Recent Developments Relating to Data Privacy

Washington, DC, September 8, 1998 - The Administration has released recent studies related to consumers' rights to privacy with respect to their personal information. The SEC and NASD are also studying privacy issues. Legislation has been introduced in Congress, the SEC and Federal Reserve Board have responded to Congressional requests for information about the current state of privacy protection, and the Federal Trade Commission has settled an enforcement action involving alleged violations of data privacy policies. Internationally, a European Union Data Protection Directive could force companies in the EU to block the flow of personal information to non-EU companies, including US companies, that lack adequate privacy protections. EU member countries are required to pass laws giving effect to the directive before October 25, 1998.

Proposed Legislation
On August 6, 1998, Congressman Edward Markey (D-Mass) introduced a bill, H.R. 4479, the Securities Investors Privacy Enhancement Act of 1998, that would require brokers, dealers, and investment advisers to protect the confidentiality of financial information obtained concerning their customers. The bill would amend Section 15A(b) of the Securities Exchange Act of 1934, Section 38 of the Investment Company Act of 1940, and Section 211 of the Investment Advisers Act of 1940. If the bill is passed, the National Association of Securities Dealers (and any other association of brokers and dealers that registers as a national association) would be required to adopt rules requiring their members to:

  • protect the confidentiality of financial information of, and relating to, their customers;
  • inform their customers whenever financial information is being collected that pertains to the customers;
  • inform their customers whenever the member intends to offer financial information pertaining to the customer to any other person, including an affiliate or agent of the member; and
  • refrain from using, disclosing, or permitting access to individually identifiable financial information pertaining to the customer except for the provision of the financial services from which such information is derived, pursuant to the affirmative written consent of the customer, or as required by law or by the SEC.

The SEC would be given the discretionary authority to adopt similar rules relating to investment companies (under Section 38 of the 1940 Act) and investment advisers (under Section 211 of the Advisers Act).

On August 4, 1998, Congressman John LaFalce (D-NY) introduced a bill, H.R. 4388, the Consumer Financial Privacy Protection Act of 1998, that would amend the Consumer Credit Protection Act to ensure financial institution privacy protections. Brokers, dealers, investment companies, and investment advisers are specifically included in the definition of "financial institution" for purposes of the proposed legislation. The bill would:

  • require financial institutions to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of financial and personal records;
  • limit the collection of personal and financial information about a customer to the information required to facilitate customer-initiated transactions and to administer an ongoing business relationship with the customer;
  • prohibit the disclosure of customer financial or personal information to a third party for their independent use, except to the extent necessary to complete customer-initiated transactions, upon the customer's request, as required by law or by a government agency, or after full disclosure to the customer. Full disclosure would require separate and explicit notice identifying the purpose for disclosing the information, the customer's right to prevent disclosure of the information, and the procedures for doing so.

The bill would also require all "financial regulatory agencies" to prescribe uniform regulations to carry out the foregoing, including regulations that specifically require financial institutions to adopt policies and procedures to:

  • assure that customer records are current and accurate and provide for prompt correction of all records;
  • limit employee access to financial records and personally identifiable information;
  • maintain appropriate security standards to prevent unauthorized access to information;
  • require that third parties that receive the information also agree to maintain its confidentiality;
  • provide appropriate disclosure to customers regarding the institution's privacy policies and the customer's privacy rights. This would include clear and conspicuous disclosure of the types of information disclosed, the purposes for the disclosure, the customers' option to prevent the disclosure and the procedures for doing so, and the procedures for filing a complaint over the use of the customer's information.

The Federal Trade Commission would have general enforcement authority, except that the SEC would have enforcement authority over violations by SEC regulated companies. Aggrieved consumers also would have a private right of action under this bill.

SEC and Fed Letters to Congressman Markey
In June, Congressman Edward Markey (D-Mass) sent letters to SEC Chairman Arthur Levitt and Federal Reserve Board Chairman Alan Greenspan asking about the nature and adequacy of current legal protections for the privacy of personal information and stating Mr. Markey's belief that additional legislation is needed in this area in order to protect consumers. Chairman Levitt and Chairman Greenspan recently responded to these letters.

In the SEC response to Congressman Markey, Chairman Levitt stated, "I share your concerns that investors' privacy should not be compromised, and believe that the NASD should take the steps necessary to increase the security of personal financial information. I understand that the NASD is looking into these issues, and I hope they will act in the near future."

FTC's Settlement with GeoCities
In what is being hailed as a landmark case, the FTC settled an enforcement action against GeoCities, a company that provides personalized home pages on the Internet, in which it alleged that GeoCities misused its customers' personal information. According to the FTC's allegations, GeoCities sold personally identifying, demographic, and/or interest information collected from consumers who registered to use GeoCities' website, in direct contravention of the privacy statements disclosed on its website and in account applications. The privacy statements included representations that GeoCities would not share certain personal information about its customers without their permission.

In settling the case, GeoCities has implemented a "privacy safeguards program" that includes:

  • registering with TRUSTe (an independent provider of privacy seals of approval);
  • inserting the company's comprehensive privacy guidelines into various locations on the website and highlighting them on GeoCities' application forms;
  • revising policies to prohibit inappropriate third-party collection and use of personal information;
  • requiring that individuals under 13 years of age obtain their parents' consent when applying for a free membership in GeoCities; and
  • increasing the number of privacy warnings in, and removing inappropriate advertising and promotions from, the portion of the company's website that is directed at children.

  

© 1997 - 2008 Investment Company Institute