Motivated by the January 2004 expiration of a federal preemption that prohibits states and municipalities from enacting laws that conflict with the Fair Credit Reporting Act (FCRA), Washington is contemplating a number of revisions to current privacy-related statutes. To better inform the debate over payment-card-related privacy issues, the Payment Cards Center hosted a one-day symposium entitled "Financial Privacy: Perspectives from the Payment Cards Industry."
Legal scholars, federal banking regulators, and privacy officers from the largest credit card issuers and information providers in the U.S. discussed the key privacy issues facing the industry. The symposium was structured as a roundtable discussion. Participants freely interacted with discussants and moderators. The president of the Federal Reserve Bank of Philadelphia, Anthony M. Santomero, opened the symposium by posing a series of questions for discussion. What kinds of uses and abuses of consumer information give rise to legitimate privacy concerns? How do current industry practices manage these concerns? How should market forces and prescriptive rulemaking work together to create an environment that both responds to consumer needs and protects consumer interests?
After Santomero's introduction, Oliver Ireland of Morrison & Foerster LLP provided a brief legal history of privacy as a matter of recent public concern. He explained how Vietnam-era distrust of government and the emergence of electronic data collection systems drove Congress to pass privacy-related legislation in the 1970s. Twenty years later, the proliferation of personal computers and the growth of the Internet resulted in another wave of privacy legislation, including amendments to the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley (GLB). Overall Congress's various privacy initiatives, coupled with programs proposed by state legislatures and attorneys general, have, in Ireland's view, largely created a "hodgepodge" of privacy policies. As a result, policymakers, consumer groups, and bankers have difficulty agreeing on precisely what privacy legislation should be protecting. Is it about identity theft? Businesses sharing customer information with other businesses? The secrecy of medical records? Protecting consumers from the intrusions of government, businesses, or other consumers?
In an attempt to answer some of the questions posed by Santomero and Ireland, the following experts discussed their perspectives on the issues: L. Richard Fischer, Morrison & Foerster; Peter Swire, the Moritz College of Law at Ohio State; Robert Ryan, TransUnion; Timothy Spainhour, Acxiom; William Brooks, MBNA; and Andy Navarrete, Capital One.
Overall, conference participants agreed that much of the recently enacted privacy legislation has provided benefits to the credit card industry, the privacy notice provisions of GLB excepted. Participants generally concurred that GLB's privacy provisions have led to stronger data security procedures, better-documented and better-understood information flows, and much improved data management as it relates to issuers' third-party relationships.
One of the hottest issues currently being debated in Congress is the extension of the federal preemption prohibiting states and municipalities from enacting laws that conflict with the Fair Credit Reporting Act. Participants felt strongly that these preemptions should be permanently extended. Ryan explained how critical uniform national standards are to the country's rich credit reporting system. If the federal preemption is allowed to lapse, Ryan predicted that credit bureau data would lose much of its completeness and richness.
Swire, former chief counselor for privacy in the Office of Management and Budget under President Clinton, argued that, contrary to many economists' assessments, confidentiality enhances efficiency in financial services markets. An assurance of information privacy induces consumers to trust their financial institutions with their business. Without such assurance, consumer information would likely be concealed and the quality of transactions greatly diminished.
During the day's final session, privacy experts from two credit card issuers returned to Ireland's assertion that the multifaceted nature of privacy required a more focused debate. Privacy, explained Navarrete, means different things to different people. To improve consumers' sense of privacy in a meaningful way, policymakers, regulators, and credit card issuers need to work together to disentangle the many issues associated with the term. Overall, privacy issues are best addressed individually and with specific remedies.
It was clear from the day's discussion that the privacy debate cannot be resolved with a single piece of legislation or a single administrative agency's rule. The issue is simply too broad, its facets too complex, and the technology that gives rise to these concerns too dynamic. Instead, the questions surrounding privacy require careful dissection, extensive analysis, and tailor-made remedies. The goal of industry leaders and policymakers, therefore, should be to understand clearly the specific privacy interests that need to be protected and to implement safeguards in a way that efficiently balances relevant costs and benefit.
For a detailed summary of the day's discussion, see the conference summary entitled "Financial Privacy: Perspectives from the Payment Cards Industry" on the Center's website.