Congressman Edward J. Markey
EU Conference: Privacy and Protection of Personal Data
United States Institute of Peace
2301 Constitution Avenue, NW

March 19, 2012
 

 

Introduction

Thank you, Vice President Reding, for the insightful remarks you delivered this morning and for your incredible leadership on data privacy issues.

You are a one-woman privacy powerhouse, protecting the rights of Europeans across the EU.  

We can learn a lot from the Europeans in terms of how they are protecting the privacy of their citizens. A very high percentage of Americans come from European stock. They may have left Europe at some point in their family’s past because their family wasn’t doing as well religiously or economically as they would have liked to, but the values have not washed out of their family’s history.  And in fact polling in the U.S. shows that people here in fact share the many concerns that the Europeans have in terms of the impact that privacy can have on their families.

I’d also like to recognize the privacy experts from the U.S. government who are participating here today at this important conference:  my good friend Cam Kerry, Danny Weitzner, David Vladeck, Larry Strickling, Julie Brill, Maneesha Mithal, JC, and MR. All of the people here are privacy Paul Revere. Paul Revere is the person who said in 1775 “the British are coming, The British are coming,” to warn them of the impending doom for the American Revolution. And today they are here mourning the impending loss of privacy, basically saying the Europeans are coming, but this time it’s not a bad thing. It’s a good thing the Europeans are coming because they are reminding us of our European roots and the values that have been instilled within us because we come from that background.

I’d also like to note the joint U.S.-EU Privacy Statement released today.  It’s a strong signal of close cooperation between the United States and the European Union in this critical area.

OVERALL PHILOSOPHY

As was noted, I was the either the Chairman of the Telecommunications Committee or the lead minority member on the committee for 25 years, from 1986 to 2001. So all the communications laws that were put on the books from 1986 to 2001, I either authored or co-authored to ensure that your cable records can’t be compromised, that your phone records can’t be comprised, that your satellite records can’t be comprised, that your financial records can’t be comprised. And my own feeling is that these values don’t change, that Americans want to make sure that as technologies change, the values do not change; that we can view the technologies with values. In and of themselves, the technologies have no values. All of these words, including inter-operatability, have no meaning absent of human beings deciding what they mean. We have to define these words. We have to say what we mean as human meanings. That camera has a different meaning in a totalitarian country than in a democracy. We have to determine how the information is valued.

I have long believed that privacy and the protection of personal data should be based on a fundamental principle:  “Knowledge, Notice, and No”

Consumers should have knowledge of how companies use their information.

Consumers should be given notice of their options for controlling their personal data, and they should be able to say no to the use of their private information. Knowledge, Notice, No.

As we’ve seen repeatedly in the marketplace – whether in the United States or in the European Union – something gets lost in translation from principle to practice.

That’s why in 1999, I founded the Bi-partisan Privacy Caucus in the U.S. Congress with Representative Joe Barton.

When a liberal Democrat from Massachusetts like me and a conservative Republican from Texas like Joe agree on something, you know you’re on the right track. You know who we are isolating- the pragmatic middle. The middle always waits to see where the right and the left are and here’s a good middle. Because everyone knows where the middle is. They make a living waiting to see what the people who really believe in think. The bottom line is you just have to poll this issue in the EU or in the US. The US and the EU agree on all of these issues.

Back when we started the Caucus, companies put together targeted mailings and tailored their marketing based on consumer behavior in the real world.

Now, our activities in the online universe of the Internet are a vast treasure trove for those who want to reach out and target us.

The emails we write, the topics we search, and the pictures we post all leave digital traces across the Web that are scooped up by marketers, major corporations, and other data reapers that are often invisible to users. 

Our most sensitive information is stitched together to make profiles that are pure gold in the hands of pitchmen. 

The Pew Research Center has recently reported that by 2015, Facebook is expected to account for one out of every five digital display ads sold. And, the report says, privacy is becoming a bigger issue for consumers. Pew has determined that two-thirds of Internet users are uncomfortable with the use of targeted ads.

I believe that consumers – not corporations – should have control over their personal information.  Google’s recent change to its privacy policy tapped into this sentiment and sent shock waves from Washington to Brussels and around the world.  

I commend Vice President Reding for her strong response to Google’s policy change, and I’ve called on the Federal Trade Commission here in the United States to investigate whether Google’s actions violate its consent agreement with the agency.

Google should enable consumers simply to say NO if they don’t want their use of YouTube to morph into YouTrack. 

EUROPE VS. UNITED STATES

European governments have long been at the forefront in protecting consumers’ personal data, ahead of the United States. 

I’ve always believed that the European approach to privacy and the protection of personal data was shaped by the continent’s unique history during World War II.

During the Holocaust, one’s identity was literally a matter of life or death.

It’s to be expected that Europeans would insist on a far more comprehensive and protective approach to privacy. 

The recently released draft of the EU General Data Protection Regulation sets a high bar for us to achieve in the United States.  And I praise your efforts. You have established the right model for us to follow in the U.S.

The White Paper recently released by the Obama Administration is an important starting point for strengthening privacy protections for consumers. 

There is no substitute, however, for laws that clearly delineate privacy and security protections for consumers and contain strong enforcement provisions.

Congress needs to act to protect privacy as a right.

Internet users need clear, concise explanations of how their personal data is used and the power to control their own information. 

Many privacy policies, however, are constructed by armies of lawyers out of layers and layers of legalese.  It’s not surprising that most consumers never read them or don’t understand them. You would have to be a lawyer with nothing else to do but to read these privacy statements.

In her brilliant new book, Lori Andrews tells the story of an online gaming company that put the following clause into its terms and conditions:

[QUOTE] “By placing an order via this Web site…you agree to grant us a non-transferable option to claim, for now and forever more, your immortal soul.  Should we wish to exercise this option, you agree to surrender your immortal soul, and any claims you may have on it, within 5 working days of receiving written notification.”

The overwhelming majority – 88 percent – of people agreed to these make-believe conditions.  This is yet further proof that people simply don’t read these policies. 

While privacy policies can run into the tens of thousands of words, many can be summarized in one four word sentence:  you have no privacy. That’s what all these privacy statements actually say if you were to reduce it down to four words.

You have no privacy.

All consumers are disadvantaged by long and opaque policies, but children and teens are particularly vulnerable. 

Added protections for this sensitive group should be included in stringent, legally-enforceable statutory safeguards.   

KIDS AND TEENS

We know that what we say or do online can haunt us for the rest of our lives.  This is not right for a person of any age, but it is especially unfair for children and teenagers. 

For millions of kids today, the Internet is like online oxygen – they can’t live without it. 

The Internet is their 21st century playground – they learn, play, and connect with others every day. 

But there is a Dickensian quality to the Internet – it is the best of wires and the worst of wires.  It can ennoble and enrich or degrade and debase. Our choice is to determine how it will impact children and teenagers in our society.

Kids’ personal information can easily be used without their knowledge or turned against them. 

Consider:

  • The 13-year old girl who searches online for diet information, and then, because of this one search, she sees weight loss ads every time she goes online because some ad network profiled her as a “young female interested in weight loss”. 
  • The 17-year old who could be denied college admission because he purchased a violent video game when he was 11, leaving admission officers with the mistaken belief he’s at risk of committing violence. 
  • The 21-year denied a job based on a photo she posted that included other people drinking alcohol when she was just 14. 

Facebook’s policy is to bar children younger than 13 from the site, but Consumer Reports found that 7.5 million pre-teens were on the social networking site in just the United States alone, including five million users under age 10

Children and teens 15 and younger need protection from behavioral targeting ads. 

With time, youthful indiscretions can be erased or overcome in the offline world - it becomes “forgive and forget”. 

But in today’s online world, these missteps may not be forgotten, becoming an ever-present online albatross that can never be removed. 

Unlike kids and adults in Europe who will hopefully soon have the “right to be forgotten”, no one in America, including children, has that right.  And by the way, for kids 15 and under, the right to be forgotten is also the right to develop, the right to grow up, the right to make mistakes and the right to then have forgotten so what you did as a kid so it doesn’t come back to haunt you as an adult. The right to develop is a very important right for children and in an online world that is something that we must protect as being sacred. When companies say we can’t do it, they say, “How can we figure that out? Oh my goodness, that’s going to interfere with interopertability if we can’t target a 15 year old girl because she’s interested in diet pills?” And the word interopertability is used as code as “we aren’t going to do it, we aren’t going to give any protections.” That is wrong- it is just plain wrong. And everyone knows it’s wrong, and we must put laws on the books in order protect it. We absolutely must do that- it is wrong. It is immoral to target a girl like that. And we have to establish standards to say that is wrong, and that’s why I appreciate what the Europeans are saying.

This must change.

That’s why we need to give parents the tools to free kids’ future selves from mistakes they may make today.  

In both the United States and in Europe, citizens are concerned about the consequences of government knowing too much about our personal lives. 

In America, there’s a fear of “Big Brother”. 

But giving parents the tools to protect 15 year olds and under is not “Big Brother” – it’s “Big Mother” and “Big Father”:  Being able to move in and erase this material about my child, do not use it back against my child, do not manipulate my child, do not take advantage my child, and allow my child to develop. I want them to get the benefit of using your technology Mr. CEO of a company, but you have no right to then exploit my child by selling their information to other corporations. It is wrong.  

That’s why Congressman Barton and I introduced “the Do Not Track Kids Act” in the House of Representatives. 

Our bill would update COPPA – the Children’s Online Privacy Protection Act of 1998. I am the author of that law in the U.S.

COPPA is the communications constitution for safeguarding children online, but it was passed in 1998, way back in the “B.F. Era” – Before Facebook era. 

Just as the EU is currently updating its EU Data Protection Directive from 1995 -  the U.S. must do the same with COPPA.

Our bill is supported by a broad domestic coalition, including Common Sense Media, the National Parent-Teacher Association, the American Academy of Pediatrics, and many others.  It also has 30 co-sponsors in the House of Representatives from both political parties. And we are growing by the day in moving to protect 15 and unders.

Our bill has 3 important parts:

  • First, it would require companies to get consent from parents or teens before they collect information about kids.  Companies should not be allowed to build profiles of children. 
  • Second, kids and teens should be able to delete their personal information, with tools like an eraser button.  Our bill would allow kids and parents to permanently remove their information if they’ve decided they no longer want it on a website or social network.  Kids have a “right to be forgotten”.  Now you are going to hear from experts that say, “Oh, it’s so hard to do; Oh it’s going to be so complicated; You don’t understand how the web works; It’s just much too complicated.” But if you ask them if they can build an algorithm so that my corporation can use data in order to spread it across the planet in a nanosecond “Oh, we can do that for you. We can take all of these kids from MIT, Cal Tech, Stanford, and Harvard. We’ll get that done for you in 1 week.” But if you say, how can we help kids who are 13 and 14, and “Oh, you have no idea how complicated that is.” But by the way, if the 13 or 14 year old was a computer genius, they would hire them for $1 million a year in order to market to the 13 or 14 year old. They would give them stock options in the company. Let’s be honest about all this. “Oh you have no idea how complicated it is!”  But whereas at the same time, they market how simple they can make it to you as a corporation or as an individual to use these technologies. So, come on! Give me a break! How do you say that en Francais?

I had a friend Peter  in my French club in my sophomore year in high school who got extra bonus points if you wrote a letter to the teachers. I could not do that well. I did value translation, but I think the actual language is a skill. But if I could repeat what you just said, I would.

We have moved from lingo-franca to lingo-Internet, and the whole world has made this translation. And we have to make it with the world, with peace. If we don’t translate our values into Internet language then we are really going to have lost a lot.

  • Third, behavioral marketing to children is inherently unfair and deceptive.  Our bill would prohibit advertising that is tailored to kids’ age, gender, and personal information. 

If we wait too long, an entire generation may be forced to defend what they posted, tweeted, or texted years earlier when they were only 10, 12, or 15 years old. 

That is wrong, just plain wrong.

CONCLUSION

We all can agree that kids and teens should have the right to grow up in a safe and secure digital environment where strangers can’t track or target them. 

In the U.S., we need to follow Europe’s lead in establishing laws to protect privacy and data security – rather than leaving it to the private sector. 

And we should start with our most precious resource: our children of the US.  They may be 20 percent of America’s population, but they are 100 percent of our America’s future.  And we have an obligation to them. To allow them to be forgotten and allow them to develop. That’s our obligation to them.

And here is what I would say to you. If you want to test the sincerity of what the US is doing, just see how much response we can get from American companies on the issue of just protecting kids 15 and under while we try to figure out what we give to people who are 35 years old. And if they keep saying “No, we can’t even do that,” then you know there is going to be a big debate in the US. Because while we wait to find a way to create a formula for everyone, we should not wait to create a formula for kids 15 and under. President Kennedy used to say that because we can’t make progress on every front does mean we can’t make progress on any front. So I would urge the EU to say to the US, let’s make a common global formula for 15 and unders. Let’s have a little side discussion over here. What are the rules going to be for children? What are they going to be for adolescents? And see what the response is from the American corporations. And if there is none, then you know the answer on the larger issue. Because if you can’t create a safe harbor for children, how can you ever create a safe harbor for information? And that is what we should be talking about. Not safe harbor for information, but safe harbors for human beings, and especially safe harbors for children. And that’s the dialogue I would like you to have.

And every time you ask a question for 15 and unders, if they gave the same answer to adults 35 and older, then you know you got a problem. If they give the same answer to the complexity of how hard it would be in order to develop those standards for children that they give for the developing of standards for adults then you know we have a problem. And you know this is going to be constant source of friction between the US and the EU. So thank you for having this really important conversation.

We praise that we need the digital revolution. In the US in 1996, as the Telecommunications Act passed, not one home in America had broadband. Within five years, it was Google, ebay, Amazon, Hulu, YouTube. And now, it’s words. These are names that are common in every home. But we have not caught up yet with the values. So you need the one actually, the revolution technologically, to spur the other discussions. How mature is our society? How mature are we in resisting the corporate pressures to say, “Oh, now you can’t touch an innovation that was actually created by governmental policies in the EU and the US to unleash it for the benefit of their people.” If we had to take on monopolies in order to create it and it took politicians to do it, who said, no, you don’t understand what a monopoly is, you can’t force us to move in that direction.

When there are successor companies which we created out of that revolution who say “Oh, you can’t touch us; you don’t understand,” it is not being included in our conversation. But with the same type of corporate and chieftains who are only interested in making money. So monopolists turned into their successors who then become what they have beheld in terms of a maximization of profit. And the only way in which we can ultimately ourselves a mature society is if we put on the books the protection of our people. I thank you all so much.

Thanks to all of you – both in Washington and in Brussels – for having me here this morning.

I look forward to working with you in the months ahead.