@INFO.POLICY: Robert Gellman

Overreaching bill fails to grasp privacy needs

Robert Gellman

Does the United States need a privacy commission?

A bill recently introduced by Rep. Asa Hutchinson (R-Ark.), HR 4049, would create an entity called the Commission for the Comprehensive Study of Privacy Protection and appears to be on a fast track in the House.

The commission would have 17 members'some appointed by the president, some by Congress. The president, the speaker and the Senate majority leader would jointly select the chairman. That alone could be a major battle.

As introduced, the bill would require the commission to hold at least four hearings in each of five geographic regions of the country. Hearings have their place, but 20 seems a bit much. It would take months and a good chunk of the commission's budget to cart 17 members plus staff all over the country in pursuit of witnesses.

Under the bill, the commission's general goals would include identifying privacy threats; analyzing information sharing; recommending legislation, regulations and self-regulation measures; and analyzing privacy costs. It would review the Privacy Act of 1974, the Freedom of Information Act, pending legislation, and public- and private-sector privacy protection efforts. Just for good measure, the bill also mentions medical, financial, insurance, driving and education records, and Social Security numbers'and, of course, the Internet.

In other words, the commission would consider everything and anything and make recommendations to everyone and anyone.

Has the word unfocused crossed your mind? The bill would take every privacy issue under the sun and toss it to the commission. Frankly, it would likely take 18 months to review just the Privacy Act.

What's the point of a commission without the time to do the topics justice? If the group avoids detailed reviews, it will accomplish little.

High-level principles and fair information practices abound, and many such policies already have an international consensus. There's no need to reinvent the wheel.

I can list several other reasons for not being thrilled about this bill.

First, a privacy agency should be a permanent, not temporary, commission. Many industrialized countries already have useful privacy agencies. Just about every privacy study conducted in the last 20 years has recommended establishing a permanent federal privacy agency. Dealing with privacy is a continuous process, not a one-time event.

Second, for good or bad, privacy has become too political in the last few years to expect much from a high-level commission. Industry groups are already plotting to make sure that they get the right person appointed. The consumers' point of view might be swamped by that of industry. The commission could become another version of the Internet Tax Commission, which found itself unable to make a recommendation because members came with fixed, rigid points of view.

Third, on many privacy fronts, the issues and solutions are already well understood. What is lacking is political consensus.

Health information privacy is a good example. Congress since 1980 has tried repeatedly to pass health privacy legislation and failed every time. The gap between patients and the industry groups is too wide.

Some advocates want to give patients the right to prevent including their records in computer networks, which makes no sense. Industry groups are just as extreme: They want to exploit patient records for profit without restriction, consent or liability.

A commission is not going to achieve consensus. Commission members who support compromises will be tarred and feathered by their own constituencies.

Partisan delay

Some see the commission proposal as providing Republicans with an excuse to delay consideration of real privacy legislation. That may be, but I doubt that Congress will pass substantive legislation in the next 18 months anyway.

I'm not deeply offended by this bill, and it is difficult to work up much energy to oppose a study of a complex and contentious public policy concern. I just don't think that much useful is likely to result.

It would help if the proposed commission had a narrower and more focused charge, and it would be better to ask the National Academy of Science to do some privacy work. An academy study offers the hope of substance without overt politics.

Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is rgellman@cais.com.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above