Protecting Privacy in a B2B World.
The current focus on privacy stems largely from the collision of two forces: the growth of electronic commerce over the Internet and the adoption and implementation of the European Union's (EU's) Directive on Data Protection (the EU directive). One byproduct of this collision is the Gramm-Leach-Bliley Act of 1999, which allows consumers to prevent disclosure of certain information by financial institutions.
The EU directive, the act and the proposed regulations under the act share the same focus--how businesses handle the personal data they receive directly from the consumer. Each also addresses the often overlooked issues surrounding the treasure trove of personal data that is held by third parties, be they the new breed of Internet infomediaries such as ULTRAPRISE.COM or IMX Exchange, or more traditional entities such as loan servicers.
This article addresses the privacy issues raised when businesses transfer personal data to third parties, with particular focus on transfers made over the Internet. The article first discusses the EU directive and the Commerce Department's interpretation of it in the Safe Harbor Principles. The EU directive and the Safe Harbor Principles provide an important framework for understanding how the privacy debate has evolved; they also provide a backdrop for understanding the proposed regulations under the Gramm-Leach-Bliley Act. (References in this article are to the Federal Reserve's proposed Regulation P--more information can be found at the Fed's Web site, www.bog.frb.fed.us/boarddocs/press/boardacts/2000/20000203).
The article then compares certain aspects of the Safe Harbor Principles and the proposed regulations to give the reader a better understanding of the overall privacy landscape. The article concludes with some suggestions for how to manage privacy in this quickly developing area.
The growth of the Internet
The Internet has emerged as the fastest-growing communication medium in history, and it is dramatically changing how business is transacted. As of year-end 1998 it had more than 97 million users, and International Data Corporation estimates this number will grow to 320 million users by 2002.
Companies such as Amazon.com have demonstrated the viability of the business-to-consumer model of Internet commerce. Most experts predict, however, that business-to-business electronic commerce will vastly exceed business-to-consumer electronic commerce in the next three years. According to Forrester Research, Cambridge, Massachusetts, business-to-business electronic commerce is expected to grow from $43 billion in 1998 to $1.3 trillion in 2003, accounting for more than 90 percent of the dollar value of electronic commerce in the United States.
The Internet can bring together disparate segments of an industry through the use of a simple Web browser and the XML (extensible markup language) data standard. Capitalizing on this trend, several information intermediaries, so-called infomediaries, have sprung up in the mortgage market--such as Dulles, Virginia-based ULTRAPRISE.COM, a secondary market mortgage exchange for buyers and sellers of closed whole loans. Another example is IMX Mortgage Exchange, San Ramon, California, a wholesale market where mortgage brokers offer consumer mortgage applications to multiple lenders that then bid on the applications.
On both of these sites, loan-level data is posted by businesses for businesses. The data that travels across the sites contains the richest mine of consumer information available in the market--the mortgage loan file, which includes the consumer's name, address, Social Security number, property location and appraised value, debt and income information, bank account information and credit rating. Yet neither business ever has any direct contact with the consumer whose information it handles.
Until recently, most of the focus on privacy has been in the primary market--that is, where consumers give businesses their data directly. Businesses, consumers and privacy advocates neglect the privacy implications of business-to-business transfers of personal data at their peril, however. By focusing primarily on the privacy policies of the businesses that collect personal data directly from consumers, these parties ignore the multitude of places where personal data may be bought, sold, corrupted, miskeyed, stolen and the like.
International Safe Harbor Privacy Principles
The EU directive--the Draft International Safe Harbor Privacy Principles (hereafter referred to as the Safe Harbor Principles)--which became effective on October 25, 1998, governs the collection, storing, manipulation, use and disclosure of personal data. Personal data includes information about an identified or identifiable individual that is recorded in any form. The EU directive is based on the idea that collecting and using personal data is an infringement of a fundamental right--the right to privacy.
While the United States has recognized a right to privacy in certain actions, it has not typically recognized a fundamental right to privacy with respect to personal data. Rather, the presumption is that data is a commodity that can be bought and sold freely. A business need not pay a consumer to obtain or use data about that consumer, and the business can generally sell that data without legal limitation. (The Federal Trade Commission's March Trans Union ruling, although it addressed constitutional issues, did not challenge the notion that there is no fundamental right to information privacy, but rather found protection in the Fair Credit Reporting Act.)
Where legal limitations do exist, they are sectoral in nature. For example, the Video Privacy Protection Act prohibits the disclosure of personal information gathered in connection with video rentals. Similarly, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act place limitations on when, where and how certain financial information can be used and shared. This sectoral approach underscores the idea that, unless specifically proscribed, personal information can be freely used and traded.
The Commerce Department has enunciated a set of privacy principles that attempts to reconcile the EU fundamental rights approach with the United States' free market and sectoral approach. The principles are broad and intended to apply across all industries.
Safe Harbor Principles
Note that the Safe Harbor Principles are draft principles and the EU has not agreed to all of the language. (The annotated version of the principles can be found on the Department of Commerce's Web site at www.ita.doc.gov/ecom/shprin.html, along with frequently asked questions about the principles.)
Under the EU directive, personal data cannot be transferred if the receiving business does not have privacy protections that are on a par with those in the EU directive. The Commerce Department principles are intended to create a safe harbor. Businesses complying with the principles will be considered to offer sufficient privacy protections that will allow them to receive personal data about EU residents. The principles are as follows:
* Notice: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure, where the organization is using or disclosing it for a purpose other than that for which it was originally collected or for a purpose for which it was processed by the transferring organization. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization, or as soon as is practicable, but in any event, before the organization uses or discloses such information for a purpose other than that specified here.
* Choice: An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties, where such use or disclosure is incompatible with the purpose(s) for which it was originally collected, or subsequently authorized by the individual.
For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), individuals must be given affirmative or explicit (opt-in) choice if the information is to be used for purposes other than those for which it was originally collected, disclosed to any type of third party other than those already notified to the individual, or used or disclosed in a manner other than as subsequently authorized by the individual through the exercise of opt-in choice. Individuals must be provided with clear and conspicuous, readily available and affordable mechanisms to exercise choice.
* Onward Transfer: An organization may disclose personal information only to third parties consistent with the principles of notice and choice. Where an organization has not provided choice (because a use is not incompatible with a purpose for which the data was originally collected or which was subsequently authorized by the individual) and the organization wishes to transfer the data to a third party, it may do so if it first either ascertains that the third party subscribes to the principles or is subject to the directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles. If the organization complies with these requirements, it shall not be held responsible when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations.
* Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
* Data Integrity: Consistent with the principles, an organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is accurate, complete and current.
* Access: Individuals must have access to personal information about them that an organization holds, and be able to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question or where the rights of people other than the individual would be violated.
* Enforcement: Effective privacy protection must include mechanisms for ensuring compliance with the principles, recourse for individuals to whom the data relates who are affected by noncompliance with the principles, and consequences for the organization when the principles are not followed. At a minimum, such mechanisms must include a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the principles and damages awarded where the applicable law or private sector initiatives so provide; b) follow-up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and c) obligations to remedy problems arising out of failure to comply with these principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.
Focus of the principles
It is clear that the main focus of the Safe Harbor Principles is the use, handling, dissemination and protection of personal information gathered by a business directly from a consumer. This is most evident in the notice, choice and access principles, each of which assumes that the business will have direct contact with the consumer. For example, the notice principle states that a notice must be provided "...when individuals are first asked to provide personal information to the organization...." Similarly, the choice principle requires that consumers be given an opportunity to choose whether and how personal information they provide to a business is used (generally, the ability to opt out--but for particularly sensitive information, to opt in).
The access principle requires that individuals have access and the ability to correct information that a business has about them. Implicit in this assumption is that consumers know the entities that have information about them, presumably because of a relationship with the business.
Application of the Safe Harbor Principles
The EU directive is broad in scope and thus also covers the processing and use of the information by third parties as well as the direct collection of information. The Safe Harbor Principles try to incorporate this concept of third-party transfers primarily through the onward transfer principle.
Onward transfer addresses the responsibilities of both the business that collects personal information and the business that receives it secondarily. For the business that collects the information, the principle appears to give two options, which actually collapse into just one upon closer examination. The first option is to provide the consumer with notice and the opportunity to opt out (or opt in) of the transfer of personal data. The second is to forgo notice and opportunity (so long as the transfer is for a purpose that is consistent with the reason that the information was originally collected) while ensuring that the receiving party has adequate privacy protections in place.
To have meaningful notice, the consumer must be clearly informed of all the possible types of entities with whom information may be transferred or shared. This presents something of a double-edged sword for businesses trying to comply with the principle.
Simply put, a notice that is sufficiently broad to cover all the types of entities that might receive the information is likely to be considered too vague to permit the consumer to make a meaningful choice. Similarly, if the consumer's only choice is to consent to the transfer or forgo the product or service, then the consumer is not likely to have been given a meaningful choice--which may be considered tantamount to not giving any opportunity to choose at all. Given the difficulty that most businesses are likely to have giving consumers meaningful notice and opportunity, ensuring that receiving businesses have adequate privacy protections becomes critical.
Even if adequate notice and opportunity were provided, it is unclear to what extent a regulator would ignore the practices of a third party. Consider, for example, the merchant that maintains strict privacy protections for the personal information it collects from consumers but then passes the information on to a third-party processor that does not have any privacy protections in place. Should anything happen because of the processor's lack of standards, it is likely that the regulators would view both parties as responsible--the processor for not maintaining standards and the merchant for not exercising due diligence to ensure that the information it was providing was treated with the same care that the merchant itself had represented to the consumer it would use.
Under the onward transfer principle, a business can ensure that the party to which it is transferring personal data has adequate privacy protections by "...either ascertain[ing] that the third party subscribes to the Safe Harbor Principles or enter[ing] into a written agreement with such third party requiring that the third party provide at least the same level of privacy as is required by the relevant Safe Harbor Principles." (The EU would like additional text added that would require explicit notice and choice when personal data is transferred to a third party that does not adhere to the safe harbor requirements.) Thus, before a business can transfer personal information to a third party, the third party must adopt the Safe Harbor Principles either directly or through a contract with the business that has collected the personal information.
However, since the principles themselves are primarily designed to address collecting personal information directly from a consumer, it is unclear how some of these principles, particularly choice and access, apply to a business that receives personal information secondarily. And yet ensuring compliance with these principles is critical if the information about EU citizens will be transferred.
Proposed regulations under Gramm-Leach-Bliley
The Gramm-Leach-Bliley Act governs the collection and transfer of personal information by financial institutions. As with the EU directive and the Safe Harbor Principles, the act and proposed regulations primarily focus on the collection of information from the individual, but also contain provisions addressing business-to-business transfers of the data.
In some areas, the proposed regulations are significantly easier to comply with than the Safe Harbor Principles. For example, the regulations do not require access, only notice and an opportunity to opt out. Moreover, there are a number of exceptions where either notice or opt-out is not required. The transfer of information in secondary market transactions is one such example. The difficulty with the proposed regulations lies in determining when the exceptions apply.
Under section 9 of the proposed regulations, an individual need not be given the opportunity to opt out of a transfer of information to a third party who "performs services ... or functions" for or on behalf of the entity transferring the data, if the entity transferring the data has provided the initial notice required by the regulation and that entity enters into a contractual relationship with the third party. The contract must require that the third party maintain at least the same level of confidentiality as the entity transferring the data. In addition, the contract must limit the third party's use of the data to the purposes for which it was provided, or similarly related purposes.
Difficult issues arise when trying to parse through the provisions of section 9 regarding the third party's use of the data. Where the onward transfer provision of the Safe Harbor Principles allows a third party to do anything with the data that the transferring party could do so long as the appropriate contractual provisions are in place, no such freedom exists in section 9. Under the terms of section 9, the third party can do with the data only what was originally intended or would otherwise be allowed under section 10.
For example, suppose the Web site through which Bank A transmits data is hosted and maintained by a third party (a Web-hosting firm). If Bank A requested that the Web-hosting firm transfer the data it has (from the mortgage loan applications submitted to Bank A through the site) to a credit-card company, the firm could not do so unless the firm--which has no relationship with the consumer--provided consumers with notice and an opportunity to opt out. Yet Bank A, had it provided a broad enough initial disclosure, could have transferred the data without new notice if the data was on its servers rather than on the firm's servers.
Further relief--and further confusion--can be found in section 10. Under this section, there is no need to provide either notice prior to transfer or an opt-out. To qualify under section 10, the transfer of the information must fit into one of the following exceptions:
* As necessary to effect, administer or enforce a transaction requested or authorized by the consumer;
* To service or process a financial product or service requested or authorized by the consumer;
* To maintain or service the customer's account with you or with another entity as part of a private-label credit-card program or other extension of credit on behalf of such entity; or
* In connection with a proposed or actual securitization, secondary-market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.
Unfortunately, the proposed regulations provide little guidance on how to distinguish between the exception in section 9 and those in section 10. Section 9 refers to joint marketing, but it is unclear whether that is the only time that it applies. Returning to the Web-hosting example, is the relationship between the bank and the Web-hosting firm governed by section 9, since the Web-hosting service is "performing services or functions" for the institution, or by section 10, as "necessary to effect the transaction" or "to service or process the financial product"?
Given the ever-evolving privacy landscape, it is imperative that a business look beyond its four walls to ensure that any third parties to which it transfers data have adequate privacy protections. Until all is settled on the regulatory front, the most effective way to do this is contractually.
By contracting, a business can accomplish several goals at once. First, it allows parties to clearly define the level and types of protection that are to be maintained. Second, it allows the parties to allocate liability for any breach of the privacy protections. Finally, and perhaps most significantly, the contract can serve as evidence to a regulator that the business has taken reasonable steps to ensure the ongoing protection of the personal information it collects from consumers. And the regulators are watching.
The following items should be covered in any contract between a business that collects personal information and the third party to which it intends to transfer the information:
* Governing standards. There should be a general provision explicitly stating which privacy principles govern the contract (Regulation P, the Safe Harbor Principles, the TRUSTe standards, the BBBOnLine standards, etc.).
* Clarifying ambiguities. There should be explicit language regarding the parties' interpretation of any ambiguities in the standards chosen to govern the contract. For example, if the Safe Harbor Principles are to govern, there should be explicit language about when the third party must provide consumers with notice and opportunity. Similarly, if any transfer would violate the original notice that the collecting business gave to consumers, the third party should be prohibited from making such transfers (e.g., the contract might prohibit the third party from selling the information to a list broker). Similarly, if Regulation P is to govern, the parties may want to indicate whether they are assuming that their relationship is based on section 9 or section 10, and why (at least until there is some further clarification by the regulators).
* Providing access. There should be specific language explaining how requests for access will be handled. For example, the contract might allow the third party to provide the consumer with access to the personal information it holds, but only after notice to the business that owns the information.
* Certifying compliance. If the contract will be in effect for more than a year, it should require that the third party submit some type of independent audit or recertification to ensure that the third party is complying with the relevant standards.
* Allocating liability. The contract should contain indemnity provisions so that neither party is liable for the other party's breach of the governing standards.
While there are significant questions yet to be answered regarding how the proposed regulations will apply to business-to-business transfers of personal data, there can be no question that these transfers of information must be managed closely. As the policy debate on how to provide protection in the direct collection of personal information settles down, the focus will begin to shift. Businesses that collect and transfer personal information should not, however, wait for the debate to resolve itself. Instead, they should take a proactive role in managing these data transfers through thorough contractual provisions that ensure that the parties to whom information is transferred exercise the same level of care as the business collecting the information.
Sheilah Goodman is general counsel for Ultraprise Corporation, Dulles, Virginia.
Date: Apr 1, 2000