RESTORING AMERICANS' PRIVACY IN ELECTRONIC COMMERCE

By Joel R. Reidenberg

ABSTRACT

In the United States today, substance abusers have greater privacy than web users and privacy has become the critical issue for the development of electronic commerce. Yet, the U.S. government's privacy policy relies on industry self-regulation rather than legal rights. This article argues that the theory of self-regulation has normative flaws and that public experience shows the failure of industry to implement fair information practices. Together the flawed theory and data scandals demonstrate the sophistry of U.S. policy. The article then examines the comprehensive legal rights approach to data protection that has been adopted by governments around the world, most notably in the European Union, but finds that difficulties implementing these laws for online services pose important challenges for the effective protection of citizens' privacy. The lessons show that safeguarding citizens' rights requires a combination of law and technology and that a legal incentive structure is necessary to stimulate the rapid development and implementation of privacy-protecting technologies. The article concludes with a recommendation for a framework privacy law in the United States modeled on the O.E.C.D. guidelines that includes a safe harbor provision for policies and technologies and that creates a U.S. Information Privacy Commission to assure the balance between citizens' privacy, industry needs, and global competitiveness.

Privacy is a critical issue for the growth of electronic commerce. During the last few years, an overwhelming majority of Americans report that they have lost control of their personal information and that current laws are not strong enough to protect their privacy.1 In 1998, Business Week found that consumer worries about protecting privacy on the Internet ranked as "the top reason people are staying off the Web -- above cost, ease of use and annoying marketing messages."2 The fair treatment of personal information and citizen confidence in such treatment are each necessary conditions for electronic commerce over the next decade. Yet, sadly, at the political birth of the electronic commerce movement in 1997, the White House's report, A Framework for Global Electronic Commerce,3 more commonly referred to as the Magaziner Report, missed a key opportunity to assure the protection of citizens' privacy on the Internet.

For years, the United States has relied on narrow, ad hoc legal rights enacted in response to particular scandals involving abusive information practices.4 The approach has led to incoherence and significant gaps in the protection of citizens' privacy.5 For example, substance abusers have stronger privacy rights than web users in the United States.6 Yet, rather than revise American privacy protection, the Magaziner Report adopted a position enshrining the status quo.

This paper will first examine the philosophy and sophistry behind the U.S. policy of industry self-regulation. Next, the paper examines the comprehensive legal rights approach to data protection that has been adopted by governments elsewhere around the world, in a movement led by the European Union. While conceptually the cross-sectoral approach is better suited to the treatment of personal information in electronic commerce, the foreign experience illustrates a number of challenges for effective protection of citizens. The concluding section argues for a more desirable policy that combines legal and technological means in order to safeguard the privacy of citizens on the Internet.

B. The Philosophy and Sophistry of U.S. Privacy Policy

Broad, international consensus exists on the basic standards of fair information practice and the protection of citizen privacy in a democratic society.7 As recently as June 1998, the Clinton Administration even said that the "O.E.C.D. Guidelines have served as the basis for virtually all privacy legislation and codes of conduct that have been developed over the years."8 Beginning with the U.S. Department of Health and Education's elaboration of the first computer privacy policy in 19739 and the United States' approval of the Organization for Economic Co-Operation and Development's privacy guidelines in 1980, the United States has recognized benchmark norms for fair information practice. These norms include specification of the purpose for data collection, the consent of individuals to processing of personal information, the transparency of data processing, such as notice to individuals and access to their personal information, special treatment of particularly sensitive information, such as medical data, and the existence of enforcement remedies and mechanisms.

The United States, however, has rejected all attempts to legislate any full set of standards.10 Rather, Congress and state legislatures have enacted isolated and narrow statutes such as the Fair Credit Reporting Act11 and the Video Privacy Protection Act,12 after the discovery of particularly scandalous practices. This type of statutory protection only covers the particular activities committed by specific actors such as a consumer credit reporting agency or a video rental service provider. This reactive policy for fair information practices has historically been predicated on the philosophy that self-regulation will accomplish the most meaningful protection of privacy without intrusive government interference, and with the greatest flexibility for dynamically developing technologies. The theory holds that the marketplace will protect privacy because the fair treatment of personal information is valuable to consumers; in other words, industry will seek to protect personal information in order to gain consumer confidence and maximize profits.13

For more than twenty years, however, government agency task forces and reports regularly illustrated the lack of fair information practices in American society, but nevertheless resorted to the mantra that business should be given more time to self-regulate.14 With the Internet revolution, the Clinton Administration had a chance to conceive a new vision of American privacy. Unfortunately for American citizens, the Magaziner Report sought to preserve the status quo:

The Administration considers data protection critically important. We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation, but if effective privacy protection cannot be provided in this way, we will reevaluate this policy.15

In effect, the Magaziner Report catered to the industry of personal data rather than enshrining citizen participation in decisions about their personal data. Indeed, the marketplace of personal information is big business in the United States. By 1998, the gross annual revenue of companies selling personal information and profiles, largely without the knowledge or consent of the individuals concerned, was reportedly $1.5 billion.16

Despite the claims of industry partisans, there are critical normative flaws in the theory of self-regulation for information practices. Self-regulation assumes that all privacy values can and should be resolved by a marketplace. Yet, privacy interests are central to democratic governance17 and privacy has been hailed as a necessary condition for participatory governance.18 In contrast, totalitarian governments prefer the surveillance state.19 Indeed, a democratic government typically does not sell basic political rights. But even if one rejects this position, a marketplace can only function efficiently if there is transparency; citizens must be able to identify the collectors and users of their personal information. However, for personal information, the natural tendency of the marketplace is to obscure its treatment.

This is a classic case of market failure. Without disclosure by corporations, citizens cannot ascertain how their personal information is acquired and used. In the private sector, the economics are wrong for transparency.20 Companies make significant profits from the secret collection and sale of personal information; the $1.5 billion market in personal information is largely hidden from public view. Few individuals have ever heard of companies such as Acxiom or First Data. Yet, these companies have data warehouses with the most intimate details of the lives of millions of Americans. For example, Acxiom even sells information such as ethnic and religious affiliations, the type of car a person drives, and whether a person buys specialty clothing like particular types of underwear.21 Without transparency, an information trafficking industry has emerged in the United States with no accountability and minimal risk of harm to corporate financial interests from abuses of personal information. Not surprisingly, an analysis of industry codes of privacy practice reveals policies that fail to address the most basic principles of citizens' rights to personal information.22

In effect, the American experience during the last two decades shows that the theory of self-regulation is pure sophistry. Time and again, the U.S. government has acknowledged that self-regulation remains hypothetical in corporate America. The Department of Commerce held a long-awaited "Public Meeting on Internet Privacy" in June 1998, initially designed to give industry a chance to show its self-regulatory successes.23 Unfortunately, industry had very little to show in terms of concrete implementation of privacy practices and the Secretary of Commerce conceded that the business community was failing to demonstrate effective self-regulation.24 The Chairman of the Federal Trade Commission, in testimony to Congress during the summer of 1998, stated that "despite the Commission's considerable efforts to encourage and facilitate an effective self-regulatory system, we have not yet seen one emerge."25 Several months later, the first government review of the position paper A Framework for Global Electronic Commerce wistfully admits that industry has only tentatively responded to privacy concerns even in the face of heavy government pressure.26

It is worth noting, however, that industry has improved its privacy talk over the last few years. Trade associations are now addressing the issues of data privacy (and lobbying Congress against regulation). The Secretary of Commerce has also tried to highlight self-regulatory initiatives such as TRUSTe and BBBOnLine as evidence of progress.27

But, ironically, these examples themselves demonstrate the structural defects in self-regulatory theory. TRUSTe, for example, is a program through which websites agree to disclose their privacy policies and license the right to use a special logo designating the site as one that protects privacy.28 TRUSTe may audit licensees to verify compliance with the stated privacy policy. However, the program has had a few major problems. Although about 450 companies are licensed to use the logo to date, this number is trivial compared to the number of website operators in the United States. In fact, one of the companies, GeoCities, holds the distinction of being the first company prosecuted by the Federal Trade Commission for information trafficking,29 and fifty percent of the TRUSTe sponsors do not bother to subscribe to the program and license the logo.30 TRUSTe even features a link on its web page to a look-up service site that fails to disclose its privacy policy and is owned by a company that is not even listed as a TRUSTe licensee.31

A similar pattern exists at BBBOnLine, a project of the Better Business Bureau proposed more than a year ago in response to U.S. government pressure on industry to demonstrate that self-regulation might work.32 BBBOnLine hopes to provide an enforcement mechanism for privacy disputes online. However, for the moment, the BBBOnLine mechanism remains hypothetical. While the program officially launched on March 17, 1999,33 BBBOnLine ignores the issue that consent might not be an appropriate basis for the processing of some personal information, such as health data, only requires that websites disclose particular practices, fails to require that remedies be afforded to victims of information abuse, and fails to require that individuals be granted complete access to their personal information.34 In addition, BBBOnLine uses a nebulous term, "individually identifiable information," without definition to circumscribe the scope of its participants' obligations. It also remains to be seen whether the online industry will participate on a significant scale.

Another important privacy initiative likewise remains unavailable even after three years of development and government encouragement. Internet labeling and filtering technology based on the world wide web's protocol, Platform for Internet Content Selection ("PICS"), has been under development for a privacy application, the Platform for Privacy Preferences ("P3P"), since 1996.35 The World Wide Web Consortium ("W3C")36, an influential standards setting body for the Internet, has led the development effort for P3P technology. Yet after three years, W3C has still not obtained sufficient industry agreement to conclude the development phase, let alone find companies willing to implement the technology. In addition, P3P faces a patent licensing problem that jeopardizes its ultimate adoption by industry.37

The cornerstone of these self-regulatory efforts and U.S. policy seems to be the concept that notice and consent will solve the privacy issues. In describing the notice principle, the Magaziner Report articulates that "[d]ata-gatherers should inform consumers what information they are collecting, and how they intend to use such data."38 The report describes the consent standard by asserting that "[d]ata gatherers should provide consumers with a meaningful way to limit use and re-use of personal information."39 The Magaziner Report even argues that "principles of fair information practice [] rest on the fundamental precepts of awareness and choice."40 This position is also emphasized clearly in the U.S. Department of Commerce's work "Elements of Effective Self-Regulation."41 Yet, these pronouncements seriously misconstrue basic fair information practice principles. These basic principles include key standards, such as purpose limitations, data minimization, and duration of storage that are not satisfied merely through notice and consent; notice and consent are not enough. The United States has even recognized this broader range of issues when it endorsed the O.E.C.D. Guidelines.42 In the rare instance when a government agency, the Federal Communications Commission, gave considered analysis to the effectiveness of consent as a legitimate basis for the sale of personal information to marketers, the FCC found opt-out to be a deficient basis for processing personal information under the Telecommunications Act of 1996 that mandated the protection of subscriber privacy.43

Thus, to rely principally on notice and consent ignores the other basic fair information practice principles and underlines how self-regulation has not worked. Indeed, for the online world, technological defaults routinely favor privacy invasions over the implementation of fair information practices for citizens. Recent examples, such as the incorporation by Intel of an embedded identifier on each of its Pentium III chips44 and the "smart browsing" features of Netscape Communicator and Internet Explorer software that upload from the user's computer a hidden file containing the Internet addresses of sites visited by the user,45 illustrate techniques that facilitate the surreptitious surveillance of citizens. These examples demonstrate that the full range of fair information practice principles is marginalized by self-regulation defined in terms of notice and consent. Smart browsing, for instance, confronts the basic principle of purpose limitations and storage duration since addresses, processed to make website connections, are stored beyond the duration of the connection and now uploaded to a remote site for profiling purposes.

These basic flaws in the theory and practice of the U.S. self-regulatory approach pose an increasingly troubling problem for companies developing electronic commerce. Electronic commerce is global, yet American privacy policy is at odds with the growing movement around the world to establish clear, comprehensive legal rights. Ironically, American companies' global electronic commerce activities face an heretical choice: either provide better protection for U.S. citizens in order to have a single set of practices for global operations (because foreign laws require fair information practices) or maintain a double standard, treating foreign citizens to better privacy than U.S. citizens. The Magaziner Report largely ignores this incongruity in boldly assuming that the rest of the world would simply accept the U.S. status quo with better educational efforts.46

The international consequence of this self-regulatory pretense is an embarrassment for the U.S. government. Without demonstrable privacy protection in the United States, Europe threatens to block the flow of personal information to the United States.47 The U.S. Department of Commerce has sought to negotiate with the European Commission a "safe harbor" code that would assure privacy for international data transfers to the United States and avoid any European data export prohibitions.48 The proposal met with resounding criticism and virtual ridicule for its lack of content.49 Because the Department of Commerce cannot propose any meaningful privacy standards, such as implementation mechanisms or enforcement devices providing remedies to victims, without undermining support for self-regulation, it is unequipped to respond to such criticism. Yet, without meaningful privacy standards, the United States isolates itself from the rest of the world. The time has come to reevaluate and reverse the policy that enshrines electronic surveillance and information trafficking against citizens.

C. The Challenge of Comprehensive Legal Standards

The recycling of unsuccessful and outdated privacy policies in the United States is in direct contrast to the data protection movement around the world. Foreign countries, led by the fifteen states of the European Union (the "Member States"),50 more typically follow an omnibus or comprehensive approach. Ironically, Europe learned its post-war lessons about information privacy from the movement in the United States during the 1960s and 1970s.51 But, unlike the United States, as European countries faced the computer processing of large quantities of personal information in the 1970s and 1980s, they adopted comprehensive data protection statutes to enshrine a rights-based, rather than market-based, approach to privacy. Indeed, in 1981, the Council of Europe opened for signature and ratification a data privacy treaty that has as its object and purpose "to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data."52

Under the European model, framework legislation guarantees a broad set of rights to assure the fair treatment of personal information and the protection of citizens. In general, the modern European data protection laws define each citizen's basic legal right to "information self-determination."53 This European premise of self-determination puts the citizen in control of the collection and use of personal information. The approach imposes responsibilities on data processors in connection with the acquisition, storage, use, and disclosure of personal information and, at the same time, accords citizens the right to consent to the processing of their personal information and the right to access stored personal data and have errors corrected. Rather than accord pre-eminence to business interests, the European approach seeks to provide for a high level of protection for citizens.54

Although the comprehensive rights approach has conceptual appeal for electronic commerce, it poses normative challenges for the structure of electronic commerce ventures and the effective protection of citizens. Because the rights-based approach relies on omnibus legislation, it covers the electronic processing of personal information regardless of context.55 These statutes apply the same standards of fair treatment for personal information across sectoral boundaries of collection and use. In theory, this cross-sectoral application of principle correlates well to an Information Society where industry boundaries blur and data use defies clear categorization.

However, with the proliferation of European data protection laws during the course of the last two decades, the national laws evolved56 and different standards in various Member States threatened the flow of personal information within Europe. For example, the scope of application of data protection laws and transparency requirements varied across national laws, posing conflicts for pan-European data processing.57 In response, the Member States of the European Union sought to harmonize data protection principles and launched a five-year negotiating process that ultimately resulted in the enactment of the European Directive on data protection.58

The European Directive confirmed the pre-existing comprehensive rights-based approach and contained both general and exacting rules aggregated from the laws of various European Union Member States.59 Like the existing national laws, the European Directive's rules address the full set of internationally recognized principles. Each Member State must enact legislation implementing standards conforming to those defined by the European Directive,60 and each Member State must maintain an independent, national supervisory authority for oversight and enforcement of these privacy protections.61 Significantly, the European Directive also mandates that Member State law require any person processing personal information to notify the supervisory authority and the supervisory authority must keep a public register of data processors.62

While the harmonization of European data protection around comprehensive standards seems conceptually better suited to electronic commerce, in practice, the complexity of data processing arrangements in an Information Society makes the application of general principles to particular contexts challenging. Indeed, the registration mechanisms designed to assure transparency of processing activities can become onerous and problematic. Within Europe, critics have argued that compliance with these registration obligations is lacking.63 Elsewhere, required notification to a government agency of data collection might be seen as an overly intrusive government action. In the United States, for example, the European commitment to the registration of data processing activities with a government agency would clash with Fourth Amendment values against government intrusion into the activities of citizens.

Furthermore, the application of the European Directive does not remove all divergences and ambiguities in the European national laws.64 Small divergences and ambiguity will inevitably exist where the principles must be interpreted by different supervisory organizations in each of the Member States. These remaining divergences in standards can pose significant obstacles for the complex information processing arrangements typical in electronic commerce. For example, the European Directive requires that privacy rights attach to information about any "identifiable person."65 Yet, the scope of this definition is not the same across the Member States; what some Member States consider "identifiable" others do not.66 Similarly, the disclosures that must be made to individuals prior to data collection vary within Europe.67 These differences distort the ability and desirability of performing processing operations in various Member States since potentially conflicting requirements might apply to cross-border processing of personal information.

The effect of this challenge to comprehensive standards is, however, mitigated by consensus building options and extra-legal policy instruments that are available under the European model. The European Directive creates a working party of the Member States' data protection commissioners.68 The Working Party offers a formal channel for data protection officials to consult each other and to reach consensus on critical interpretive questions. But, policy guidelines from the Working Party will not be sufficient to assure privacy in electronic commerce. Guidelines will not be meaningful in a dynamic network environment without a technical infrastructure that also promotes data protection. This has been recognized internationally by data privacy commissioners: "it is mandatory to develop design principles for information and communications technology ... which will enable the individual user to control ... his personal data."69 Interestingly, the European model includes a provision for consensus on industry codes of conduct that might prove quite useful to facilitate the implementation of privacy compatible technologies.70 The European Directive, building on Dutch law, provides for approval of codes of conduct as conforming to the privacy standards. This provision can be used to certify technical codes and configurations to assure privacy.71 The use of such technical measures may also be designed to avoid problems found in standards divergence, such as the differences in notice requirements.72

For global information networks and electronic commerce, the comprehensive approach also inevitably invokes tension. Without the statutory authority to restrict transborder data flows, the balance of citizens' rights in Europe could easily be compromised by the circumvention of Europe for processing activities. Consequently, the European Directive includes two provisions to assure that personal information of European origin will be treated with European standards. The choice of law clause in the European Directive assures that the standards of the local state apply to activities within its jurisdiction and the transborder data flow provision prohibits the transfer of personal information to countries that do not have "adequate" privacy protection.73 Some commentators have predicted that any European action will spark a trade war that Europe might lose before the new World Trade Organization.74 While, in theory, such a situation is possible, it is equally remote.75

Even with the difficulties of the European approach, countries elsewhere are looking at the European Directive as the basic model for information privacy, and significant legislative movements toward European-style data protection exist in Canada, South America, and Eastern Europe.76 This movement can be attributed partly to the pressure from Europe arising from scrutiny of the adequacy of foreign privacy rights, and partly to the conceptual appeal of a comprehensive set of data protection standards. In effect, Europe has displaced the United States in setting the global privacy agenda with the enactment of the data privacy directive.

But, as illustrated by the European experience, the resolution of these difficulties cannot derive from law reform alone. In short, the comprehensive standards approach has two serious problems. First, general principles, while needed, leave significant margin for implementation and interpretation, especially in countries with very different legal cultures. For electronic commerce, any ostensibly small divergences in implementation or interpretation can generate significant distortions affecting the coverage for personal information and the incentives for protection by companies.77 Second, the process to enact data protection law in Europe shows that adoption of legal rights is exceedingly slow. The existing European data protection directive took five years and transposition into national law was scheduled for three additional years.78 In Internet time, these delays are generational.

D. Safeguarding Citizens' Rights with a Combination of Law and Technology

The lessons from the American experience with self-regulation show that government cannot abdicate responsibility for the protection of citizens' privacy to a marketplace skewed in favor of sale of personal information. At the same time, the lessons from the European experience involving detailed comprehensive statutes illustrate that effective privacy does not end with a legislative enactment. The guarantee of privacy for citizens requires a combination of law and technology that affords mechanisms to assure the fair treatment of personal information.

In a democratic state, privacy is and remains a basic right of citizens.79 In contrast to many other aspects of privacy, informational privacy is unique in that citizens cannot determine how their personal information is being used without access to internal activities of those processing the data. To paraphrase Justice Stewart, "I do not know it when I cannot see it."80 As a consequence, the citizen confidence in the treatment of personal information that is so necessary for robust electronic commerce will not develop without a clear underlying set of rights.

To restore privacy for American citizens, the United States needs a framework that provides consistent fair information practices across different types of uses of personal information and different forms of processing arrangements. The United States government, however, need not try to reinvent fair information practice principles. The O.E.C.D. guidelines offer a full set of standards already recognized by the United States.81 The content of these guidelines provides a clear basis and level playing field for citizen privacy, and the guidelines themselves have been praised as sensitive to business concerns.82 These principles should be adopted in law as the American framework for information privacy.

Nevertheless, as both the American and European experiences show, technological capabilities and configurations hold the balance between effective fair treatment of personal information and defective privacy. Technical choices embed a set of policy rules for information flows in data processing systems. This "code"83 or "lex informatica"84 contained in the technical infrastructure has a direct rule-making effect on privacy. For example, the protocol P3P85 is designed to empower web users by giving them information about website privacy policies and affording web users choices in the provision of personal information. However, P3P can only be effective if fairly written and appropriately implemented. The technical way in which the P3P protocol allows the expression of privacy policies and the choices given to web users are values-based decisions.86 Furthermore, the manner in which P3P is incorporated in browsers, including the default settings and the fashion by which websites actually describe their practices, is critical for fair treatment of personal information. The development of "cookies" and their ability to track users across the Internet is another example of policy rules embedded in technical standards.87 The initial default settings built into browsers encouraged the secret transfer of users' information, and only when faced with scandal did the software developers increase users' control over the disclosure of information.88 These cases show that the technology can "go either way." Privacy-protective technologies and privacy-enhancing default settings must be available. Yet, industry has demonstrated its lethargy in developing and implementing these technologies. Already, P3P has been in the development stage for three years and widespread use of the standard is, at best, a long time away.

Government must, therefore, act in a fashion that assures technological development in a direction favoring privacy protections rather than privacy intrusions. During the debate over self-regulation, U.S. industry took privacy more seriously only when government threats of regulation were perceived as credible. For example, the threats and cajoling from the Federal Trade Commission were a key impetus for the development of the BBBOnLine, Online Privacy Alliance, and TRUSTe programs. But, despite deadline extensions for action by the Federal Trade Commission, none of these programs has yet demonstrated accountability by their corporate members for violations of privacy to individuals.89 Indeed, to the contrary, industry-created policies tend toward privacy myopia in the development of new products. Intel, for example, seemed genuinely surprised by the outrage expressed against its planned use of a unique identifier on its Pentium III chips.90

With the enactment of a basic set of rights, the incentive structure for industry would shift to the development of effective protection for citizen privacy rather than the elaboration of vague policies to forestall corporate accountability. The existence of basic legal rights will force industry to deploy fair information practices that are well-balanced rather than skewed against citizens. To stimulate the quick development of privacy-protecting system designs, these legal rights should allocate liability to companies that fail to develop and deploy privacy-enhancing technology.91 In doing this, legal standards will create new markets and opportunities for the development of privacy-protecting products.

In any case, the promotion of privacy-friendly technologies and the implementation of fair information practices in particular contexts and especially in the electronic commerce context require constant vigilance. While counterintuitive for many in the United States, a U.S. Information Privacy Commission is urgently needed. Privacy policy requires a forum with a clear mandate for independent judgment to build consensus on solutions in particular contexts and to arbitrate disputes among stakeholders. In addition, U.S. business interests need an advocate in the face of international data flows. For years, the United States has remained on the sidelines of the annual meeting of data protection commissioners from around the world because the United States has no privacy commission.

At present, no existing agency or department in the United States is well suited to the tripartite role of consensus builder, privacy arbitrator, and international advocate. The Department of Commerce, where international privacy policy is presently formed, may be politically expedient, but is inappropriate for the range of privacy issues in the Information Society. The Commerce Department does not, for example, have particular expertise or competence in health privacy issues or global flows of employee data and is notoriously captured by business interests at the expense of citizens' concerns.92 The State Department might be more appropriate for the foreign policy role, but has no expertise on the myriad of domestic privacy issues. Similarly, existing independent agencies such as the Federal Communications Commission would be poor choices for the centralization of privacy policy. The competence of these existing agencies is sectoral and each lacks expertise in cross-sectoral issues. The recent creation of a new position in the White House Office of Management and Budget is a good, but insufficient step.93 Unfortunately, the new position is placed within the layers of the OMB bureaucracy and does not fulfill all the needed roles. Instead, the post has a coordinating role and does not have policy decision-making authority nor does the position have authority for the international negotiations with Europe.

If the United States hopes to protect citizen privacy effectively in electronic commerce, an independent privacy commission offers a number of attractive benefits both for citizens and businesses. The application of general privacy principles in the dynamic and complex online environment will inevitably require interpretation of the standards. Since a citizen's perspective may undervalue the interests of industry and society at large in information flows, while a corporate perspective will undervalue citizens' privacy, an independent privacy commission can offer critical guidance. In particular, such a commission can be accorded the authority to grant safe harbor protections for company practices.94 Like a no-action letter from the Securities and Exchange Commission, a company seeking guidance and assurance that its policies are appropriate should be able to request approval from the privacy commission. Such an approval would mean that the practice conforms to the legal obligations for the fair treatment of personal information. This safe harbor approach was recently endorsed by the Federal Trade Commission.95

In the context of electronic commerce, the safe harbor concept is especially powerful for guidance on technical infrastructure decisions. Technical protocols, default settings, and implementations can be treated the same way as company practices and policies for purposes of a safe harbor.96 The existence of such a voluntary approval mechanism would give companies an important tool to avoid myopic, internal evaluations of the privacy ramifications, protect against data scandals, insulate the company from liability for privacy invasions, and satisfy foreign privacy regulators such as those in the European Union.

At the same time, the safe harbor process would afford citizens an opportunity for public comment on the conformity of practices to framework legal obligations and would not immunize practices outside the safe harbor nor immunize those safe harbor practices that change. Over time, safe harbor decisions would develop a body of public guidance that would increase transparency for all citizens. For citizens, the independent commission and a safe harbor procedure would also assure that the interpretation of fair information practices for electronic commerce continues as an on-going process.

E. Conclusion

The time has come for the U.S. government to become serious about privacy and restore protection to citizens. The Magaziner Report clearly erred in charting a conventional approach for a most unconventional, new environment. Citizens participating in global electronic commerce need to be assured that their personal information will be treated fairly. Companies engaged in electronic commerce cannot be crippled in their use of personal information. Fundamental values are at stake and one-sided policies and solutions will undermine democratic society.