Center for Democracy & Technology


CDT Breaks Down Proposed Changes to HIPAA

Fri, 08/06/2010 - 16:11
Health Privacy | HIPAA

The U.S. Department of Health and Human Services (HHS) has proposed a set of significant updates to federal health privacy rules. The proposed rule addresses how sensitive patient information is handled under the Health Insurance Portability and Accountability Act (HIPAA), the nation's foremost health privacy law. The rule is open for public comment until September 13th, and CDT intends to file comments during this period.

Although the proposed rule does not clarify some outstanding issues in the health information technology (health IT) area, CDT is encouraged that HHS’ proposed rule would strengthen patient privacy, data security and enforcement of the law. The proposed rule contains numerous changes to the HIPAA Privacy Rule; of those changes, CDT considers the four discussed below to be the most consequential.

  1. Business Associates
  2. Enforcement
  3. Marketing
  4. Research

1. Business associates

Under HIPAA, "business associates" are organizations or individuals that perform activities involving patients' personal data on behalf of doctors, hospitals, health insurance companies and other "covered entities." Historically, business associates were not directly accountable for complying with HIPAA privacy and security requirements. Instead, the law required covered entities and business associates to enter into specialized contracts, called "business associate agreements," that contained certain patient privacy and security protections. However, the protections in business associate agreements were generally less comprehensive than those covered entities themselves were required to follow under HIPAA.

The HITECH Act made business associates directly subject to portions of the HIPAA Security Rule requiring physical, administrative and technical data safeguards. HITECH also required business associates to comply with those Privacy Rule provisions that are made applicable to them by their contract with the covered entity; in addition, business associates must comply with any changes to the Privacy Rule that were part of HITECH regardless of whether or not those provisions are in their contracts with covered entities. The proposed rule codifies these requirements, generally tracking the legislative language.

In the proposed rule, HHS – interpreting Congress’ intent in enacting HITECH – would also count subcontractors of business associates as business associates themselves. The proposed rule would therefore hold subcontractors to the same HIPAA requirements as business associates. The proposed rule would also provide that business associates may not use or disclose patient health information except as permitted under the Privacy and Enforcement Rules and within the limits of their business associate agreements.

With respect to the constraints that business associate agreements place on a business associate's use and disclosure of patient health information, the proposed rule references the Privacy Rule language: the business associate agreement must provide that business associates cannot further use or disclose the information other than as permitted or required by the contract or by law. CDT is pleased to see HHS highlight this important component of the Privacy Rule. Anecdotal reports indicate that, in the past, business associates may not have been sufficiently limited in their uses of patient data, in part because of overbroad agreements with covered entities and/or a failure of covered entities to actively monitor their business associates. Business associates should not be permitted to indulge in creative expansion of vague business associate agreements to chase additional revenue streams with patient data. CDT thinks the new limits on business associates and subcontractors are excellent in concept, but would like HHS to more strongly emphasize the role of business associate agreements in restricting use of patient information. In our comments, CDT intends to request that HHS be very clear that the business associate agreement is intended to limit business associates' uses and disclosures of patient data. Although HHS provides model contract language, it is too general to be very helpful. Business associate agreements should be very specific and allow business associates to use and disclose patient data only for the tasks necessary to carry out the services for which the covered entity hired the business associate.

HHS NPRM

CDT blog post on HHS NPRM

2. Enforcement

HITECH made some very positive changes regarding enforcement of HIPAA, but the proposed rule adds only a little to what HITECH already requires. Prior to HITECH, HHS was obligated to try to resolve compliance issues with covered entities through informal means. HITECH, however, states that HHS will investigate any complaint of a violation if the facts indicate that an organization was willfully neglecting the HIPAA rules. HITECH also states that HHS will impose a civil penalty in cases of willful neglect.

The proposed rule implements these requirements and also proposes a provision stating that HHS will conduct a compliance review when a preliminary review indicates willful neglect. HITECH referred only to complaints, not compliance reviews. HHS must still resolve through informal means other complaints in which the preliminary review does not indicate willful neglect, but HHS retains its discretion over whether to conduct a compliance review or a formal investigation in cases where willful neglect is not suspected.

Through HITECH and the proposed rule, HHS now has considerably more leverage to enforce HIPAA. It remains an open question, however, whether HHS will use its new enforcement tools effectively. In the past, HHS has shown reluctance to levy civil penalties for even serious violations. CDT will urge HHS to take a proactive role in HIPAA stewardship, and to conduct reviews and investigations at a lower threshold than willful neglect.

The proposed rule would add reputational harm to factors HHS will consider when deciding how severe a penalty to impose for HIPAA violations. According to the proposed rule, HHS wanted to be clear that reputational harm was as concrete as financial and physical harm, which are currently listed as penalty factors.

CDT supports the inclusion of reputational harm when deciding on penalties; however, we do not believe that regulations should consider harm to individuals to be the determining factor for whether a privacy violation took place, and CDT argued against a “harm standard” in comments to HHS on data breach notification rules. (Under the breach notification "harm standard," covered entities must notify patients of a data breach if the covered entity determines that there is a significant risk the breached data will cause physical, financial, reputational or other harm to the patient.) However, given that the harm standard for breach notification is currently in effect, it is appropriate for the penalty factors to include all the parameters of the breach notification harm standard. Thus, CDT will request that HHS include “other” harm in the penalty factors in addition to reputational harm.

CDT will also request that the penalty factors incorporate some consideration of what actually happens to the data – i.e., whether an unauthorized party accesses the data. The Federal Trade Commission issued breach notification rules that gave significant weight to unauthorized access to the breached data. A focus on whether data was compromised – not harm to individuals – was also Congress’ intent with regard to the breach notification provisions in HITECH that formed the basis of HHS’ breach notification rule.

Joint comments of CDT and the Markle Foundation on the HHS breach notification rule

CDT blog post on HHS breach notification rules

3. Marketing

Covered entities must obtain patient authorization to send marketing communications to patients. The Privacy Rule's definition of marketing contains several exceptions, however, and covered entities do not need patient authorization to make communications that fall within those exceptions. The exceptions include communications about treatment, alternative therapies, and "value-added" benefits. HITECH revoked these exceptions when an entity receives "direct or indirect remuneration" from an outside entity (such as a product manufacturer) to make the communication. In HITECH, Congress declared such subsidized communications to be marketing, with one exception: when the communication is about a drug or a biologic that the patient is currently taking.

But the proposed rule goes further and states that prior patient authorization would not be required to send subsidized communications for treatment, provided the communications are tailored to an individual’s health condition. Subsidized communications not related to treatment, or that are more population-based, would still count as marketing and require patient authorization. Although the proposed rule would not require prior patient authorization for subsidized treatment communications, it would establish certain requirements:

  • The provider must notify the patient of its intent to send the patient subsidized treatment communications,
  • The notice must inform the patient that she may opt out of receiving such communications, and
  • The treatment communication itself must reiterate the patient's ability to opt out and disclose that someone paid the provider to send the communication.

The provisions of HITECH related to marketing included a statement that “direct or indirect remuneration does not include payment for treatment of an individual.” It is unclear to what extent HHS relied on this provision as a basis for the proposed exception for subsidized treatment communications, but CDT believes such reliance would be misguided. Under HITECH, communications for which the covered entity receives remuneration count as marketing, and remuneration does not include payment for treatment, but HHS should not interpret “payment for treatment” to encompass subsidized treatment communications. In the current Privacy Rule, the term “payment” covers only the activities of health plans in paying for health care and those of providers in seeking payment for care. In removing payment for treatment from “remuneration”, Congress sought only to ensure that payment activities under HIPAA could proceed without the need to first obtain patient authorization. The proposed exception, however, includes treatment communications subsidized by third parties who are neither health plans nor providers. CDT would like HHS to clarify its legislative authority in carving out the exception for subsidized treatment communications.

CDT is concerned that the proposed rule undermines HITECH by allowing patients' information to be used to market products and services to them that are not part of the care plan established by their treating physicians (for example, communications urging patients to switch from their current drug to another brand). The opt-out is a slim concession, as it places the burden of ensuring their data is not used for marketing on patients. The proposed opt-out scheme is further complicated by increasing levels of data sharing through health information technology. If patient data is shared with multiple entities, will patients have to make separate requests to each entity in order to fully opt out?

CDT generally believes that subsidized communications are marketing and should require the prior consent of the individual, subject only to the exception for current drugs and biologics, which ensures there are no obstacles to patients receiving information about recalls or important drug safety issues. CDT will request that HHS preserve the opt-in standard for subsidized communications. If preserving the opt-in is not achievable, CDT may ask that HHS structure its opt-out to maximize the level of protection it can offer.

4. Research

As mentioned above, HIPAA requires covered entities to obtain patients' authorization for certain disclosures of their health information. The current HIPAA Privacy Rule prohibits health care providers from conditioning a patient's treatment, payment, enrollment in a health plan, or eligibility for benefits on obtaining an authorization from the patient. There is an exception to this general rule, however, that permits conditioning research-related treatment on an authorization for the research itself. Still, the current Privacy Rule prohibits covered entities from using "compound authorizations," that is, combining a conditioned authorization with one that is not conditioned.

The proposed rule would allow covered entities to combine conditioned and unconditioned authorizations for research. However, the authorization must distinguish clearly between the conditioned and unconditioned components and allow patients to opt out of the latter. At first read, this proposal seems reasonable, but educating patients on how to distinguish the two components is a crucial challenge.

In addition to its proposed changes on compound authorizations, the proposed rule clarified HHS’ interpretation of another aspect of health privacy and research. HHS interprets the current Privacy Rule to require that patient authorizations to use or disclose health information for research be specific to each study – one authorization per study. However, HHS is contemplating whether to modify this rule to avoid having to re-contact the patient for multiple authorizations for future research. More specifically, HHS is considering whether to permit:

  • authorizations for uses and disclosures of patient health information for future research purposes, so long as the future research is described in sufficient detail in the authorization that patients can make an informed decision, or
  • the above as a general rule, but with required disclosure statements on authorizations for certain types of sensitive research activities.

CDT's comments will ask HHS to specify what the initial authorization must include in order to obtain meaningful consent from the patient to uses of protected health information for future research purposes. Any such authorization should explain in detail what those future research purposes would be. Blanket authorizations permitting indefinite and undefined use of patient data for research purposes would violate Fair Information Practice principles. CDT will also seek clarification from HHS regarding the ability of patients to revoke their authorization many years after the fact; it would likely be quite difficult for patients to track down researchers after years of no contact. HHS has not yet proposed any modification to the rules on future research authorizations, but seeks public comment on the issue.


FCC Must Have Narrow Authority over Internet Access

Thu, 07/29/2010 - 18:14
Internet Openness & Standards | Internet Neutrality
  1. FCC Reconsidering Regulatory Approach to Broadband
  2. CDT Supports Placing Broadband Internet Service Under Title II
  3. FCC's Focus Must Remain Narrow
  4. Congress Also Mulling Telecom Overhaul

FCC Reconsidering Regulatory Approach to Broadband

CDT recently filed comments on the Federal Communications Commission's Notice of Inquiry into the proper legal framework for addressing Internet access services. This proceeding is the latest in a series of developments regarding Internet neutrality and other policies outlined in the FCC's National Broadband Plan. Prompted by the D.C. Circuit Court of Appeals decision in Comcast v. FCC, which called into serious question the Commission's authority to issue rules governing broadband service, the Commission is wholly reconsidering its approach to Internet connectivity. The Chairman has indicated a preference for classifying Internet access service as a telecommunications service under Title II of the Communications Act, while forbearing from all but a few necessary provisions. CDT supports this approach.

In general terms, the issue of Internet neutrality concerns whether operators of Internet access networks should be free to favor some Internet traffic over others, or instead should be required to handle traffic in an essentially neutral manner.  Non-discrimination has long been the norm for services classified as "telecommunications services" under the Communications Act.  But since a series of orders beginning in 2002, the FCC has regarded broadband Internet access not as a telecommunications service, but as an "information service" – a lightly regulated category of services subject to FCC authority, if at all, under a doctrine known as "ancillary jurisdiction."

In 2005 the FCC issued a "policy statement" intended to promote the Internet's open and neutral character by saying that broadband providers should not block subscribers' ability to access the content, applications, or services of their choice.  In 2008, the agency held that Comcast had violated these principles by interfering with subscribers' BitTorrent traffic.  But Comcast appealed, and the court held that the FCC did not have adequate authority to enforce the policy statement, in part because Comcast's broadband services were "information services" under the FCC's own classification scheme.  This ruling also called into question the FCC's process, begun in late 2009, to codify the principles of the policy statement into rules and to add rules on non-discrimination and transparency.  

The Commission went back to the drawing board, and the present Notice of Inquiry asks for comment on reclassifying Internet connectivity as a telecommunications service.  Specifically, the Notice asks for comment on whether such a move would fit current uses and understanding of the service, and on how best to apply a small subset of telecom rules covering non-discrimination, disability access, and customer privacy.

CDT largely agreed with the DC Circuit in the Comcast case that the FCC may not assert essentially unbounded jurisdiction over Internet matters.  But CDT does support the issuance of narrowly focused rules to ensure the Internet remains an open and level playing field for all speakers and application developers, big and small, as well as to implement other goals from the National Broadband Plan.  The best approach seems to be the one the Commission has proposed: changing the classification of broadband access services in a way that accurately reflects the current ways broadband Internet service is used and does not open the door to broader regulation of Internet content or applications.

CDT Comments on Framework for Internet Access

CDT statement on Comcast v. FCC

FCC General Counsel's Statement on Potential Reclassification

CDT Supports Placing Broadband Internet Service Under Title II

CDT supports the focused reclassification of broadband Internet access service from an information service to a telecommunications service.

First, the current classification framework has put the FCC in a very difficult position. The Internet is rapidly becoming the core communications network of the 21st century. Accordingly, the FCC has recently devoted tremendous effort to crafting a National Broadband Plan, and a major focus for the agency going forward is implementing the plan and improving the availability of broadband connections nationwide. In this environment, CDT believes it is not tenable for the federal communications regulator to lack any clear and stable conception of the scope of its authority over the services people use to access the Internet. Yet that is where things stand: it is currently entirely unclear when or if the FCC may rely on "ancillary authority" to exercise jurisdiction over broadband access. Absent a change in the current framework, it will take many years of case-by-case litigation to work out what kind of role (if any) the agency may play with respect to broadband. It is hard to see how the FCC can effectively pursue its mission under the current legal framework.

Second, treating Internet access as a telecommunications service is actually the most faithful application of the Communications Act. The service that Internet access providers offer to the public is widely understood, by both the providers and their customers, as the ability to connect to anywhere on the Internet, to any of the millions of Internet endpoints, for whatever purposes the user may choose. It provides a classic example of "transmission, between or among points specified by the user, of information of the user's choosing," the Act's definition of a Title II telecommunications service.

This ability to transmit information to and from anywhere on the Internet is incontrovertibly the dominant function of Internet access service as it exists today. This is reflected in the marketing of the service providers themselves, and in commentary, surveys, and reviews of broadband providers – all of which overwhelmingly focus on connection speed.  ISPs have not been "walled gardens," with editorial control over content, for some time.

ISPs do still offer this telecommunications function together with other, non-telecommunications services, such as email or personal web page hosting. But there is no basis today for concluding, as the FCC did back in 2002, that Internet connectivity service is so integrated with non-telecommunications functions that it makes most sense to think of the entire package as a "single, . . . comprehensive service offering." Rather, the additional functions are either relatively minor "add-on" services that many users ignore entirely or, in cases such as DNS lookup, largely technical processes aimed at making the telecommunications function work smoothly.

The rise of "cloud computing" means that, for virtually any kind of information service function one might want, there are a variety of providers who are completely independent of a user's Internet connectivity provider.  All of the information services the FCC previously held to be fully integrated with Internet connectivity – email, newsgroups, personal web page hosting, obtaining and aggregating content, and provision of a "home page" – are now widely available and easily obtained from third parties.  None is an integral part of a user's Internet access subscription.  There is thus only one indispensable function a consumer looks to the connectivity provider for: the connection link that in turn enables access to the essentially unlimited range of Internet-based services.

In short, in today's marketplace, Internet access services are functioning as "telecommunications services" within the meaning of the Communications Act.

Finally, classifying Internet access services as telecommunications neither should nor would result in such services being subject to the entire regulatory regime developed for monopoly telephone services, such as rate regulation with tariff filing.  The FCC has indicated that, in conjunction with reclassification, it would plan to exercise its authority to forbear from all but a core set of regulations.  CDT supports this approach.

FCC's Focus Must Remain Narrow

It is crucial, however, that the FCC's reclassification effort remain narrowly focused on data transmission and the provision of Internet access.  The Commission must make clear that it neither intends to expand the scope of regulation to Internet content and applications, nor would it have such authority under the Communications Act.  The current Notice of Inquiry appropriately focuses on transmission and access, excluding content regulation, but the Commission should clarify that this is not only a discretionary policy choice; it is compelled by law.

From a policy perspective, without clear legal limits, there remains a possibility that an assertion of jurisdiction today could be used as precedent by a future FCC, pursuing any number of potential concerns, to attempt to regulate various conduct and communications traversing the Internet.  Such a result would be directly contrary to longstanding policy objectives.  Section 230 of the Communications Act declares the policy of preserving the current competitive market for online services "unfettered by Federal or State regulation."  Accordingly, the FCC should do everything it can to ensure that any action it takes cannot be misused to help justify broad Internet regulation in the future.  To safeguard an open and vibrant Internet, the FCC should strive to articulate a conception of its jurisdiction that, far from laying the groundwork for broader Internet regulation in the future, actually serves as a bulwark against it.

Legally, a narrow focus on transmission and access services provides the most stable theory of jurisdiction. The FCC's subject matter jurisdiction centers on the actual transmission of communications by wire or radio. Courts have held that the agency lacks jurisdiction over activities that are not closely connected to the actual transmission of communications. For example, the FCC lacks authority to regulate non-transmission-related functions of consumer electronics.  By the same logic, the actions of websites and other services accessed via the Internet (search engines, social networks, cloud computing services, etc.) are thus outside the FCC's subject matter jurisdiction.

In addition, FCC regulation of Internet applications or content would raise serious constitutional issues.  In Reno v. ACLU, the Supreme Court held that communications over the Internet warrant the full protection of the First Amendment, and courts have repeatedly struck down as unconstitutional a range of government regulations of Internet content.  In the Internet context, users have unprecedented ability to control their Internet experience, and thus direct government regulation of Internet content and applications cannot survive constitutional scrutiny.

Lastly, the recent decision in Comcast v. FCC clearly reinforces the proposition that the Commission's jurisdiction is subject to significant limitations. In light of that, and of the limitations discussed above, the wisest legal approach for the FCC is not to push the envelope and test the boundaries. The FCC and the public interest would be better served by a jurisdictional theory that expressly acknowledges limits and that centers on the core of FCC authority: the function of actually transmitting communications by wire or radio.

Fortunately, the FCC has expressed that it does not intend to "regulate the Internet" in a broader sense. The agency can best demonstrate that it harbors no such intent by specifically disclaiming any legal authority over the myriad applications and content provided over the Internet by entities that are not providers of Internet access.

CDT Comments in Open Internet Rulemaking

Congress Also Mulling Telecom Overhaul

As this debate has evolved, Congress, too, has begun to consider addressing the FCC's jurisdiction over Internet access services.  Having Congress provide specific guidance may well be the best long-term solution to this question, and indeed CDT has supported a legislative approach in the past.  But telecommunications law is not an area in which Congress tends to move quickly, so the possibility of legislative action should not deter the FCC's effort to ensure a sensible framework for implementing the Communications Act as currently written.  After all, the Commission remains charged with implementing the existing Act for however long it remains on the books.  The agency cannot simply go dormant and abdicate its role for what could be multiple years in anticipation of a legislative update. Moving forward with the agency's existing responsibilities means developing a sound and stable legal footing for agency action under the existing statute.


Department of Commerce at the Intersection of Privacy and Innovation

Fri, 06/25/2010 - 20:43
Consumer Privacy | Baseline Privacy Legislation
  1. Commerce Department Should Take Lead Role as Global Privacy Advocate
  2. Commerce Should Push for 21st Century Federal Privacy Protections
  3. Commerce Should Re-affirm Intermediaries Are Not Liable for Privacy Violations
  4. Business Practices Should Be Consistent with Privacy by Design Principles

1. Department of Commerce Should Take Lead Role as Global Privacy Advocate

This policy post is drawn from comments CDT filed in response to a Notice of Inquiry released by the Department of Commerce's ("DoC") Internet Policy Task Force ("Task Force") regarding the connection between privacy and innovation and the role the department should have in promoting online privacy.

The Commerce Department can support the global digital economy by backing a comprehensive privacy plan in the U.S. and by treating consumer trust as a greenhouse for innovation.

Our comments ask the DoC to reaffirm that consumers' trust in the security and privacy of online transactions is a major reason for the success of American business. Commerce can advocate for American business by supporting sound user privacy policies and practices. In calling for the DoC to take a global leadership role on privacy, CDT emphasized that leadership begins at home.

CDT Comments to the DoC NTIA Internet Policy Task Force: In the Matter of Information Privacy and Innovation in the Internet Economy

A. Fair Information Practice Principles

CDT believes that the DoC can play an important role in defining and clarifying privacy protections for consumers. We urged the department to endorse a modern, comprehensive set of Fair Information Practice principles (“FIPs”) and to recommend that these principles be incorporated into a new baseline federal privacy law, executive branch policies, and self-regulatory guidelines.

The adoption of a baseline federal privacy law founded on FIP principles would have a global impact. Many international privacy frameworks, including the OECD guidelines of 1980, the Council of Europe data privacy convention, the EU Data Protection Directive, and the Asia-Pacific Economic Cooperation Privacy Framework, are all built around variations of the FIPs. Adoption of a U.S. law built around the FIPs would help U.S. companies adequately respond to differing legal regimes and empower the U.S. to assert global leadership on privacy.

The Department of Homeland Security's FIP principles: a modern and comprehensive set of FIPs

2. Commerce Should Push for 21st Century Federal Privacy Protections

A. Support Baseline Consumer Privacy Legislation

The Task Force sought comment on the effectiveness of the current sectoral privacy framework, which CDT believes is insufficient to protect consumers and promote innovation in the 21st century. The current confusing patchwork of privacy standards differs depending on the type of data and the data collector. CDT believes that simple, flexible baseline privacy legislation that codifies a robust set of FIPs would protect consumers from inappropriate collection and use of their personal information, while enabling legitimate business. Baseline legislation should not preempt the strong, sectoral laws that already provide important protections to Americans.

The comments highlight the potential interactions between a comprehensive federal privacy law and state privacy laws. States have been a critical laboratory for privacy innovation and experimentation; data breach notification laws are one of many examples of important new ideas that have arisen from the states. But compliance with fifty different state privacy regimes can be burdensome for businesses, especially small or medium-sized entities and startups. For that reason, CDT urged the DoC to support the enactment of a comprehensive federal privacy law with narrowly tailored preemption. Federal privacy law should not preempt state law unless it provides as much protection as the best state laws and expressly covers the same set of covered entities and the same set of requirements.

In our comments, CDT also emphasized that policies that promote consumer privacy should be written so they will not impede the growth of small and medium-sized entities (SMEs) and startups. Exceptions can be made for companies that handle small amounts of non-sensitive consumer data. CDT also called on the Commerce Department to recognize the potential burden that federal data retention laws would represent to SMEs and startup companies. Such laws could plausibly require online service providers to retain vast quantities of data for law enforcement purposes, damaging SMEs’ bottom line.

CDT comments on the 2010 Staff Discussion Draft Consumer Privacy Legislation

B. The DoC should support ECPA reform

CDT's comments urged the DoC to consider the impact of current government access laws on individual privacy and technology innovation. Technology innovation has far outstripped the legal protections for personal data in the United States provided by the Electronic Communications Privacy Act (ECPA). While ECPA was a forward-looking statute when enacted in 1986, it has not undergone a significant revision since then. ECPA is now an array of confusing standards that do not clearly apply to many new technologies. Inconsistent interpretations of the law by the courts have left both service providers and law enforcement agencies uncertain about their obligations and have put user privacy at risk.

The outdated and overcomplicated privacy protections in ECPA can have a direct impact on the bottom line of the digital communications industry. Cloud computing experts warn that potential clients are seeking data storage centers outside the U.S. due to permissive U.S. laws giving the government access to huge quantities of information with little judicial oversight. Consumers consistently cite privacy from government as a top concern when it comes to adopting cloud computing and location based services.

Without stronger legal privacy protection, the reluctance of consumers and businesses to use U.S.-based communications services may cause American companies to miss out on the jobs that would accompany new growth. CDT's comments recommended a detailed set of reforms to ECPA that would clarify existing law and offer privacy protections that reflect consumer expectations, but preserve the government's ability to get information when necessary. The CDT-led Digital Due Process coalition filed separate comments also focusing on reforming ECPA to protect consumers and reduce unnecessary costs on businesses.

Comments of the Digital Due Process Coalition: In the Matter of Information Privacy and Innovation in the Internet Economy

Testimony of Jim Dempsey before the House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties: ECPA Reform

3. Commerce Should Re-affirm Intermediaries Are Not Liable for Privacy Violations

The Task Force requested input on the intersection of foreign and domestic privacy laws and the challenges these laws pose to U.S. businesses with global operations. CDT’s comments noted with concern cases where Internet intermediaries such as Web 2.0 platforms have been held liable for privacy violations in user-generated content. CDT believes that protecting technological intermediaries against liability for the conduct of their users has been critical in fostering growth and innovation in the technology industry.

In Europe, the question of liability for Internet intermediaries has arisen due to the unsettled interaction between the EU Electronic Commerce Directive (ECD) and the Data Protection Directive (DPD). Web 2.0 platforms have been held liable for privacy violations in user-generated content under the DPD, even as the ECD purports to protect them from liability. In our comments, CDT called on the DoC to bring together stakeholders from both sides of the Atlantic to discuss the negative implications of such inconsistency and to find common ground, both in Europe and elsewhere.

CDT also recommended that the DoC reaffirm the importance of protecting intermediaries from liability and seek to globally promote strong protections for intermediaries. The DoC should also seek to document the positive relationship between protecting intermediaries and fostering innovation. Tracking best practices for protecting privacy and serving other societal objectives in the context of user-generated content will help the DoC urge its counterparts around the globe to adopt laws that protect Internet intermediaries from liability for content posted by third parties.

CDT Paper: Intermediary Liability: Protecting Internet Platforms for Expression and Innovation

4. Business Practices Should Be Consistent with Privacy by Design Principles

The Task Force requested information about the impact of privacy enhancing technologies and information management processes on business practices and consumers’ experiences. CDT believes that all companies should implement the principles of Privacy by Design, a concept that offers a roadmap for integrating privacy considerations into business models, product development cycles, and new technologies.

CDT also urged the DoC to actively work to incentivize a robust marketplace of identity management products for consumers, as well as encourage government adoption of identity services that meet an established minimum standard for privacy. The DoC should explore the applicability of the Fair Credit Reporting Act (FCRA) to identity providers and investigate the potential of an FDIC-like regime for encouraging good practices amongst identity providers. CDT also suggested that the DoC, in conjunction with NIST, draft general best practices for identity management services and for their implementation by government and businesses.

CDT Consumer Privacy Roundtable Comments: The Role of Privacy by Design in Protecting Consumer Privacy

CDT Consumer Privacy Roundtable Comments: Protecting Privacy in Online Identity: A Review of the Letter and Spirit of the Fair Credit Reporting Act’s Application to Identity Providers

CDT Paper: Issues For Responsible User-centric Identity

Categories: Get Involved

ACTA Debate Gets Specific

Tue, 05/18/2010 - 17:54
5/18/2010 Digital Copyright International Copyright Secondary Liability
  1. Draft Text of ACTA Made Public
  2. ACTA’s Selective Export of U.S. Copyright Law May Foster Highly Skewed Legal Regimes in Other Countries
  3. A Number of Proposed Provisions Could Encourage or Require Changes to U.S. Domestic Copyright Law
  4. Other Concerns

1.  Draft Text of ACTA Made Public

Since late 2007, the United States and a number of other countries, including Australia, Canada, the European Union, Japan, Mexico, and South Korea, have been negotiating an “Anti-Counterfeiting Trade Agreement” (ACTA).  A variety of speculation, rumors, and leaks regarding what ACTA might contain have prompted concern in the blogosphere and the tech industry.  Until recently, however, the only official documents that had been publicly released were high-level outlines and statements offering little guidance on ACTA’s specific provisions and language.

In April, the negotiating countries ushered in a new and more transparent phase in the ACTA debate by making the current draft text public.  The draft is still very much a work-in-progress; many of its provisions feature multiple proposed options or bracketed language reflecting a lack of current consensus.  Nonetheless, the release of the draft text allows interested parties to stop lobbying for transparency, as CDT and many others have been doing since 2008, and instead turn their attention to the agreement’s substance.  It also allows the discussion to get specific; interested parties can analyze and comment on the details of concrete proposals.  (To its credit, USTR had at one point allowed CDT and a number of advocates to review and comment on a portion of draft text, but only subject to a non-disclosure agreement that prevented public debate.)

ACTA’s stated goal is to establish a new set of high standards for enforcement efforts to combat “counterfeiting and piracy.”  The idea is that a core group of countries would agree to meet certain benchmarks for strong intellectual property enforcement, and then likely press other countries to meet those benchmarks as well.

CDT has focused principally on ACTA’s impact on copyright policy.  CDT supports vigorous enforcement of existing copyright laws, particularly with respect to “bad actors” who flout the law and commit infringement on a large scale.  But we have been concerned that ACTA could include provisions that affect a much broader range of parties.  For consumers, overly aggressive copyright policies can raise privacy, free expression, and due process issues.  For online innovators and businesses, there can be serious issues of liability exposure and barriers to innovation.

The draft text makes it possible to have a more concrete discussion about these risks.  CDT’s specific concerns, based on the language and options currently on the table, are set forth in the following sections.  The biggest problem is that ACTA could skew foreign legal regimes by selectively promoting a stringent, one-sided model of U.S. copyright law.  In addition, several provisions could encourage problematic interpretations of or changes to U.S. copyright law. 

ACTA text
CDT 2008 Policy Post regarding ACTA transparency
2009 joint letter requesting transparency

2.  ACTA’s Selective Export of U.S. Copyright Law May Foster Highly Skewed Legal Regimes in Other Countries

Many ACTA copyright provisions appear to be modeled on U.S. law, particularly the Digital Millennium Copyright Act (DMCA).  But to the extent that the agreement aims to export U.S. law, it does so in a highly selective fashion.  The draft text repeatedly mandates those elements of U.S. law creating strong enforcement tools, while making entirely optional and discretionary those elements of U.S. law establishing limits on copyright.  In short, the draft unmoors the law’s tough, expansive copyright provisions from its safeguards and limitations.  It therefore invites foreign countries to adopt copyright legal regimes that would be far harsher and far less balanced than that of the United States.

Nowhere is this more true than in the area of third party liability (also known as secondary liability) – the doctrine under which device or service providers can be held liable for infringements committed by their users.

Article 2.18.3 of the proposed text requires each signatory to ensure that its legal system includes third party liability.  Footnote 47 describes the circumstances in which third party liability should apply.  But limitations, exceptions, and defenses to third party liability, while expressly permitted, are left entirely to the discretion of each country.  There is not even a mention of the core principle, established by the Supreme Court in the 1984 Sony case and reaffirmed unanimously in the 2005 Grokster decision, that the act of making or distributing a product with “substantial noninfringing uses” cannot be a basis for liability.  Fair use, another crucial factor in U.S. third party liability cases, is referenced in ACTA footnote 47, but is entirely optional.  Indeed, footnote 47 includes language designed to ensure that countries may not adopt overbroad exceptions and limitations to third party liability – but ACTA takes no similar care to ensure that countries will not adopt an overbroad approach to third party liability itself.

These are not minor omissions.  The Supreme Court in Grokster explained clearly that overbroad application of third party liability risks “trenching on regular commerce or discouraging the development of technologies.”  It described the third party liability debate as an effort to develop a “point of balance between protection and commerce.”  And it explained that “[t]he more artistic protection is favored, the more technological innovation may be discouraged; the administration of copyright law is an exercise in managing the trade-off.”  It is remarkable that ACTA, which as a trade agreement would be expected to carefully reflect the needs of commerce, shows little sensitivity to the potential commercial impact of the third party liability regimes it requires.  It demands third party liability and demands that it not be too weak, but takes a pass on all the Supreme Court law aimed at preventing it from being too strong.

Article 2.X.2 reinforces the concern that ACTA may expose third parties such as Internet service providers to legal risks far greater than they face under U.S. law.  The article says that rights holders may “apply for an injunction against [infringing] intermediaries whose services are used by a third party to infringe an intellectual property right.”  Under U.S. law, the availability of injunctions against intermediaries is limited by the Sony safe harbor, discussed above, for products and services with “substantial noninfringing uses.”  In addition, an intermediary qualifying for the DMCA section 512 safe harbor would be entitled to the protections of section 512(j), which directs a court to consider the burden an injunction would impose on the intermediary.   The ACTA proposal on injunctions makes no reference to such limits.  It thus could prompt other countries to embrace intermediary injunctions in a fashion far more burdensome and sweeping than in the United States.

ACTA’s asymmetrical version of U.S. law is evident in other provisions as well.  The “Option 1” text of Article 2.18.3 is presumably modeled on the DMCA’s section 512 safe harbor.  But it fails to require countries to adopt anything close to a true safe harbor.  Instead of providing a complete shield against monetary damages, as U.S. law does, ACTA merely says that countries must provide unspecified “limitations on the scope of civil remedies.”  Such “limitations” could fall well short of holding intermediaries harmless.

Meanwhile, subsection (b)(i) of Option 1 could easily be interpreted as endorsing policies that place far more onus on Internet service providers than does the DMCA.  The subsection calls for measures “to address the unauthorized storage or transmission of materials protected by copyright.”  As a preliminary matter, “unauthorized” is broader than “infringing,” since some activity – such as fair use – can be unauthorized but not infringing.  In addition, countries implementing this section could well conclude that a policy of terminating the accounts of proven repeat infringers – the safe harbor prerequisite contained in the DMCA – does not sufficiently “address” the problem of unauthorized transmissions.  Countries might therefore adopt more aggressive prerequisites for whatever safe harbor protection they choose to offer.  Bracketed language suggests that affirmative monitoring requirements might be off limits, but anything else would be fair game.

The “Option 2” text of Article 2.18.3 likewise fails to guarantee a real safe harbor.  In addition, it fails to include any protection for information location tools, in contrast to section 512(d) of the DMCA.

Article 2.18.4 is based on section 1201 of the DMCA, requiring countries to prohibit both the circumvention of technical protection measures and the distribution of circumvention devices.  But once again, ACTA reflects U.S. law in a selective and asymmetrical way.  DMCA section 1201 includes seven important exceptions to the anticircumvention prohibition, including for interoperability, encryption research, and security testing.  ACTA, in the two options listed under Article 2.18.5, merely says that countries “may” include exceptions.  The prohibition is mandatory, but the crucial balancing exceptions are merely permissive.

Finally, Article 2.14.1 calls for criminal penalties for infringement “on a commercial scale.”  It then goes on to describe “commercial scale” infringement as including any infringement that is willful and “significant.”  The meaning of “significant” would be up to individual countries, but this formulation seems to invite them to set a very low bar for treating infringement as a criminal rather than a civil violation.

In each of these areas, the United States likely would not need to change its domestic law to comply with ACTA.  But there would be a major risk that foreign countries implementing the agreement would create regimes that are far more skewed and one-sided than U.S. law.  The recent criminal conviction of Google executives in Italy based on an illegal video posted by a user – even though the company took down the video when notified about it – shows that some countries display an appalling lack of sensitivity to the costs of broad third party liability.  The end result of ACTA, therefore, could be foreign legal regimes that cater strongly to rights holders at the cost of discouraging a wide range of legitimate commerce and technology innovation – including the international business activities of U.S. information technology companies.  That would be a strange result for a trade agreement being pushed by the United States.

Leslie Harris article on threat posed by Italy’s conviction of Google execs

3.  A Number of Proposed Provisions Could Encourage or Require Changes to U.S. Domestic Copyright Law

U.S. officials have indicated that they intend to “color within the lines” of U.S. domestic law, such that ACTA will not require changes to the U.S. legal regime.  But several proposals currently on the table could have an impact on the U.S. legal framework or could encourage future changes to it.

Footnote 47 to Article 2.18.3 attempts to briefly summarize third party liability doctrine as it has emerged from caselaw in the United States.  In doing so, however, it appears to take sides on an important unsettled legal question.  The Grokster case was ambiguous about whether “inducement” of copyright infringement represents a new, independent theory of third party liability, or simply a revised test for applying contributory liability.  There is a strong argument that it is just a restatement of the contributory liability test:  The Court said that “one infringes contributorily by intentionally inducing or encouraging direct infringement.”  The doctrinal question is not merely semantic; it has significant implications for the mental state (intent versus knowledge) required for contributory liability.  But ACTA appears to take the position that inducement liability and contributory liability are two separate, alternative bases for third party liability.  By weighing in on that question, ACTA could affect U.S. law in this area.

The “Option 1(b)” text of Article 2.18.3, in setting forth criteria for qualifying for safe harbor protection, says that an online service provider must adopt a policy to “address the unauthorized storage or transmission of material protected by copyright.”  The DMCA safe harbor, by contrast, requires service providers to (i) have a policy for terminating repeat infringers and (ii) accommodate standard technical measures.  Given the broader nature of the ACTA language, it could well be used in the future to justify proposals for imposing additional requirements on online service providers seeking to qualify for the safe harbor.  One can envision an argument that the DMCA requirements do not really “address” the problem as ACTA demands.  The ACTA provision’s phrasing, in other words, lends itself to advocacy for going beyond current U.S. law.

Proposed Article 2.18.3 ter is flatly inconsistent with U.S. law.  The proposed language would require each country to enable rights holders to “expeditiously obtain” from Internet service providers the identity of any subscriber that the rights holders claim is engaging in infringement.  This conflicts with the settled decisions of two federal appeals courts, which have held that the DMCA does not require ISPs in their capacity as conduits to turn over subscriber information based on allegations of infringement.  (See In re Charter Communications (8th Cir. 2005) and RIAA v. Verizon (D.C. Cir. 2003).)

Finally, proposed Article 2.18.3 quater would call on governments and ISPs to take on new roles not envisioned by U.S. law.  The proposal would require each party to “promote the development of mutually supportive relationships between online service providers and rights holders to deal effectively” with Internet-based infringement, including “guidelines for the actions which should be taken.”  In contrast, current U.S. law reflects a deliberate policy choice not to saddle ISPs with the affirmative responsibility to police and prevent infringing activity by users.  47 USC 230 and section 512 of the DMCA reflect this policy choice.

4.  Other Concerns

While CDT supports efforts to enforce current copyright law, we have concerns that efforts labeled as “enforcement” initiatives may be used as vehicles to obtain significant substantive modifications to the existing legal regime.  CDT recently told the new federal Intellectual Property Enforcement Coordinator that the forthcoming I.P. enforcement plan should not try to reshape substantive copyright law by, for example, calling for modifications to the scope of third party liability or new obligations for ISPs.  In the ACTA context, CDT and a number of allies similarly urged USTR in 2008 to avoid delving into matters of substantive law.

In CDT’s view, it is difficult to argue that provisions addressing how and when third parties may be liable for infringements committed by others are merely a question of “enforcement.”  Third party liability is not just about how to pursue those who violate the law; it is about how far copyright law reaches and which parties can be considered violators in the first place.  To the extent that ACTA gets into matters of substantive copyright law, there are legitimate questions about whether it is appropriate to address such matters in an executive agreement that can be concluded without any role for Congress.

In addition, some have raised questions about ACTA’s call for an Oversight or Steering Committee that would function as a brand new international I.P. institution separate from the World Intellectual Property Organization (WIPO) and World Trade Organization (WTO).  The impact on existing I.P. institutions and the potential for “forum shopping” are worth considering. 

In sum, while the draft ACTA text provides an opportunity to begin detailed debate on the pros and cons of specific provisions and language, it raises a number of serious concerns.  CDT hopes that the improved level of transparency will translate into better understanding of the potential pitfalls and a reexamination of those aspects of ACTA that pose significant risk to online intermediaries. 

Links:

CDT comments to I.P. Enforcement Coordinator
2008 joint comments to USTR on ACTA
Goldsmith/Lessig article raising constitutional concerns about ACTA
Geist blog post on ACTA’s institutional provisions

Categories: Get Involved