Equifax Knows Quite a Lot about You
► Employers themselves may not know what the credit-reporting giant does with their information.
Just when we imagined that credit-reporting firms couldn’t be more invasive and profiteering, NBC News breaks this story:
The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults.
Based on data voluntarily provided by thousands of U.S. businesses and public employers (from local public schools to federal agencies) Equifax’s product, The Work Number, includes information many of us would prefer to keep private, from week-by-week paystubs to information on personal “health care providers”—perhaps including the name of your psychiatrist or gynecologist.
For employers, The Work Number offers “an easy way to outsource employment verification of former workers” without having to deal with pesky phone calls whenever former employees start applying for new jobs. It’s a convenient service. But employers themselves may not know what the credit reporting giant does next:
Equifax turns around and sells some of this data to third parties, including debt collectors and financial services companies.
That’s right: debt collectors—the very companies that a new Federal Trade Commission study just found don’t bother to verify alleged debts in half of the cases studied—and yes, the same companies widely denounced for their harassing and abusive practices in pursuit of debts consumers may have paid off long ago or may never have owed—may now have access every detail of your employment history.
Yet even as Equifax and its debt collector customers cash in on data about the pay rates of millions of Americans, employees themselves can’t share information about their own paychecks so freely. According to the Institute for Women’s Policy Research, nearly half of U.S. employees are either contractually forbidden or strongly discouraged from discussing their own pay with their colleagues. Pay non-disclosure rules aimed at employees are a significant barrier to preventing gender and racial discrimination at work—as the ACLU points out “workers often remain in the dark about pay discrimination because employers have rules that punish employees for voluntarily sharing wage information with their colleagues.” For just that reason, Senator Barbara Mikulski has called on President Obama to issue an executive order prohibiting federal contractors from retaliating against employees who discuss salaries amongst themselves. Similarly, the National Labor Relations Board recently struck down provisions in Costco’s employee handbook that barred employees from sharing personal salary information with coworkers. Unfortunately, this ruling was thrown into limbo when a court struck down President Obama’s recess appointments to the NLRB.
The upshot? Even as employee advocates seek partial solutions to rules that bar workers from freely discussing their own salaries, Equifax insists that its collection and resale of personal salary information to third parties is perfectly legal under the Fair Credit Reporting Act. More than one law needs to be changed here.
► Data Protection Laws, an Ocean Apart
By Natasha Singer
New York Times
February 2, 2013
Over the years, the United States and Europe have taken different approaches toward protecting people’s personal information. Now the two sides are struggling to bridge that divide.
On this side of the Atlantic, Congress has enacted a patchwork quilt of privacy laws that separately limit the use of Americans’ medical records, credit reports, video rental records and so on. On the other side, the European Union has instituted more of a blanket regulatory system; it has a common directive that gives its citizens certain fundamental rights — like the right to obtain copies of records held about them by companies and institutions — that Americans now lack.
Even so, United States officials maintain that the divergent approaches are equal. “The sum of the parts of U.S. privacy protection is equal to or greater than the single whole of Europe,” says Cameron F. Kerry, general counsel of the Commerce Department. He is overseeing an agency effort to help develop voluntary, enforceable codes of conduct for industry groups, like app developers, whose collection and use of consumer data are now unregulated.
Europe begs to differ.
“Yes, we share the basic idea of privacy,” says Peter Hustinx, Europe’s data protection supervisor. “But there is a huge deficit on the U.S. side.”
Alas, the data-control divide appears to be widening.
A year ago, the European Commission proposed comprehensive reforms to strengthen online privacy rights — changes that could have big repercussions for American technology companies and marketers that operate in the European Union. American officials, trade groups and tech executives have responded by taking frequent treks to Brussels and other cities, where they have urged regulators and legislators to reconsider the one-regulation-fits-all-data approach. What’s at stake, American industry representatives say, is nothing less than a free and commerce-friendly Internet.
“The ecosystem of the Internet is very delicate,” says Kevin Richards, senior vice president of federal government affairs at TechAmerica, a trade group that represents companies like Google and Microsoft. “It’s not wise to have an overly broad, prescriptive, one-size-fits-all approach that would hinder or undermine the ability of companies to innovate in a global economy.”
European Union members already have data protection laws in place, based on a directive from 1995 that laid out principles for the collection of personal information. The proposed new rules would strengthen some existing provisions. They would standardize data protections across the 27 member states. They would also provide some new rights, such as “data portability” — the right of consumers to easily transfer their text files, photographs and videos from one social network, or e-mail or cloud storage service, to another. And they would subject companies that violate the rules to penalties of up to 2 percent of their annual global revenue.
Asked for comment, Viviane Reding, the vice president of the European Commission and the architect of the proposed regulation, said in a statement: “The main problem is that our rules predate the digital age and it became increasingly clear in recent years that they needed an update.” She continued: “That is why I have proposed a root-and-branch reform of the E.U.’s data protection rules — currently under discussion in the European Parliament and the Council of the E.U. — that will both protect citizens’ rights and facilitate business in the digital age.”
BUT some provisions seem too rigid to United States officials and trade groups. They argue that the American approach — sector-specific privacy laws, in addition to industry self-regulation and enforcement by the Federal Trade Commission — is more nimble.
“We hope that Europe will move in the direction of those multistakeholder standards, and not standards which are not flexible and don’t move at Internet speed,” says Mr. Kerry, who has taken at least four trips to European cities in the last year to discuss these issues.
From the perspective of some European legislators, however, United States representatives seem more interested in protecting commerce than consumers. The full-court American effort may have backfired, they say, pushing some European officials toward even broader measures. Last month, Jan Philipp Albrecht, a representative of the European Parliament who reviewed the draft regulation, proposed additional rights for citizens — like the right not to be subject to consumer profiling.
“My impression is that the U.S. Chamber of Commerce and the Commerce Department are mostly just following the interests of Silicon Valley,” he says. “This leads to heavy pressure on the European regulator, I can say.”
But Mr. Kerry says the United States must make its views known if the systems are to work in concert.
“I know that some people have raised eyebrows at our involvement; I make no apologies,” Mr. Kerry says. “We in the United States and countries and businesses around the world are stakeholders in this process. This has an important impact on the global economy.”
The solution to this trans-Atlantic clash may simply be American ingenuity.
Last year, President Barack Obama proposed a “Consumer Privacy Bill of Rights” that would give Americans many of the same baseline protections that the draft European rule proposes to reinforce. These include the right of access to records that companies hold about them, the right to correct those records and the right to have limits on the personal data that companies collect and keep. Administration officials said they would work with Congress on legislation based on those rights and to extend oversight to industries not currently covered by federal privacy laws.
A coalition of more than a dozen American advocacy groups said it would send a letter on Monday to senior Obama administration officials, seeking a meeting to ensure that American policy makers’ efforts in Europe “are not averse to the views expressed by the president.” The coalition includes the Electronic Privacy Information Center and the Center for Digital Democracy.
“Does the Obama administration really want to be on the opposite side of the European effort to upgrade and modernize its privacy law which is at its core about the protection of a fundamental freedom?” asks Marc Rotenberg, executive director of the Electronic Privacy Information Center.
European officials hold out hope that Congress will enact baseline consumer privacy protections for Americans.
“This development — which is much welcomed in Europe — shows that we have much in common,” Ms. Reding of the European Commission said in her statement, speaking of the privacy bill of rights. “Convergence is springing up and synergies are possible.”