347402.DOC 11/25/2002 11:27 PM 101

The Surprising Virtues of the New Financial Privacy Law

Peter P. Swire†

The financial privacy law passed by Congress in 1999 has been the target of scathing criticism. On one side, banks and other financial institutions have complained about the high costs of the billions of notices sent to consumers, apparently to widespread consumer indifference.1 On the other side, privacy advocates have condemned the law as woefully weak, and some have argued that its so-called privacy provisions actually resulted in weakening privacy protection.2

This paper disagrees with the criticisms. The new financial privacy law, known more formally as Title V of the Gramm-Leach-Bliley Act of 1999, works surprisingly well as privacy legislation. It does so in ways that address legitimate industry concerns about excessive cost and barriers to needed information. In addition, the ability of states to draft additional legislation in the area means that an effective mechanism exists to correct the key weaknesses of the law over time.

† Professor of Law, the Moritz College of Law of the Ohio State University. From March, 1999 to January, 2001 I served as Chief Counselor for Privacy in the U.S. Office of Management and Budget. My thanks to helpful comments from participants in the Minnesota Law Review Symposium on Privacy. My thanks also for comments by Rick Fischer, Lauren Steinfeld, and Art Wilmarth, and to Larry Glasser for research assistance.

1. For instance, one estimate was that the financial privacy rules would require 2.5 billion consumer disclosure statements annually, with a cost of compliance (which I believe is high) of $1.25 billion. Michele Heller, Banks Want More Time on Reform’s Privacy Rules, AM. BANKER, Apr. 12, 2000, at 3.

2. Frank Torres, legislative counsel for Consumers Union and an active participant in the legislative debates, bluntly described the new privacy law: “The much ballyhooed privacy provision of the Gramm-Leach-Bliley Act does not protect consumers’ privacy.” Don Oldenberg, To-Do Over Privacy Legislation, WASH. POST, April 5, 2000, at C4. Torres also lamented: “[GLB] has a few meager privacy provisions, but it contains so many exceptions that it gives consumers no real privacy protection at all.” Steven Brostoff, Privacy Legislation Draws Industry Fire, NAT’L UNDERWRITER LIFE & HEALTH-FIN. SERVICES EDITION, May 8, 2000, at 46.
MINNESOTA LAW REVIEW [Vol. 86:pppp

The financial privacy provisions were enacted in 1999 as part of sweeping legislation to update the structure of the banking, insurance, securities, and other financial services industries. Since the 1930s, the Glass-Steagall Act had largely separated these industries. Gramm-Leach-Bliley, as signed by President Clinton in November, 1999, culminated many years of regulatory and legislative debate about how to modernize the financial services sector. From now on, a single financial holding company can own banks, investment banks, insurance companies, and a wide array of other institutions.

Part I of this article introduces the main provisions of Title V, showing the better match with basic privacy principles than many have realized. Part II explores the history of how the financial privacy provisions became law, placing the enactment into the context of a historical peak of privacy policy activity in the late 1990s. Perhaps this history will be of particular interest because of my unusual dual perspective, both as an academic who has written extensively about financial privacy,3 and also as the Clinton Administration’s Chief Counselor for Privacy during the period. Part III looks at the most hotly-contested issue in the privacy debate, the rules for sharing personal information with affiliated entities and third parties. GLB establishes a basic rule that information can flow freely within a financial institution and to its affiliates. Customer choice—an opt-out ability to prevent sharing—applies for transfers to non-affiliated companies. This article argues that an exception to that principle of customer choice, the so-called “joint marketing exception,” should be repealed. It then explores the knotty issue of how to handle data sharing in today’s vast financial conglomerates, suggesting a number of possible modifications to GLB’s Title V.

Part IV of the article looks at the much-maligned notices that financial institutions have sent out in compliance with GLB. The critics have accurately complained about the legalistic and detailed language in the current notices. The critics have largely overlooked, however, important benefits from these notices. Perhaps most significantly, publication of the notices and the new legal obligation to comply with them has forced financial institutions to engage in considerable self-scrutiny as to their data handling practices. The current notices, even in their imperfect form, have reduced the risk of egregious privacy practices. Improved notices, as described in this article, would enhance accountability while also communicating far more clearly with ordinary customers.

In short, this article shows the surprising merits of the GLB privacy provisions. Considerably more was accomplished in the Act than observers would have predicted in the spring of 1999 or than critics have recognized to date. Important flaws do exist, but specific and achievable changes in the statute and implementing regulations can go far toward reducing the magnitude of those flaws.

I. THE PRIVACY PROVISIONS IN GRAMM-LEACH-BLILEY

Perhaps the clearest way to understand what was and was not enacted in the Gramm-Leach-Bliley Act (GLB) on privacy is to compare the law as enacted with standard definitions of fair information practices. Codes of fair information practices are an organizing theme of privacy protection. They were first set forth in comprehensive form in a United States Department of Health, Education, and Welfare study in 1973.4 The precise list of fair information practices has varied somewhat over time, but the use of such a list has been a standard feature of privacy regimes. For instance, they are incorporated into United States law in the Privacy Act of 1974, which applies to United States federal agencies.5 They are listed as the “core principles” of the most important consensus document internationally, the Organization for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in 1980. They are central to the European Union Directive on Data Protection, issued in final form in 1995 and binding on the fifteen member states of the European Union.6 In the 1990s, as the rise of the Internet

3. PETER P. SWIRE & ROBERT E. LITAN, NONE OF YOUR BUSINESS: WORLD DATA FLOWS, ELECTRONIC COMMERCE, AND THE EUROPEAN PRIVACY DIRECTIVE 102-21 (1998); Peter Swire, Financial Privacy and the Theory of High-Tech Government Surveillance, 77 WASH. U. L.Q. 461 (1999); Peter P. Swire, The Uses and Limits of Financial Cryptography: A Law Professor’s Perspective (1997), available at www.osu.edu/units/law/swire.htm.

4. U.S. DEPT. HEALTH, EDUC. & WELFARE, Records, Computers and the Rights of Citizens (1973).

5. Privacy Act of 1974, 5 U.S.C. § 552a (2000).

6. Council Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data, 1995 O.J. (L 281) 31 (Oct. 24, 1995), available at http://europea.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html [hereinafter European Union Data Protection Directive]. See generally PETER P. SWIRE & ROBERT E. LITAN, NONE OF
YOUR BUSINESS: WORLD DATA FLOWS, ELECTRONIC COMMERCE, AND THE EUROPEAN PRIVACY DIRECTIVE (1998).

helped make privacy a more prominent public policy issue in the United States, the fair information practices were used as organizing principles for the debate. Likely the best known version was that of the Federal Trade Commission, which contained five principles: notice/awareness; choice/consent; access/participation; integrity/security; and enforcement/redress.7

A. NOTICE

The FTC calls notice “[t]he most fundamental principle . . . .”8 Without notice, the consumer “cannot make an informed decision as to whether and to what extent to disclose personal information.”9 The notice principle is addressed in detail in GLB, although debates continue about how best to provide notice.

The GLB notice requirements apply to “nonpublic personal information” (often described in this article as “personal information” or “personal data”).10 This personal information may not be disclosed to another corporation unless the consumer is provided a notice.11 At the time of establishing a customer relationship, and at least annually after that, a financial institution “shall provide a clear and conspicuous disclosure of the institution’s privacy policies [to the consumer].”12 The privacy policy must give the policies for sharing data with both affiliates and nonaffiliated third parties, including the categories of information that may be disclosed.13 The notice requirement of GLB is what led to the large number of individual privacy policies that customers of financial institutions now receive on an annual basis.

B. CHOICE/CONSENT

The choice/consent principle has been a major source of contention, both during passage of GLB and since. In the words of the FTC, “choice relates to secondary uses of information—i.e., uses beyond those necessary to complete the contemplated transaction.”14 Privacy regimes generally limit data uses to those that fulfill the original purposes of the data collection, as well as others that are compatible with those purposes.15

In interpreting the choice/consent principle, there have been heated debates about what the default rule should be. Industry has generally favored a default rule of allowing sharing, with customers able to opt out if they choose to limit the data flow. Privacy advocates have generally favored a default rule prohibiting sharing, with data going for secondary uses only with an affirmative opt in by the individual. The default rule seems to matter a great deal in the privacy context, because experience seems to show that the bulk of customers generally

7. Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), available at http://www.ftc.gov/reports/privacy3/priv-23a.pdf [hereinafter 1998 FTC Report]. The list of the FTC, which is an independent agency, was generally consistent with formulations by the Clinton Administration. See Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information (June 6, 1995), available at http://iitf.doc.gov/ipc/ipc/ipc-pubx/niiprivprin_final.html; U.S. Department of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (Oct. 1995), available at http://www.ntia.doc.gov/ntiahome/privwhitepaper.html.

8. 1998 FTC Report, supra note 7, at 7.

9. Id. The 1980 OECD Guidelines state, in the Collection Limitation Principle: “There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.” Organization for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Sept. 23, 1980, OECD Doc. C(80) 58, reprinted in 20 I.L.M. 422, available at http://www1.oecd.org/dsti/sti/it.secur/prod/PRIV-EN.HTM (latest update Jan. 5, 1999) [hereinafter OECD Guidelines].

10. The term “nonpublic personal information” is defined in GLB Section 6809(4) to mean “personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; (iii) or otherwise obtained by the financial institution.” Gramm-Leach-Bliley Act of 1999, 15 U.S.C. § 6809(4)(A) (2000) [hereinafter GLB]. The term “does not include publicly available information.” Id. § 6809(4)(B). It does include “any list, description, or other grouping of consumers . . . that is derived using any nonpublic personal information other than publicly available information . . . .” Id. § 6809(4)(C).

11. Id. § 6802(a).

12. Id. § 6803(a).

13. Id. § 6803(a)(1).

14. 1998 FTC Report, supra note 7, at 8. Similarly, under the 1980 OECD Guidelines, “[t]he purposes for which personal data are collected should be specified not later than at the time of data collection and subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes. . . . Disclosure or use of data should then not be done except a) with the consent of the data subject; or b) by the authority of law.” OECD Guidelines, supra note 9.

15. See supra note 14.
347402.DOC 11/25/2002 11:27 PM 106 MINNESOTA LAW REVIEW [Vol.86:pppp stick with whichever default rule applies in a given context.16 The other heated debate has been about what sorts of sharing constitute secondary use. In the financial services area, industry has pushed especially hard for the ability to share data with affiliates, that is, with companies controlled by the same financial holding company.17 Industry has also supported the ability to share data with nonaffiliated third parties.18 Privacy proponents have maintained that sharing with either affiliates or nonaffiliated third parties constitutes secondary use, and should trigger a choice or consent requirement. As enacted, GLB adopted the basic rule of requiring an optout choice before personal data could be shared with nonaffiliated third parties.19 Financial institutions must give notice before they share data with affiliates, but customers are not entitled to an opt-out choice for affiliate sharing.20 This basic rule is loosened in two ways. First, the “joint marketing exception” allows a financial institution to share information with nonaffiliated financial institutions in order to pursue joint marketing.21 As discussed below, this exception has been controversial, and I believe it should be repealed. Second, the law sets forth a number of statutory exceptions where neither notice nor choice are required. These exceptions have been reasonably well accepted by many of the stakeholders in the privacy de- 16. This is my own view after experience with a wide range of privacy regimes. One example of the difference comes from the Drivers Privacy Protection Act of 1999. 18 U.S.C. § 2721 (2000). The Act restricts a state motor vehicles bureau from sharing individual drivers license information for marketing purposes except with choice or consent. It was enacted as an optout regime in 1994. Id. 
As such, opt out rates varied, based on my discussions with officials, from the low single digits to a high in some states of about 20 percent. In 1999, an appropriation rider switched the regime to opt in. Transportation Appropriations Act., Pub. L. 106-346, § 309 __ Stat. ___, ___ (2000) (amending 18 U.S.C. § 2721). Since that time, no state has even asked whether individuals wished to consent to sharing their drivers license information for marketing purposes. 17. “The term ‘affiliate’ means any company that controls, is controlled by, or is under common control with another company.” GLB, supra note 10, § 6809(6). 18. “The term ‘nonaffiliated third party’ means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.” GLB, supra note 10, § 6809(5). 19. Id. § 6802(b)(1). 20. Id. § 6802(a). 21. Id. § 6802(b)(2). The joint marketing exception is discussed in detail text accompanying notes ___ infra
bates, and apply, for instance, to an institution’s attorneys, accountants, and auditors, to consumer reporting agencies under the Fair Credit Reporting Act, to protect against or prevent fraud, and to comply with authorized law enforcement investigations.22

GLB is stricter than the basic rule in one respect. A financial institution cannot disclose, other than to a consumer reporting agency, a credit card or similar account number to any nonaffiliated third party for use in telemarketing, direct mail marketing, or e-mail marketing to a consumer.23 The opt-out and account number restrictions are backed up by a limit on how third parties can redisclose the information.24

C. ACCESS

The third core principle is access. Access refers “to an individual’s ability both to access data about him or herself—i.e., to view the data in an entity’s files—and to contest that data’s accuracy and completeness.”25 Individuals in the United States have had a right to access their credit history—an accumulation of sensitive personal financial information—since passage of the Fair Credit Reporting Act in 1970.26 GLB itself does not implement any consumer access right. Proposed legislation, including that supported by President

22. Id. § 6802(e). Other exceptions, described in more detail in the statute, include: an exception necessary to carry out a transaction; with the consent of the consumer; to protect the confidentiality or security of the institution’s records; to provide information to persons assisting in compliance with industry standards; and in connection with a sale or merger of the business. Id.
23. Id. § 6802(d).
24. Essentially, a nonaffiliated third party that receives personal information shall not redisclose that information to any other person unless such disclosure would be lawful if made directly to such other person by the original financial institution. Id. § 6802(c).
25. 1998 FTC Report, supra note 7, at 9. The OECD Individual Participation Principle states: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him: within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended. OECD Guidelines, supra note 9.
26. Fair Credit Reporting Act, 15 U.S.C. § 1681g (2000).
MINNESOTA LAW REVIEW [Vol. 86

Clinton in 2000, would have provided access rights to financial information as a matter of law.27 In practice, however, consumers often have an ability to access their personal financial information. For important accounts such as checking accounts, credit card records, securities brokerage accounts, and the like, individuals generally receive detailed records as a matter of course, and they can contest the accuracy and completeness of those records as problems arise.

D. SECURITY

As the FTC states: “Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.”28 Privacy policies offer little protection unless security is in place. Otherwise, the best-intended policies can be quickly undermined by hackers or others who access and disclose the personal information.

GLB addresses security as part of the general obligation of financial institutions to protect privacy. The statute provides: “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”29 In furtherance of that policy, regulators are required to issue standards relating to administrative, technical, and physical safeguards to protect the security and confidentiality of customer records and information. The standards must protect against “anticipated threats or hazards to the security or integrity of such records,” and protect as well against unauthorized access to records or information that “could result in substantial harm or inconvenience to any customer.”30

E. ENFORCEMENT AND REMEDIES

The FTC says: “It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them.”31 A phalanx of financial regulators has now issued regulations to implement the GLB privacy provisions for institutions in their jurisdiction.32 In implementing these privacy regulations, the basic rule under GLB is that financial regulators can deploy the full powers that they use in other enforcement actions.33 Bank regulators can use the strict enforcement powers that they gained after the savings and loan abuses of the late 1980s.34 State insurance authorities enforce for violations by state-regulated insurance companies.35 The Securities and Exchange Commission, National Credit Union Administration, and Commodity Futures Trading Commission can enforce against entities in their jurisdiction. The FTC can use its powers against unfair or deceptive trade practices to enforce against any other financial institution that is not subject to one of the above agencies.

F. SUMMARY ON GLB AND FAIR INFORMATION PRACTICES

When matched against the standard list of fair information practices, GLB provides a better set of privacy protections than many have realized. GLB creates significant legal protections for the notice, security, and enforcement principles. For access, ordinary industry practice likely meets many consumer needs. The largest debate concerns the choice/consent principle. Privacy advocates are concerned that the opt-out choice is too weak and that too many data flows are permitted to affiliates and joint marketing partners without any choice at all. As discussed below, the Clinton Administration proposed legislation in 2000 to address these problems, and I personally would favor additional legal protections in the choice/consent area.

Other provisions in GLB show that it provides a better foundation for privacy protection than many have realized. First, the definition of “financial institutions,” which are covered by the statute, is extremely broad. GLB allows a financial holding company to engage in any activity found by the Federal Reserve Board “to be financial in nature or incidental to such financial activity.”36 Going beyond that broad definition, the Board can authorize an activity that is “complementary to a financial activity and does not pose a substantial risk” to safety and soundness.37 This broad definition is an advantage for banks and other institutions that are clearly financial in nature, because they are clearly covered by the privacy rules and can now combine with a wider range of entities. The broad

27. Consumer Financial Privacy Act, H.R. 4380, 106th Cong. § 6 (2000) (amending GLB to add a new section that provides the right to access nonpublic personal financial information possessed by a financial institution); Financial Information Privacy Protection Act of 2000, S. 2513, 106th Cong. § 6 (2000) (same); Medical Financial Privacy Protection Act, H.R. 4585, 106th Cong. § 2 (2000) (same for identifiable health information possessed by a financial institution).
28. 1998 FTC Report, supra note 7, at 10. Similarly, the OECD Security Safeguards Principle states: “Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.” OECD Guidelines, supra note 9. The FTC Report combines the security principle with the need to assure data integrity, where “collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.” 1998 FTC Report, supra note 7, at 10. This definition of data integrity conforms to the principle, accepted in European countries, that “untimely data” should be destroyed or converted to anonymous form. The Data Protection Directive, for instance, states that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” European Union Data Protection Directive, supra note 6, art. 6(e). Notwithstanding the FTC’s support for “destroying untimely data,” U.S. law has not usually included data destruction as a significant element of privacy principles.
29. GLB, supra note 10, § 6801(a).
30. Id. § 6801(b).
31. 1998 FTC Report, supra note 7, at 10. The OECD Accountability Principle states: “A data controller should be accountable for complying with measures which give effect to the principles stated above.” OECD Guidelines, supra note 9.
32. The statute required seven agencies, working together with the Treasury Department, to prepare regulations. GLB, supra note 10, § 6804(a)(1). First, a set of standards, the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” was developed by the GLB agencies and uniformly promulgated. See, e.g., 12 C.F.R. § 30.2, app. B (Comptroller of the Currency); Id. § 208.3, app. D-2 (Federal Reserve); Id. § 364.101, app. B (FDIC); Id. § 570.1, app. B (Office of Thrift Supervision); Id. § 748, app. A (NCUA). Second, the agencies each promulgated a rule that required financial institutions within their jurisdiction to comply with the Guidelines. See, e.g., Id. § 208.3 (Federal Reserve); 16 C.F.R. § 313.1 (Federal Trade Commission); 12 C.F.R. § 364.101 (FDIC); Id. § 568.5 (Office of Thrift Supervision). GLB, supra note 10, § 509(3)(B) specifically excluded the Commodity Futures Trading Commission from the Act, but that was reversed by the Commodity Futures Modernization Act of 2000. 7 U.S.C. § 1 278f (2000). The CFTC issued proposed rules for GLB compliance in early 2001. 66 Fed. Reg. 15,550 (March 19, 2001).
33. GLB, supra note 10, § 6805.
34. See 12 U.S.C. § 1818 (2000). The bank regulators with these powers to enforce the privacy rules are the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision.
35. Because of federalism limits against “commandeering” the states in a federal statutory scheme, see New York v. United States, 505 U.S. 144 (1992), the statute does not order state insurance authorities to adopt regulations to carry out the privacy protections. Instead, states that decline to adopt regulations will lose the power to override certain federal banking regulations. GLB, supra note 10, § 6805(c).
36. 12 U.S.C. § 1843(k)(1)(A) (2000).
37. 12 U.S.C. § 1843(k)(1)(B) (2000) (emphasis added).