.R. 4049, it would be useful to review recent
federal privacy initiatives.
been extensive initiatives by the Federal government since 1993
to study and take appropriate action in the area of privacy protection.
Study of privacy was an integral part of the National Information
Infrastructure project, sometimes called the "information superhighway"
effort, with the issuance in 1995 by an inter-agency Privacy Working
Group of "Principles for Providing and Using Personal Information."
(See: Privacy Working Group of the Information Infrastructure Task
Force, www.iitf.nist.gov/ipc/ipc-pub.html.) This effort was led
by OIRA. With Administration support, Congress has passed privacy
legislation including the Drivers' Privacy Protection Act of 1994
(motor vehicle records), the Telecommunications Act of 1996 (authority
for the Customer Proprietary Network Information regulations), the
Health Insurance Portability and Accountability Act of 1996 (authority
for the currently proposed medical privacy regulations), the Children's
Online Privacy Protection Act of 1998 (children's online records),
the Identify Theft and Assumption Deterrence Act of 1998 (deterrence
of identity theft), and the Gramm-Leach-Bliley Act of 1999 (financial
In the online
world, the Administration has encouraged self-regulatory efforts
by industry. For especially sensitive information -- such as medical,
financial, and children's online records -- legal protections are
required. Recent activities have included:
- When children
go online, parents should give their consent before companies
gather personal information. Websites aimed at children must get
such consent under the Children's Online Privacy Protection Act
of 1998 and accompanying rules that went into effect in April
of this year.
- The Department
of Commerce, the Federal Trade Commission, the White House Electronic
Commerce Working Group, and other parts of the Federal government
have undertaken a wide array of studies, reports, workshops, and
other activities to address issues of online privacy. As one example,
a public workshop last fall challenged the industry to address
concerns about "online profiling," in which companies collect
data, in ways few people would suspect, about individuals surfing
- In the international
sphere, the Department of Commerce has taken the lead in creating
"safe harbor" principles for transfers of personal information
between the European Union and the United States. These principles,
to which the European Commission has now agreed, recognize the
appropriateness of effective self-regulatory regimes. In developing
the principles, the Department has sought public comment on four
- The President
signed the Identity Theft and Assumption Deterrence Act of 1998.
This March, the Department of the Treasury hosted an Identity
Theft Summit to assist in the prevention, detection, and remediation
of the significant problem of malicious misuse of another person's
personal information for fraudulent purposes.
- The Administration
continues to build privacy protections into its own activities.
Last year, for instance, all Federal agencies successfully posted
clear privacy policies on their websites. Programs are now underway
to strengthen Government computer security to provide new privacy
safeguards for personal information held by the Government. The
new Privacy Subcommittee of the Chief Information Officers Council
is undertaking initiatives to ensure that privacy is effectively
built into government information technology systems.
financial privacy intensively in the course of its financial modernization
debate last year. As the President pointed out when signing the
law, the modernization law took significant steps to protect the
privacy of financial transactions, but did not go far enough. The
President asked OMB, the Department of Treasury, and the National
Economic Council to craft a legislative proposal to close loopholes
under existing law. On April 30, he announced his plan to protect
consumers' financial privacy. This plan would include:
choice: Giving consumers the right to choose whether a firm
can share consumer financial information with third parties or
protection for especially sensitive information: Requiring
that a consumer give affirmative consent before a firm can gain
access to medical information within the financial conglomerate,
or share detailed information about a consumer's personal spending
and correction: Giving consumers a new right to review their
information and correct material errors.
enforcement: Providing effective enforcement tools for financial
institutions subject to Federal Trade Commission enforcement of
shop on privacy policies: Giving consumers privacy notices
upon application or request so they know how information is protected
before a customer relationship is established.
were introduced in the House as H.R. 4380, attracting immediate
and substantial support in both the House and the Senate. As Secretary
of the Treasury Lawrence Summers emphasized on March 7, "It's time
to start now."
been a longstanding appreciation in the United States that individual
medical records include especially sensitive information. Disclosing
medical data can reveal what is happening inside a person's body,
such as a report that a person is HIV positive, or inside a person's
mind, such as the transcript of a session with a psychotherapist.
The Federal government has recognized these concerns at least since
1973, when the Department of Health, Education, and Welfare first
announced the basic fair information practices that underlie privacy
the need for legal protection of medical records when it passed
the Health Insurance Portability and Accountability Act of 1996
(HIPAA). After extensive discussions with stakeholders and as required
by HIPAA, the Secretary of Health and Human Services issued her
recommendations for health privacy legislation in September 1997.
Congress was unable to meet the HIPAA deadline for enacting comprehensive
privacy legislation by August 21, 1999. Accordingly, the President
and Secretary Shalala announced proposed privacy regulations on
October 29 of last year. It was HHS's goal to make the regulation
process open to those who wanted to communicate their concerns in
person. HHS met with many individuals and organizations to hear
their concerns and clarify provisions of the proposed rule. HHS
received over 53,000 submissions of comments by the February 17,
2000, deadline. HHS is now considering those comments, and the regulations
will become final this year.
medical privacy regulations will become final this year, there is
a pressing need for further Congressional action. As HHS Assistant
Secretary Margaret Hamburg testified in February of this year: "Health
information privacy is a top priority for the Department and the
Administration, and we continue to believe that legislation is the
only way to achieve the goal." President Clinton explained some
of the reasons for legislation when he proposed the privacy regulations
last October. The Administration is especially concerned that the
enforcement powers under current law are not as effective as they
should be. We recommend federal legislation that would allow punishment
of those who misuse personal health information and redress for
people who are harmed by its misuse. Administration officials have
testified often on what should be included in medical privacy legislation,
and we urge that there be no delay on this subject.
8, President Clinton signed an executive order that prohibits every
federal department and agency from using genetic information in
any hiring or promotion action. This order ensures that critical
health information from genetic tests not be used against federal
employees. The President has also endorsed the Genetic Nondiscrimination
in Health Insurance and Employment Act of 1999, introduced by Senator
Daschle and Congresswoman Slaughter, which would extend these protections
to the private sector and to individuals purchasing health insurance.
As with financial and medical privacy, legislation is before the
Congress to address especially sensitive personal data -- genetic
information on individuals. The time to act on each of these issues
* * *
Let me turn
now to the specifics of H.R. 4049.
Scope and Structure of the Proposed Commission
earlier, the Administration has significant concerns that the Study
Commission might be used by some as an excuse for delaying needed
activity in privacy protection. These concerns are especially acute
for topics such as medical, financial, and genetic information where
good legislative proposals are before the Congress now. There has
already been extensive discussion of these proposals within the
Congress and among the stakeholders. Further study of these topics
by the Commission would duplicate the public examination that has
already taken place, without adding real value. The proposed medical
privacy rules that become final this year will be the result of
a multi-year process that generated over 53,000 public comments,
many in extensive detail. These comments show a need for further
action, not further study.
that the Congress needs to make its own judgments on these matters,
and we defer to it in its assessment of what it needs to inform
those judgments. It seems sensible, however, to adopt a focused
approach to exploring these topics. Ideally, any further study efforts
should be done within a short time frame and would build on, not
duplicate, existing studies.
If there were
to be a Commission, contrary to our recommendation, we should ensure
that it focuses its efforts in an effective way. Again, we are concerned
about potential delay. Casting too broad a net would delay the work
of any new Commission, with uncertain results. We note, for example,
that the treatment of data collected on-line has been the subject
of extensive hearings in Congress, as well as public workshops,
public comments, studies, and reports by the Department of Commerce
and the White House Electronic Commerce Working Group. The Federal
Trade Commission is about to issue a major report. We recognize
that this is a complicated area that requires careful evaluation
and an understanding of new technology. It is not clear, however,
that a Commission lasting 18 months will give decisionmakers the
help they need.
than have a Commission pursuing a very broad set of topics, it might
be more productive to have technology and policy experts address
specific, emerging issues that have not yet benefitted from much
attention. One targeted way to study such privacy issues might be
to enlist the expertise of the National Academy of Sciences/National
Research Council or other appropriate bodies. The NAS/NRC has extensive
experience in creating blue-ribbon groups with the expertise to
provide insight into difficult policy problems. In the privacy area,
the NAS/NRC has already produced studies such as "Cryptography's
Role in Securing the Information Society" (1996) and "For the Record:
Protecting Electronic Health Information" (1997). Perhaps we should
call on it again.
Computer Science and Telecommunications Board is currently exploring
funding for a study on "Authentication Technologies and Their Privacy
Implications." The problem identified for this study arises from
the need to identify people in a trustworthy way-that is, to authenticate
people-in order to facilitate business and other activities over
the Internet. Many of the possible ways to identify people have
privacy implications since they involve individuals turning over
a good deal of personal information -- from a mother's maiden name
to credit card numbers or other information that could put an individual
at risk if revealed to unauthorized persons. As technology develops,
our society needs to understand how to make authentication work
in a way consistent with preserving privacy.
study topic, which similarly does not require a Commission, could
be biometrics and privacy. "Biometrics" refer to fingerprints, iris
scans, and other physical indicators of identity. Since many companies
are now exploring the commercial deployment of biometric technology,
now is a good time to assess the public policy of biometrics and
privacy. If deployed carefully, biometrics could protect privacy
by placing less reliance on sending credit card numbers or other
sensitive information over the Internet. If deployed badly, however,
biometric technology could create new privacy risks, such as if
biometrics were used to record each room an employee enters while
on the job. A study of this subject, taking proper account of new
technological developments, could increase the likelihood that biometric
systems will be more sensitive to privacy concerns as they become
For all these
reasons, we believe there are sound alternatives to a Privacy Commission.
If, nonetheless, legislation creating such a Commission moves forward,
then we have specific concerns about certain provisions in H.R.
4049. For instance, as with other commissions on many important
national issues, the President should have a greater role in appointing
Commission members. In addition, the current section 7(c) is objectionable
because it could be interpreted as requiring Executive Branch agencies
to turn over confidential or classified information to the proposed
Commission. The text could read that agencies "may," rather than
"shall" furnish that information.
As I emphasized
earlier, we share with the Congress a very strong interest in protecting
privacy and look forward to working with you to find suitable new
ways to improve that protection. We understand the good intentions
motivating the Congressional sponsors of H.R. 4049. Despite our
reservations about the specifics of this bill, we welcome the commitment
to privacy protection that they seek to demonstrate.
and Members of the Committee, thank you once again for the invitation
to discuss these issues.