347402.DOC 11/25/2002 11:27 PM
106 MINNESOTA LAW REVIEW [Vol. 86:pppp

stick with whichever default rule applies in a given context.16

The other heated debate has been about what sorts of sharing constitute secondary use. In the financial services area, industry has pushed especially hard for the ability to share data with affiliates, that is, with companies controlled by the same financial holding company.17 Industry has also supported the ability to share data with nonaffiliated third parties.18 Privacy proponents have maintained that sharing with either affiliates or nonaffiliated third parties constitutes secondary use, and should trigger a choice or consent requirement.

As enacted, GLB adopted the basic rule of requiring an opt-out choice before personal data could be shared with nonaffiliated third parties.19 Financial institutions must give notice before they share data with affiliates, but customers are not entitled to an opt-out choice for affiliate sharing.20 This basic rule is loosened in two ways. First, the “joint marketing exception” allows a financial institution to share information with nonaffiliated financial institutions in order to pursue joint marketing.21 As discussed below, this exception has been controversial, and I believe it should be repealed. Second, the law sets forth a number of statutory exceptions where neither notice nor choice is required. These exceptions have been reasonably well accepted by many of the stakeholders in the privacy debates, and apply, for instance, to an institution’s attorneys, accountants, and auditors, to consumer reporting agencies under the Fair Credit Reporting Act, to protect against or prevent fraud, and to comply with authorized law enforcement investigations.22

GLB is stricter than the basic rule in one respect. A financial institution cannot disclose, other than to a consumer reporting agency, a credit card or similar account number to any nonaffiliated third party for use in telemarketing, direct mail marketing, or e-mail marketing to a consumer.23 The opt-out and account number restrictions are backed up by a limit on how third parties can redisclose the information.24

C. ACCESS

The third core principle is access. Access refers “to an individual’s ability both to access data about him or herself—i.e., to view the data in an entity’s files—and to contest that data’s accuracy and completeness.”25 Individuals in the United States have had a right to access their credit history—an accumulation of sensitive personal financial information—since passage of the Fair Credit Reporting Act in 1970.26 GLB itself does not implement any consumer access right. Proposed legislation, including that supported by President Clinton in 2000, would have provided access rights to financial information as a matter of law.27 In practice, however, consumers often have an ability to access their personal financial information. For important accounts such as checking accounts, credit card records, securities brokerage accounts, and the like, individuals generally receive detailed records as a matter of course, and they can contest the accuracy and completeness of those records as problems arise.

D. SECURITY

As the FTC states: “Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.”28 Privacy policies offer little protection unless security is in place. Otherwise, the best-intended policies can be quickly undermined by hackers or others who access and disclose the personal information.

GLB addresses security as part of the general obligation of financial institutions to protect privacy. The statute provides: “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”29 In furtherance of that policy, regulators are required to issue standards relating to administrative, technical, and physical safeguards to protect the security and confidentiality of customer records and information. The standards must protect against “anticipated threats or hazards to the security or integrity of such records,” and protect as well against unauthorized access to records or information that “could result in substantial harm or inconvenience to any customer.”30

E. ENFORCEMENT AND REMEDIES

The FTC says: “It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.”31 A phalanx of financial regulators has now issued regulations to implement the GLB privacy provisions for institutions in their jurisdiction.32 In implementing these privacy regulations, the basic rule under GLB is that financial regulators can deploy the full powers that they use in other enforcement actions.33 Bank regulators can use the strict enforcement powers that they gained after the savings and loan abuses of the late 1980s.34 State insurance authorities enforce for violations by state-regulated insurance companies.35 The Securities and Exchange Commission, National Credit Union Administration, and Commodity Futures Trading Commission can enforce against entities in their jurisdiction. The FTC can use its powers to enforce against unfair or deceptive trade practices against any other financial institution that is not subject to one of the above agencies.

F. SUMMARY ON GLB AND FAIR INFORMATION PRACTICES

When matched against the standard list of fair information practices, GLB provides a better set of privacy protections than many have realized. GLB creates significant legal protections for the notice, security, and enforcement principles. For access, ordinary industry practice likely meets many consumer needs. The largest debate concerns the choice/consent principle. Privacy advocates are concerned that the opt-out choice is too weak and that too many data flows are permitted to affiliates and joint marketing partners without any choice at all. As discussed below, the Clinton Administration proposed legislation in 2000 to address these problems, and I personally would favor additional legal protections in the choice/consent area.

Other provisions in GLB show that it provides a better foundation for privacy protection than many have realized. First, the definition of “financial institutions,” which are covered by the statute, is extremely broad. GLB allows a financial holding company to engage in any activity found by the Federal Reserve Board “to be financial in nature or incidental to such financial activity.”36 Going beyond that broad definition, the Board can authorize an activity that is “complementary to a financial activity and does not pose a substantial risk” to safety and soundness.37 This broad definition is an advantage for banks and other institutions that are clearly financial in nature, because they are clearly covered by the privacy rules and can now combine with a wider range of entities. The broad

16. This is my own view after experience with a wide range of privacy regimes. One example of the difference comes from the Drivers Privacy Protection Act of 1999. 18 U.S.C. § 2721 (2000). The Act restricts a state motor vehicles bureau from sharing individual drivers license information for marketing purposes except with choice or consent. It was enacted as an opt-out regime in 1994. Id. As such, opt-out rates varied, based on my discussions with officials, from the low single digits to a high in some states of about 20 percent. In 1999, an appropriation rider switched the regime to opt in. Transportation Appropriations Act, Pub. L. 106-346, § 309, __ Stat. ___, ___ (2000) (amending 18 U.S.C. § 2721). Since that time, no state has even asked whether individuals wished to consent to sharing their drivers license information for marketing purposes.

17. “The term ‘affiliate’ means any company that controls, is controlled by, or is under common control with another company.” GLB, supra note 10, § 6809(6).

18. “The term ‘nonaffiliated third party’ means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.” GLB, supra note 10, § 6809(5).

19. Id. § 6802(b)(1).

20. Id. § 6802(a).

21. Id. § 6802(b)(2). The joint marketing exception is discussed in detail in the text accompanying notes ___ infra.

22. Id. § 6802(e). Other exceptions, described in more detail in the statute, include: an exception necessary to carry out a transaction; with the consent of the consumer; to protect the confidentiality or security of the institution’s records; to provide information to persons assisting in compliance with industry standards; and in connection with a sale or merger of the business. Id.

23. Id. § 6802(d).

24. Essentially, a nonaffiliated third party that receives personal information shall not redisclose that information to any other person unless such disclosure would be lawful if made directly to such other person by the original financial institution. Id. § 6892(c).

25. 1998 FTC Report, supra note 7, at 9. The OECD Individual Participation Principle states: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him: within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended. OECD Guidelines, supra note 9.

26. Fair Credit Reporting Act, 15 U.S.C. § 1681g (2000).

27. Consumer Financial Privacy Act, H.R. 4380, 106th Cong. § 6 (2000) (amending GLB to add a new section that provides the right to access nonpublic personal financial information possessed by a financial institution); Financial Information Privacy Protection Act of 2000, S. 2513, 106th Cong. § 6 (2000) (same); Medical Financial Privacy Protection Act, H.R. 4585, 106th Cong. § 2 (2000) (same for identifiable health information possessed by a financial institution).

28. 1998 FTC Report, supra note 7, at 10. Similarly, the OECD Security Safeguards Principle states: “Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.” OECD Guidelines, supra note 9. The FTC Report combines the security principle with the need to assure data integrity, where “collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.” 1998 FTC Report, supra note 7, at 10. This definition of data integrity conforms to the principle, accepted in European countries, that “untimely data” should be destroyed or converted to anonymous form. The Data Protection Directive, for instance, states that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” European Union Data Protection Directive, supra note 6, art. 6(e). Notwithstanding the FTC’s support for “destroying untimely data,” U.S. law has not usually included data destruction as a significant element of privacy principles.

29. GLB, supra note 10, § 6801(a).

30. Id. § 6801(b).

31. 1998 FTC Report, supra note 7, at 10. The OECD Accountability Principle states: “A data controller should be accountable for complying with measures which give effect to the principles stated above.” OECD Guidelines, supra note 9.

32. The statute required seven agencies, working together with the Treasury Department, to prepare regulations. GLB, supra note 10, § 6804(a)(1). First, a set of standards—“The Interagency Guidelines Establishing Standards for Safeguarding Customer Information”—were developed by the GLB agencies and uniformly promulgated. See, e.g., 12 C.F.R. § 30.2, app. B (Comptroller of the Currency); Id. § 208.3, app. D-2 (Federal Reserve); Id. § 364.101, app. B (FDIC); Id. § 570.1, app. B (Office of Thrift Supervision); Id. § 748, app. A (NCUA). Second, the agencies each promulgated a rule that required financial institutions within their jurisdiction to comply with the Guidelines. See, e.g., Id. § 208.3 (Federal Reserve); 16 C.F.R. § 313.1 (Federal Trade Commission); 12 C.F.R. § 364.101 (FDIC); Id. § 568.5 (Office of Thrift Supervision). GLB, supra note 10, § 509(3)(B) specifically excluded the Commodity Futures Trading Commission from the Act, but that was reversed by the Commodity Futures Modernization Act of 2000. 7 U.S.C. § 1 278f (2000). The CFTC issued proposed rules for GLB compliance in early 2001. 66 Fed. Reg. 15,550 (March 19, 2001).

33. GLB, supra note 10, § 6805.

34. See 12 U.S.C. 1818 (2000). The bank regulators with these powers to enforce the privacy rules are the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision.

35. Because of federalism limits against “commandeering” the states in a federal statutory scheme, see New York v. United States, 505 U.S. 144 (1992), the statute does not order state insurance authorities to adopt regulations to carry out the privacy protections. Instead, states that decline to adopt regulations will lose the power to override certain federal banking regulations. GLB, supra note 10, § 6805(c).

36. 12 U.S.C. 1843(k)(1)(A) (2000).

37. 12 U.S.C. 1843(k)(1)(B) (2000) (emphasis added).