Privacy Must Be Balanced with Innovation, FTC Official Says
It’s too early to tell where the FTC’s privacy roundtables will take the commission, but its actions probably will be based on a few principles, said Chris Olsen, an assistant director of the division of privacy and identity protection, who discussed them at an American Constitution Society forum. The first roundtable will be Dec. 7.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Olsen said the first idea is that privacy is important and consumers should understand what happens with their personal information. The FTC has taken criticism for its earlier approaches to privacy, he said. The commission first adopted a fair information practices structure that led to lengthy privacy policies, and then it moved to a harm-based approach that was criticized for being too reactive and focused solely on economic harms rather than the harm of intruding upon privacy, Olsen said. As an example of how consumers should understand what’s happening with their data, he cited the proposed Google Books settlement and Bureau of Consumer Protection Director David Vladeck’s concern with how much information about reading history Google will collect (WID Sept 8 p2).
Privacy should get greater attention but shouldn’t unduly interfere with the development of new features and products, Olsen said. He also said privacy notices must improve. Informed consent is key, he said. The government might decide that certain categories of users, such as children, need extra protections, he said. In general, the issue will always be the adequacy of disclosure, to allow consumers to make decisions based on “complete knowledge,” he said.
The U.S. is at a turning point, warned Deborah Peel, the founder of Patient Privacy Rights. If people don’t gain control over their health information, they will never gain control over other personal information, she said. Her group will soon start a “do not disclose” petition that it hopes will lead to federal action, much as the “do not call” list became a federal effort.
People have no control over their health information and they don’t realize it, Peel said. The provision in the Recovery Act that will give people the right to an audit trail of who’s accessed their health information is critical, she said. “We think you're going to be stunned how much access there is.” She cited a study that the Agency for Healthcare Research and Quality did, mining medical records of diabetics to determine the best treatment for diabetes. It obtained the doctors’ consent to do the study, she said, but the patients weren’t consulted. An audience member asked whether a study of diabetes treatment with all the identifiable information stripped away shouldn’t be considered a public good. Peel said it’s nearly impossible to successfully make health data anonymous because it’s so personal. Her group and the Electronic Privacy Information Center wrote to Google asking for the algorithm it uses to anonymize data in Google Flu Trends, she said. The groups wanted to see whether the information is truly anonymized or experts can identify it. “I don’t think that the nation has deputized Google yet to be a replacement for the Centers for Disease Control,” she said. Alan Davidson, the director of public policy at Google, said Google won’t re-identify data like these. Flu Trends provides a valuable service, identifying flu outbreaks about two weeks before the CDCs, he said.
Davidson said Google is working for a baseline federal privacy law. Although he sees a role for states, he wasn’t as enthusiastic about state laws as Peel. She said states serve as laboratories and often have stronger regulations than the federal government. But Davidson said it can be difficult for businesses, especially small companies, to comply with a patchwork of state laws.
Consent can’t be the only privacy protection, but it’s foundational, Peel said. Patients should be able to make broad directives, she said. For example, a patient could say that her primary care physician would get all health data about her, but a podiatrist would get only information on allergies, Peel said. Or the directive could say any information that the American College of Emergency Physicians considers crucial when someone shows up unconscious would be made available in that situation, she said.
Laws and regulations aren’t enough, said Lillie Coney, EPIC’s associate director. Even with laws against snooping, people will look at files they're not supposed to, as can be seen in the snooping into presidential candidate passport files, the release of information about the immigration status of then-candidate Barack Obama’s aunt, and cases involving celebrities’ medical files. System architecture must be designed to alert supervisors to inappropriate access, she said. Coney singled out the IRS as an agency committed to openness in cases of wrongdoing. But she said the State Department has declined to disclose the identity of the contractor that the passport snoops worked for.
Social networking sites complicate the situation, Coney said. Because Facebook apps gives developers access to information about friends of people who use the apps, depending on the app-users’s privacy settings, the Secret Service probably got information on uninvolved third parties when it investigated a recent Facebook poll about assassinating Obama, she said.