Data Protection, Telecomm & the Net: Recent US Legal Developments^*

Adaptation of Hypertext Slides Presented to the International Working Group on Data Protection in Telecommunications (Paris, France: April 3, 1997). This represents a selective discussion of relevant US legal developments since the last meeting of the International Working Group.

1.   Collection and Use of Personal Information

• Real Law

Telecommunications Act of 1996

This new statute restructuring the telecommunications regulatory regime in the United States imposes several targeted data protection obligations on communications service providers. It requires confidentiality of identified Customer Proprietary Network Information (including transaction data), imposes competition policy restraints on the use of aggregate data, and grants service providers a statutory right to disclose directory information ( 47 U.S.C. § 222 Privacy of customer information).  As is typical with American legislation, the provisions have a narrow scope and would, for example, not be applicable to the information practices of the web sites themselves. The FCC has recently called for comments on implementing regulations.
Courts

Avrahami v. U.S. News & World Report, (Cir. Ct., VA). The Virginia courts have, thusfar, ruled that Avrahami has no privacy right to prevent the sale of his name on a marketing list under the Virginia statutory ostensibly protecting individuals against misappropriation of name or likeness. This case may be a harbinger of future litigation elsewhere since most states have a similar statute or common law right.

• Hypothetical Law
Congress
Among the myriad of bills, Congress is considering proposals dealing with three significant tendancies for data protection: the protection of children (Rep. Bob Franks, R-N.J.), the treatment of subscriber information by internet service providers (H.R. 98, Consumer Internet Privacy Protection Act of 1997), and health information (H.R. 341, Genetic Privacy and Nondiscrimination Act of 1997)
.
Federal Trade Commission

The FTC is becoming interested in on-line data protection issues and has organized several workshops (June 10-13, 1997 "Consumer Privacy Issues" and June 1996 "Consumer Privacy on the Global Information Infrastructure"). The Commission has also just launched a study of "On-Line Look-Up Services," though it excludes a significant component, the use of marketing databases for these services, from the scope of the study.

NTIA

The NTIA has commissioned a series of papers to promote the effectiveness of self-regulation. The release is expected during the Spring 1997. The topics are: (1) General Discussion of Self-regulation; (2) Role of Consumer Education in Self-regulatory privacy regime; (3) Anti-trust issues raised by self-regulatory privacy regimes; (4) Public's view of self-regulation in the privacy context; (5) Necessary elements of self-regulatory privacy regimes; (6) Reaching consensus on privacy principles and practices in self-regulatory regimes; (7) Appropriate enforcement mechanisms for assuring effective self-regulation

White House

The White House has noted the importance of privacy issues in Framework for Global Electronic Commerce (Preliminary Report, Dec. 1996; Final, expected late 1997). The new President's Commission on Critical Infrastructure Protection also includes a privacy expert, Mary Culnan, a professor at the Georgetown Business School. Rumors still abound that the White House may release a white paper suggesting the creation of a privacy office in the Executive Branch.

National Research Council

The NRC just released its report For the Record: Protecting Electronic Health Information (March 5, 1997) that calls for privacy legislation among other recommendations.

Technical Organizations
The technical organizations are beginning to focus on privacy issues. ANSI is forming an
Ad Hoc Study Group (largely to respond to the Canadian initiative at ISO). The IETF/IAB is considering a new protocol for white pages directory information (e-mail, phone numbers, URL) and there is a new proposal for a revised "cookies" protocol (RFC 2109).

2. Distribution and Filtering of Content on the Internet

• Real Law

Communications Decency Act of 1996
This statute makes it illegal to distribute pornography and indecent material over the Internet to minors. Two federal courts have ruled that, as drafted, the statute presents a restraint on speech that is unconstitutional under the First Amendment. The Supreme Court heard oral argument two weeks ago and will rule on the constitutionality of the statute before the end of the present term. If the Court invalidates the statute, the opinion may nevertheless provide guidance for Congress to re-write the offending provisions..
Junk E-mail
A few recent cases have supported on-line service providers in their effort to prevent junk e-mail. See
CompuServe v. Cyber Promotions, -- F. Supp. -- (S.D. Ohio, 1997) (preliminary injunction granted against Cyber Promotions' junk e-mail); Cyber Promotions v. America OnLine, 948 F. Supp. 436 (E.D.Pa, 1996) (AOL permitted to block incoming junk e-mail)
• Hypothetical Law
Statutory Repeal of CDA

Should the U.S. Supreme Court uphold the constitutionality of the Communications Decency Act, there is a movement in Congress to seek its repeal. (S. 213. Bill to amend section 223 of the Communications Act of 1934 to repeal amendments on obscene and harassing use of telecommunications facilities made by the Communications Decency Act of 1996.)

3.  Availability and Use of Cryptography

• Real Law
Export Controls

The U.S. government modified the rules for exporting encryption products in December 1996. The new rule permits the export and re-export of 56-bit key length DES or equivalent strength encryption items under the authority of a License Exception, if an exporter makes satisfactory commitments to build and/or market recoverable encryption items and to help build the supporting international infrastructure. This policy will apply to hardware and software. See Dept. of Commerce Bureau of Export Administration, Encryption Items Transferred From the U.S. Munitions List to the Commerce Control List , 61 FR 68572-68587 (Dec. 30, 1996)

• Hypothetical Law
Encryption proposals
There are a number of bills under consideration in Congress that might liberalize export controls on encryption and prohibit a government mandated key escrow system. These include:
1. Pro-CODE Act to promote commerce and privacy on the Internet (S.377)
2. Encrypted Communications Privacy Act (S.376).
3. Security and Freedom Through Encryption (SAFE) Act (H.R. 695)
The White House also has a proposal "Electronic Data Security Act of 1997" (March/April 1997) to encourage registered key escrow and certificates with immunity from civil liability.

4.   Conclusion

During the last six to nine months, there has been an enormous amount of discussion and debate within the United States over privacy issues. In terms of concrete results that show the implementation of data protection principles, there have been few examples. I anticipate continued vigorous discussion before the next Berlin meeting and expect that electronic commerce and security issues will continue to drive the American debate.