Protecting consumer privacy online was teed up as a top action item for this Congress, but the initiative was thwarted by the more imminent matter of homeland security and by some thorny partisan disputes. Now, proponents of the measure are preparing to re-introduce it early next year and spur quick action before too many state and local governments pass conflicting privacy mandates.
By and large, industry backs the Consumer Privacy Protection Act of 2002, as it imposes few, if any, costs and provides broad liability protections. While many companies would prefer no legislation at all, the measure is far preferable to a companion bill in the Senate, which requires different privacy protections for sensitive and non-sensitive data as well as for online and offline data.
At a hearing before the House commerce subcommittee, industry representatives testified widely in favor of the bill. Paul Misener, vice president for global public policy at Amazon.com, said that most companies already have in place the kinds of privacy precautions required by the measure. Rebecca Whitener, director of privacy services at Electronic Data Systems Corp., said that the provisions reflect the cost of doing business.
The sticking point for lawmakers is the degree to which companies should be shielded from lawsuits for violating new privacy mandates. The House bill would prohibit private rights of action and preempt state and local laws, which can impose higher standards of consumer protection. The subcommittee chairman, Rep. Cliff Stearns, R-Fla., said that the political nature of the debate will demand compromise if the bill is ever to be passed.
Consumer and privacy advocates remain concerned that the legislation does not go far enough to protect fundamental rights, particularly regarding government access to private data. Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C., told the subcommittee that the bill favors industry over consumers, appears to shield privacy violators from legal accountability, and does not hold companies responsible for the accuracy of the data they collect, maintain or sell. Before the bill is brought to a vote, Rotenberg said, it should include language that establishes a standard for giving law enforcement access to private data.
Additionally, there are concerns that the legislation may upset the Europeans, who have taken a different approach to privacy protection. A 1998 European Commission Directive on Data Protection forbids transferring personal data to non-European Union nations that do not meet Europe's "adequacy" standard for privacy. To avoid prosecution under the directive, U.S. companies can sign a "safe harbor agreement." The pending bill requires a review of this and other international agreements to determine whether they are discriminatory toward U.S. companies.
Some in industry are apprehensive about how the Europeans might respond to the provision. "It kind of puts down the gauntlet and says, if we can't get harmonization then we're going to stop enforcing the safe harbor agreement," Philip Servidea, vice president of government affairs at NCR Corp., told lawmakers. For most American companies, the safe harbor agreement is a workable option, he said, adding that 243 companies have signed the agreement so far.
(Editor's note: This story has been edited since its original posting to correct a mistake in the name of the House commerce subcommittee chairman.)