文档详细内容(约60页)
347402.DOC 11/25/200211:27PM 2002 MERITS OF FINANCIAL PRIVACY LAW 111 definition, however, also has the effect of bringing more entities within the scope of glB privacy protections than would be ap parent from the term "financial institutions. Examples in clude many travel agencies, law firms that provide tax and fi- nancial planning advice, and retail stores with installment credit operations. 38 The reach of the privacy protections is thus greater than many initially realized. State law may also operate in ways that make GlB more powerful for privacy than the statute would be standing alone As enacted, glb specifically provides that it acts as a floor but states may provide stricter privacy protections if they so choose. 39 As discussed below, this possibility of additional state legislation serves as an important goad for financial institu tions to reassure state legislators and the general public that they are treating sensitive data with the appropriate level of confidentiality. Stricter state law may turn out to be especially important in the enforcement area. glb does not provide a private right of action. The statutory language on relation to tation"to be stricter at the state level 40 This language may be important in the context of a state tort or contract claim that alleges that a financial institution failed to protect a customers privacy. Even if GLB itself does not create the private right of action, the statute appears to allow the state claim to proceed to an eventual""by a judge who may "interpret federal and state law. In a tort case. for instance. a bank' s violation of the federal privacy regulation may assist a plaintiff in showing that the bank violated a standard of reasonable care. The level of privacy protection contemplated by glB may turn out to highly relevant to what is held to be a breach of duty in state IL THE HISTORY AND RATIONALE OF FINANCIAL PRIVACY LEGISLATION The financial privacy provisions of GLB Title V were not inevitable. Indeed, financial reform came very close to passage in 1998 without having any noticeable privacy provisions. 4I In 38. The definition of"financial institutions"clearly includes ncies.16 C F.R.$ 313. 1(20 or an additional discussion of the breadth of the term"financial services, "see 65 Fed. Reg. 33, 647 (May 24, 2000) 39. GLB, supra note 10, 5 6807(b) 41. See Financial Services Competitiveness Act of 1997, H.R. 10, 105th
347402.DOC 11/25/2002 11:27 PM 2002] MERITS OF FINANCIAL PRIVACY LAW 111 definition, however, also has the effect of bringing more entities within the scope of GLB privacy protections than would be apparent from the term “financial institutions.” Examples include many travel agencies, law firms that provide tax and financial planning advice, and retail stores with installment credit operations.38 The reach of the privacy protections is thus greater than many initially realized. State law may also operate in ways that make GLB more powerful for privacy than the statute would be standing alone. As enacted, GLB specifically provides that it acts as a floor, but states may provide stricter privacy protections if they so choose.39 As discussed below, this possibility of additional state legislation serves as an important goad for financial institutions to reassure state legislators and the general public that they are treating sensitive data with the appropriate level of confidentiality. Stricter state law may turn out to be especially important in the enforcement area. GLB does not provide a private right of action. The statutory language on relation to state law, however, specifically permits an “order” or “interpretation” to be stricter at the state level.40 This language may be important in the context of a state tort or contract claim that alleges that a financial institution failed to protect a customer’s privacy. Even if GLB itself does not create the private right of action, the statute appears to allow the state claim to proceed to an eventual “order” by a judge who may “interpret” federal and state law. In a tort case, for instance, a bank’s violation of the federal privacy regulation may assist a plaintiff in showing that the bank violated a standard of reasonable care. The level of privacy protection contemplated by GLB may turn out to highly relevant to what is held to be a breach of duty in state court. II. THE HISTORY AND RATIONALE OF FINANCIAL PRIVACY LEGISLATION The financial privacy provisions of GLB Title V were not inevitable. Indeed, financial reform came very close to passage in 1998 without having any noticeable privacy provisions.41 In 38. The definition of “financial institutions” clearly includes many travel agencies. 16 C.F.R. § 313.1 (2002). For an additional discussion of the breadth of the term “financial services,” see 65 Fed. Reg. 33,647 (May 24, 2000). 39. GLB, supra note 10, § 6807(b). 40. Id. 41. See Financial Services Competitiveness Act of 1997, H.R. 10, 105th
347402.DOC 11/25/200211:27PM MINNESOTA LAW REVIEW VoL86: pppp 1999, by contrast, privacy became a leading political issue in the legislative debates. President Clinton put forward privacy proposals in May. 42 The House of Representatives almost unanimously passed a privacy amendment in July, 43 most of whose provisions were signed into law in November. 44 Upon signing the bill, furthermore, President Clinton called for addi- tional privacy protections in future legislation, 45 and the Ad ministration proposed such legislation in the spring of 2000. 46 These financial privacy developments, furthermore, hap- pened alongside heated debates on medical privacy, Internet privacy, and related topics. How can we capture the reasons why privacy and data protection issues climbed so swiftly up the policy agenda in the United States in the past few years? To answer this question requires us to recognize that we are currently in the second major wave of privacy law reform, and to understand what differs from the first major wave A. THE FIRST WAVE OF PRIVACY LEGISLATION The first major wave of privacy activity took place in the early 1970s, largely in response to the rise of the mainframe computer. The chief worry in that period was the spectre of the enormous centralized database. The chief areas of concern. as evidenced by the passage of legislation, were credit reporting agencies and the federal government. For credit histories, the concern was that the fragmented Cong.(1998); see also Leslie Wayne, Senate Panel Delays Vote on Overhaul of Banking Laws, N.Y. TIMES, Sept. 4, 1998, at C4 (bill delayed even though mOmentum had been building in Congress for the Senate to take up the 42. Press Release, The White House, Press Background Briefing by Senior dministration Officials on Financial Privacy(Apr. 30, 2000), available at wprivacy 2000. org/archives/POTUS_4-30- 00_press_background_briefing_on_financial_privacy_htm 3. The Oxley Amendment to H R. 19 was agreed to by a vote of 427 to 1 on July 1, 1999. See H. Res 235, 106th CONG REC. 5304-16(1999) 44.GLB, supra note10,§§6801-09 45. President William Clinton, Remarks by the President at Financial Modernization Bill Signing www.privacy2000.org/archives/potus_11-12 46. Press Release, The White House, Office of the Press Secretary, Clin- ton-Gore Plan to Enhance Consumers' Financial Privacy: Protecting Core Val the Information Age, (Apr. 30, 2000), available at the Congress as H.R. 4380 and S 2513. See supra note 2 was introduced in wwprivacy 2000.org/archives. The Administrations bill
347402.DOC 11/25/2002 11:27 PM 112 MINNESOTA LAW REVIEW [Vol.86:pppp 1999, by contrast, privacy became a leading political issue in the legislative debates. President Clinton put forward privacy proposals in May.42 The House of Representatives almost unanimously passed a privacy amendment in July,43 most of whose provisions were signed into law in November.44 Upon signing the bill, furthermore, President Clinton called for additional privacy protections in future legislation,45 and the Administration proposed such legislation in the spring of 2000.46 These financial privacy developments, furthermore, happened alongside heated debates on medical privacy, Internet privacy, and related topics. How can we capture the reasons why privacy and data protection issues climbed so swiftly up the policy agenda in the United States in the past few years? To answer this question requires us to recognize that we are currently in the second major wave of privacy law reform, and to understand what differs from the first major wave. A. THE FIRST WAVE OF PRIVACY LEGISLATION The first major wave of privacy activity took place in the early 1970’s, largely in response to the rise of the mainframe computer. The chief worry in that period was the spectre of the enormous, centralized database. The chief areas of concern, as evidenced by the passage of legislation, were credit reporting agencies and the federal government. For credit histories, the concern was that the fragmented Cong. (1998); see also Leslie Wayne, Senate Panel Delays Vote on Overhaul of Banking Laws, N.Y. TIMES, Sept. 4, 1998, at C4 (bill delayed even though “[m]omentum had been building in Congress for the Senate to take up the measure before adjourning in October”). 42. Press Release, The White House, Press Background Briefing by Senior Administration Officials on Financial Privacy (Apr. 30, 2000), available at www.privacy2000.org/archives/POTUS_4-30- 00_press_background_briefing_on_financial_privacy_htm. 43. The Oxley Amendment to H.R. 19 was agreed to by a vote of 427 to 1 on July 1, 1999. See H. Res. 235, 106th CONG. REC. 5304-16 (1999). 44. GLB, supra note 10, §§ 6801-09. 45. President William Clinton, Remarks by the President at Financial Modernization Bill Signing (Nov. 12, 1999), available at www.privacy2000.org/archives/POTUS_11-12- 99_Remarks_by_president_at_financial_moderniztion_bill%20signing.htm. 46. Press Release, The White House, Office of the Press Secretary, Clinton-Gore Plan to Enhance Consumers’ Financial Privacy: Protecting Core Values in the Information Age, (Apr. 30, 2000), available at www.privacy2000.org/archives. The Administration’s bill was introduced in the Congress as H.R. 4380 and S. 2513. See supra note 27
347402.DOC 11/25/200211:27PM 2002 MERITS OF FINANCIAL PRIVACY LAW 113 legacy of local credit agencies was turning into a few nation- spanning databases. The newly national databases, according to contemporary studies, contained a disturbingly large amount of unverified and often incorrect information Individuals were apparently being turned down for mortgages or jobs based on inaccurate information, some of which was provided by careless or malicious persons. 47 In the face of these concerns about the centralized databases, Congress passed the Fair Credit Report ing Act in 1970. 48 The Act establishes a number of fair infor- mation practices, including individuals' right to access their own records and to seek to correct mistakes in those records 49 a similar fear of centralized databases led to the privac Act of 1974, which governs the creation and use of federal gov ernment systems of records. so The fear of Big Brother-a uni fied and government-run database-was an important motiva tion for the Privacy Act. a crucial feature of the act generally prohibits transfers from one federal agency to another except with the individuals consent. I Whatever the imperfections in the reach or application of the privacy act, 2 it has succeeded preventing the creation of the omnivorous, unified federal da Since 1974, a number of significant privacy laws have be dopted in the United States, covering such areas as govern Access to financial records ,53 searches of materials related ablication and broadcast 54 cable television records 55 elec- ic wiretaps, 6 video records, '7 employee polygraph tests, 58 47. See R. MILLER. THE ASSAULT ON PRIVACY. CoMPUtERS DOSSIERS, (1971); L. RICHARD FISCHER, THE LAW OF FINANC 1 (Warren, Gorham Lamont Banking 1998) 48.15U (2000) §1681g 0. Privacy Act of 1974, 5 U.sC$552a(2000) 51. Id at $552a(b). Transfers among agencies are also allowed in a num- er of other statutory exceptions, including for "routine uses" that are pub- lished in the Federal Register. Ie 62. Robert Gellman, "How to Amend the Privacy Act, Access Reports cy Act of 1978, 12 U.S.C. $3402 lectronic Communications Privacy Act of 1986, 18 U.SC.$2510- 2519(20 7. Video Privacy Protection Act of 1998, 18 U.SC.$2710(2000 8. Employee Polygraph Protection Act of 1988, 29 U.S.C.$ 2002(1994)
347402.DOC 11/25/2002 11:27 PM 2002] MERITS OF FINANCIAL PRIVACY LAW 113 legacy of local credit agencies was turning into a few nationspanning databases. The newly national databases, according to contemporary studies, contained a disturbingly large amount of unverified and often incorrect information. Individuals were apparently being turned down for mortgages or jobs based on inaccurate information, some of which was provided by careless or malicious persons.47 In the face of these concerns about the centralized databases, Congress passed the Fair Credit Reporting Act in 1970.48 The Act establishes a number of fair information practices, including individuals’ right to access their own records and to seek to correct mistakes in those records.49 A similar fear of centralized databases led to the Privacy Act of 1974, which governs the creation and use of federal government systems of records.50 The fear of Big Brother—a unified and government-run database—was an important motivation for the Privacy Act. A crucial feature of the Act generally prohibits transfers from one federal agency to another except with the individual’s consent.51 Whatever the imperfections in the reach or application of the Privacy Act,52 it has succeeded in preventing the creation of the omnivorous, unified federal database. Since 1974, a number of significant privacy laws have been adopted in the United States, covering such areas as government access to financial records,53 searches of materials related to publication and broadcast,54 cable television records,55 electronic wiretaps,56 video records,57 employee polygraph tests,58 47. See generally ARTHUR R. MILLER, THE ASSAULT ON PRIVACY: COMPUTERS, DATA BANKS, AND DOSSIERS, (1971); L. RICHARD FISCHER, THE LAW OF FINANCIAL PRIVACY, ch. 1 (Warren, Gorham & Lamont Banking 1998). 48. 15 U.S.C. §§ 1681-1681U (2000). 49. Id. at § 1681g. 50. Privacy Act of 1974, 5 U.S.C. § 552a (2000). 51. Id. at § 552a(b). Transfers among agencies are also allowed in a number of other statutory exceptions, including for “routine uses” that are published in the Federal Register. Id. 52. Robert Gellman, “How to Amend the Privacy Act,” Access Reports (1997). 53. Right to Financial Privacy Act of 1978, 12 U.S.C. §3402 (2000). 54. Privacy Protection Act of (1980), 42 U.S.C. § 2000aa (1994). 55. Cable Communications Policy Act of (1984), 47 U.S.C. § 551 (1996). 56. Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510- 2519 (2000). 57. Video Privacy Protection Act of 1998, 18 U.S.C. § 2710 (2000). 58. Employee Polygraph Protection Act of 1988, 29 U.S.C. § 2002 (1994)
347402.DOC 11/25/200211:27PM 114 MINNESOTA LAW REVIEW VoL86: pppp telemarketing calls, 9 motor vehicle records, 0 aspects of cus- tomer telephone records, I and childrens records for on-line ac tivities.62 Not until recently, however, has there seemed a real possibility of creating wide-ranging privacy rules that would reshape information practices in major economic sectors Shifts in the underlying technology spurred the wave of privacy reform in the 1990s.63 First, the fear in the 1970s was prompted by the new mainframe technology. Today, everyone has a mainframe--a modern laptop or desktop computer out performs the mainframes of the earlier era. The number of da- tabases has thus grown exponentially. Second, in the 1970s, the Internet was only an experimental system available to some government agencies and scientific researchers. Today, transfers among computers are entirely different. For most practical purposes, transfers today are free, instantaneous, and global The new databases and new transfers among databases led to a major spike in public concern about privacy issues The public expressed concern that sensitive personal data was be coming available in new ways to a new range of people. Per haps the clearest message about the salience of privacy came from a Wall Street Journal poll in September 1999, just as House and Senate negotiators were debating the privacy provi sions in GLB. In the lead-up to the year 2000, the poll asked Americans what they feared most in the coming century. 64 Out of a dozen choices, including threats such as international ter rorism, global warming, and nuclear holocaust, the leading an- swer was "erosion of personal privacy. The poll reported that percent of respondents put privacy either first or second out of the dozen choices. No other issue received more than 23 per 59. Telephone Consumer Protection Act of 1991, 47 U.S.C.$ 227(1994) 60. Drivers Privacy Protection Act of 1994, 18 U.SC.52721-2725(1994) 61. Telecommunications Act of 1996, 47 U.S.C.$222(Supp. 111 1997) 62. Childrens On-Line Privacy Protection Act of 1998, 15 U.SC.$6501- 505(2000). The privacy statutes listed here, and other legal materials re- Marc Rotenberg, THE PRIVACY LAW SOURCEBOOK 2000 (Electronic Privacy Information Center).(Have source, lo 63. The shift from mainframes to distributed processing is discussed in nore detail in SWIRE LITAN, supra note 6, at ch 3 64. Christy Harvey, American Opinion(A Special Report): Optimism Out. duels Pessimism, WALL ST J, Sept 16, 1999, at A10
347402.DOC 11/25/2002 11:27 PM 114 MINNESOTA LAW REVIEW [Vol.86:pppp telemarketing calls,59 motor vehicle records,60 aspects of customer telephone records,61 and children’s records for on-line activities.62 Not until recently, however, has there seemed a real possibility of creating wide-ranging privacy rules that would reshape information practices in major economic sectors. Shifts in the underlying technology spurred the wave of privacy reform in the 1990s.63 First, the fear in the 1970’s was prompted by the new mainframe technology. Today, everyone has a mainframe—a modern laptop or desktop computer outperforms the mainframes of the earlier era. The number of databases has thus grown exponentially. Second, in the 1970’s, the Internet was only an experimental system available to some government agencies and scientific researchers. Today, transfers among computers are entirely different. For most practical purposes, transfers today are free, instantaneous, and global. The new databases and new transfers among databases led to a major spike in public concern about privacy issues. The public expressed concern that sensitive personal data was becoming available in new ways to a new range of people. Perhaps the clearest message about the salience of privacy came from a Wall Street Journal poll in September, 1999, just as House and Senate negotiators were debating the privacy provisions in GLB. In the lead-up to the year 2000, the poll asked Americans what they feared most in the coming century.64 Out of a dozen choices, including threats such as international terrorism, global warming, and nuclear holocaust, the leading answer was “erosion of personal privacy.” The poll reported that 29 percent of respondents put privacy either first or second out of the dozen choices. No other issue received more than 23 percent. 59. Telephone Consumer Protection Act of 1991, 47 U.S.C. § 227 (1994). 60. Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721-2725 (1994). 61. Telecommunications Act of 1996, 47 U.S.C. § 222 (Supp. 111 1997). 62. Children’s On-Line Privacy Protection Act of 1998, 15 U.S.C. § 6501- 6505 (2000). The privacy statutes listed here, and other legal materials related to privacy, are collected in Marc Rotenberg, THE PRIVACY LAW SOURCEBOOK 2000 (Electronic Privacy Information Center). (Have source, locating) 63. The shift from mainframes to distributed processing is discussed in more detail in SWIRE & LITAN, supra note 6, at ch. 3. 64. Christy Harvey, American Opinion (A Special Report): Optimism Outduels Pessimism, WALL ST. J., Sept. 16, 1999, at A10
347402.DOC 11/25/200211:27PM 2002 MERITS OF FINANCIAL PRIVACY LAW B. THE SECOND WAVE: PRIVACY DEVELOPMENTS OUTSIDE OF FINANCIAL MODERNIZATION A comprehensive history of the privacy politics in the 1990s has yet to be written. For the present purpose to under stand the origins of Title V of GlB, we can identify some of the major aspects of the wave of policy activity in the late 1990s Public attention focused most intensively on the growing issue of Internet privacy, especially information collected at web pages. The Clinton Administration early on gave some at tention to the issue as part of the Information Superhighway project. The Federal Trade Commission became involved in Internet privacy by 1995. The FtC was increasingly viewed as the cop on the Internet beat due to its power to enforce against unfair and deceptive "trade practices, such as violations of web privacy policies. Within the Administration, e-commerce leader Ira Magaziner announced the basic policy of encouraging in dustry self-regulation in the summer of 1997. Secretary Commerce William Daley personally became involved in en couraging industry to improve privacy practices as part of the development of e-commerce. In May, 1998, Vice President Gore elevated the privacy is- sue to the White House level in a speech announcing an "Elec- tronic Bill of rights. 65 In this speech, and a follow-up event in July, 1998, the vice President set forth a four-part policy struc ture that the Administration essentially followed until the end of its second term. 66 First, the Vice President called for privacy legislation to protect especially sensitive information. This category of"sensitive" information initially included medical records, childrens activities on-line. and some financial re- cords. Second, the Administration supported self-regulation for privacy in other areas, while continually pushing industry to take effective steps to improve privacy protection. The implicit understanding was that the Administration might switch to supporting Internet privacy legislation if industry did not act effectively. Third, the Federal government should act as a model for good privacy practices. Fourth, the Office of Man- York University Commencement speech. White House, Vice President Gore Announces New Comprehensive Privacy Action Plan for the 21st Century (mAy14,1998),availableatwww.privacy2000.org/archive 66. Office of the vice president. "Vice president gore Announces ney teps Toward an Electronic Bill of Rights, "July 31, 1998, available at
347402.DOC 11/25/2002 11:27 PM 2002] MERITS OF FINANCIAL PRIVACY LAW 115 B. THE SECOND WAVE: PRIVACY DEVELOPMENTS OUTSIDE OF FINANCIAL MODERNIZATION A comprehensive history of the privacy politics in the 1990s has yet to be written. For the present purpose, to understand the origins of Title V of GLB, we can identify some of the major aspects of the wave of policy activity in the late 1990s. Public attention focused most intensively on the growing issue of Internet privacy, especially information collected at web pages. The Clinton Administration early on gave some attention to the issue as part of the Information Superhighway project. The Federal Trade Commission became involved in Internet privacy by 1995. The FTC was increasingly viewed as the cop on the Internet beat due to its power to enforce against “unfair and deceptive” trade practices, such as violations of web privacy policies. Within the Administration, e-commerce leader Ira Magaziner announced the basic policy of encouraging industry self-regulation in the summer of 1997. Secretary of Commerce William Daley personally became involved in encouraging industry to improve privacy practices as part of the development of e-commerce. In May, 1998, Vice President Gore elevated the privacy issue to the White House level in a speech announcing an “Electronic Bill of Rights.”65 In this speech, and a follow-up event in July, 1998, the Vice President set forth a four-part policy structure that the Administration essentially followed until the end of its second term.66 First, the Vice President called for privacy legislation to protect especially sensitive information. This category of “sensitive” information initially included medical records, children’s activities on-line, and some financial records. Second, the Administration supported self-regulation for privacy in other areas, while continually pushing industry to take effective steps to improve privacy protection. The implicit understanding was that the Administration might switch to supporting Internet privacy legislation if industry did not act effectively. Third, the Federal government should act as a model for good privacy practices. Fourth, the Office of Man- 65. Vice President Gore announced the electronic bill of rights at a New York University Commencement speech. White House, Vice President Gore Announces New Comprehensive Privacy Action Plan for the 21st Century, (May 14, 1998), available at www.privacy2000.org/archives. 66. Office of the Vice President, “Vice President Gore Announces New Steps Toward an Electronic Bill of Rights,” July 31, 1998, available at www.privacy2000.org/archives [hereinafter New Steps]
