Data Protection, Telecomm & the Net: Recent US Legal Developments*
Visiting Professor, Universite de Paris I (Pantheon-Sorbonne)
Adaptation of Hypertext Slides Presented to the International Working
Group on Data Protection in Telecommunications (Paris, France: April 3,
1997). This represents a selective discussion of relevant US legal developments
since the last meeting of the International Working Group.
1. Collection and Use of Personal Information
Telecommunications Act of 1996
- This new statute restructuring the telecommunications regulatory regime
in the United States imposes several targeted data protection obligations
on communications service providers. It requires confidentiality of identified
Customer Proprietary Network Information (including transaction data),
imposes competition policy restraints on the use of aggregate data, and
grants service providers a statutory right to disclose directory information
( 47 U.S.C. § 222 Privacy of customer information). As
is typical with American legislation, the provisions have a narrow scope
and would, for example, not be applicable to the information practices
of the web sites themselves. The FCC has recently called for comments
on implementing regulations.
Avrahami v. U.S. News & World Report, (Cir. Ct., VA). The Virginia
courts have, thusfar, ruled that Avrahami has no privacy right to prevent
the sale of his name on a marketing list under the Virginia statutory ostensibly
protecting individuals against misappropriation of name or likeness. This
case may be a harbinger of future litigation elsewhere since most states
have a similar statute or common law right.
Federal Trade Commission
- Among the myriad of bills, Congress is considering proposals dealing
with three significant tendancies for data protection: the protection
of children (Rep. Bob Franks, R-N.J.), the treatment of subscriber information
by internet service providers (H.R. 98, Consumer Internet Privacy Protection
Act of 1997), and health information (H.R. 341, Genetic Privacy and Nondiscrimination
Act of 1997)
The FTC is becoming interested in on-line data protection issues and
has organized several workshops (June 10-13, 1997 "Consumer Privacy
Issues" and June 1996 "Consumer Privacy on the Global Information
Infrastructure"). The Commission has also just launched a study of
"On-Line Look-Up Services," though it excludes a significant
component, the use of marketing databases for these services, from the
scope of the study.
The NTIA has commissioned a series of papers to promote the effectiveness
of self-regulation. The release is expected during the Spring 1997. The
topics are: (1) General Discussion of Self-regulation; (2) Role of Consumer
Education in Self-regulatory privacy regime; (3) Anti-trust issues raised
by self-regulatory privacy regimes; (4) Public's view of self-regulation
in the privacy context; (5) Necessary elements of self-regulatory privacy
regimes; (6) Reaching consensus on privacy principles and practices in
self-regulatory regimes; (7) Appropriate enforcement mechanisms for assuring
National Research Council
The White House has noted the importance of privacy issues in Framework
for Global Electronic Commerce (Preliminary Report, Dec. 1996; Final,
expected late 1997). The new President's Commission on Critical Infrastructure
Protection also includes a privacy expert, Mary Culnan, a professor at
the Georgetown Business School. Rumors still abound that the White House
may release a white paper suggesting the creation of a privacy office in
the Executive Branch.
The NRC just released its report For the Record: Protecting Electronic
Health Information (March 5, 1997) that calls for privacy legislation
among other recommendations.
- The technical organizations are beginning to focus on privacy issues.
ANSI is forming an
- Ad Hoc Study Group (largely to respond to the Canadian initiative at
ISO). The IETF/IAB is considering a new protocol for white pages directory
information (e-mail, phone numbers, URL) and there is a new proposal for
a revised "cookies" protocol (RFC 2109).
2. Distribution and Filtering of Content on the Internet
- Communications Decency Act of 1996
- This statute makes it illegal to distribute pornography and indecent
material over the Internet to minors. Two federal courts have ruled that,
as drafted, the statute presents a restraint on speech that is unconstitutional
under the First Amendment. The Supreme Court heard oral argument two weeks
ago and will rule on the constitutionality of the statute before the end
of the present term. If the Court invalidates the statute, the opinion
may nevertheless provide guidance for Congress to re-write the offending
Statutory Repeal of CDA
- A few recent cases have supported on-line service providers in their
effort to prevent junk e-mail. See
- CompuServe v. Cyber Promotions, -- F. Supp. -- (S.D. Ohio, 1997) (preliminary
injunction granted against Cyber Promotions' junk e-mail); Cyber Promotions
v. America OnLine, 948 F. Supp. 436 (E.D.Pa, 1996) (AOL permitted to block
incoming junk e-mail)
Should the U.S. Supreme Court uphold the constitutionality of the Communications
Decency Act, there is a movement in Congress to seek its repeal. (S. 213.
Bill to amend section 223 of the Communications Act of 1934 to repeal amendments
on obscene and harassing use of telecommunications facilities made by the
Communications Decency Act of 1996.)
3. Availability and Use of Cryptography
The U.S. government modified the rules for exporting encryption products
in December 1996. The new rule permits the export and re-export of 56-bit
key length DES or equivalent strength encryption items under the authority
of a License Exception, if an exporter makes satisfactory commitments to
build and/or market recoverable encryption items and to help build the
supporting international infrastructure. This policy will apply to hardware
and software. See Dept. of Commerce Bureau of Export Administration, Encryption
Items Transferred From the U.S. Munitions List to the Commerce Control
List , 61 FR 68572-68587 (Dec. 30, 1996)
- There are a number of bills under consideration in Congress that might
liberalize export controls on encryption and prohibit a government mandated
key escrow system. These include:
The White House also has a proposal "Electronic Data Security
Act of 1997" (March/April 1997) to encourage registered key escrow
and certificates with immunity from civil liability.
- Pro-CODE Act to promote commerce and privacy on the Internet (S.377)
- Encrypted Communications Privacy Act (S.376).
- Security and Freedom Through Encryption (SAFE) Act (H.R. 695)
* (c) 1997 Joel R. Reidenberg. All rights reserved.
.... back to
- During the last six to nine months, there has been an enormous amount
of discussion and debate within the United States over privacy issues.
In terms of concrete results that show the implementation of data protection
principles, there have been few examples. I anticipate continued vigorous
discussion before the next Berlin meeting and expect that electronic commerce
and security issues will continue to drive the American debate.