Chapter Three: Existing Privacy Protections
Chapter Three: Existing Privacy Protections
Providing seamless privacy protection for data as it flows through the global Internet requires a careful reconsideration of the business community's interest in promoting commerce, the government's interests in fostering economic growth and protecting its citizens, and the interest of individuals in protecting themselves from intrusive overreach by government and the private sector. Protecting privacy in teh digital age will require the use of all of the tools at our disposal -- legislation, self-regulation, public education, and the technology itself.
"The makers of the Constitution conferred the most comprehensive of rights and the right most valued by all civilized men - the right to be let alone."- Louis Brandeis
One may be surprised to learn that the right to privacy is not explicitly mentioned in the U.S. Constitutional. Nevertheless, the federal constitution clearly- and in some ways strongly-- protects a range of values today encompassed by the concept of privacy.
In the First Amendment's protections of speech and association, the Supreme Court has recognized privacy interests such as "associational privacy" (NAACP v. Alabama, 1958), "political privacy" (Watkins v. United States, 1957, Sweezy v. New Hampshire, 1957), and the "right to anonymity in public expression" (Talley v. California, 1960).
In 1967, the Supreme Court held that the Fourth Amendment protects the privacy of communications against government eavesdropping. (Katz v. United States.)
In the 1960s and 1970s, the Supreme Court defined the concept of privacy to include personal decisions concerning reproduction, sex, and marriage. In Griswold v. Connecticut (1965), the Court ruled that citizens' fundamental right to privacy prohibits the criminalization of birth control. Justice Douglas stated in the majority opinion that the First, Third, Fourth, Fifth, and Ninth Amendments to the Constitution create penumbras of privacy. In Whalen v. Roe (1977), the Supreme Court held that the Fourteenth Amendment protects the privacy of certain information, in that case, sensitive prescription drug data collected by the state. The Whalen Court stated that the constitutionally protected zone of privacy involves two types of interests. One is the "individual interest in avoiding disclosure of personal matters" or informational privacy, and another is the "interest in independence in making certain kinds of important decisions." In Lawrence v. Texas (2003), the Supreme Court struck down the law against sodomy in Texas. The majority held that intimate consensual sexual conduct was part of the liberty protected by substantive due process under the Fourteenth Amendment. Lawrence has the effect of invalidating similar laws throughout the United States that purport to criminalize sodomy between consenting same-sex adults acting in private. The case made a vital, legal tie between liberty and privacy.
The courts generally have taken a case-by-case approach to privacy. In Greidinger v. Davis (1993), for example, a federal appeals court declared unconstitutional a Virginia law requiring citizens to disclose their Social Security numbers in order to register to vote. More recently, the Supreme Court ruled in Kyllo v. United States (2001) that use of thermal imaging to see through the walls of a house is a search requiring a warrant under the Fourth Amendment.
Because of the limitations of the judicial process and because the federal Constitution only protects against governmental intrusion, legislation is crucial to the protection of privacy, especially as technology erodes practical limits on the collection and sharing of information.
In the United States, privacy is protected against both governmental and commercial intrusion by a patchwork of statutes specific to different industries or different types of information. The statutes that define how governmental and commercial entities can collect, disclose and use information cover areas such as:
- Communications (the 1986 Electronic Communications Privacy Act and the Telephone Consumer Protection Act of 1991);
- Government collections (the Privacy Act of 1974);
- Financial information (the Right to Financial Privacy Act and the Gramm-Leach-Bliley Act);
- Credit reports (the 1970 Fair Credit Reporting Act);
- Medical records (the Health Insurance Portability and Accountability Act of 1996);
- Video rental records (the Video Privacy Protection Act of 1988).
These and many other laws are summarized at Existing Federal Privacy Laws.
All agencies of the federal government are responsible under the Privacy Act for protecting and properly using the personal data they collect. At the same time, various Cabinet departments and regulatory agencies have responsibility for regulating or overseeing the privacy practices of commercial entities falling under their jurisdiction. The Federal Trade Commission (FTC) has taken the lead in addressing privacy in the private sector. In terms of privacy at the various departments and agencies, the White House Office of Management and Budget (OMB) has a role in setting government-wide standards a role that has been approached differently by different Administrations.
In the past 30 years, the federal government has engaged in a wide range of privacy initiatives. For more on the privacy-related activities of federal privacy agencies and their recommendations regarding privacy, read CDT's May 2000 testimony and June 2008 testimony.
With respect to enforcement, the FTC receives complaints and brings cases against businesses that it believes engage in unfair or deceptive practices. It can seek preliminary injunctions against business practices it deems illegal. Most FTC cases against private businesses end in settlements. Its enforcement authority provides the FTC the ability to address unfair business practices that undermine consumer privacy on a case-by-case basis. Some FTC enforcement actions in the Internet context (2001 ? 2003) are summarized here.
The FTC also educates consumers and businesses with a variety of online guides. It also public workshops on emerging technologies and business practices. It publishes occasional reports to Congress and testifies at committee hearings upon invitation. For example, in January 2004, the FTC released its annual report detailing consumer complaints about identity theft and listing the top ten fraud complaint categories reported by consumers.
Finally, the FTC can adopt privacy protections through rule-making, but only with express mandate from Congress. Congress has granted the FTC jurisdiction to make rules concerning implementation and enforcement of certain statutory provisions, including provisions in the Children's Online Privacy Protection Act (15 U.S.C. secs. 6501-6506), the Gramm-Leach-Bliley Act, which pertains to the financial sector (15 U.S.C. secs. 6801-6809 and secs. 6821-6827), and the Telemarketing and Consumer Fraud and Abuse Prevention Act (15 U.S.C. secs. 6101-6108). Complete list of all FTC-related statutes.
In 1999, the Office of Management and Budget (OMB) created the office of the Chief Counselor for Privacy to coordinate the federal government's response to privacy issues. Peter P. Swire, a professor of law at Ohio State University and internationally recognized expert on privacy issues, was appointed as the first person to hold the position in the OMB's Office of Information and Regulatory Affairs, which oversees implementation of the Privacy Act of 1974. Swire served until the end of the Clinton Administration in January 2001. Despite the urging of CDT and others, the administration of President George W. Bush did not retain the position of chief privacy advisor; for 8 years, there has been no official in the White House devoted to privacy issues.
In the private sector or in government, privacy officers can play an important role. In 2002, Congress established in the Department of Homeland Security the first statutorily required senior privacy position in the federal government. Other agencies established privacy officer positions on their own. Now, legislation requires all agencies to have senior privacy officials responsible for compliance with relevant laws, particularly the Privacy Act and the E-Government Act. These officials issue public notices regarding agency data collection and conduct privacy impact assessments (PIA) of proposed technology selections. CDT strongly supports the existence of privacy officers at federal agencies. We believe their independence should be strengthened. We also support establishing a privacy officer at the White House with government-wide responsibilities.
Louis Brandeis famously praised the states as "laboratories" for the development of public policy. Indeed, particularly on privacy issues where Congress has lagged, state legislatures have stepped in to provide greater protection for consumers. As new technologies have led to greater data collection and sharing, the privacy stakes have grown. Many states have passed laws to enhance the privacy of medical and financial information and given residents a private right of action for privacy harms. Ten states take the added step of explicitly proclaiming a right to privacy in their constitutions.
Wish respect to enforcement, AGs can launch investigations into questionable business practices and press charges against businesses for violations of privacy obligations. For example, Washington's AG Rob McKenna successfully sued several spyware companies for deceptively invading user privacy.
For public education, most AG websites have handbooks or fact sheets outlining consumer privacy rights and what consumers should do if they face a breach of privacy.
The AGs can also be influential by pushing for or helping to shape state privacy legislation. Because AGs are often on the frontlines of spyware and other consumer privacy protection matters, they are viewed as experts of real-world enforcement problems and how those can be best addressed.
Corporations, universities and government agencies lose - through theft or carelessness - sensitive information on customers, members or citizens. In 2005, for example, data aggregation company ChoicePoint was the victim of a high profile breach, affecting over 160,000 consumers. In 2006, a laptop was stolen from an employee of the U.S. Department of Veterans Affairs, compromising the information of over 25 million veterans.
In 2002, California enacted the nation's first security breach notification law. The law was intended to combat the growing threat of identity theft by requiring companies and state agencies that suffered data breaches to notify those affected. The California law quickly became a model for other states, and at least 44 states now have similar legislation. High-profile data breaches continue to occur, in large part due to poor data management practices.
Although several bills have been introduced at the federal level. Congress has not yet passed federal security breach notification legislation.
While HIPAA establishes certain baseline standards for medical records privacy, it is far from comprehensive, and states have moved to filled in the gaps by enacting stronger legislation. HIPAA specifically allows the states to adopt stronger privacy protections. Many states also have laws governing access rights and liability for particularly sensitive information, such as mental health records, HIV/AIDS-related information, and genetic data.
National laws may be insufficient, on their own, to provide citizens with privacy protections across borders. Various international bodies, including the European Union and the Organization for Economic Cooperation and Development, have developed privacy rules.
In late 1980, the Organization for Economic Cooperation and Development (OECD) issued a "Recommendation Concerning and Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data." While not binding, the OECD guidelines had a major influence on international agreements, national laws, and self-regulatory policies.
The OECD Guidelines include:
- Collection Limitation Principle,
- Data Quality Principle,
- Purpose Specification Principle,
- Use Limitation Principle,
- Security Safeguards Principle,
- Openness Principle,
- Individual Participation Principle, and
- Accountability Principle
In January of 2003, the OECD published a report on online privacy, offering specific practical guidance for implementation of privacy protection online for member countries, businesses, and consumers.
In 1995, the Council of Ministers of the European Union formally adopted the Directive on the Protection of Personal Data. The Directive granted data subjects a number of important rights including the right of access to personal data, the right to know where the data originated (if such information is available), the right to have inaccurate data corrected, the right of recourse in the event of unlawful processing, and the right to withhold permission to use data in certain circumstances -- for example, individuals have the right to opt out free of charge from being sent direct marketing material.
The Directive also prohibits businesses from transferring data from an EU country to a office or affiliate in another country unless that country provides adequate privacy protection. In 2000, after lengthy negotiations, the EU approved a set of ?safe harbor? principles that allow transfers to the U.S.
In July 2002, the EU adopted a directive translating the principles of the 1995 directive into specific rules for telecommunications and other electronic communications, addressing privacy and security, marketing, cookies, and data retention.
- Directive on privacy and electronic communications (2002)
- GIPI memo analyzing the electronic communications directive [pdf]
The debate continues over the ability of self-regulation and market forces to adequately address privacy concerns. Privacy advocates argue that self-regulation alone is insufficient due to both a lack of enforcement and the absence of legal redress to harmed individuals. Many businesses strongly favor self-regulation, stating that it results in workable, market-based solutions while placing minimal burdens on affected companies.
Numerous efforts at self-regulation have emerged; examples include TRUSTe, the Better Business Bureau's Online Privacy Program (BBBOnLine), and the Online Privacy Alliance. In addition, a growing number of companies, under public and regulatory scrutiny, have begun incorporating privacy into their management process.
Elements of Effective Self-Regulation for Protection of Privacy: The Department of Commerce paper discusses the elements of effective self-regulatory regimes -- elements that incorporate principles of fair information practices with enforcement mechanisms that promote compliance with those practices
Opt-out is an option that gives consumers the choice to prevent personally identifiable information from being used by a particular company or shared with third parties. Online opt-out procedures vary greatly; some businesses make opting out very difficult.
A major self-regulatory enforcement initiative has been the development of online privacy seal programs. To display the privacy seal on its Web site, a business must implement certain fair information practices defined by the seal program and submit to various types of compliance monitoring. Seal programs could be an efficient way to alert consumers to the information practices of those displaying the seal and to demonstrate compliance with program requirements. In 1999, CDT issued a report, Behind the Numbers, that described the status of privacy seal initiatives as of that time.
TRUSTe, the first online privacy seal program, has grown from over 500 licensed Web sites in 1999 to more than 1800 sites in a variety of industries in 2007. TRUSTe has also started specialized seal programs addressing children's privacy, email privacy, and the European Union/Safe Harbor privacy principles.
The Online Privacy Alliance (OPA), a group of more than 30 global corporations and associations, identifies and advances online privacy policies across the private sector, supports the development and use of self-regulatory enforcement mechanisms and activities, as well as user empowerment technology tools designed to protect individuals' privacy, and supports compliance with and strong enforcement of applicable laws and regulations.
The Network Advertising Initiative (NAI) is a ?cooperative of online marketing and analytics companies committed to building consumer awareness and establishing responsible business and data management practices and standards.? In 2000, the NAI adopted a set of self-regulatory principles that require NAI member companies to post a notice on all Web sites served by their networks. This notice informs visitors to such sites that the advertising networks may place a third party cookie on their computers and that such a cookie may be used to tailor ad content both on the site being visited and on other sites within that network that may be visited in the future. In addition to requiring notice to consumers about the use of third party cookies, the NAI mandates that member advertising networks provide an "opt-out" mechanism for the targeted ad programs they provide. In 2008, NAI issued for comment an updated version of the guidelines.
In November 2002, NAI, along with TRUSTe and BBBOnline, released guidelines governing web beacon usage. The guidelines require notice of web beacon usage and that advertisers provide choice if personally identifiable information is transferred through web beacons.
The Liberty Alliance (LA), a consortium of nearly 150 companies and other entities, was founded in 2001 to establish standards for federated network identity management systems, which allow users to link information between accounts. Such systems prevent centralization of information, thus inhibiting identity theft. Federated identity provides customers with more control over their personal data, and it fosters relationships between businesses. One of the key goals of the LA is to develop specifications that enable service providers to protect consumer privacy.