The safe harbor principles contain an exception where statute, regulation or case-law create “conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization.” Clearly, where U.S. law imposes a conflicting obligation, U.S. organizations, whether in the safe harbor or not, must comply with the law. As for explicit authorizations, while the safe harbor principles are intended to bridge the differences between the U.S. and Swiss regimes for privacy protection, we owe deference to the legislative prerogatives of our elected lawmakers. The limited exception from strict adherence to the safe harbor principles seeks to strike a balance that accommodates the legitimate interests on each side.
The exception is limited to cases where there is an explicit authorization. Therefore, as a threshold matter, the relevant statute, regulation or court decision must affirmatively authorize the particular conduct by safe harbor organizations. As a point of clarification, the relevant legal authority will not have to specifically reference the safe harbor principles. In other words, the exception would not apply where the law is silent. In addition, the exception would apply only if the explicit authorization conflicts with adherence to the safe harbor principles. Even then, the exception “is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization.” By way of illustration, where the law simply authorizes a company to provide personal information to government authorities, the exception would not apply. Conversely, where the law specifically authorizes the company to provide personal information to government agencies without the individual’s consent, this would constitute an “explicit authorization” to act in a manner that conflicts with the safe harbor principles. Alternatively, specific exceptions from affirmative requirements to provide notice and consent would fall within the exception (since it would be the equivalent of a specific authorization to disclose the information without notice and consent). For example, a statute which authorizes doctors to provide their patients’ medical records to health officials without the patients’ prior consent might permit an exception from the notice and choice principles. This authorization would not permit a doctor to provide the same medical records to health maintenance organizations or commercial pharmaceutical research laboratories, which would be beyond the scope of the purposes authorized by the law and therefore beyond the scope of the exception. 
Similarly, the doctor in this example could not rely on the statutory authority to override the individual’s exercise of the opt-out from direct marketing provided by the FAQ on Timing of Opt Out. The scope of any exception for “explicit authorizations” is necessarily limited to the scope of the authorization under relevant law. The legal authority in question can be a “stand-alone” authorization to do specific things with personal information, but, as the examples below illustrate, it is more likely to be an exception to a broader law which proscribes the collection, use, or disclosure of personal information.
In most cases, the authorized uses are either consistent with the requirements of the Directive and the principles, or would be permitted by one of the other allowed exceptions. For example, section 702 of the Telecommunications Act (codified at 47 U.S.C. § 222) imposes a duty on telecommunications carriers to maintain the confidentiality of personal information that they obtain in the course of providing their services to their customers. This provision specifically allows telecommunications carriers to:
1. use customer information to provide telecommunications service, including the publication of subscriber directories;
2. provide customer information to others at the written request of the customer; and
3. provide customer information in aggregate form.
See 47 U.S.C. § 222(c)(1)-(3). The Act also allows telecommunications carriers an exception to use customer information:
1. to initiate, render, bill, and collect for their services;
2. to protect against fraudulent, abusive or illegal conduct; and
3. to provide telemarketing, referral or administrative services during a call initiated by the customer.
Id., § 222(d)(1)-(3). The scope of this third exception is very limited. By its terms, the telecommunications carrier can use customer proprietary network information (CPNI) only during a call initiated by the customer. Furthermore, we have been advised by the FCC that the telecommunications carrier may not use CPNI to market services beyond the scope of the customer’s inquiry. Finally, since the customer must approve the use of CPNI for this purpose, this provision is not really an “exception” at all.
Finally, telecommunications carriers are required to provide subscriber list information, which can include only names, addresses, telephone numbers and, for commercial customers, line of business, to publishers of telephone directories. Id., § 222(e).
The exception for “explicit authorizations” might come into play when telecommunications carriers use CPNI to prevent fraud or other unlawful conduct. Even here, such actions could qualify as being in the “public interest” and allowed by the principles for that reason.
The Department of Health and Human Services (HHS) has promulgated rules regarding standards for the privacy of individually identifiable health information. See 65 Fed. Reg. 82462 (December 28, 2000) (to be codified at 45 C.F.R. pts. 160-164). The rules implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191. The proposed rules generally would prohibit covered entities (i.e., health plans, health care clearinghouses, and health providers that transmit health information in electronic format) from using or disclosing protected health information without individual authorization. See 45 C.F.R. § 164.502(a). The proposed rules require disclosure of protected health information for only two purposes: 1. to permit individuals to inspect and copy health information about themselves, and 2. to enable the Office of Civil Rights to enforce the rules. Id. at § 164.502(a)(2).
The proposed rules would permit use or disclosure of protected health information, without specific authorization by the individual, in limited circumstances. These include for example oversight of the health care system, law enforcement, and emergencies. See id. at § 164.512. The proposed rules set out in detail the limits on these uses and disclosures. Moreover, permitted uses and disclosures of protected health information would be limited to the minimum amount of information necessary. See id. at § 164.502(b).
The permissive uses explicitly authorized by the proposed regulations are generally consistent with the safe harbor principles or are otherwise allowed by another exception. For example, law enforcement and judicial administration are permitted, as is medical research. Other uses, such as oversight of the health care system, public health functions, and government health data systems, serve the public interest. Disclosures to process health care payments and premiums are necessary to the provision of health care. Uses in emergencies, to consult with next of kin regarding treatment where the patient’s consent “cannot practicably or reasonably be obtained,” or to determine the identity or cause of death of the deceased protect the vital interests of the data subject and others. Uses for the management of active duty military and other special classes of individuals aid the proper execution of the military mission or similar exigent situations; and in any event, such uses will have little if any application to consumers in general.
This leaves only the use of personal information by health care facilities to produce patient directories. While such use might not rise to the level of a “vital” interest, the directories do benefit patients and their friends and relations. Also, the scope of this authorized use is inherently limited. Therefore, reliance on the exception in the principles for uses “explicitly authorized” by law for this purpose presents minimal risk to the privacy of patients.
The concern has been raised that the “explicit authorizations” exception would “effectively create an adequacy finding” for the Fair Credit Reporting Act (FCRA). This would not be the case. In the absence of a specific adequacy finding for the FCRA, those U.S. organizations that would otherwise rely on such a finding would have to promise to adhere to the safe harbor principles in all respects. This means that where FCRA requirements exceed the level of protection embodied in the principles, the U.S. organizations need only obey the FCRA. Conversely, where the FCRA might fall short, those organizations would need to bring their information practices into conformity with the principles. The exception would not alter this basic assessment. By its terms, the exception applies only where the relevant law explicitly authorizes conduct that would be inconsistent with the safe harbor principles. The exception would not extend to cases where FCRA requirements merely do not meet the safe harbor principles. Our discussion here should not be taken as an admission that the FCRA does not provide “adequate” protection. Any assessment of the FCRA must consider the protection provided by the statute in its entirety and not focus only on the exceptions, as we do here.
In other words, we do not intend the exception to mean that whatever is not required is therefore “explicitly authorized.” Furthermore, the exception applies only when what is explicitly authorized by U.S. law conflicts with the requirements of the safe harbor principles. The relevant law must meet both of these elements before non-adherence with the principles would be permitted.
Section 604 of the FCRA, for example, explicitly authorizes consumer reporting agencies to issue consumer reports in various enumerated situations. See FCRA, § 604. If, in so doing, section 604 authorizes credit reporting agencies to act in conflict with the safe harbor principles, then the credit reporting agencies would need to rely on the exception (unless, of course, some other exception applied). Credit reporting agencies must obey court orders and grand jury subpoenas, and use of credit reports by government licensing, social and child support enforcement agencies serves a public purpose. Id., § 604(a)(1), (3)(D), and (4). Consequently, the credit reporting agency would not need to rely on the “explicit authorization” exception for these purposes. Where it acts in accordance with written instructions by the consumer, the consumer reporting agency would be fully in compliance with the safe harbor principles. Id., § 604(a)(2). Likewise, consumer reports can be procured for employment purposes only with the consumer’s written authorization (id., §§ 604(a)(3)(B) and (b)(2)(A)(ii)), and for credit or insurance transactions that are not initiated by the consumer only if the consumer has not opted out from such solicitations and the solicitations meet statutory criteria and constitute a firm offer of credit (id., § 604(c)(1)(B)). Also, the FCRA prohibits credit reporting agencies from providing medical information for employment purposes without the consent of the consumer. Id., § 604(g). Such uses comport with the notice and choice principles. Other purposes authorized by section 604 entail transactions involving the consumer and would be permitted by the principles for that reason. See id., § 604(a)(3)(A) and (F).
The remaining use “authorized” by section 604 relates to secondary credit markets. Id., § 604(a)(3)(E). There is no conflict between use of consumer reports for this purpose and the safe harbor principles per se. It is true that the FCRA does not require credit reporting agencies, for example, to give notice and consent to consumers when they issue reports for this purpose. However, we reiterate the point that the absence of a requirement does not connote an “explicit authorization” to act in a manner other than as required. Similarly, section 608 allows credit reporting agencies to provide some personal information to government agencies. This “authorization” would not justify a credit reporting agency ignoring its commitments to adhere to the safe harbor principles. This contrasts with our other examples where exceptions from affirmative notice and choice requirements operate to explicitly authorize uses of personal information without notice and choice.
A distinct pattern emerges even from our limited review of these statutes:
In conclusion, the exception for “explicit authorizations” in the law will, by its nature, likely be rather limited in scope.