March 10, 2000

Via E-mail: GLBRule@ftc.gov

Secretary
Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313--Comment

Dear Mr. Clark:

I am a professor of law, Harry T. Ice Faculty Fellow, and director of the Information Law and Commerce Institute at the Indiana University School of Law--Bloomington, and Senior Counsel for Information Law in the Indianapolis law firm of Ice Miller Donadio & Ryan. For more than a decade I have studied, taught, and written about privacy and other information law issues. I have testified before Congress on privacy matters, including H.R. 10, the House precursor to the Gramm-Leach-Bliley Financial Services Modernization Act ("the Act"). I am a member of the Federal Trade Commission's ("the Commission") Advisory Committee on Online Access and Security. Previously, I directed the Electronic Information Privacy and Commerce Study for the Brookings Institution. I am the author of many publications concerning privacy and other information law issues, including Privacy in the Information Age. My comments reflect my views alone and should not be attributed to any institution with which I am affiliated.

I wish to comment on two issues raised by the Commission's proposed rules concerning Privacy of Consumer Financial Information ("proposed rules"), both dealing with the proposed definition of "nonpublic personal information" and both matters about which the Commission specifically invited comment.

"Personal Information"

The discussion of the proposed rules includes the statement "the G-L-B Act defines 'nonpublic personal information' to include, among other things, 'personally identifiable financial information'." (p. 10, emphasis added) The following sentence then indicates the Commission's intention to treat "any personally identifiable information as financial if it is obtained by a financial institution in connection with providing a financial product or service to a consumer." (p. 10, emphasis added) These interpretations are inconsistent with the text of the Act. Congress limited the definition of "personal information" in the Act to only "personally identifiable financial information." (Sec. 509(4)(A)) To fit within the Act's definition of "personal information," that information must be "financial"--not financial "among other things." In addition, the wording of the definition of "nonpublic personal information" in the Act clearly indicates that Congress did not anticipate that all information provided by a consumer to a financial institution, or resulting from any transaction with the consumer, or otherwise obtained by a financial institution was financial in nature. Congress wrote:
To fit within the statutory definition, nonpublic personal information must be (1) personally identifiable, (2) financial, and (3) obtained in one of the ways specified in the Act. Contrast that with the definition in the proposed rules:
Under this definition, "nonpublic personal information" is defined as "personally identifiable financial information," which is in turn defined as "any information" obtained in one of the ways specified in the Act. (emphasis added) There is no requirement in the proposed rules that the information be either (1) personally identifiable, or (2) financial. The proposed rules would thus rewrite the Act to omit the phrase "personally identifiable"--which I assume is merely a drafting error, albeit a serious one--and the word "financial," which, to judge from the commentary, is deliberate. Rather than "reasonably interpret" the word "financial," as the Commission writes in the commentary (p. 10), the proposed rules eliminate it. Had Congress meant for Title V to apply to all personally identifiable information provided by a consumer to a financial institution, or resulting from any transaction with the consumer, or otherwise obtained by a financial institution, it certainly could have said so, but it did not. The proposed rules turn the word "financial" in the definition in Title V of the Act quoted above into a nullity, in violation of the most basic principles of statutory interpretation.

Not only is the proposed definition of "nonpublic personal information" inconsistent with the plain language of the statute, it also is not supported by common sense. Not all information provided to financial institutions is financial, even if personally identifiable. Names and addresses, for example, are not converted into financial information just because a bank or insurance company receives them. They are personally identifiable to be sure, but not financial. I believe that Congress used the word "financial" for a purpose, and that purpose was, on the one hand, to include within the definition personally identifiable information that deals with finance, obtaining or borrowing money, investments, insurance, and other financial services.
On the other hand, that purpose was to exclude personally identifiable information that was not financial in nature. Because the proposed rule treats all personally identifiable information as financial, it eliminates this key distinction, and turns a law intended to enhance privacy protection for financial information into an omnibus data protection law.

What should the rule treat as financial? This is the question that I believe the Commission needs to address. One starting point would be the existing federal statutory definition of "financial," which codifies section 4(k) of the Bank Holding Company Act of 1956. According to that provision:
It would seem then that a starting point for interpreting "financial" would be information that bears upon a consumer's ability to obtain, or fitness for, any of the above-listed services. Individuals' names, addresses, telephone numbers, birth dates, and even social security numbers do not meet that definition. The value of individuals' debts and assets, their past history of repaying loans, the nature of their investments, the terms of and payments made under their insurance policies--these all seem to fit within the statutory and common-sense definition of financial information. To the extent that such information is "nonpublic," it would be covered by the Act.

"Nonpublic"

The proposed rules contain two alternative interpretations of "nonpublic personal information." Alternative A would treat as public only information that is in fact obtained from a public source. Alternative B would treat as public only information that could have been obtained from a public source, irrespective of whether it was. Alternative B is considerably more sensible in light of the impossibility of accurately determining the source of any specific datum in a record and the cost and inefficiency of attempting to do so. Apparently the Board of Governors of the Federal Reserve Board has reached a similar conclusion.

Beyond the choice between the two alternatives, however, the proposed rules reflect a narrow understanding of the concept of "publicly available information," in part because of the elimination of the word "financial" from the definition of "personally identifiable information" in the proposed rules. As a result, the commentary on the proposed rules states that if "a financial institution includes . . . names and addresses as part of a list of the institution's customers, then the names and addresses become nonpublic personal information." (p. 11) And the proposed rules contain the following examples:
Some of these examples, and the conclusion in the Commission's commentary, are difficult to understand and, I believe, incorrect, for two reasons. First, as already noted, names and addresses do not fit within the Act's definition of "nonpublic personal information" because they are not "personally identifiable financial information." (Sec. 509(4)(A) (emphasis added)) Second, names and addresses are not nonpublic--they are routinely publicly available--and they do not lose their public character just because they appear on a list of financial institution customers. As a result, the Act should not be interpreted as applying to such public information because Title V specifically states that the term "nonpublic personal information" "does not include publicly available information . . . ." (Sec. 509(4)(B))

This conclusion is consistent with the third part of the Act's definition of "nonpublic personal information." Under that part, section 509(4)(C), "nonpublic personal information" includes "any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information [which, by definition, means nonpublic personal financial information] other than publicly available information," but "shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information [i.e., that is derived without using nonpublic, personally identifiable, financial information]." (emphasis added) Under this part of the definition in the Act, even though the names and addresses of customers are clearly public information, they might nonetheless be covered by the Act if they pertain to customers (which they certainly do) and if the list of customers to whom they pertain was derived using information that was nonpublic, personal, and financial.
However, unless the list of customers was selected by income or account balance or other financial information, the names and addresses are not covered by the Act because the list was derived without using any financial information. Where a consumer engages in a financial transaction is not, without more, financial information--this was clearly Congress' intent. Otherwise, Congress would not have included the italicized words in the definition above.

Under the Act, the mere fact that an individual is on a list of consumers is not enough for that list to fit within the definition of nonpublic personal information. This is clear from the fact that Congress included in this section of the Act language requiring that the list of consumers must have been "derived using . . . nonpublic personal information other than publicly available information." This is also clear--unmistakably so--from the fact that Congress specifically provided for the existence of lists of consumers "that [are] derived without using any nonpublic personal information"--that is, without using nonpublic, personally identifiable, financial information. The drafters of the proposed rules plainly regard the existence of a list of consumers of a financial institution "that is derived without using any nonpublic personal information" as an impossibility, but Congress did not. The proposed rules explicitly state that "[t]he fact that an individual is or has been one of [a financial institution's] customers or has obtained a financial product or service from [a financial institution]" falls within the definition of "personally identifiable financial information." (Sec. 313.3(o)(2)(C) (Alternatives A and B)) The proposed rules therefore interpret the italicized words in the statutory definition above to have no meaning.
The proposed rules thus render that statutory language, like the word "financial" in the definition of "nonpublic personal information," a nullity, something which the most basic principles of statutory interpretation will not permit.

Ironically, the Commission's commentary on the proposed rules acknowledges that a list of popular magazine subscribers would not be covered by the Act, even though that list reflects that each of those subscribers has paid (or had paid for them) the published subscription price necessary to subscribe to the magazine. A list of financial institution customers, by contrast, yields far less information. A person on that list could have borrowed money, cashed a check, made an investment, purchased a money order, accessed an ATM, or engaged in literally hundreds of other transactions to qualify as a customer. Presumably this is why Congress specified that the Act would not apply to all lists of consumers of financial services, but rather only to those that conveyed some nonpublic, personal, financial information about those individuals listed.

"Every word and clause must be given effect" is among the most basic canons of statutory interpretation. The definition of "nonpublic personal information" in the proposed rules violates this tenet in two ways:
The proposed rules thus ignore key parts of the Act and result in a definition of "nonpublic personal information" that is contrary to the statute and to common sense. Moreover, by interpreting the Act to apply far beyond any reasonable interpretation of "nonpublic personal information," the proposed rules would turn statutory provisions intended to protect the privacy of "financial information" into a broad, omnibus privacy law. This not only violates the plain language of the Act, it also unnecessarily restricts valuable, productive uses of information that Congress did not intend to be burdened, and likely fails to protect adequately truly nonpublic personal financial information that many individuals reasonably consider to be private and to warrant protection.

I strongly encourage the Commission to revisit these critical definitions, in an effort to focus the privacy protection included in the Act on the types of information that Congress intended and the public expects.

Thank you for the opportunity to comment.

Yours sincerely,

Fred H. Cate