In the not too distant future, consumers face the prospect that a computer somewhere will compile a record about everything they purchase, every place they go, and everything they do. The information may be used by marketing companies to send targeted mail and to make telephone solicitations.

If you buy a bag of potting soil, you may start getting seed catalogs in the mail. If you buy peanut butter, you may get coupons from jelly manufacturers. If you buy a pregnancy testing kit, you may get solicitations from diaper service companies. If you take a vacation at the beach, you may get travel brochures from resorts in the mountains. If you go to the hospital for a checkup, you may get an invitation to a diet seminar. If you buy a tube of Preparation H, you could get a call from a proctologist. If you take film to be developed, you might get a visit from the FBI.

I am not sure that this is a vision of the future that will make most Americans feel comfortable.

I do not think that we are paying enough attention to the privacy consequences of actions being taken by government or by business. In most other western industrialized countries, concerns about the uses of personal information have led to data protection laws. Most of these countries have established formal government organizations to pay attention to privacy issues. There are data protection commissions in Canada, Great Britain, West Germany, Austria, France, Sweden, Norway, the Netherlands, Australia, and Ireland. There is even talk of creating a similar organization in Hungary.

There is no agency in the federal government with the responsibility to consider the privacy consequences of modern life. We have agencies that are concerned about public health, consumer protection, civil rights, mine safety, battle monuments, and marine mammals. But no agency is devoted to privacy.

This brings me to my second concern. In other nations, fears about computers and the loss of privacy are leading to the creation of trade barriers. Some countries are beginning to impose restrictions on the transfer of personal information to countries that do not have adequate privacy laws. Recently, the French data protection commission stopped Fiat in France from transferring information about its employees to Fiat in Italy.

If the United States is perceived to have inadequate data protection laws, then the consequences for American banks, credit companies, travel agents, communications companies, and other businesses with multinational interests could be significant. The United States could lose international influence, business opportunities, and jobs.

I have a modest solution to the domestic privacy concerns and to the international business problems that I just described. Last year, I introduced a bill to establish a Data Protection Board as a small, permanent, independent, non-regulatory federal agency. The bill number is H.R. 3669. One of the purposes of the hearing will be to start discussions about this proposal. I think that a Data Protection Board could serve the interests of consumers, of government, and of business.

Mr. WISE. Mr. McCandless.

Mr. MCCANDLESS. Thank you, Mr. Chairman. I congratulate you for your movement in this area. I think it is very timely. As you pointed out, we worked through the Video Privacy Act process a couple of years ago.

I have some concerns about the legislation's nuts and bolts, so to speak, which I will save until a later date to discuss with you.

I look forward to the testimony and its providing us with additional information.

Mr. WISE. Thank you.

The first panel will be David Flaherty, professor of history and law at the University of Western Ontario, author of "Protecting Privacy in Surveillance Societies," and also Richard Barton, senior vice president, Direct Marketing Association, Washington, DC.

[Witnesses sworn.]

Mr. WISE. Let me say to you and to all following witnesses, your written statements are already part of the record and will be included and printed. So therefore feel free to add to them or summarize in any way you want to.

STATEMENT OF DAVID H. FLAHERTY, PROFESSOR OF HISTORY AND LAW, UNIVERSITY OF WESTERN ONTARIO, AUTHOR OF PROTECTING PRIVACY IN SURVEILLANCE SOCIETIES

Mr. FLAHERTY. Thank you. I appreciate the opportunity to testify on your proposal to have a data protection board in the United States. You mentioned I had recently written a book about privacy and data protection called "Protecting Privacy in Surveillance Societies." It was a comparative study that I spent most of the 1980's writing about how the equivalents to your data protection board have worked in practice in various countries, Sweden, West Germany, France, UK, Canada.

What I would like to do today is express my astonishment at the fact that due to historical accident and a certain amount of inertia, there is no data protection board or privacy protection commission in the United States. Obviously I think you are very much on the right track in proposing such a system of data protection on a permanent, ongoing, independent basis.

I won't go into things I have discussed in my written testimony, but talk about how the Privacy Act was gutted in 1974 at the last moment, and the privacy protection commission was not established.

The Privacy Protection Study Commission, as I further point out in my written testimony, in 1977 in its major report recommended the creation of such an entity. All kinds of good Senators and Congressmen in 1974 were in favor of such an entity. In fact, they were very prescient in anticipating the negative consequences of not having a data protection agency in the United States.

At your hearings of this subcommittee in 1983, all of the nongovernment people who appeared were entirely in favor of such a data protection board or privacy protection commission.

In fact, the Reagan administration in 1988 in the Computer Matching Act created data integrity boards in each Federal agency to oversee computer matching within Federal agencies. That in many ways is a very nice precedent for the kind of data protection board in the executive branch that you are proposing here.

In fact, the Deputy Director of OMB pointed out in the hearings on the Computer Matching Act that there was a possibility some day of changing these data integrity boards into full-fledged data protection boards that would be much broader in scope than the specific computer matching responsibilities that they have now.

In my book I talk about the emergence of surveillance societies. The book was finished about a year ago, and I think I have actually understated the reality of the existence of surveillance societies in our advanced industrial democracies.

I really think we are already living in societies in which all of our lives are recorded in data bases of one sort or another in the public or private sector and that we already are in a situation where data bases of various sorts are watching us, sometimes for good reason, sometimes for innocuous reasons, and sometimes for much more nefarious reasons, if you think about the commitment to the right of privacy in the United States.

I think some of the testimony you are going to hear this morning further documents my belief that we are building surveillance societies. Some of the kinds of services that other panelists are going to describe to you should only exist with very, very strong data protection measures in place to ensure that the fair information practices are followed and that the privacy interests of American citizens are protected.

In my book I am fairly critical of the United States in a comparative perspective for not having a data protection board, but I acknowledge the fact that the United States practically invented the legal right to privacy. In fact, it is now the 100th anniversary of the famous Warren and Brandeis article on the right to privacy in the Harvard Law Review.

The constitutional right to privacy is much better developed, much more expansive in the United States than in any other country. The only thing that makes the United States look odd from a comparative perspective is that there is no ongoing permanent body at the Federal level in this country, or at most of the State levels, that has the responsibility to articulate privacy interests on a continuing basis. There is no watchdog agency in this country at the Federal or at most of the State levels. The only exception is New York State. There is a committee on open government in New York State that has a small committee that attempts to breathe life into their Personal Privacy Protection Act of 1983.

Generally speaking, unlike West Germany, or unlike Canada or other Federal systems where there is a national body and then State bodies that work in cooperation to promote and articulate privacy interests, the United States is in a regrettable situation in not having those kinds of agencies. As I said at the beginning, it is primarily an historical accident. There was a window of opportunity in 1974. Sam Ervin recognized the utility, necessity and the essential need for a data protection board and one wasn't created. Republican Senators and Congressmen at the same time recognized that.

It was only President Ford's threat of a veto at the last minute, in the closing days of the 1974 congressional session that led to the omission of a privacy protection commission. One of the reasons that I reproduced some of these statements in my written testimony is to remind you how prescient these people were in recognizing that if you didn't have somewhere in the executive branch a body that would continue to oversee this very complicated business of protecting personal privacy, you were going to have a law that wasn't going to be very effective. That is how I describe in my book the Privacy Act of 1974. It is not an appalling piece of legislation. It has been improved in much of the sectoral legislation that has been passed in recent years, including the Bork bill, the Video Privacy Act, that Congressman McCandless worked on.

I think of these data protection boards as watchdogs. I want them to have advisory power. I want them to be able to consult with the public sector and with the private sector. Those are the models in my book that I describe most favorably, because I had the practical experience of watching what they did and what they didn't do.

I am very critical of the French model of data protection, of the British model of data protection, of the Swedish model of data protection, which are heavily bureaucratic, requiring the registration of information systems. At one point in the early years of Margaret Thatcher's Data Protection Act of 1984, the data protection registrar had 292 bags of unopened mail which were simply registrations. That symbolizes to me the kind of system we don't need, and in fact the West German model of data protection, the Canadian model of data protection are advisory. It is antibureaucratic; it is low cost. Nobody has more than 50 staff, even a country like West Germany with 61 million people, working in a data protection office. In Britain they happen to have 100 staff to open the mail bags. That is excessive and it is not the kind of registration system that I would encourage the United States to consider, nor is it the kind of system that you are proposing in your bill to create a data protection board.

Let me list for you some of the positive foreign experiences with this type of data protection board, drawing my examples from Federal systems comparable to the United States, that is, the Federal Republic of Germany, and Canada.

If you have a board like this, what you get is systematic oversight of implementation of an act like the Privacy Act. What you get is consultations with the public sector and the private sector on an advisory basis, on an ongoing basis.

I have been in this privacy business for 26 years due to an accident in my life of early contacts in education. I sometimes think that privacy is just an incredibly simple business that everybody can understand until I discover public or private sector individuals planning a new service or a new data base or a new telecommunications system or adopting a new data storage method without any consideration of the kinds of fair information practices that were invented in the United States and in Britain in the early 1970's and in fact are incorporated in the Privacy Act of 1974.

Actually implementing privacy and data protection legislation is a very complicated business. As I think you saw, Congressman McCandless, with the Bork bill, the Video Privacy Act, it is not that simple. In that area the United States has made tremendous strides in what we call sectoral legislation, the Video Privacy Act, the Computer Matching Act, and things like that. What is shocking is that there is just no general body that on a continuing basis can generate that kind of legislation.

Each time somebody identifies a problem you have to build a coalition of conservatives, left, right, civil libertarians, computer specialists, all over again. That kind of expertise inside government could be very usefully built up over time and could develop the kind of sophisticated understanding of information systems in the public sector in particular that is essential if you are going to have good data protection.

These kinds of agencies are also a safety valve for public complaints. People who have got a complaint about what they perceive to be an abuse of privacy can go to the data protection commission, use their 800 number, and get someone to investigate whether or not this is realistic.

Some people are paranoid about their privacy. I think the challenges to personal privacy are so excessive in the kinds of surveillance societies we are building today that I actually think a little bit of paranoia with respect to protecting one's privacy is probably not a bad idea. At the same time, a data protection board would allow for the release of pent up public emotions on these kinds of privacy issues.

I haven't bothered to say to you that all of the polling in Canada and the United States, including some polls that haven't been released yet in the United States, demonstrate there is an incredibly strong latent sensitivity to the privacy issue. It is also a form of resistance to big government and big corporations, which is one reason that both groups ought to be a bit more sensitive, in my view, to the privacy issue.

People are very concerned about their privacy even though often they don't really know the kinds of challenges that personal privacy is faced with today in the United States. I regard some of the descriptions in later testimony of systems that are in place as really rather shocking from a privacy point of view. I am not totally satisfied that appropriate data protection measures are in place for some of these systems that could prevent a public outcry or wild public response if people find out what is actually being done with data about them. I am particularly referring to constant accumulating of profiles of individuals' lifestyles, whether it is what they buy or the telephone calls that they make, and so forth.

As you know, cheap data storage makes it much easier to store data than to ever erase it and destroy it. Yet we know that good data protection requires the destruction of data at certain points in time. That is one of the kinds of things that a data protection board can help ensure in due course.

I also am very strong and very positive about the audits of personal information systems in the public sector that a data protection board should undertake. It is not enough to have a law called the Privacy Act of 1974. Somebody has got to go out, a small team of auditors, and monitor compliance in an agency like Health and Human Services with the fair information practices that are in the Privacy Act of 1974. That is not happening today. It is totally a self-starting mechanism in individual Federal agencies, and for the