Testimony and Statement for the Record of


Marc Rotenberg, Director

Electronic Privacy Information Center


Oversight Hearing on

on Electronic Communications Privacy Policy Disclosures


Before the


Subcommittee on Courts and Intellectual Property

Committee on the Judiciary

U.S. House of Representatives


Thursday, May 27, 1999

2141 Rayburn House Office Building


My name is a Marc Rotenberg. I am the Executive Director of the Electronic Privacy Information Center (EPIC) in Washington, DC. I appreciate the opportunity to testify today before the Subcommittee of Courts and Intellectual Property regarding Electronic Communications Privacy Policy Disclosures.

The protection of privacy is quickly emerging as a central concern for Americans as we approach the twenty-first century. In the past year we have seen national protests launched against companies that design computer chips and computer software that could endanger personal privacy. More than a quarter of a million Americans opposed a banking regulation that would have established extensive government reporting requirements on routine financial transactions. And polls routinely show that the lack of privacy protection is contributing to growing public unease about the use of the Internet for commercial transactions. Will privacy policies actually protect the privacy rights of Americans in the years ahead?

Simply stated, I believe that the current efforts to promote industry self-regulation will not adequately address the public concerns about privacy and the Internet. Industry policies are typically incomplete, incoherent, and unenforceable. They are having little impact on actual data collection practices. Instead of reducing the demand for personal information or encouraging the development of privacy enhancing techniques, industry privacy policies are literally papering over the growing problem of privacy protection online.

A better approach would be to establish a legal framework that provides simple, predictable, uniform rules to regulate the collection and use of personal information. Not only is this approach consistent with US privacy legislation, it would also provide clarity and promote trust for consumers and businesses in the new online environment. I also believe that protecting privacy rights in law would encourage the development of better techniques to protect privacy and, in the long term, reduce the need for government intervention. The key is to pursue the enforcement of Fair Information Practices and the development of methods that reduce the need for personally identifiable information.



Up until a few years ago, legislating privacy protection was a straightforward problem. The basic goal was to outline the responsibilities of organizations that collect personal information and the rights of individuals that give up personal information. These rights and responsibilities are called "Fair Information Practices" and they help ensure that personal information is not used in ways that are inconsistent with the purpose for which they were collected. Fair Information Practices typically include the right to limit the collection and use of personal data, the right to inspect and correct information, a means of enforcement, and some redress for individuals whose information is subject to misuse.

Fair Information Practices are in operation in laws that regulate many sectors of the US economy, from companies that grant credit to those that provide cable television services. Your video rental store is subject to Fair Information Practices as are public libraries in most states in the country. The federal government is subject to the most sweeping set of Fair Information Practices. It is called the Privacy Act of 1974 and it gives citizens basic rights in the collection and use of information held by federal agencies. It also imposes on these same agencies certain obligations not to misuse or improperly disclose personal data.

The current debates in Congress over protecting medical records and financial records follow in this tradition. And privacy laws in these areas will reflect the rights that Congress is prepared to extend to patients and bank customers who seek to safeguard their personal information.

Not only have Fair Information Practices played a significant role in framing privacy laws in the United States, these basic principles have also contributed to the development of privacy laws around the world and even to the development of important international guidelines for privacy protection. The most well known of these international guidelines are the OECD Recommendations Concerning and Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. The OECD Privacy Guidelines set out eight principles for data protection that are still the benchmark for assessing privacy policy and legislation. These are:

The United States and more than a hundred US companies pledged to support the OECD Guidelines almost twenty years ago. It is worth noting also that the United States has a particularly strong tradition of extending privacy rights to new forms of technology. For example, subscriber privacy provisions were included in the Cable Act of 1984. New protections for electronic mail were adopted in the Electronic Communications Privacy Act of 1986. Video rental records were safeguarded as a result of the Video Privacy Protection Act of 1988. And auto-dialers and junk faxes were regulated by the Telephone Consumer Protection Act of 1991. Even the original Privacy Act of 1974 came about in response to growing public concern about the automation of personal record held by federal agencies.

Viewed against this background, the problem of privacy protection in the United States in the early 1990s was fairly well understood. The coverage of US law was uneven: Fair Information Practices were in force in some sectors and not others. There was inadequate enforcement and oversight. Technology continued to outpace the law. And the Europeans were moving forward with a comprehensive legal framework to safeguard privacy rights of their citizens.

Unfortunately, just at the point in time when there was need for leadership in government to promote a privacy policy based on extending Fair Information Practices, the Administration and Congress turned away from well established legal standards and traditions and proposed instead a search for solutions based on industry self-regulation.

Some said that the interactive nature of the Internet made possible a new approach to privacy protection, one that focused on individuals exercising privacy "choice" or "preferences." But providing a range of choices for privacy policies turns out to be a very complicated process, and there is no guarantee that a person’s privacy preferences on one day will be the same the next. In the rush to avoid a "one size fits all approach," those who focused on privacy choices may have discovered paradoxically that "many sizes fits none." In other words simple, predictable, uniform rules make it easier for individuals to exercise control over their personal information, than an endless selection of choices that turn out to be meaningless.

Other industry approaches emphasized the easy online availability of privacy policies. But in practice, making use of a web site privacy policy turns out to be cumbersome and impractical, and almost the antithesis of the Internet’s architecture. The very networked nature of the Internet that enables users to move freely from one site to the next discourages standards that vary from one site to the next. If a user will click past a site because a graphic takes too long to load, can we reasonably expect that some person to read through the fine print of a privacy policy? Both of these approaches, which are the outcome of pursuing the industry policy of self-regulation, have made it more difficult -- not easier -- for individuals to protect their privacy online.

An additional problem was created by the somewhat awkward role of the Federal Trade Commission. Because the United States lacks an agency with the expertise and competence to develop privacy policies, the FTC was cast in the role of de facto privacy agency. But the FTC did not itself have the authority to enforce Fair Information Practices or to promote the development of the various privacy enhancing techniques that were being pursued by other privacy agencies around the world. The FTC relied instead on its Section 5 authority to investigate and prosecute fraudulent or deceptive trade practices.

The better approach would have been to look at the Internet and ask how could it make it easier to apply and enforce Fair Information Practices. For example, one of the hard problems in privacy protection is ensuring that individuals are able to access and correct information about themselves. In the paper world, the right of access is an elaborate and costly process for both businesses and consumers. Records must be copied and sent by mail. In the online world it is much easier to provide ready access to profile information. In fact many web sites today, from airline reservations to online banking, are making information that they have about their customers more readily available to their customers over the Internet. It is not "choice" that customers are exercising but rather "control" over their personal information held by others.

The Internet is also offering interesting developments in the use of techniques for anonymity and pseudo-anonymity to protect online privacy. These techniques enable commercial transactions while minimizing or eliminating the collection of personal information. Such techniques avoid the need for privacy rules simply by avoiding the rights and responsibilities that result from the collection and use of personal data.



For the last several years a great effort has been underway to encourage industry groups to develop policies for self-regulation. Self-regulation has been offered as an effective and appropriate way to encourage industry groups to respond to public concerns about privacy without the actual burden of changing practices or reducing the growing dependence on personal information. The critical question that is typically ignored in the quest for solutions based on self-regulation is whether it is an effective means to protect personal privacy.

To understand the problem of privacy protection on the Internet in more detail, in 1997 EPIC undertook the first comprehensive survey of web site privacy practices. We reviewed 100 of the most frequently visited web sites on the Internet. We checked whether sites collected personal information, had established privacy policies, made use of cookies, and allowed people to visit without disclosing their actual identity.

We found that about half of the sites that we surveyed in 1997 collected personal information. This was typically done for on-line registrations, surveys, user profiles, and order fulfillment. We also found that few web sites had explicit privacy policies (only 17 of our sample) and none of the top 100 web sites met basic standards for privacy protection. We also noted that users were unable to exercise any meaningful control over the use of cookies. However, we noted that anonymity played an important role in online privacy, with many sites allowing users to access web services without disclosing personal data. We said that:

  • Users of web-based services and operators of web-based services have a common interest in promoting good privacy practices. Strong privacy standards provide assurance that personal information will not be misused, and should encourage the development of on-line commerce. We also believe it is matter of basic fairness to inform web users when personal information is being collected and how it will be used.
  • We recommended that:

    • Web sites should make available a privacy policy that is easy to find. Ideally the policy should be accessible from the home page by looking for the word "privacy."
    • Privacy policies should state clearly how and when personal information is collected.
    • Web sites should make it possible for individuals to get access to their own data
    • Cookies transactions should be more transparent
    • Web sites should continue to support anonymous access for Internet users.

    In 1998 the FTC conducted its own survey of privacy policies. Although the survey looked at more web sites, the FTC survey was in some critical respects narrower than the original EPIC survey. The FTC focused on the number of web sites that collect personal information and also on the number of web sites that had a privacy policy. But the FTC largely ignored the crucial role of anonymity in privacy protection. The FTC also lowered the bar by defining Fair Information Practices to be simply "notice," "choice," "access" and "security." Although we did not look at the full range of Fair Information Practices in 1997, we followed the OECD practice in inquiring whether there were "use limitations" or "secondary use restrictions" in the privacy policies we found. This point is important because much of privacy law turns on the principle of finality &emdash; the principle that information is collected for a particular purpose and that information should be used only for that purpose unless meaningful consent is obtained from the data subject.

    Not surprisingly, the 1998 FTC survey found an increase in the number of web sites posting privacy policies.

    In 1998 we undertook a second survey to determine whether industry was doing a good job encouraging its own members to adopt privacy policies. "Surfer Beware II: Notice is Not Enough" surveyed the privacy policies of 76 new members of the Direct Marketing Association (DMA). We chose the DMA because it has been a leading proponent of self-regulation and because it has undertaken a number of efforts to encourage privacy protection through self-regulation. These included a policy announced in October 1997 that the DMA would require future members to post a privacy policy and provide an opt-out capability. Of the 76 new members we examined, only 40 had Web sites and of these, only eight sites had any form of privacy policy. We examined these policies and found that only three of the new members have privacy policies that satisfied the DMA's requirements set out in October 1997. None of the sites examined allowed individuals to gain access to their own information. We concluded that the DMA's efforts to promote privacy practices is having little impact on its new members, even after repeated assurances from the DMA that this approach is effective.

    Two recent surveys, funded by industry groups, found an increased number of web sites are now posting privacy policies. While many were quick to take this finding as an indication that self-regulation is working, a quick look behind the numbers reveals a different story. Less than 10% of the web sites have privacy policies that include the minimal elements proposed by the FTC. The collection and use of information among commercial web sites is rapidly accelerating.

    Taking a step back, I think the survey reveals an even larger problem with the assessment of self-regulation in 1999. It is not simply that there are still a small number of web sites with even the elements of a basic privacy policy, the survey also reflects the continuing process of lowering the bar to establish the success of self-regulation. The most recent survey allows that the posting of just one element of Fair Information Practices could constitute a privacy policy. Thus the industry was able to say, "Of the 364 websites surveyed, 65.7% had posted at least one type of privacy disclosure." At a certain point, you cannot lower the bar any further. I imagine you should simply push it to the side and hope no one accidentally trips over it.

    The survey methodology also reflects a lack of interest in the various techniques that would enable privacy protection through anonymity. The German government for example, more than two years ago adopted legislation to encourage the use of anonymity for commercial sites on the Internet. A survey that attempted to measure online privacy in 1999, as compared with our survey in 1997, should move the inquiry forward by trying to determine what techniques were being adopted to protect online privacy and specifically ask about the availability of techniques that would enable users to protect the disclosure of their personal information, particularly in the absence of enforceable Fair Information Practices.



    To understand the larger picture of privacy protection, it is necessary to look beyond the United States and the narrow issue of whether web sites post privacy policies. In 1998 EPIC undertook the first comprehensive survey on international privacy laws and practices. The report Privacy and Human Rights 1998: An International Survey of Privacy laws and Developments looked in detail at the state of privacy in fifty countries around the world. We found that:

    • Privacy is a fundamental human right recognized in all major international treaties and agreements on human rights. Nearly every country in the world recognizes privacy as a fundamental human right in their constitution, either explicitly or implicitly. Most recently drafted constitutions include specific rights to access and control one's personal information.
    • New technologies are increasingly eroding privacy rights. These include video surveillance cameras, identity cards and genetic databases.
    • There is a growing trend towards the enactment of comprehensive privacy and data protection acts around the world. Currently over 40 countries and jurisdictions have or are in the process of enacting such laws. Countries are adopting these laws in many cases to address past governmental abuses (such as in former East Bloc countries), to promote electronic commerce, or to ensure compatibility with international standards developed by the European Union, the Council of Europe, and the Organization for Economic Cooperation and Development.
    • Surveillance authority is regularly abused, even in many of the most democratic countries. The main targets are political opposition, journalists, and human rights activists. The U.S. government is leading efforts to further relax legal and technical barriers to electronic surveillance. The Internet is coming under increased surveillance.

    We are currently updating our 1998 survey. Our preliminary results show that more countries are moving to adopt comprehensive privacy legislation. For example, Canada is expected to enact comprehensive federal privacy legislation by the end of June, and many countries in Eastern Europe and East Asia are moving in a similar direction. There are a number of explanations for this, including the desire of countries to trade with the European Union as well as to respond to popular concerns about privacy protection. But there is also the natural tendency in privacy policy toward "convergence" the development of common standards that promote the free flow of information by ensuring the protection of privacy.



    A review of the surveys undertaken over the last several years leads to the following general observations:

  • First, while it can be shown that more web site operators are posting privacy policies, there is little evidence that this is translating into better privacy protection for Internet users. There is still no effective means of enforcement. No real effort has been undertaken to begin auditing or conduct oversight to ensure that the privacy policies posted are being followed.

    Second, just as the number of web site privacy policies has increased, so too have the demands for personal information. Indeed, it would not be too difficult to show that that the collection and use of personal data online over the last few years has far exceeded the development and enforcement of privacy policies. In this respect, the "privacy gap" has widened not narrowed since 1997.

    Third, the definition of what constitutes a privacy policy continues to be lowered as time passes. To say that 2/3 of web sites today post a privacy policy and that this shows progress is a bit like saying 2/3 of the cars in a scrapyard have at least one working component. The reality is that only a small percentage of web sites even begin to approach the type of privacy protection that would be provided by the most rudimentary privacy law in this country.

    Fourth, there has been a movement away from the consideration of techniques that could protect privacy and reduce the need for legislation. When EPIC undertook the first survey of Internet policies, we were very much aware that anonymity would play a critical role in protecting online privacy. We continue to believe that a much greater emphasis must be placed on developing techniques that reduce the demand for personally identifiable information.



    Much has been made in the last few years about the role of the Federal Trade Commission in defending the privacy rights of Internet users. The FTC has been held out as the de facto privacy agency in the United States and the backstop to enforce Industry self-regulatory policies. And while it is clearly the case that the FTC has expressed great interest in privacy issues, almost four years after it was asked by Congress to investigate the privacy risks associated with computerized databases, the FTC has produced little in the way of privacy assistance or enforcement for Internet users.

    In the past three years, the FTC has rendered an opinion in a privacy case about once a year. Which is to say the enforcement of privacy rules comes as often at the FTC as does Christmas. By comparison, the Information and Privacy Commissioner of the Canadian province of British Columbia has issued 200 orders in the same time period.

    Interestingly, one of the ongoing problems with the FTC’s investigation of privacy complaints is the lack of transparency into the agency’s own practices for pursuing privacy investigations. Earlier this year, there was a national campaign to stop the release of a computer chip that would enable ubiquitous identification across the Internet. While this technique may have provided some benefits in certain commercial applications, there was little doubt it would also raise enormous privacy issues.

    EPIC, Privacy International, and Junkbusters, the groups that organized the campaign against the Intel chip wrote to the FTC to see if the FTC has the authority to investigate what many would agree is one of the biggest privacy issues so far in 1999. Several months after filing our complaint there is no indication at the FTC web site that any action has been taken on the Intel Pentium III matter. Meanwhile, privacy agencies around the globe have begun formal investigations into the Pentium III matter. How can it be that the agency charged with safeguarding privacy in the United States has yet to issue a statement on this matter?



    Many of the problems with the current approach to privacy protection in the United States can be seen in the ongoing debate with the European Union over the Safe Harbor proposal. That proposal came about in response to the efforts of the European Union to develop a comprehensive privacy policy that would both promote economic growth and protect the privacy rights of citizens in the years ahead. The EU Directive requires that countries which process data on European citizens provide an "adequate" level of privacy protection. Many countries have taken the requirement in the EU Data Directive as an opportunity to update and extend their privacy laws to protect the interests of their citizens.

    The United States &emdash; at least the Administration &emdash; has chosen instead to develop a commercial "safe harbor" that allows US firms to meet the minimal requirements necessary to continue to do business in Europe without actually developing any new laws or rights for US citizens. But even this approach may not succeed. The European Commission working group that represents the privacy interests of European citizens has expressed great concerns about the Safe Harbor proposal. The Privacy Working Group recently issued an opinion on the effort. This is what they had to say:

  • Data protection rules only contribute to the protection of individuals to the extent to which they are followed in practice. In an entirely voluntary scheme such as this compliance with the rules must be at least guaranteed by an independent investigative mechanism for complaints and sanctions which must be, on the one hand dissuasive and, on the other give individual compensation where appropriate.
  • Significantly, the European expert group also said "the standard set by the OECD Guidelines of 1980 cannot be waived as it constitutes a minimum requirement for the acceptance of an adequate level of protection in any third country."

    Leading consumer groups in both the United States and Europe have also rejected the safe harbor approach. In a statement issued last month by the Trans Atlantic Consumer Dialogue, representing sixty consumer organizations from across Europe and the United States said that:

  • The Safe Harbor proposal now under consideration by the United States and the European Union fails to provide adequate privacy protection for consumers in the United States and Europe. It lacks an effective means of enforcement and redress for privacy violations. It places unreasonable burdens on consumers and unfairly requires European citizens to sacrifice their legal right to pursue privacy complaints through their national authorities. The proposal also fails to ensure that individual consumers will be able to access personal information obtained by businesses.
  • TACD urged the rejection of the Safe Harbor proposals and recommended instead the development and adoption of an International Convention on Privacy Protection that will help safeguard the privacy interests of consumers and citizens in the twenty-first century.

    It is possible that the Safe Harbor proposal will be adopted in some form by the time of the US-EU Summit in June. But if that comes to pass, a very unfortunate circumstance will result. US firms will offer a higher level of privacy protection for the processing of records on Europeans than they will in processing the records of Americans. This is one of the consequences of a policy that places such little emphasis on the privacy rights of US citizens.



    Another area where the failure of the self-regulatory approach can be seen is in the ongoing debate over cookies and other techniques that enable the collection and use of personal information. While it should be said at the outset that cookies perform many useful functions in the online world, it should also be recognized that there are privacy risks associated with the routine tagging of Internet users who visit web sites.

    When we looked at the cookies issue in 1997 we said that one of the main problems was the lack of transparency: users could not make meaningful choices about whether to accept cookies because the purpose and use was completely opaque.

    How do things stand two years later? To answer that question I was prepared to produce a survey showing that cookie practices were no more helpful today than they were two years ago. Looking at the Top 100 web sites listed in the Online Privacy Alliance survey, I could show for example that a typical cookie notice looks like the following:



    I could even point out that some cookie files have such a long VALUE field that the user does even get to see the full question:


    But as I reviewed the cookies practices at the web sites identified as the TOP 100 in the OPA Survey, I uncovered an even more serious problem. Some of the web sites are using the end-user’s IP address for the cookie file, which means that if I reprint the cookies statement here you will see my IP address.

    Consider the web site www.insidetheweb.com. This is a typical portal site that provides access to other web site grouped by topic area and is supported by advertising revenue. If you go the www.insidetheweb.com site, a cookie notice similar to the following will appear on your screen:

    The privacy policy of Insidetheweb states the following:

  • We use IP addresses to help diagnose problems with our server, and to administer our Web site. We do not link IP addresses to any personal information such as that provided when registering for a new message board. In rare instances IP addresses may be used to assist in deterring and/or preventing abusive or criminal activity on message boards.

    Our site uses cookies to count and track site visits anonymously. A cookie is a small piece of data that many Web sites write to a file on your hard disk. A cookie can contain data like an ID number used to track what pages are visited. A cookie cannot by itself be used by a Web site to obtain personal information about the user or to read information from your computer other than that which has been voluntarily provided by you or is contained in cookies given by the same Web site.

  • I am not an expert in web protocols but it seems obvious that a cookie that collects a user’s IP address is not always anonymous. Is this the basis for an action at the FTC? Perhaps. But the better approach, and the approach that will make it easier to avoid an endless parade to the FTC in the years is the enforcement of Fair Information Practices and the development of new techniques to protect online privacy. And the studies that are necessary at this point are the ones that look at the actual practices that web sites follow and not the privacy policies which are often not worth the HTML they’re coded in.



    I am very much aware of the important work by members of this Subcommittee and particularly Mr. Goodlatte to promote the widespread availability of strong techniques, such as encryption, to protect the privacy and security of network users and to reduce the risk of crime and network attack. As you may know, EPIC was established in 1994 in the campaign to stop the Clipper encryption scheme, and we very much support your continued efforts to relax export controls.

    The interesting question, though, is whether it is more or less difficult to make strong techniques available to protect privacy in countries do not respect the right of privacy in law. While some continue to view privacy techniques as an alternative to privacy laws, I think the better and more accurate view is that privacy techniques and privacy laws are complimentary. Strong encryption is more likely to emerge and be freely used in countries where the legal right of privacy is well established.

    The point is clear if you consider the recent history of negotiation over international cryptography policy. The United States government has tried repeatedly to obtain foreign acceptance of the key escrow concept, but such efforts have been resisted in part because of national privacy laws and the European Data Directive, which make key escrow encryption inherently suspect. Only when the United States had the opportunity to pursue an international negotiation on encryption policy beyond the reach of national privacy authorities was it possible to obtain support for new export limitations on the use of encryption software.

    Thus privacy laws and privacy officials turn out to be not only an ally for consumers, citizens, and users but also companies and developers of advanced networked services. Privacy agencies around the globe continue to support the development of genuine privacy enhancing techniques that may in the long term obviate the need for much privacy legislation. Technology professionals also understand that the design and development of information systems means that the responsibility for privacy risks must be carried who are best able to avoid the problem. The Association for Computing Machinery has had a long-standing commitment to privacy protection. The ACM’s own code of professional conduct makes clear that it is the developer of systems who must in the end take responsibility for privacy protection.

    The lesson here is that if we want good techniques to promote privacy online we will need good laws for online privacy.



    I won’t pretend that privacy protection in the online world will be easily solved. We are at the beginning of a long and complicated process. We will constantly have to make decisions individually and collectively about how important we believe privacy to be and what steps we are prepared to take. Imagining a comprehensive solution to information privacy in 1999 would be like to trying to imagine how to solve the problem of environmental protection in 1899 &emdash; many of our greatest challenges lie ahead.

    But I do think that more can be done to protect privacy and that Congress will have a significant role to play. There is more than enough precedent in US law and enough ingenuity in the technical community to move us in the right direction and give us at least a fighting chance of protecting what Justice Brandeis called "the most comprehensive of all rights and the right most cherished by a free people."

    Key steps will include the following:

    • Establish a privacy agency with the expertise, competence and resources to assist consumers, act as ombudsman, and a voice for privacy within the administration
    • Promote the establishment and enforcement of Fair Information Practices and encourage the development of simple, predictable uniform rules to protect personal information
    • Encourage the development of new techniques that limit or eliminate the collection of personally identifiable information

    Perhaps the simplest and least controversial proposal is the Online Privacy Provision contained in Title III of the Internet Growth and Development Act of 1999, HR 1685. This provision would require commercial web site operators that collect personally identifiable information to post a privacy policy and then to treat a violation of the policy as an unfair or deceptive trade practice. This would establish a minimal baseline for privacy in the online world. I do not think it goes far enough, but it is a start.

    The time for surveys has past. If we are to protect privacy, then we must take the necessary steps to ensure that the loss of privacy will not be the cost of the Information Society.



    1 The Electronic Privacy Information Center is a project of the Fund for Constitutional Government, a non-profit charitable organization established in 1974 to protect civil liberties and constitutional rights. More information about EPIC is available at the EPIC web site http://www.epic.org.

    2 See generally, Robert Gellman, "Does Privacy Law Work?" in P. Agre and M. Rotenberg, Technology and Privacy: The New Landscape (MIT Press 1998)

    3 M. Rotenberg, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments 1-37, 95-97 (Fair Credit Reporting Act of 1970, Cable Communications Policy Act of 1984) (EPIC 1998) [hereinafter Privacy Law Sourcebook]

    4 Privacy Law Sourcebook 38-54.

    5 Privacy Law Sourcebook 161-87.


    Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

    Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

    Purpose Specification Principle The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

    Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except: (a) with the consent of the data subject; or (b) by the authority of law.

    Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

    Openness Principle There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

    Individual Participation Principle. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

    Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

    7 Privacy Law Sourcebook 163-64.

    8 Privacy Law Sourcebook 98-131.

    9 Privacy Law Sourcebook 132-34.

    10 Privacy Law Sourcebook 144-52.

    11 See, e.g., EC Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, "Anonymity on the Internet" (1997) reprinted in Privacy Law Sourcebook 331-42.

    12 EPIC, "Surfer Beware I: Personal Privacy and the Internet" (1997) [http://www.epic.org/reports/surfer-beware.html]

    13 FTC, "Online Privacy: A Report to Congress" (1998) [http://www.ftc.gov/reports/privacy3/index.htm].

    14 Prepared statement of the Federal Trade Commission on "Internet Privacy" before the Subcommittee on Courts and Intellectual Property of the House Judiciary Committee, March 26, 1998 [http://www.ftc.gov/os/1998/9803/privacy.htm

    15 [http://www.epic.org/reports/surfer-beware2.html]

    16 "Online Privacy Alliance Says Web Sweeps Confirm Significant Progress in Privacy Self-Regulation," Online Privacy Alliance [http://www.privacyalliance.org/news/05121999.shtml].

    17 EPIC and Privacy International, Privacy and Human Rights: An International Survey of Privacy Laws and Practice (EPIC 1998)

    18 Colin Bennett, Regulating Privacy (Cornell 1992).

    19 Letter from EPIC Director Marc Rotenberg to FTC Commissioner Christine Varney (December 14, 1995) ("I am writing to you to urge the Federal Trade Commission to investigate the misuse of personal information by the direct marketing industry and to begin a serious and substantive inquiry into the development of appropriate privacy safeguards for consumers in the information age.") http://www.epic.org/privacy/internet/ftc/ftc_letter.html. Letter from Senators Bryan, Pressler, and Hollings to FTC Chairman Robert Pitofsky ("We are writing to request that the Federal Trade Commission conduct a study of possible violations of consumer privacy rights by companies that operate computer data bases.") [http://www.epic.org/privacy/databases/ftc_databases.html]

    20 "Office of Information and Privacy Commissioner British Columbia," Table of orders (Last Updated May 13, 1999) [http://www.oipcbc.org/orders/orders_index.html]

    21 "Working document: Processing of Personal Data on the Internet," Adopted by the Working Party on 23 February 1999 (DG XV 5013/99-WP 16) [http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp16en.htm]; "Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware," Adopted by the Working Party on 23 February 1999 (DG XV 5093/98-WP 17) [http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp17en.htm]

    22 Privacy Law Sourcebook 201-27.

    23 [http://www.ita.doc.gov/ecom/menu.htm]

    24 Working Party on the Protection of Individuals with regard to the Processing of Personal Data,, Opinion 2/99 on the Adequacy of the "International Safe Harbor Principles" issued by the US Department of Commerce on 19th April 1999, Adopted 3 May 1999 (5047/99/EN/final WP 19) [http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp19en.htm]

    25 TransAtlantic Consumer Dialogue "Resolution on Safe Harbor Proposal and International Convention on Privacy Protection"(Brussels April 1999)[http://www.tacd.org/meeting1/electronic.html#safe]

    26 http://www.insidetheweb.com/privacy.shtml

    27 Respect the privacy of others.

    Computing and communication technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilization. Thus there is increased potential for violating the privacy of individuals and groups. It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, as well as protecting it from unauthorized access or accidental disclosure to inappropriate individuals. Furthermore, procedures must be established to allow individuals to review their records and correct inaccuracies.

    This imperative implies that only the necessary amount of personal information be collected in a system, that retention and disposal periods for that information be clearly defined and enforced, and that personal information gathered for a specific purpose not be used for other purposes without consent of the individual(s). These principles apply to electronic communications, including electronic mail, and prohibit procedures that capture or monitor electronic user data, including messages, without the permission of users or bona fide authorization related to system operation and maintenance. User data observed during the normal duties of system operation and maintenance must be treated with strictest confidentiality, except in cases where it is evidence for the violation of law, organizational regulations, or this Code. In these cases, the nature or contents of that information must be disclosed only to proper authorities.

    ACM Code of Ethics and Professional