347402.DOC 11/25/2002 11:27 PM
MINNESOTA LAW REVIEW [Vol. 86:pppp]

The Surprising Virtues of the New Financial Privacy Law

Peter P. Swire†

The financial privacy law passed by Congress in 1999 has been the target of scathing criticism. On one side, banks and other financial institutions have complained about the high costs of the billions of notices sent to consumers, apparently to widespread consumer indifference.1 On the other side, privacy advocates have condemned the law as woefully weak, and some have argued that its so-called privacy provisions actually resulted in weakening privacy protection.2

This paper disagrees with the criticisms. The new financial privacy law, known more formally as Title V of the Gramm-Leach-Bliley Act of 1999, works surprisingly well as privacy legislation. It does so in ways that address legitimate industry concerns about excessive cost and barriers to needed information. In addition, the ability of states to draft additional legislation in the area means that an effective mechanism exists to correct the key weaknesses of the law over time.

The financial privacy provisions were enacted in 1999 as part of sweeping legislation to update the structure of the banking, insurance, securities, and other financial services industries. Since the 1930’s, the Glass-Steagall Act had largely separated these industries. Gramm-Leach-Bliley, as signed by President Clinton in November, 1999, culminated many years of regulatory and legislative debate about how to modernize the financial services sector. From now on, a single financial holding company can own banks, investment banks, insurance companies, and a wide array of other institutions.

Part I of this article introduces the main provisions of Title V, showing the better match with basic privacy principles than many have realized. Part II explores the history of how the financial privacy provisions became law, placing the enactment into the context of a historical peak of privacy policy activity in the late 1990’s. Perhaps this history will be of particular interest because of my unusual dual perspective, both as an academic who has written extensively about financial privacy,3 and also as the Clinton Administration’s Chief Counselor for Privacy during the period.

Part III looks at the most hotly-contested issue in the privacy debate, the rules for sharing personal information with affiliated entities and third parties. GLB establishes a basic rule that information can flow freely within a financial institution and to its affiliates. Customer choice—an opt-out ability to prevent sharing—applies for transfers to non-affiliated companies. This article argues that an exception to that principle of customer choice, the so-called “joint marketing exception,” should be repealed. It then explores the knotty issue of how to handle data sharing in today’s vast financial conglomerates, suggesting a number of possible modifications to GLB’s Title V.

Part IV of the article looks at the much-maligned notices that financial institutions have sent out in compliance with GLB. The critics have accurately complained about the legalistic and detailed language in the current notices. The critics have largely overlooked, however, important benefits from these notices. Perhaps most significantly, publication of the notices and the new legal obligation to comply with them has forced financial institutions to engage in considerable self-scrutiny as to their data handling practices. The current notices, even in their imperfect form, have reduced the risk of egregious privacy practices. Improved notices, as described in this article, would enhance accountability while also communicating far more clearly with ordinary customers.

In short, this article shows the surprising merits of the GLB privacy provisions. Considerably more was accomplished in the Act than observers would have predicted in the spring of 1999 or than critics have recognized to date. Important flaws do exist, but specific and achievable changes in the statute and implementing regulations can go far toward reducing the magnitude of those flaws.

I. THE PRIVACY PROVISIONS IN GRAMM-LEACH-BLILEY

Perhaps the clearest way to understand what was and was not enacted in the Gramm-Leach-Bliley Act (GLB) on privacy is to compare the law as enacted with standard definitions of fair information practices. Codes of fair information practices are an organizing theme of privacy protection. They were first set forth in comprehensive form in a United States Department of Health, Education, and Welfare study in 1973.4 The precise list of fair information practices has varied somewhat over time, but the use of such a list has been a standard feature of privacy regimes. For instance, they are incorporated into United States law in the Privacy Act of 1974, which applies to United States federal agencies.5 They are listed as the “core principles” of the most important consensus document internationally, the Organization for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in 1980. They are central to the European Union Directive on Data Protection, issued in final form in 1995 and binding on the fifteen member states of the European Union.6 In the 1990s, as the rise of the Internet helped make privacy a more prominent public policy issue in the United States, the fair information practices were used as organizing principles for the debate. Likely the best known version was that of the Federal Trade Commission, which contained five principles: notice/awareness; choice/consent; access/participation; integrity/security; and enforcement/redress.7

A. NOTICE

The FTC calls notice “[t]he most fundamental principle . . . .”8 Without notice, the consumer “cannot make an informed decision as to whether and to what extent to disclose personal information.”9 The notice principle is addressed in detail in GLB, although debates continue about how best to provide notice.

The GLB notice requirements apply to “nonpublic personal information” (often described in this article as “personal information” or “personal data”).10 This personal information may not be disclosed to another corporation unless the consumer is provided a notice.11 At the time of establishing a customer relationship, and at least annually after that, a financial institution “shall provide a clear and conspicuous disclosure of the institution’s privacy policies [to the consumer].”12 The privacy policy must give the policies for sharing data with both affiliates and nonaffiliated third parties, including the categories of information that may be disclosed.13 The notice requirement of GLB is what led to the large number of individual privacy policies that customers of financial institutions now receive on an annual basis.

B. CHOICE/CONSENT

The choice/consent principle has been a major source of contention, both during passage of GLB and since. In the words of the FTC, “choice relates to secondary uses of information—i.e., uses beyond those necessary to complete the contemplated transaction.”14 Privacy regimes generally limit data uses to those that fulfill the original purposes of the data collection, as well as others that are compatible with those purposes.15

In interpreting the choice/consent principle, there have been heated debates about what the default rule should be. Industry has generally favored a default rule of allowing sharing, with customers able to opt out if they choose to limit the data flow. Privacy advocates have generally favored a default rule prohibiting sharing, with data going for secondary uses only with an affirmative opt in by the individual. The default rule seems to matter a great deal in the privacy context, because experience seems to show that the bulk of customers generally

† Professor of Law, the Moritz College of Law of the Ohio State University. From March, 1999 to January, 2001 I served as Chief Counselor for Privacy in the U.S. Office of Management and Budget. My thanks to helpful comments from participants in the Minnesota Law Review Symposium on Privacy. My thanks also for comments by Rick Fischer, Lauren Steinfeld, and Art Wilmarth, and to Larry Glasser for research assistance.

1. For instance, one estimate was that the financial privacy rules would require 2.5 billion consumer disclosure statements annually, with a cost of compliance (which I believe is high) of $1.25 billion. Michele Heller, Banks Want More Time on Reform’s Privacy Rules, AM. BANKER, Apr. 12, 2000, at 3.

2. Frank Torres, legislative counsel for Consumers Union and an active participant in the legislative debates, bluntly described the new privacy law: “The much ballyhooed privacy provision of the Gramm-Leach-Bliley Act does not protect consumers’ privacy.” Don Oldenberg, To-Do Over Privacy Legislation, WASH. POST, April 5, 2000, at C4. Torres also lamented: “[GLB] has a few meager privacy provisions, but it contains so many exceptions that it gives consumers no real privacy protection at all.” Steven Brostoff, Privacy Legislation Draws Industry Fire, NAT’L UNDERWRITER LIFE & HEALTH-FIN. SERVICES EDITION, May 8, 2000, at 46.

3. PETER P. SWIRE & ROBERT E. LITAN, NONE OF YOUR BUSINESS: WORLD DATA FLOWS, ELECTRONIC COMMERCE, AND THE EUROPEAN PRIVACY DIRECTIVE 102-21 (1998); Peter Swire, Financial Privacy and the Theory of High-Tech Government Surveillance, 77 WASH. U. L.Q. 461 (1999); Peter P. Swire, The Uses and Limits of Financial Cryptography: A Law Professor’s Perspective (1997), available at www.osu.edu/units/law/swire.htm.

4. U.S. DEPT. HEALTH, EDUC. & WELFARE, Records, Computers and the Rights of Citizens (1973).

5. Privacy Act of 1974, 5 U.S.C. § 552a (2000).

6. Council Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, 1995 O.J. (L 281) 31 (Oct. 24, 1995), available at http://europea.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html [hereinafter European Union Data Protection Directive]. See generally PETER P. SWIRE & ROBERT E. LITAN, NONE OF YOUR BUSINESS: WORLD DATA FLOWS, ELECTRONIC COMMERCE, AND THE EUROPEAN PRIVACY DIRECTIVE (1998).

7. Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), available at http://www.ftc.gov/reports/privacy3/priv-23a.pdf [hereinafter 1998 FTC Report]. The list of the FTC, which is an independent agency, was generally consistent with formulations by the Clinton Administration. See Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (June 6, 1995), available at http://iitf.doc.gov/ipc/ipc/ipc-pubx/niiprivprin_final.html; U.S. Department of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (Oct. 1995), available at http://www.ntia.doc.gov/ntiahome/privwhitepaper.html.

8. 1998 FTC Report, supra note 7, at 7.

9. Id. The 1980 OECD Guidelines state, in the Collection Limitation Principle: “There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.” Organization for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Sept. 23, 1980, OECD Doc. C(80) 58, reprinted in 20 I.L.M. 422, available at http://www1.oecd.org/dsti/sti/it.secur/prod/PRIV-EN.HTM (latest update Jan. 5, 1999) [hereinafter OECD Guidelines].

10. The term “nonpublic personal information” is defined in GLB Section 6809(4) to mean “personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; (iii) or otherwise obtained by the financial institution.” Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6809(4)(A) (2000) [hereinafter GLB]. The term “does not include publicly available information.” Id. § 6809(4)(B). It does include “any list, description, or other grouping of consumers . . . that is derived using any nonpublic personal information other than publicly available information . . . .” Id. § 6809(4)(C).

11. Id. § 6802(a).

12. Id. § 6803(a).

13. Id. § 6803(a)(1).

14. 1998 FTC Report, supra note 7, at 8. Similarly, under the 1980 OECD Guidelines, “[t]he purposes for which personal data are collected should be specified not later than at the time of data collection and subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes. . . . Disclosure or use of data should then not be done except a) with the consent of the data subject; or b) by the authority of law.” OECD Guidelines, supra note 9.

15. See supra note 14.