| ProfessorMiller: | Welcome. This is Arthur Miller with you for the third of our realtime dialogues. |
| We apologize for the delay, but we have been victimized by a crashing server, and we will do the best we can with the time remaining. | |
| This week, we discuss the transborder flows of data and nations' attempts to control them. | |
| We are joined by Peter Swire, Professor of Law at Ohio State University College of Law. | |
| Professor Swire has written widely on international privacy issues, and has recently been appointed privacy advisor to the US government. | |
| We want you to be free to direct comments and questions to Professor Swire. | |
| Let me start our session by asking him some absolutely basic questions. | |
| Remember, feel free to jump in. | |
| ProfessorSwire: | Fire away. |
| ProfessorMiller: | Peter, the European Union has promulgated a privacy directive. |
| What is the essence of that, and how will it affect us here in the US? | |
| ProfessorSwire: | The Directive entered into effect in October. |
| It covers all processing of personal information within the E.U. | |
| The big issue for many of us is that it also covers transfers of data out of Europe. | |
| Only nations with "adequate" protection are permitted, in general, to receive data. | |
| And there has been a big diplomatic debate about the legal basis of transfer to the U.S. | |
| Should I describe the basic privacy rules within Europe first? | |
| You can treat it a bit like Miranda rights. | |
| ProfessorMiller: | Yes, and try to indicate in what ways US privacy rules would not qualify as "adequate" under the EU Directive |
| ProfessorSwire: | You have the right to notice about processing of data about you. |
| You have the right for there NOT to be processing beyond the notice. | |
| You have the right to access your data, and correct mistakes. | |
| You have the right to opt out of transfers to third parties for marketing. | |
| Finally, you have the right to a national privacy agency to enforce all this. | |
| The issues on adequacy are that the U.S. has no privacy agency on the European model. | |
| We also generally do not have an overarching system of laws to protect all these rights. | |
| So, as a first cut, some Europeans have looked at our laws and said there are not enough of them. | |
| Perhaps that gives enough as a starting point for the next question. | |
| . | |
| ProfessorMiller: | Many of these, Peter, seem to fall within privacy principles enunciated by some private organizations, and arguably, a few of them are satisfied by certain statutes such as the Fair Credit Reporting Act, which permits confrontation and correction. But am I right in saying that the US qualifies for a big fat F on most of the rest? |
| ProfessorSwire: | I wouldn't say that, especially as a government official. |
| The practices are often much more similar than the laws on the books. | |
| ProfessorMiller: | I was appealing to your academic side! |
| ProfessorSwire: | Sorry, but these days when I type I can't just have an academic side! |
| ProfessorMiller: | What enforcement mechanisms does the EU Directive provide? |
| ProfessorSwire: | It varies by country. |
| There have been few real lawsuits in Europe. | |
| Some countries require registration of databses, and use this process as a way to put pressure on compaies | |
| Much of the pressure is moral suasion. | |
| Not so different at all from the U.S. moral suasion froim this Administration. | |
| ProfessorMiller: | Anyone out there who has questions about the EU Directive, feel free to type /ask and then your question |
| I gather the "diplomatic" negotiations are continuing. Any sense of how things are likely to work out? | |
| ProfessorSwire: | I can point out, on the academic/government point, that I am making the same observations as in the book that Litan and I wrote last year. |
| In answer, I can give a sense of the safe harbor talks. | |
| ProfessorMiller: | go ahead |
| ProfessorSwire: | The Euoprean Commission and the U.S. are in talks now. |
| The goal is to have an agreement by this June. | |
| The idea is a "safe harbor" that would allow flows to the U.S. | |
| hendrick asks: | since it is a directive it will have to implemented in member states national jurisdiction first, isn't that right? |
| ProfessorSwire: | If a company takes the safe harbor pledge, then it can transfer data from E.U. to U.S. |
| On implementation, about half the member states have adopted legislation. | |
| The other half are still working on their laws. | |
| ProfessorMiller: | Peter, some of our people are asking about what you mean by "safe harbor" |
| ProfessorSwire: | Safe harbor would mean that companies that are in it can transfer info freely to the U.S. |
| There would no longer be a dispute about "adequate" protection. | |
| The safe harbor pledge would meet adequacy. | |
| Dennis asks: | Prof Swire, isn't the safe harbor proposal a bit weak by Euro standards? It lacks enforcement. |
| ProfessorSwire: | If a company does not take the pledge, then it is at risk to have its data transfers blocked. |
| To Dennis, I don't agree that it is weak. | |
| Enforcement would happen in many ways. | |
| ProfessorMiller: | To Dennis, why do you think it is weak? |
| ProfessorSwire: | One way is Federal Trade Commission enforcement. |
| Another is through specialized agencies, such as banking agencies. | |
| Also, any company that broke the pledge would be liable on that basis. | |
| The main achievement is to widen the area of "adequate" protection so that the U.S. is included for sure if the company has signed on. | |
| Dennis asks: | Did the recent resignation of the entire Commission affect the negotiations? |
| ProfessorSwire: | That's a good question. |
| Fortunately, the Directive is specifically implementable by the current civil servants. | |
| There is a special "Article 31" committee that can approve the safe harbor approach. | |
| conan_lib asks: | Is there a way for a European citizen to waive their rights under the Directive? |
| ProfessorSwire: | Conan: consent will do a great many things. |
| European and American law, though, requires that the consent be real. | |
| That is why notice is so important. | |
| On a web policy, for instance, there should be notice of how data is used. | |
| That way, individuals can choose whether to participate at the site. | |
| In a few cases, European law does not allow consent. | |
| For instance, employees are not always seen as being able to consent to the wishes of their employers | |
| But consumers, with good notice, generally have choice of whether to act. | |
| aldon asks: | I am not sure I understand this directive. If I am an Internet User in a E.U. country and I attempt to go to a site in a non-complying nation that asks for me to enter private information (i.e. transfer private data), are the countries going to block me from entering that? And if, how? |
| ProfessorSwire: | The safe harbor is likely to say that jurisdiction is not affected by the agreement. |
| Some european countries take a very broad view of web jurisdiction. | |
| if a french citizen goes to a u.s. site, the french likely will claim jurisdiction. | |
| the u.s. company, if it exists only in the u.s., would likely dispute that. | |
| if it is a big multinational company, though, it may have business operations in france. | |
| then, it is likely well within the jurisdiction of france, with assets there, too. | |
| One article on my web site talks about jurisdiction and choice of law for the Directive. | |
| ProfessorMiller: | But what if the french citizen goes to a us site that is completely passive? |
| ProfessorSwire: | U.S. law likely says that there is no jurisdiction. |
| The french would likely differ. | |
| My discussion of this is at www.osu.edu/units/law/swire.htm | |
| ProfessorMiller: | does any of this suggest that the only way to get harmonization between the EU and the US is through treaty? |
| ProfessorSwire: | well, the safe harbor is not a formal treaty |
| but it is an international understanding | |
| local law remains, however, very powerful | |
| enforcement is likely to differ by country | |
| another route to harmonization is technology | |
| that's why there is so much interest in P3P and other technology standards | |
| The European regulators wrote a paper expressing concern about P3P. | |
| ProfessorMiller: | how can one of these technologies harmonize European and American interests (wendy asks)? |
| ProfessorSwire: | In theory, P3P can be expanded so that it allows a web site to ask all the questions |
| relevant to the directive | |
| that way, a french consumer could put in french requirements | |
| only a web site that fit those requirements could do business with the customer | |
| By contrast, a different country or different consumer could use other settings under P3P. | |
| The current protocol is not set up for all that, however. | |
| wseltzer: | but wouldn't French consumers be able to override the French preferences? (wendy) |
| ProfessorSwire: | Depends. |
| The French could pass a law forbidding such overrides. | |
| They could authorize midnight searches of everyone's computers. | |
| That's not likely, but it reminds us of the power of local sovereigns | |
| More realistically, they could pressure Microsoft or Compaq to include the defaults for French P3P in every computer | |
| One locus of regulation is in what Larry Lessig calls "code." | |
| wseltzer: | We've been talking about the difference between legal and technical regulations. Do you have a sense of which is more effective? |
| ProfessorSwire: | Each has work-arounds |
| For big organizations, it is risky to flaunt the law. | |
| They are too big and too public to wish to get caught. | |
| anabhan asks: | What would prevent companies from engaging in "rule arbitrage"? |
| anabhan asks: | They could simply move their operations to less privacy-conscious jurisdictions. |
| ProfessorSwire: | Greetings, again. |
| We were talking about technology and law | |
| ProfessorMiller: | Sorry about the delay. We had another server difficulty |
| What's to prevent a non-US and non-EU country from conducting a race to the bottom in terms of privacy? | |
| ProfessorSwire: | quality of data |
| It's important to look at who is likely to cause harm | |
| For porn or gambling, an offshore site works just fine | |
| For privacy, the key is to have LOTS of current data | |
| Closer to the source is better | |
| Not geographically closer, but closer in terms of tightly-linked and authenticated ata | |
| data | |
| A big bank in the U.S. is likely to have wonderful customer records | |
| How does the offshore privacy broker get data of that quantity and quality? | |
| There are exceptions, though. | |
| One company has downloaded the public records from Texas, and sells the data from Anguilla, in the Caribbean. | |
| There is a Texas law that forbids such sales. | |
| But Vince Cate never goes to Texas to get caught. | |
| One solution -- don't make the information so available within Texas. | |
| That issue of public records is one that we will be workin on in the Administration. | |
| Along the same lines, | |
| the hypothetical for this week had harms from rock and sex and gambling. | |
| ProfessorMiller: | Aha. Do you mean to suggest that you are going to tell the Texas media that they cannot get access to public records in Texas, or that the plaintiff's bar cannot get access to public records in Texas? |
| Or that mass marketers can't get access to them? | |
| ProfessorSwire: | These are the questions going forward on public records. |
| Once they are out, it it constitutionally and practically difficult to prevent resale. | |
| ProfessorMiller: | Put another way, can you say, "The public can get access, but the people in Anguilla cannot?" |
| ProfessorSwire: | The public record companies are hiring great first amendment lawyers on this topic. |
| ProfessorMiller: | Are you against a full employment policy for lawyers? |
| ProfessorSwire: | There is a Supreme Court case from Florida saying that it is very , very hard to stop the press reporting? |
| ProfessorMiller: | just a little joke |
| ProfessorSwire: | Hey, I teach lawyers, too! They're terrific. |
| As for offshore privacy, the question is how the brokers will get the data. | |
| rewell asks: | if you make the information more hard to obtain, that defeats so much of the good points of the internet |
| ProfessorSwire: | WHICH information? |
| Every purchase you made this week? | |
| The transcript of your session with a psychiatrist? | |
| My way to say it is that the internet makes possible many wonderful data flows. | |
| We also will limit some flows. | |
| E.g., limits on copyright violation. | |
| Limits on security breaches -- passwords, trade secrets, etc. | |
| And limits on privacy invasion. | |
| The trick is to encourage the wonderful flows | |
| And limit the ones we, as a thoughtful society, don't want. | |
| ProfessorMiller: | I agree with you completely, but worry about how we can get consensus on what is "wonderful flows" and what is a "privacy invasion." |
| ProfessorSwire: | OK, but first realize that there are important issues about WHICH flows. |
| Avoid the "free flows are all beautiful" extreme, or the "every flow is dangerous" extreme. | |
| In another recent paper, I talk about this for financial transaction records | |
| The paper is called "Financial privacy and the theory of high-tech government surveillance" | |
| It's on my web site | |
| I lay out a series of advantages from government knowledge of your purchases. | |
| Then the disadvantages. | |
| As a society, we have political and legal and cultural debates about where the limits on flows should be | |
| esexton asks: | It seems we need to strike a balance between making records available to those people who need them/have a right to them and who might like the ease of accessing their records via computer, while simultaneously trying to keep these records out of the hands of the offshoreman who would use them for nefarious purposes. |
| ProfessorSwire: | Yes, balance is the key word |
| anabhan asks: | I would imagine that your definition of a "wonderful flow" depends on who you are. The Direct Mail Association thinks a lot of their members' social function - and many consumers don't. |
| ProfessorSwire: | Politics is the art of trying to resolve these questions in a legitimate way. |
| ProfessorMiller: | Now you really are starting to sound like a government official!!!!! |
| ProfessorSwire: | Yeah, yeah. |
| But the point of my job is to help create a better process for looking at these issues. | |
| Even if I sound like a self-justifying government official, I also believe that. | |
| ProfessorMiller: | Seriously, Peter, what is the prospect for any form of a consensus between west Europe and the US on what types of information truly are private? |
| ProfessorSwire: | There is more overlap than many people realize. |
| On access to data, there is great practical overlap. | |
| Access problems are greatest for credit histories, social security, and immigration records | |
| European countries agree with that. | |
| Interestingly enough, the U.S. has strong access laws for these main areas of potential problem. | |
| (of course, folks, your Professor Miller led the fight on credit histories a while back) | |
| Similarly on enforcement. | |
| The actual mechanism for much progress is moral suasion. | |
| Courts have been a last resort in Europe, and the FTC is beginning to create a record here of actual enforcement in a legal setting. | |
| ProfessorMiller: | What is the view in the EU countries about medical records? |
| ProfessorSwire: | They think they are sensitive. |
| So do we. | |
| The Administration has a major proposal on medical privacy. | |
| ProfessorMiller: | now what happens when you throw countries like China into the equation? |
| ProfessorSwire: | On most of the key issues, the Administration and privacy advocates are on the same side in medical records. |
| China? | |
| ProfessorMiller: | yes, China |
| pick whichever one you want | |
| ProfessorSwire: | Well, not any noticeable history of data protection laws there. |
| Hong Kong has a law and an official agency, but the rest of the country does not. | |
| China will face the question of whether it can receive data from Europe consistent with the Directive. | |
| ProfessorMiller: | Or what about countries that have strong religious views and wish to create absolute shields against data movements from or to west Europe? or the US? |
| ProfessorSwire: | Again, I think that privacy will not be the key battleground. |
| Sex and gambling and commerce are probably bigger issues with these countries than data protection. | |
| For third world countries, there are few privacy laws. | |
| ProfessorMiller: | What do they know that we don't? |
| ProfessorSwire: | I think they are facing other issues first. |
| They hardly have internet connections. | |
| The threat of internet information flows is minor for them. | |
| ProfessorMiller: | If you had your druthers, do you think moral suasion is enough? do we need some more legislation in this country? Should we be thinking about international treaties? |
| ProfessorSwire: | More medical laws, yes. |
| Serious consideration for stricter bank privacy laws. | |
| For the Internet, the U.S. web sites are likely progressing faster with the threat of regulation | |
| Than are the European web sites, where there is actual regulation | |
| Schwartz and Reidenberg recently documented the lack of web policies on German major internet sites | |
| It shows that law does not assure compliance. | |
| ProfessorMiller: | That is sort of ironic since the idea of a privacy ombudsman had its birth in one of the German states. |
| ProfessorSwire: | Moral suasion all by itself does not last through the ups and downs of an issue cycle. |
| I wrote another article on "markets, self-regulation, and legal rules in the protection of personal information" | |
| Choosing institutions is largely empirical. | |
| Sometimes one approach or another is most promising. | |
| The Administration has said for the Internet: | |
| Work hard on self-regulation. | |
| Or else laws will likely follow. | |
| The FTC will soon release a study on how the web sites are doing. | |
| People in Washington are watching closely to see whether industry has made significant progress. | |
| The FTC might conclude that more laws are needed sooner rather than later. | |
| ProfessorMiller: | don't you think it will be an uneven picture that will emerge? |
| ProfessorSwire: | Calls on Capitol Hill are increasing, too, including from friends of hte internet. |
| "Uneven picture" -- yes. | |
| Big, trafficed sites will do much better than smaller sites. | |
| The political question will be % of sites or % or web traffic. | |
| The latter is better for self-regulation. | |
| One conceptual question is choosing whether privacy is a hard issue. | |
| Europeans say that the principles of fair information practices are consistent over time | |
| So they say we need consistent rules, too. | |
| Americans are more likely to be pragmatic. | |
| ProfessorMiller: | Just as an historical note, and an autobiographical one, when I participated in the First Privacy War many years ago, we were able to get some control over credit data, educational records, criminal records, and governmental data banks. When the Reagan administration came in, we were stopped dead in our tracks on carrying the war to private industry and medical records. These things have an ebb and flow to them. |
| ProfessorSwire: | To think that different rules fit different circumstances. You know, the case method. |
| The American political process is largely sectoral. | |
| Each committee in Congress has its own complex ecology. | |
| Passing an overarching bill, through multiple committees, would be institutionally extremely difficult. | |
| Well, it's about 7:30. | |
| Any last questions? | |
| ProfessorMiller: | Will Michigan get even against OSU next fall? |
| ProfessorSwire: | No way. |
| next. | |
| ProfessorMiller: | I hope you are a better privacy protector than a football prognosticator! |
| ProfessorSwire: | OK! Thank you for inviting me. It has been fun, and I hope helpful. |
| ProfessorMiller: | One last question: |
| ProfessorSwire: | Ok. |
| Dennis asks: | Prof Swire: What about modifying the ECPA to cover private industry in the same way as government? |
| ProfessorSwire: | Lots of ECPA applies the same, if I understand the question. |
| Unauthorized interception of e-mail gets punished when it is done by public or private sector. | |
| The harder question is storage. | |
| If the e-mail is on your employer's server, then the employer typically has the ability to see it without violating federal law. | |
| ProfessorMiller: | Truce! Let's both go home to dinner with the thanks of everybody up here for your enlightening comments. |
| ProfessorSwire: | Bye and thanks. |
| wseltzer: | And I want to add a thank you to everyone for putting up with the tribulations of our code! |
| Good night. | |
| Dennis asks: | Good night all! Fascinating discussion. |