Introduction

Privacy is the number one issue facing every entity and individual currently involved with or using information technologies. Whether it is an individual consumer, e-business, government agency or legislator, when it comes to the use of the Internet and related computer technology, everyone is to some degree concerned about their own and other parties' "privacy" rights. As a general matter, almost everyone would agree that "privacy" is an important principle worthy of certain practical, if not legal, protections. Given the speed and ease with which modern information technologies can aggregate, analyze and disseminate all or portions of "personal information," many have come to fear the "digital age" and what it means to their personal lives. Therefore, in the name of "privacy" they seek to limit or prohibit the collection and/or use of such information. However, upon close examination it becomes clear that "privacy" in the digital world does not mean the same thing to everyone. The precise meaning of "privacy" and the steps needed to protect it can vary greatly from circumstance to circumstance. For instance, the information and relationships involved in the health care field on one hand and consumer e-commerce on the other differ significantly, and therefore the meaning of "privacy" and the measures that should be taken to protect it are quite different.

Understanding these types of differences is critically important for software developers, system integrators, their customers and the industry watchdogs and governmental regulators seeking to ensure the "privacy" of targeted parties. These key players will not be in a position to properly design, implement, use or regulate information technology systems without a full appreciation for the distinctions arising in different market sectors.

The purpose of this paper is to identify certain general "privacy themes" appearing in major market sectors and highlight the differences and the need for tailored legal and practical protections. Given the great variety of personal "privacy" expectations and the competing legal interests at issue, it is clear there is no one consistent theme and no one appropriate solution. In the end, the only consistent "privacy principle" might be the overarching need for a thorough evaluation and understanding of the computer systems to be used and the information handled in each market setting in order to tailor legitimate "privacy" protections for the system's users. This principle should be applied to the practical, technical side of the equation as well as the legal or policy side.

Privacy: A Variety Of Meanings

Webster's New World Dictionary defines "privacy" as "the condition of being private" or "secrecy." It goes on to define "private" as "removed from public view;" "secluded."

As this definition makes clear, the context will drive the proper meaning of the word "privacy" and the relative expectations of the parties involved in a particular transaction. What is "secret" or "secluded from public view" can vary depending upon how the information is to be exchanged, stored, repurposed, analyzed and/or further disseminated by use of computer technologies. The scope of the term "public" may also vary significantly depending on who is speaking. Having information "secluded" begs the question "from whom?" Is information stored and disseminated through a computer network with five hundred users within one company "secluded from public view?" How about five users spread across a wide area network or secure extranet shared by three companies? What if the information is not directly linked to an immediately identifiable individual? What if the individual has granted permission for the five users to access and review the information, but the companies' network is not secure and any one of hundreds of users could get the information with a little effort? Without sensitivity to such variables, "privacy" advocates will likely miss their intended target. Moreover, technology service providers and their users will likely fail to properly allocate and manage their risks during the contracting phase.

Security Does Not Ensure Privacy

It is important to understand that computer network security is not the same as, and does not ensure, the "privacy" of sensitive information stored or communicated within that particular network. While a firewall or "secure socket layer" may protect electronically stored or transmitted information from misappropriation or interception by an unintended third party, it does not address the ultimate use of the information by the information-based service providers operating the network and their affiliates. Many individuals sit behind a firewall, and many may have access to the system and the stored information. Privacy policies need to consider such realities.
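The following Python program is an added illustration of the point above and of the "data filtering" measure the paper mentions later; it is not code from the paper or from any product it discusses. A perimeter check admits everyone inside a hypothetical internal network (10.0.0.0/8), which is what a firewall does; a separate purpose-based release policy then decides which fields of a constructed patient record each declared purpose may actually receive and records the decision in an audit trail. The record, network range, purposes and field lists are all assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample record; no real person is described.
PATIENT_RECORD: Dict[str, str] = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "home_phone": "555-0100",
    "diagnosis": "hypertension",
    "zip3": "021",
    "age_band": "40-49",
}

# Hypothetical internal network; the perimeter admits any source inside it.
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical purpose-based policy: the fields each declared purpose may receive.
# Treatment sees the whole record, billing sees only identity fields, outcomes
# research sees only de-identified fields, and marketing receives nothing.
ALL_FIELDS: Set[str] = set(PATIENT_RECORD)
PURPOSE_POLICY: Dict[str, Set[str]] = {
    "treatment": ALL_FIELDS,
    "billing": {"patient_id", "name"},
    "outcomes_research": {"diagnosis", "zip3", "age_band"},
    "marketing": set(),
}

# In-memory audit trail of (source, purpose, outcome); a real system would persist it.
AUDIT_LOG: List[Tuple[str, str, str]] = []


def perimeter_allows(source_ip: str) -> bool:
    """Network-level check only: is the caller inside the protected network?"""
    return ipaddress.ip_address(source_ip) in INTERNAL_NETWORK


def fetch(record: Dict[str, str], source_ip: str, purpose: str) -> Dict[str, str]:
    """Release only the fields the declared purpose is entitled to.

    Passing the perimeter is necessary but not sufficient: an insider with no
    legitimate purpose gets nothing, and research gets a filtered view.
    """
    if not perimeter_allows(source_ip):
        AUDIT_LOG.append((source_ip, purpose, "denied: outside network"))
        raise PermissionError("caller is outside the protected network")
    allowed = PURPOSE_POLICY.get(purpose)
    if not allowed:
        AUDIT_LOG.append((source_ip, purpose, "denied: no permitted fields"))
        raise PermissionError(f"purpose {purpose!r} may not receive this record")
    released = {key: value for key, value in record.items() if key in allowed}
    AUDIT_LOG.append((source_ip, purpose, f"released {sorted(released)}"))
    return released


if __name__ == "__main__":
    insider = "10.4.2.1"  # inside the perimeter; firewall alone would admit any use
    print("treatment:", fetch(PATIENT_RECORD, insider, "treatment"))
    print("research: ", fetch(PATIENT_RECORD, insider, "outcomes_research"))
    try:
        fetch(PATIENT_RECORD, insider, "marketing")
    except PermissionError as err:
        print("marketing:", err)
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The two checks are deliberately separate functions: `perimeter_allows` answers only the network question, while `fetch` answers the use question, so a reviewer can see that an insider address passes the first check for every purpose and is still refused or filtered by the second.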

Individual Privacy Concerns

Every individual has a different level of desire or expectation for privacy. Some will guard every aspect of their lives, whether meaningful to others or not. Job type, income level, ethnic background, political philosophy, sexual orientation, religion, number of family members, or home telephone number: these and many other "facts" or pieces of personal information are shared or protected to various degrees by different individuals. Certain individuals shield this information in an effort to protect themselves from a series of real or perceived threats to their personal security, ranging from slight personal embarrassment or annoyance to significant illegal discrimination or other retribution. Privacy advocates often argue for broad protections from these potential threats with little regard for other competing interests.

Privacy Policy Requires Balanced Approach

As the Internet and information technologies continue to proliferate and become an increasingly integral component of almost every business, educational, governmental and personal undertaking involving transactions or informational interactions with other parties, policy makers will need to be careful not to stifle innovation and retard productivity by imposing privacy laws and regulations that are overbroad and/or ill-suited for the specific situation at hand. Unless a proper balance is struck between realistic and rightful expectations of privacy and the need for certain entities to become more productive and better serve that very constituency which is concerned about its privacy, progress in "electronic business" will be severely restricted. A perfect example exists in the health care industry.

While the health care industry is ultimately driven by the delivery of hands-on care to patients, it is also tremendously information intensive. From the voluminous medical treatises and extensive individual patient histories to the myriad forms and paperwork necessary for the admission and treatment of patients and the payment of the resulting claims, information technologies are critical tools for streamlining the overall process and making it more cost-effective. If applied too broadly, federal and state regulations enacted to protect the confidentiality or privacy of "individually identifiable" patient information will undermine or hinder efforts to improve the efficiency of the health care system via telemedicine, instant patient record retrieval and reduced transaction costs for health care services. In the health care area, appropriate non-public use of demographic and/or non-identifiable information could prove extremely important to determining the overall effectiveness of treatment plans, prescription medications, rehabilitation plans and other services that will improve the overall health care treatment delivered to individuals. Analogies can be drawn in other market sectors as well.

In the financial services area, more cost-effective financial services and products could be developed and administered, thus improving the customer's banking experience. The current emphasis on personal choice to opt-in or opt-out of certain information collection, analysis and sharing among financial industry professionals could ultimately drive transaction costs up or, at minimum, eliminate the possibility for much needed cost reductions. As a policy matter, overbroad efforts to maintain the privacy and confidentiality of all personal information will serve only to wrap certain industries in red tape and impede industry innovation.

Privacy Hotspots

While there are certainly many settings where privacy concerns are important to the implementation and use of information technology, these four markets seem to top most lists: the health care industry; consumer e-commerce; banking and financial services; and governmental transactions.

In a typical transaction in each of these markets, certain "personal information" is collected from the individual customer or user of the offered services and then input to a computer system maintained by the service provider or its agent. After that information is collected it may be analyzed, aggregated with other similar customer information, placed on a shared database, sent to one or more other parties who are business affiliates of the service provider and/or used to create targeted "service" or marketing plans directed to the original customer. Each of these steps can trigger "privacy" concerns for certain groups and/or individuals.

Given the rise in outsourced technical services, including database storage ("data warehouses"), application service providers ("ASPs") and managed service providers ("MSPs"), another level of risk is created for the "inappropriate" viewing, handling or usage of the "personal information" collected in these markets. Because of the increased number of "risk points" and the various expectations held by customers as to the "privacy" of the "personal information" involved, technology service providers generally have failed to satisfy all of the resulting privacy concerns. Indeed, there have been many significant cases of gross violations of customers' privacy through the negligent or intentional misuse of the computer systems and information involved. Everyone would agree that the widespread e-mailing of a patient's personally identifiable health information to a physician listserv is a gross violation of that patient's privacy rights. Few would argue that an on-line game site designed to gather key personal and financial information about the parents of the children using that website is not also a major violation of privacy expectations. Allocating responsibility for prevention of such privacy violations, and liability for any breaches, is critical to the contracting process between providers and users. Privacy policy groups should focus on generally accepted protocols for implementing the technical solutions where needed.

However, reacting to specific situations like this by enacting broad privacy laws and regulations for all users of the Internet and/or information technologies creates a significant risk of destroying or hindering market innovations and resulting productivity gains which would directly benefit these same individual customers. As noted below, since there appears to be no one unifying privacy principle that can be applied in each situation, the key to appropriate privacy measures, whether legal or practical, is a clear understanding of the "privacy" considerations and competing legal or practical rights or considerations of the service providers and the users.

As detailed in separate articles in this white paper, each of the following markets has experienced significant developments in the area of privacy policy.

Health Care Industry

One of the most recent and talked about electronic privacy measures is the voluminous set of federal regulations enacted pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"). When enacted, HIPAA contained provisions designed to move health care industry participants to an electronic medium for record keeping and claims processing purposes. The general goal was to create a digital trail in order to combat fraud and abuse in the health care reimbursement area. Given the obvious sensitivity of a patient's health information and its ready portability in digital form, federal officials promulgated the so-called HIPAA regulations to minimize the risks of breaches of patient confidentiality. Everyone would acknowledge that the improper use or handling of an individual's health information can lead to very real consequences such as loss or denial of health or life insurance, loss of or limitations on employment, refusal of housing and other real world disadvantages. As the federal government sought to encourage the use of information technologies in the health care field, it acknowledged the very real risks to patient confidentiality posed by such use. As a result, the HIPAA regulations set out a series of operating standards for health care providers implementing information technology as a part of their businesses. The regulations outline protocols for the use and operational control of computer technologies and related networks, including employee training, system maintenance, usage policy manuals, system integration protocols and operational security measures such as passwords, data filtering and encryption. This broad framework addresses the human as well as the technical components of the health care computer network in order to address all possible "risk points" in the transaction chain.

The HIPAA regulations also require covered health care entities to obtain patient permission for the sharing of "personally identifiable" information with other parties in the industry, including HMOs, insurance companies, laboratories, preferred specialists, etc., with whom care givers work and interact. Importantly, the HIPAA regulations further require that covered entities ensure that their "business associates" have "adequate" (HIPAA compliant) measures to ensure the confidentiality of shared patient information. Overall, a massive undertaking on the human as well as the technical level.

Health care providers are vehemently opposed to the core regulations enacted pursuant to HIPAA and are currently petitioning the Bush Administration to scale back certain patient authorization and business associate compliance requirements. These parties argue that the technological and related administrative burdens imposed by compliance with HIPAA regulations will prove to be extremely costly and time-consuming in an already slow and expensive industry. Patients' rights advocates are urging that no changes be made to these areas. Right now there is no indication whether any steps will be taken to modify the regulations. As a result, health care entities will be spending tremendous amounts of time and money to become "HIPAA compliant" over the coming two year phase-in period.

Banking And Financial Services

In another market filled with "privacy" concerns, the banking and financial services sector has recently come under the Gramm-Leach-Bliley Act, which requires certain customer notification and choice on services and information usage. Broadly stated, the Gramm-Leach-Bliley Act requires financial institutions, including banks, finance companies and credit unions, to maintain certain security measures, to maintain the confidentiality of customer information and to notify their customers in writing of their rights to opt-in or opt-out of certain information usage and sharing programs traditionally engaged in by financial institutions.

While security measures designed to maintain and protect a customer's financial information are appropriate, most financial institutions have traditionally maintained stringent security measures on their computer systems. It is not as clear that the current opt-in/opt-out measures do much more than limit marketing opportunities for banks and their affiliates. Unlike the significant discrimination which can result from misuse of health care information, the annoyance risks driven by marketing companies do not seem to merit such broad measures. It is not clear whether this preventive measure will prove any more effective than the punishments that currently exist for misuse of customers' financial information. As an overall matter, however, the provisions of Gramm-Leach-Bliley are nowhere near as comprehensive or as expensive a scheme as the HIPAA regulations require.

Consumer E-Commerce

With the myriad federal and state consumer protection laws and regulations already in effect, to this point in time it has been more a matter of ensuring that electronic commerce falls under these measures than of adding significant new privacy protections to the consumer protection framework. While many federal regulators have continued to support privacy "self-regulation" by retailers involved with consumer e-commerce, an increasing number of consumer protection advocates within the Federal Trade Commission, Congress and their respective state counterparts are urging the enactment of more protective measures which restrict the on-line gathering and/or use of consumers' personal information. Proposed legislation ranges from requirements for conspicuous disclaimers and privacy policies on web pages to limitations on the sale of consumer data in any bankruptcy proceeding involving an e-commerce oriented business.

Given existing consumer protection remedies, it is not clear that broad, up-front restrictions will more appropriately address the privacy abuses complained of by e-commerce consumers. So long as credit card transactions are secure and collected information is not used for illegal purposes, there appears to be no reason to spend significant resources limiting what kind of personalized marketing programs might be developed to better serve individual customers. Annoyance with marketing initiatives does not rise to the level of a fundamental legal claim. Customers ultimately hold the power of choice, namely whether to shop on-line with particular vendors who use their personal information. The clearest and perhaps best punishment already exists: loss of customers for businesses which abuse their customers' confidence.

Governmental Transactions

As individuals and business entities continue to increase the number of transactions completed on-line with federal and state governmental agencies, the spotlight has begun to turn on those transactions and the computer systems that support them. Federal and state governments have begun to offer on-line transactions including tax return filings, applications for licenses and permits, and other business involving potentially sensitive personal information. While posted "privacy policy" statements are a big trend for government web sites, government agencies must also ensure that appropriate privacy measures are enacted to protect sensitive information submitted by system users. It is not readily apparent why governmental steps on privacy matters should not match the corresponding private sector measures for similar information. For now it appears little attention has been paid to privacy concerns related to available on-line services and transactions.

Practical Approaches To Privacy Concerns

As technology providers and users evaluate the design and use of their computer systems, how do they weigh these privacy issues and select appropriate protective measures? Can any guiding privacy theme be drawn from the market examples noted above? Is it legitimate to be concerned about the embarrassment that a particular user might feel at the thought of certain personal information being reviewed internally and/or shared with business parties even though no one in the "public" would ever see or hear about this information? Does the mere intrusion upon an individual's time or use of their e-mail box by delivery of targeted marketing materials warrant blanket prohibitions being layered on e-commerce retailers? Should any health care entity handling health care information be required to ensure that all of the "business affiliates" who may receive patient information comply with all HIPAA regulations? Or must some minimum level of risk of illegal discrimination exist, based upon the availability of certain types of information, before strong protections are required?

Some might argue that governmental regulation preventing the use of accumulated information assets without payment of reasonable consideration constitutes the taking of property without due process of law. Others might argue that the use and dissemination of certain aggregated information is protected by Federal First Amendment rights of free speech. Notwithstanding such broad responses, very real legal risks exist for ASPs, MSPs, software developers and systems integrators. As key contributors to these computer networks, these technology service providers are the agents and/or representatives of the service providers directing the business or personal transactions in question. When users make claims of violations of certain privacy laws and regulations, the claims will likely be made against the technology companies as well as their service provider customers. Unfortunately, reaching that point means that a real dispute is at hand and expensive and destructive litigation is imminent.

So what can service providers and their technology "partners" do? Use an early, deliberate, thorough and practical approach to identify and manage the risks. Since current technology can do "most anything" by way of gathering, analyzing, storing, retrieving and distributing information in electronic form, the service provider and the technology partner need to step back and:

  • Determine the purpose of the system and/or the software.
  • Map out the scope of the computer network.
  • Identify the type and scope of information to be gathered.
  • Identify the type and scope of information to be shared and with whom.
  • Establish the purpose of sharing the information or parts of it.
  • Identify the end-users, or conversely the service providers, and their reasons for using the system or software.
  • Identify any laws and/or regulations governing the information and/or transactions involved.

In light of the answers to these questions, ask what conflicts might arise between the service provider and its customers due to the collection, use and/or sharing of certain information.

With those potential conflicts identified, a "best" approach to the issue can be determined. Will self-regulation be enough, or should a customer have choices on information gathering and use? Will technical means such as encryption, data filtering or firewalls be used? Or is it some combination of these measures? In the end, technology companies, service providers, users and policy makers must objectively ask and answer these core questions before acting to address potential "privacy" concerns. Failing to do so will surely yield an ill-designed solution that may do more harm than good. One thing does seem clear: there is no "cookie cutter" solution, because "privacy" does not always mean the same thing to everyone.

© 2001

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.