Advisory Committee on Online Access and Security - Comment, P004807
Comments of Robert Gellman on the
These comments are offered on my own behalf. I have not had an opportunity to review the entire report, but I did have some comments on Access Option 3. No inference should be drawn from the absence of comments on other parts of the report.
I find it difficult to make any sense out of Access Option 3. It is an access policy completely without standards or clear purpose. It offers no rights to data subjects, and it offers record keepers the maximum ability to deny access for reasons that can be fabricated on an ad hoc, after the fact basis. The descriptive word used most often in the text of Access Option 3 is "different." It seems clear that any record keeper can decide that its records are "different" and can deny access without giving an objective reason. Access Option 3 pointedly has no definitive list of factors or reasons for denying access.
The absence of any meaningful standards to measure a decision to deny access together with a focus on a case-by-case approach could mean that decisions to deny access will be made on an individual-by-individual basis. One individual might obtain access while the next person similarly situated will be denied access. It is an open invitation to record keepers to use subjective reasons for refusing access. Individuals perceived to be troublemakers, privacy advocates, or litigious can be denied access. Individuals whose records have embarrassing errors can be denied access. When there are no standards, personal judgments and prejudices rule.
It is interesting that the discussion cites the Privacy Protection Study Commission in support. The PPSC did not say that access was unimportant. Instead, the PPSC identified access as an essential element of maximizing fairness. In analyzing the objections to fairness and to access, the Commission wrote:
These same type of vague, unsupported reasons are cited in Access Option 3 for undermining the importance of access. Yet despite years of experience with access under a variety of statutes and in a variety of countries, the discussion offers no facts to support its assumption that access is troublesome enough to remove access altogether from the basic list of privacy rights.
Most privacy statutes provide for access. The existence of an occasional law that does not is not significant for several reasons. First, most laws require some type of access. If the law reflects any default policy, it is that access is favored in privacy laws. Second, it is difficult to make inferences about why Congress did not do something. This is a well-established principle of statutory construction. The Video Privacy Protection Act did not provide for access, but Congress never voted down an access amendment. It just was not included, perhaps because no one thought about it or for other reasons that have nothing to do with substance. Third, it is well known that the legislative process has a considerable degree of randomness to it. Statutes go through the process and have differences that make little sense. They are the products of the individuals who were engaged in drafting them, and the differences do not always reflect reasoned judgments.
Finally, the lack of standards in Access Option 3 is incompatible with industry calls for self-regulation. The essence of any type of regulation - self-regulation or governmental regulation - is the establishment of standards by which to measure conduct. If self-regulation is to be meaningful at all, it must be conducted under a clear set of rules and policies that all can see and evaluate.
I recommend that Access Option 3 be dropped from the report.