Chapter Two: Privacy Basics
What Is Privacy?
Privacy is one of the most basic human rights. Without privacy, freedom of expression is chilled and dissent becomes risky. A sense of being watched is deeply corrosive of democracy and human development. Privacy is also one of the building blocks of trust in the security and confidentiality of communications and sensitive data - a trust that is essential to e-commerce and full realization of the potential benefits of the Information Society.
Privacy is recognized and protected as a fundamental human right in the U.S. Constitution and all the major international human rights instruments, starting with the Universal Declaration of Human Rights. Yet of all our rights, privacy is often said to be one of the most difficult to define. Privacy has been defined as the "right to be left alone" or the "right to control information about oneself." In fact, privacy is a concept that embodies a number of ideas, including confidentiality, anonymity and solitude.
Definitions of privacy necessarily vary according to context. In this privacy guide, we focus on two forms of privacy: communications privacy and information privacy.
By "communications privacy," we refer to the right to expect that a letter, email or telephone conversation will remain confidential - that it will not be intercepted, read or listened to by a third party.
"Information privacy" (referred to in many other countries as "data protection") focuses on information that is generated or disclosed in the course of a commercial or governmental transaction. Generally speaking, "information privacy" is not about secrecy, since the information is necessarily disclosed in the course of a commercial or governmental transaction and often must be re-disclosed to third parties to complete the transaction. Sometimes the information is even publicly available, as in the case of government records such as property deeds or arrest records. Instead, the core of information privacy is sometimes characterized as one of control: Individuals should be able to interact with government and commercial entities and provide them with personal information without losing control over subsequent uses of that information. Another way to think of privacy in this context is in terms of "fairness": When individuals disclose information, that information should be used fairly. In this context, privacy involves the rules governing the collection, use, retention and disclosure of personal information.
While the U.S. Constitution does not explicitly use the word "privacy," several of its provisions protect different aspects of this fundamental right. Some of the most important protections arise from the Fourth Amendment, which safeguards individuals in their persons, homes, papers, and effects, from unreasonable searches and seizures. The Fourth Amendment limits government intrusion into people's private lives. The Supreme Court's interpretations of the Fourth Amendment, however, contain weaknesses that are particularly troubling in the network environment of the Internet.
Other privacy protections arise from:
- the First Amendment's freedom of expression and association clauses, which protect information about those with whom we associate (political groups and social organizations) and offer protections for the materials that we create, access and read in the privacy of our homes;
- the Fifth Amendment's privilege against self-incrimination, which protects the autonomy of our bodies, thoughts and beliefs;
- the Ninth Amendment, in which the Supreme Court has found protections for the privacy of our family and reproductive life; and
- the Fourteenth Amendment, which the Supreme Court has also cited as the source of some limits on state government intrusions upon the freedom and privacy of intimate decisions that affect our sexual, family and reproductive lives.
An important point to recognize about the U.S. Constitution: It protects privacy only against governmental intrusion. It does not apply to the actions of private actors, such as businesses. Some state constitutions, most notably California's, do provide a privacy right against private sector as well as governmental intrusion, but generally in the U.S. we rely on statutes and principles of the "common law" to protect privacy in the commercial context.
Fair Information Practices and Privacy Statutes
In 1977, at the beginning of the computer revolution, an advisory committee to the U.S. government developed a set of principles for handling personally identifiable information collected by the government. Known as the Principles of Fair Information Practice or FIPs, they have had a wide impact on the protection of privacy in both governmental and commercial contexts. They have been adopted in varying degrees by a wide range of governmental entities and industry groups, both in the U.S. and internationally. The Principles are intended to foster individuals' control over their personal information, limit data collection, and place responsibilities on data collectors. The FIPs are the basis for current information privacy laws and remain at the center of online privacy debates.
2008 DHS FIPs Guidelines
- Transparency: Entities should be transparent and provide notice to the individual regarding their collection, use, dissemination, and maintenance of information.
- Individual Participation: Entities should involve the individual in the process of using personal information and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of this information. Entities should also provide mechanisms for appropriate access, correction, and redress regarding their use of personal information.
- Purpose Specification: Companies should specifically articulate the purpose or purposes for which personal information is intended to be used.
- Data Minimization: Only data directly relevant and necessary to accomplish a specified purpose should be collected and data should only be retained for as long as is necessary to fulfill a specified purpose.
- Use Limitation: Personal information should be used solely for the purpose(s) specified in the notice. Sharing of personal information should be for a purpose compatible with the purpose for which it was collected.
- Data Quality and Integrity: Companies should, to the extent practicable, ensure that data is accurate, relevant, timely and complete.
- Security: Companies should protect personal information through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: Companies should be accountable for complying with these principles, providing training to all employees and contractors who use personal information, and auditing the actual use of personal information to demonstrate compliance with the principles and all applicable privacy protection requirements.