Privacy and Information Policy Consultant
431 Fifth Street SE
Washington, DC 20003

Fax: 202-547-8287


May 9, 2000

Advisory Committee on Online Access and Security - Comment, P004807

Comments of Robert Gellman on the
May 8, 2000 Draft Report of
the Advisory Committee on Access and Security
of the Federal Trade Commission

These comments are offered on my own behalf. I have not had an opportunity to review the entire report, but I did have some comments on Access Option 3. No inference should be drawn from the absence of comments on other parts of the report.

I find it difficult to make any sense out of Access Option 3. It is an access policy completely without standards or clear purpose. It offers no rights to data subjects, and it offers record keepers the maximum ability to deny access for reasons that can be fabricated on an ad hoc, after the fact basis. The descriptive word used most often in the text of Access Option 3 is "different." It seems clear that any record keeper can decide that its records are "different" and can deny access without giving an objective reason. Access Option 3 pointedly has no definitive list of factors or reasons for denying access.

  • Access Option 3 is void for vagueness.

The absence of any meaningful standards to measure a decision to deny access together with a focus on a case-by-case approach could mean that decisions to deny access will be made on an individual-by-individual basis. One individual might obtain access while the next person similarly situated will be denied access. It is an open invitation to record keepers to use subjective reasons for refusing access. Individuals perceived to be troublemakers, privacy advocates, or litigious can be denied access. Individuals whose records have embarrassing errors can be denied access. When there are no standards, personal judgments and prejudices rule.

  • Access Option 3 is a redliner's dream.

Access Option 3 denies that there is any value in providing for access by not creating any presumption for access. It may be impossible to find any privacy policy document during the last three decades that does not identify access as a fundamental interest of data subjects. Access does not necessarily have to be a right without any qualification. Exceptions to access in some narrow circumstances are recognized in some legislation. But the policy behind access is universally recognized as a key element of privacy. Exceptions need to be justified.

  • Access Option 3 is a return to the prehistoric days before Fair Information Practices were conceived.

It is interesting that the discussion cites the Privacy Protection Study Commission in support. The PPSC did not say that access was unimportant. Instead, the PPSC identified access as an essential element of maximizing fairness. In analyzing the objections to fairness and to access, the Commission wrote:

The arguments against them have ranged from the alleged need to keep secret the identity of third-party sources, even institutional sources, to fear that organizations would be inundated with requests to see, copy, and correct records. These arguments are still heard, despite the fact that wherever such protections have been established, most of the anticipated difficulties have failed to materialize. PPSC Report at 17.

These same type of vague, unsupported reasons are cited in Access Option 3 for undermining the importance of access. Yet despite years of experience with access under a variety of statutes and in a variety of countries, the discussion offers no facts to support its assumption that access is troublesome enough to remove access altogether from the basic list of privacy rights.

Most privacy statutes provide for access. The existence of an occasional law that does not is not significant for several reasons. First, most laws require some type of access. If the law reflects any default policy, it is that access is favored in privacy laws. Second, it is difficult to make inferences about why Congress did not do something. This is a well-established principle of statutory construction. The Video Privacy Protection Act did not provide for access, but Congress never voted down an access amendment. It just was not included, perhaps because no one thought about it or for other reasons that have nothing to do with substance. Third, it is well known that the legislative process has a considerable degree of randomness to it. Statutes go through the process and have differences that make little sense. They are the products of the individuals who were engaged in drafting them, and the differences do not always reflect reasoned judgments.

  • Access Option 3 has no factual justification to support its premise that access is without value.

Finally, the lack of standards in Access Option 3 is incompatible with industry calls for self-regulation. The essence of any type of regulation - self-regulation or governmental regulation - is the establishment of standards by which to measure conduct. If self-regulation is to be meaningful at all, it must be conducted under a clear set of rules and policies that all can see and evaluate.

  • Access Option 3 is an option that denies accountability for privacy.

I recommend that Access Option 3 be dropped from the report.

Robert Gellman