347402.DOC 11/25/2002 11:27 PM 116 MINNESOTA LAW REVIEW [Vol.86:pppp
2002] MERITS OF FINANCIAL PRIVACY LAW 117

agement and Budget was given responsibility for coordination of privacy issues.67 To assist in carrying out this task, I was named as Chief Counselor for Privacy, in OMB, in March, 1999.68

Meanwhile, a largely separate debate had been occurring for the area of medical privacy.69 Medical privacy proposals were extensively considered leading up to passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).70 HIPAA mandated new rules so that providers and insurance companies would shift to electronic medical records. There was widespread agreement that privacy and security protections should be created as part of this shift to electronic records. In HIPAA, Congress set itself a deadline of August, 1999 to write medical privacy legislation. If it did not do so, then the Department of Health and Human Services (HHS) was required to promptly issue a medical privacy regulation. The HIPAA deadline contributed to a new peak of privacy policy activity in the period before and during consideration of GLB in 1999.

HHS Secretary Donna Shalala, drawing on a large inter-agency process, announced the Administration’s recommendations for medical privacy legislation in the fall of 1997.71 Vice President Gore announced medical privacy initiatives in the summer of 1998, and called for strong medical privacy legislation.72 The Congressional committees responsible for health care worked on numerous legislative proposals, trying in vain to pass legislation before HHS gained regulatory authority in August, 1999.73 As it became increasingly clear that Congress was unlikely to act, the Administration prepared a detailed proposed medical privacy regulation. President Clinton announced the proposed rule in an Oval Office ceremony on October 31, 1999, less than two weeks before he signed GLB.

The Internet privacy and medical records debates helped create the affirmative arguments for why privacy protections would be appropriate as well for financial records. At the same time, the political context for GLB was being shaped by developments in the European Union, the U.S. debate on encryption policy, and the so-called “Know Your Customer” rules.

The European Union Data Protection Directive was ratified in 1995, with implementation scheduled for October, 1998.74 The Directive requires harmonized and generally strict privacy protections within the fifteen member states of the European Union. Article 25 of the Directive said that personal information could be transferred to other countries only if they had “adequate” privacy protections.75 Article 25 raised the possibility that trade with Europe could be significantly disrupted if the United States was found to lack “adequate” protections.76

Reasonable people can differ about the extent that the Directive pushed the United States toward passage of Title V or stricter privacy protections generally. In my view, the debates about the Directive at a minimum educated and sensitized a

67. “OMB will be given responsibility for coordination of privacy issues, drawing on the expertise and resources of other government agencies. This will help improve the coordination of U.S. privacy policy, which cuts across the jurisdiction of many federal agencies.” Id. OMB had long maintained responsibility of overseeing agency implementation of the Privacy Act. 5 U.S.C. 552a(v) (2000). The change was that OMB would now have responsibility to coordinate privacy issues generally, including financial and medical privacy issues, and not simply oversight for federal systems of records under the Privacy Act.
68. Robert O’Harrow, Jr., Clinton Names Counselor on Privacy, WASH. POST, Mar. 4, 1999, at E2.
69. The debate was “separate” in the sense of having different actors involved. The Department of Health and Human Services was the lead agency for medical privacy as opposed to the Department of Commerce and the independent agency FTC for Internet privacy. In the Senate, medical privacy was considered in the Health, Education, Labor, and Pensions Committee, while Internet privacy was in the Commerce, Science, and Transportation Committee. In the House, medical privacy was principally considered in the Ways and Means Committee and one subcommittee of the Commerce Committee, while Internet issues were handled in a different subcommittee of the Commerce Committee.
70. Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191.
71. See Shalala Urges Congress to Protect Americans’ Personal Medical Records, (Sept. 11, 1997), available at http://www.hhs.gov/news.press/1997pres/970911.html.
72. New Steps, supra note 66. For instance, the Vice President announced that the Administration would not develop standards for unique health identifiers as called for by HIPAA, until and unless strong privacy protections were in place. Id.
73. Health Care Policy: Congressional Roundup, 8 HEALTH L. REP. (BNA) No. 42, at 1728 (Oct. 28 1999).
74. See generally SWIRE & LITAN, supra note 6.
75. Directive, Art. 25. Article 26 creates a number of exceptions that can permit transfers to countries that lack “adequate” protection.
76. Intensive discussions with the European Union, led on the United States side by David Aaron and Barbara Wellbery, eventually resulted in the spring of 2000 with a “safe harbor” agreement. Essentially, companies that agree to be bound by safe harbor privacy principles are allowed to share data freely between their European Union and U.S. operations. See safe harbor website, available at http://www.export.gov/safeharbor
greater range of U.S. policy officials to privacy issues. Awareness of the detailed privacy regulations in Europe made it easier to imagine similar regulations in the United States and more difficult for industry to say that such regulations would be unworkable.77 In the financial services area, the most publicized enforcement action in Europe was brought against Citibank, and policy discussions about the Directive foreshadowed the issues that arose in the GLB debates.78

The debate about encryption policy brought fervor to the privacy issue while involving many members of Congress.79 The legal issue at the heart of the debate was setting the terms under which encryption software and hardware could be exported from the United States. Law enforcement and national security officials were concerned that criminals would deploy encryption domestically and that the United States would lose its ability to read messages that intelligence sources gathered from abroad. E-commerce companies supported strong encryption as a necessary tool for securely conducting business transactions over the Internet. Encryption enthusiasts and privacy supporters entered the debate with passionate rhetoric about the importance of strong encryption to individual liberty on the Internet.80

The Clinton Administration initially sided with the law enforcement and national security position, supporting in 1993 the “Clipper chip” that would have facilitated government access to encrypted communications.81 Encryption continued to be a hotly debated issue throughout 1998 and 1999.82 In June, 1999—as the House was preparing to vote on the financial

77. DAVID VOGEL, TRADING UP: CONSUMER AND ENVIRONMENTAL REGULATION IN A GLOBAL ECONOMY 259 (1995).
78. The Swire and Litan book about the Directive devoted a chapter specifically to financial services privacy issues, and also examined a number of the specific situations that became exceptions under GLB § 502(e). SWIRE & LITAN, supra note 6, at ch. 4.
79. For a detailed and readable history of the encryption debate, see generally PAUL LEVY, CRYPTO 1-2 (2000).
80. For a history of the policy debate from a civil liberties perspective, as well as current news and legislation, see, e.g., http://www.cdt.org/crypto.
81. John Mintz, U.S. Moves to Ensure Its Ability to Eavesdrop, WASH. POST, Apr. 17, 1993, at A9 (discussing announcement of the Clipper Chip); see also A. Michael Froomkin, The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. PENN. L. REV. 709, 717-718 (1995) (discussing legal issues implicated by Clipper Chip).
82. For a detailed chronology of the period, see http://www.cdt.org/previousheads/encryption.shtml
modernization bill—encryption privacy bills passed both the Senate and House Commerce Committees.83 In September, 1999, as the financial modernization conference committee was deliberating, the White House announced a major shift on encryption in the direction of greater exports and privacy protection.84 The encryption debate, stretching over several years, culminated in literally hundreds of members of Congress announcing their support for stronger encryption, and thus the greater privacy protections that would result.85

Meanwhile, the “know your customer” rule brought new attention to issues of financial privacy. The regulation was proposed by federal banking regulators in late 1998 as part of the ongoing efforts to crack down on money laundering.86 The rule used language that provoked a privacy alarm:

As proposed, the regulation would require each bank to develop a program designed to determine the identity of its customers; determine its customers’ sources of funds; determine the normal and expected transactions of its customers; monitor account activity for transactions that are inconsistent with those normal and expected transactions; and report any transactions of its customers that are determined to be suspicious, in accordance with the [agency’s] existing suspicious activity reporting regulation.87

In immediate response to the proposal, press accounts appeared describing the rule as “an Orwellian intrusion into Americans’ privacy.”88 Opposition arose from a combination of conservative, liberal, and libertarian groups, foreshadowing a coalition that emerged again in the GLB debates.89 More than 200,000 comments rolled in, almost all of them negative.90 Privacy had become a mobilizing issue politically. The rule was retracted in March, 1999.91

These five privacy debates—Internet privacy, medical records, the European Directive, encryption, and know your customer—were thus all in full swing in early 1999 as Congress prepared to debate the financial modernization bill. Many in the financial services industry thought that the 1999 modernization bill would closely resemble the 1998 bill that almost passed. These industry insiders had a difficult time understanding how privacy suddenly became so important in the 1999 financial debates. For those who had been engaged in the other privacy debates, however, the question seemed different—why shouldn’t financial records, which most people consider very sensitive, be subject to privacy protections, too?

C. THE POLICY CONTEXT IN 1999 FOR FINANCIAL PRIVACY

In considering financial privacy legislation, one can start with some basic goals. A first goal, in a democracy, is to have the laws match the desires of the public. In the legislative debates, one important consideration was the widely held view that financial records contain sensitive personal information. Repeated polls have shown that Americans place financial information in an especially sensitive category with medical records and certain other information, such as gathering data on children surfing on-line.92 In a democracy, there is a straight-

83. Id.
84. Press Release, The White House, Press Briefing by Deputy National Security Advisor Jim Steinberg, Attorney General Janet Reno, Deputy Secretary of Defense John Hamre, Under Secretary of Commerce Bill Reinsch, and Chief Counselor for Privacy at OMB Peter Swire, (Sept. 16, 1999), available at http://www.privacy2000.org/archive. “I’m here to underscore that today’s announcement reflects the Clinton Administration’s full support for the use of encryption and other new technologies to provide privacy and security to law-abiding citizens in the digital age.” Remarks of Peter Swire. Id.
85. See, e.g., Joe Salkowski, Encryption Campaign Ends With a Triumph for Common Sense, CHI. TRIB., Sept. 27, 1999, § 4, at 6 (reporting that a majority of members of the House supported the House encryption privacy bill).
86. The discussion here draws on an analysis of money laundering laws and privacy, written in early 1999. Peter P. Swire, Financial Privacy and the Theory of High-Tech Government Surveillance, 77 WASH. U. L.Q. 461, 487-92 (1999). For an extremely detailed treatment of money laundering laws, see L. RICHARD FISCHER, THE LAW OF FINANCIAL PRIVACY ¶¶ 4.01-4.13 (3d ed. 1991).
87. Know Your Customer Requirements, 63 Fed. Reg. 67524 (Dec. 7 1998) (to be codified at 12 C.F.R. pt. 21).
88. Declan McCullagh, Banking with Big Brother, available at http://www.wired.com/news/print/0,1294,16749,00.html (last modified Dec. 10 1998).
89. Id. Groups expressing opposition included the Free Congress Foundation, a conservative group, the Libertarian Party and American Civil Liberties Union, libertarian groups on the right and left, and the Electronic Privacy Information Center, a generally liberal group. In the GLB debates, generally conservative Republican Senator Richard Shelby and Representative Joe Barton teamed with generally liberal Democrats such as Senator Richard Bryan and Representative Edward Markey to support stricter financial privacy protections. Digest, WASH. POST, Nov. 11, 1999, at E1 (these four members of Congress introduce stricter financial privacy bill).
90. Robert O’Harrow, Jr., Disputed Bank Plan Dropped; Regulators Bow to Privacy Fears, WASH. POST, Mar. 24, 1999, at E1 (over 200,000 comments); Michael Kelly, Banking With Big Brother, WASH. POST, Feb. 3, 1999, at A17 (all but 12 comments to FDIC on the rule, out of 15,000, were negative).
91. O’Harrow, supra note 90.
92. A Gallup survey found that 84% of respondents stated that the privacy of personal financial information was “very important,” with personal