Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 122
Engaging Privacy and Information Technology in a Digital Age 4 The Legal Landscape in the United States Many discussions of privacy ultimately end up turning toward the law. How have legislatures and the courts defined and interpreted privacy? What are individuals’ and organizations’ rights and obligations under the law? Is there a constitutional right to privacy? These are the sorts of questions that have inspired hundreds of books and journal articles about the legal underpinnings of privacy. This chapter presents an overview of the legal landscape as background for discussion elsewhere in the report. 4.1 CONSTITUTIONAL FOUNDATIONS This section addresses constitutional safeguards for a citizen’s privacy against government invasion and intrusion. Although the word “privacy” does not appear expressly in the U.S. Constitution, the Supreme Court has made clear that this fundamental right is implicit from the panoply of other rights guaranteed in the First, Fourth, and Ninth Amendments. 4.1.1 The Fourth Amendment The source of constitutional protection for privacy (now embodied most clearly in the Constitution’s Fourth Amendment) lies deep in English history. Precisely four centuries ago, British courts declared in Semayne’s Case that “the house of every one is to him as his castle and fortress.”1 1 Semayne’s Case, 5 Co. Rep. 91a, 91b, 77 Eng. Rep. 194, 195 (K.B. 1603).
OCR for page 123
Engaging Privacy and Information Technology in a Digital Age From that bold beginning developed a more specific expectation that government may search a person’s house, or personal papers, only with a valid reason (later, “probable cause”), legal authority (eventually in the form of a search warrant), and only after giving adequate notice before seeking entry or access. Prominent among the principles that the U.S. Constitution’s framers felt imperative to embody in the Bill of Rights was that of privacy. The Fourth Amendment has for the past 212 years been the bulwark of such privacy protection. Most states have comparable provisions in their own constitutions, and in 1963 the U.S. Supreme Court declared that state and local governments are as fully bound to respect privacy as is the national government, since the due process clause of the Fourteenth Amendment incorporates or absorbs the basic safeguards of the Fourth and makes those safeguards fully applicable to official action at all levels. Interpreting and applying the spare words of the Fourth Amendment have posed a major and continuing challenge for the courts. Indeed, hardly a term of the U.S. Supreme Court passes without at least one case on the docket that juxtaposes government’s need for information, usually pursuant to law enforcement investigation, and a citizen’s or organization’s wish to withhold that information, or to prevent government from gathering the information by invading premises or conducting surveillance in other forms. The Supreme Court’s recognition of a citizen’s right to be secure against unauthorized government intrusion dates at least to a batch of cases in the 1880s, beginning with Kilbourn v. Thompson, 103 U.S. 168, 190 (1880), noting that Congress does not “possess the general power of making inquiry into the private affairs of the citizen.” Later rulings extended the same principle to inquiries by federal administrative agencies. In 1886, in Boyd v. United States, 116 U.S. 616, 530 (1886), the Court struck down a regulatory measure that it found unduly intrusive into “the sanctity of a man’s home and the privacies of life.” The later evolution of Fourth Amendment privacy guarantees highlights several notable 20th-century decisions. While the Court ruled in Olmstead v. United States, 277 U.S. 438 (1928), that the use of a wiretap did not violate the Fourth Amendment because there had been no physical invasion of a citizen’s home, person, or papers, later judgments importantly qualified the potential scope of that decision. Notably, the Court held in Katz v. United States, 389 U.S. 347 (1967), that privacy rights did extend to a telephone booth, noting that “wherever a man may be, he is entitled to know that he will remain free from unreasonable searches and seizures.” The Supreme Court has dealt extensively in the last half century with conditions and circumstances under which searches of automobiles,
OCR for page 124
Engaging Privacy and Information Technology in a Digital Age pedestrians, hotel rooms, and offices may or may not be deemed reasonable. These rulings have usually reflected close divisions within the Court, often by the narrowest of margins. While the prevailing principles remain constant, variations in circumstances, in the potential effect of a particular search, and in the claimed needs of law enforcement inevitably affect the outcome. A more recent decision affecting privacy of the home may aptly illustrate the process. In 2001, the Supreme Court considered for the first time whether the use of a thermal imaging device aimed at a private home from a public street to detect relative amounts of heat within the home—to determine whether marijuana was probably being grown within—constituted a “search” for Fourth Amendment purposes. Distinguishing permissible “naked eye surveillance of a home” the Court held on a 5-4 vote that thermal-imaging surveillance was constitutionally different and did involve an unlawful search. The explanation recalls the clarity and simplicity of basic Fourth Amendment precepts: “Where, as here, the Government uses a devise that is not in general public use, to explore details of the home that would not previously have been knowable without physical intrusion, the surveillance is a ‘search’ and is presumptively unreasonable without a warrant.”2 Within the ambit of protecting privacy against government action, the Supreme Court declined in Paul v. Davis, 424 U.S. 693 (1976), to extend privacy interests to the “stigma” created by official publication of a person’s name and photo on a list of “active shoplifters” after a larceny charge filed against him had been dismissed. While renewing the broad scope of the “zone of privacy,” the Court distinguished other situations in which it had recognized such interests, noting that the claim posed here was not legally analogous, but simply sought to avoid unwelcome publicity. The high Court’s 2003 decisions, rejecting similar claims against the display on state Internet Web sites of the identities of past sex offenders who had served time and been released, are much in the same vein. Finally, the Court has long held that the probable cause standard of the Fourth Amendment does not apply to individuals seeking to enter the country (as opposed to those individuals already in the United States). For example, the Supreme Court has held that “searches of persons or packages at the national border rest on different considerations and different rules of constitutional law from domestic regulations,”3 and has thus recognized the right of Congress to grant the executive “plenary authority to conduct routine searches and seizures at the border, without probable 2 Kyllo v. United States, 533 U.S. 27 (2001). 3 United States v. 12 200-Ft. Reels of Film, 413 U.S. 123 (1973).
OCR for page 125
Engaging Privacy and Information Technology in a Digital Age cause or a warrant, in order to regulate the collection of duties and to prevent the introduction of contraband into this country.”4 4.1.2 The First Amendment The First Amendment’s recognition of free speech and press safeguards citizens’ privacy in several distinct ways: Government may not compel citizens to reveal certain highly sensitive information (e.g., membership in controversial political groups) or require them to disclaim membership in such organizations as a condition of receiving public benefits such as food stamps. Nor may government require a postal patron to declare publicly a desire to continue to receive mail from Communist countries. The Supreme Court has also found in the First Amendment rights to speak, write, or publish anonymously or pseudonymously (especially in making political statements). Beginning with its 1960 decision in Talley v. California, 362 U.S. 60 (1960), the Court has consistently found in freedom of expression a right to resist compelled disclosure of one’s identity, especially in the context of volatile political communications. Some years later, in McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995), the justices reaffirmed their commitment to protection of anonymity, insisting that governments that had legitimate reasons to regulate political communications could use less intrusive means. In a similar vein, the Court also struck down on First Amendment grounds a law that required citizens who wished to receive “communist political propaganda” to explicitly notify the post office. The Court’s reasoning was that such notification was a limitation on the unfettered exercise of the addressee’s First Amendment rights. That decision, in Lamont v. Postmaster General, 381 U.S. 301 (1965), retains much value to privacy law, and is indeed the touchstone of current debate about the “opt-in” provision of the federal law that requires public libraries to filter Internet access, but permits patrons wishing unfiltered access to request it. However, the legal status of potentially intrusive government surveillance is less clear under the First Amendment; three decades ago, the Supreme Court rejected citizens’ efforts to enjoin the government’s Vietnam era surveillance and infiltration of controversial anti-war political groups. The high Court has never revisited this issue, although a few lower courts have been more protective—notably the California Supreme Court, a few years after the high Court ruling, in barring police departments from sending undercover agents into university classrooms, posing as students, to compile dossiers on suspected radicals. 4 U.S. v. Montoya de Hernandez, 473 U.S. 531, 537, 105 S. Ct. 3304, 3308 (1985).
OCR for page 126
Engaging Privacy and Information Technology in a Digital Age The First Amendment has also served as the basis for protecting privacy in the home. Starting with Breard v. Alexandria, 341 U.S. 622 (1951), the Supreme Court has shown substantial deference to local ordinances that protect privacy by forbidding door-to-door solicitation without the homeowner’s permission—save when such laws unduly burden free expression, as the justices found in their most recent encounter with such privacy-protecting measures, Watchtower Bible & Tract Soc’y v. Stratton, 536 U.S. 150 (2002). In Watchtower, the Court held that a requirement to register with the mayor’s office and to obtain a local permit prior to engaging in door-to-door advocacy violated the First Amendment as it applied to religious proselytizing, anonymous political speech, and the distribution of handbills. Turning to legal protection for privacy that concerns intrusion by individuals rather than by government, the case law is more easily summarized. Publication of the truth—no matter how unwelcome or invasive of privacy—is almost invariably protected under U.S. law, though less clearly under the laws of most other nations. The Supreme Court has stopped just short of declaring flatly that speaking truth is categorically protected. What the justices have consistently said on this subject is that a publisher may not be held criminally or civilly liable if the challenged information meets three conditions, spelled out in cases like Cox Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975), and The Florida Star v. B.J.F., 491 U.S. 524 (1989). The statements must be accurate, else they would be subject to a legal claim for defamation. They must hold public interest—which means little more than that someone wishes to read or hear them. Finally, the information or images must not have been unlawfully obtained. This last criterion created substantial confusion over the issue of whose unlawful conduct would taint the information. That issue has now been largely resolved by the Supreme Court’s 2001 ruling in Bartnicki v. Vopper, 532 U.S. 514 (2001), that even if a tape recording that was eventually broadcast on the defendant’s radio station resulted from a clearly illegal wiretap, the station would not be liable if the evidence showed no complicity on its part in the unlawful taping. The case did involve, beyond a finding for the station’s innocence, subject matter of great public interest and value to the community, and a privacy interest on the part of the illegally taped parties, which—given the illegality of the activities they were plotting on the phone—the Court characterized as “attenuated.” The Supreme Court’s reluctance ever to declare unambiguously that truth trumps privacy may give pause to some publishers, and might imply that the ghost of Warren and Brandeis survives. Indeed, there are several situations in which truthful publications might generate liability. Clearly if the information was unlawfully obtained by the publisher or
OCR for page 127
Engaging Privacy and Information Technology in a Digital Age by someone for whose conduct the publisher bears responsibility—by hacking into an electronic database or breaching a legal privilege such as that between physician and patient, the legal immunity no longer applies. If truthful information is presented in a damaging “false light,” the law of some states affords redress, which the Supreme Court seems to have condoned. Conceivably an intrusive publication could be deemed to lack public interest, and forfeit protection on that basis. The ultimate question remains: If information has clear public interest, is accurate, and was not unlawfully obtained, can there ever be liability? The short answer seems to be no, and perhaps the longer answer as well. Yet one can imagine two cases in which such a negative answer would at least compel reflection. One would be the widespread dissemination—through a popular Web site, for example, of a photograph taken on a public street by a concealed camera of a female pedestrian’s intimate apparel and private features. Since the site was public—a place where there is no expectation of privacy (unlike a bathroom, dressing room, etc.)—the general policy is that anyone walking there is fair game for potentially embarrassing images. (As close as Canada, the law differs on just this point; a Canadian may be photographed with impunity at a rally or athletic event, but not without consent when sitting on a doorstep, even in clear public view.) There have been persistent suggestions that U.S. law should recognize some exception to the publisher’s immunity in such a situation. The other poignant case involves a person whose HIV-positive status is unknown to friends, family, employer, and neighbors but is disclosed to the world by someone who obtained this highly sensitive information “not unlawfully” (an estranged ex-spouse, for example). Here again, the revelation may not be actionable for a violation of a federal right of privacy, although it may be actionable under state constitutional privacy jurisprudence, for a variety of torts (e.g., tortuous interference with business relations), state or federal statutes, or for violation of contractual rights (e.g., divorce settlement agreements often have gag provisions). Yet there is something about such a case that gives even the most ardent free-press advocate some pause. For the moment, the short answer—“the truth shall set you free”—remains the long answer as well. 4.1.3 The Ninth Amendment Finally among constitutional safeguards for privacy (though not for informational privacy), a “penumbral” protection derived in part from the Ninth Amendment has recently joined more traditional sources. Among the most prominent cases in this regard is Griswold v. Connecticut, 381 U.S. 479 (1965). In this case, the Supreme Court held unconstitutional a Con-
OCR for page 128
Engaging Privacy and Information Technology in a Digital Age necticut law banning the use even by married couples of contraceptives, stating that the ban violated basic privacy precepts since it invaded “a zone of privacy created by several fundamental constitutional guarantees.” In that case, Justice William O. Douglas concluded his opinion for the Court with a reminder that is useful here: “We deal with a right of privacy older than the Bill of Rights—older than our political parties, older than our school system.” Such statements remind us that the framers of the Constitution and of the Bill of Rights were not creating protection for privacy against government, but codifying ancient precepts in new language, and with new force behind those words. On the other hand, a sharply split Court failed in Bowers v. Hardwick, 478 U.S. 186 (1986), to find in the right of privacy a constitutional basis for protection against state laws criminalizing homosexual sodomy. The status of that case had become increasingly problematic. Before his death, one justice who had voted in the majority declared he had been wrong in so doing. At least five states declined to follow Hardwick, granting protection to private homosexual activity under their own constitutions—as states are free to do, since the national Bill of Rights sets only a floor and not a ceiling. Thus when the issue returned to the Supreme Court during the 2002-2003 term, the likelihood of an overruling seemed substantial. Only the margin was in doubt, as well as the precise rationale a differently disposed majority would adopt. On June 26, 2003, the final day of its term, the justices by a decisive 6-3 vote overruled Bowers v. Hardwick, in Lawrence v. Texas, 539 U.S. 558 (2003). Justice Anthony M. Kennedy, writing for the majority, posed in this way the central question of the case: “whether [the defendants] were free as adults to engage in the private conduct in the exercise of their liberty under the Due Process Clause….” After reviewing the high Court’s own post-Hardwick privacy rulings, and taking an unprecedented account of foreign judgments, the majority concluded that the Constitution did and should protect such activity among consenting adults. Though primary emphasis rested on due process and equal protection, the Court did stress a strong privacy interest as well: “The [defendants] are entitled to respect for their private lives. The State cannot demean their existence or control their destiny by making their private sexual conduct a crime.” The majority quoted a passage from one of the earlier abortion-rights cases, recognizing “that there is a realm of personal liberty which the government may not enter,” and concluded that “the Texas statute furthers no legitimate state interest which can justify its intrusion into the personal and private life of the individual.” Not every recent ruling has favored privacy claims, however. A few years ago, the Court declined in Washington v. Glucksberg, 521 U.S. 702 (1997), to find in the due process clause a privacy interest sufficient to
OCR for page 129
Engaging Privacy and Information Technology in a Digital Age invalidate state laws that ban assisted suicide—a ruling that was actually consistent with the high Court’s earlier refusal in Cruzan v. Missouri Health Dep’t, 497 U.S. 261 (1990), to order the removal (pursuant to parental pleas) of life support from a vegetative accident victim. 4.2 COMMON LAW AND PRIVACY TORTS The modern quest for recognition of such a right of privacy is often traced to a seminal Harvard Law Review article, published in 1890 by a young Louis D. Brandeis and his senior partner Samuel Warren.5 The article reflected growing concern about unwelcome and intrusive media publicity about the private lives of the rich and famous (notably the newspaper publication of sensitive guest lists for social events hosted by the Warrens). The thesis of the piece was that courts should be more receptive to claims of privacy, and should develop “a right to an inviolate personality.” Today, common law regarding privacy is formulated in terms of a set of four privacy torts for which legal recourse may be appropriate—although when the threat is created by a publisher, broadcaster, or other entity protected by the First Amendment, courts will not always grant relief to the person whose privacy has been compromised. First articulated by William Prosser,6 these torts include: Intrusion—Objectionable intrusion into the private affairs or seclusion of an individual. The intrusion may be physical or electronic and is oriented toward improper information gathering. For example, watching someone urinating in a bathroom stall—whether through a peephole or using a video camera—is likely such an intrusion. Intrusion would generally not be applicable when someone is seen or photographed in public, although certain exceptions can be easily imagined (e.g., an out-of-visual-band camera that could generate realistic images of human bodies underneath clothing or “up-skirt” cameras embedded in the sidewalk. Public disclosure of private facts—Publication of personal information 5 Samuel Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review 4(5):193, 1890. 6 William L. Prosser, “Privacy,” California Law Review 48:383, 1960. The discussion in this section draws on Joey Senat, “4 Common Law Privacy Torts,” 2000, an online study reference, available at http://www.cas.okstate.edu/jb/faculty/senat/jb3163/privacytorts.html; “The Privacy Torts: How U.S. State Law Quietly Leads the Way in Privacy Protection,” a special report issued by Privacilla.org, July 2002, available at http://www.privacilla.org/releases/Torts_Report.html; and National Research Council, Who Goes There? Authentication Through the Lens of Privacy, Stephen T. Kent and Lynette I. Millett, eds., The National Academies Press, Washington, D.C., 2003.
OCR for page 130
Engaging Privacy and Information Technology in a Digital Age that a reasonable person would object to having made public. The information must be both true and reasonably construable as private (e.g., a person’s height would be less private than an account of his sexual past). In addition, the disclosure must be public—disclosure to a small number of people or those with a legitimate need to know does not count as public. Disclosure in the form of a movie that reveals someone by name is public; discussion among a group of acquaintances is not. Finally, the disclosure must not be newsworthy—thus making publication about the private lives of celebrities fair game. In an information age context, publication of a non-celebrity’s personal information on a publicly accessible Web page is largely uncharted territory. Misappropriation of name or likeness—Unauthorized use of an individual’s picture or name for commercial advantage. The misappropriation tort applies if and when a person’s name, likeness, or identity is used without his or her permission for trade or advertising purposes. The misappropriation tort relates to information privacy, but only insofar as it deals with a particular kind of use of a certain kind of personal information. False light—Publication of objectionable, false information about an individual. The intent of this tort is to protect people against being cast in a false light in the public eye. For example, this tort would apply when someone’s photograph is publicly exhibited in a way or a context that creates negative inferences about him. The false light tort has been found applicable when people have been wrongly associated with juvenile delinquents or drug dealing, for example. Of the four privacy torts, the false light tort is least applicable to informational privacy, since it deals with false information. The 1964 Restatement of the Law of Torts (a clarification and compilation of the law by the American Law Institute) adopted the Prosser framework.7 Together, these torts provide a basis for privacy suits against the disclosure, without consent, of embarrassing false information about a person, or of intimate details or images from a person’s private life, or unauthorized use for profit or commercial gain of an individual’s image, likeness, voice, or reputation. As a matter of practice, these privacy torts have not been used much to protect the information-age privacy of individuals. However, the principles behind these torts are useful reminders of some of the interests that privacy is designed to protect against—intrusion into personal affairs and disclosure of sensitive personal information, among others. As a historical matter, the Warren-Brandeis article may not fully 7 American Law Institute, Restatement of the Law of Torts, Philadelphia, 1964.
OCR for page 131
Engaging Privacy and Information Technology in a Digital Age deserve the credit it usually draws. Fully a decade earlier, Judge Thomas Cooley had written in his Treatise on the Law of Torts that “the right to one’s person may be said to be a right of complete immunity: to be let alone.”8 Although Cooley seems to have been more focused on physical than psychological intrusion, the phrase that he used first gave momentum to the quest for broader protection. Warren and Brandeis, in fact, fashioned an analogy between the legal basis for physical privacy (well established in British case law) and the emerging and more subtle value of protection for feelings, personal dignity and the like, for which they would invoke the new doctrine championed in their article. The impact of the Warren-Brandeis thesis, well over a century later, is still not easily assessed. On the one hand, nearly every state has adopted statutory protection for privacy claims that extend well beyond the physical sanctity of the home and office; at last count, North Dakota and Wyoming were the only holdouts. On the other hand, the degree to which the Warren-Brandeis view really has gained legal acceptance remains far less uniform. The most recent Restatement of the Law of Torts, issued in 1977, recognized a cause of action for unconsented “public disclosure of private facts” but qualified that recognition by noting, for example, that “while [a person] is walking on the public highway, there can be no liability for observing him or even taking his photograph.”9 Nonetheless, another comment to the 1977 Restatement posits that publishing “without consent, a picture of [the subject nursing her child]” would be actionable even if taken in a public place. In short, there is uncertainty and substantial ambivalence on the precise contours of this legal claim. Scholars, too, have remained ambivalent. In the mid-1960s, Harry Kalven asked rhetorically (in the title of an article on just this subject), “Were Warren and Brandeis Wrong?,” concluding that we are probably better off today because their plea for broad protection of privacy never has been fully embraced by the courts. 4.3 FREEDOM OF INFORMATION/OPEN GOVERNMENT Freedom of information has been and remains in this country a creature of statute and not of constitutional right. Save for a few situations (notably the criminal trial) where courts have recognized a First Amendment claim of access, obtaining government information or covering sen- 8 Thomas Cooley, A Treatise on the Law of Torts or the Wrongs Which Arise Independent of Contract, Callaghan, Chicago, 1879. 9 American Law Institute, Restatement of the Law of Torts, 2nd Edition, Philadelphia, 1977, pp. 379-380.
OCR for page 132
Engaging Privacy and Information Technology in a Digital Age sitive proceedings remains subject to the will of that government which controls the data or the site. Since 1965, at the federal level, the Freedom of Information Act (FOIA) has been the vital basis for access claims, many of which have been litigated with varying results. Among the nine statutory exemptions to a citizen’s right of access under FOIA, those most likely to precipitate privacy tensions are Exemptions 6 and 7c. The first of these relates to information such as personnel and medical files, the disclosure of which would “constitute a clearly unwarranted invasion of personal privacy.” Exemption 7c excludes records or information compiled for law enforcement purposes, “but only to the extent that the production of such [materials] … could reasonably be expected to constitute an unwarranted invasion of personal privacy.” In the major decision construing and applying Exemption 7c, United States Department of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749 (1989), the Supreme Court noted the need, under the statute, to balance the interests of openness and accountability against the statutory recognition of individual privacy. The justices unanimously rejected claims of access to a suspect’s rap sheet, noting the vital distinction (in FOIA) between the statute’s “purpose to ensure that the Government’s activities be opened to the sharp eye of public scrutiny” and the contrasting claim that “information about private citizens that happens to be in the warehouse of the Government be so disclosed.” But in a case that eventually led to extensive revelations of truly chilling law enforcement activity in the 1960s, a federal appeals court ruled in Rosenfeld v. Department of Justice, 57 F.3d 803 (9th Cir. 1995), that Exemption 7 would not justify withholding FBI documents pertaining to investigations of faculty and students at Berkeley during the Vietnam War era, the court noting that the FBI had no legitimate law enforcement interest in its probe of the Free Speech Movement and thus could not invoke a valid privacy interest to resist disclosure. Tensions between privacy and access arise occasionally in a very different context. The Supreme Court has twice in recent years resolved those debates in favor of the privacy interest. California law, in the interests of privacy, limited to certain groups ready access to records including the addresses of persons arrested on driving charges. Commercial enterprises were excluded from the access pathway and challenged the restriction through the state courts to the U.S. Supreme Court. The justices, in Los Angeles Police Department v. United Reporting Publishing Co., 528 U.S. 32 (1999), rejected, at the least, the challenge brought forward by the proprietary data seekers, leaving open the possibility of a future attack on the statute as it had been applied. Finally, in the aftermath of the September 11, 2001, attacks, regulations binding on federal agencies have been promulgated to reduce the
OCR for page 144
Engaging Privacy and Information Technology in a Digital Age Under a number of statutory provisions (including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, and the Children’s Online Privacy Protection Act), the FTC—often jointly with other regulatory agencies—has issued a variety of regulations that relate to privacy. Under the Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999 and codified at 15 U.S.C. 6801-6809 and 6821-6827), the FTC has issued regulations (16 C.F.R. Part 313) to ensure that financial institutions protect the privacy of consumers’ personal financial information.15 The main privacy protection provision is the Financial Privacy Rule, which governs the collection and disclosure of customers’ personal financial information by financial institutions.16 In brief, the Financial Privacy Rule requires covered institutions to give consumers privacy notices that explain the institutions’ information-sharing practices, gives consumers the right to limit certain types of sharing of their financial information on an opt-out basis, and puts some limits on how anyone receiving nonpublic personal information from a financial institution can use or re-disclose the information. In addition, the FTC has also promulgated the Safeguards Rule, which requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information. Such a plan has administrative, technical, and physical information safeguards, and is intended to protect against any unauthorized access that might harm the consumer. Finally, other provisions of the Gramm-Leach-Bliley Act also affect how a company conducts business, such as a prohibition on financial institutions disclosing customers’ account numbers to non-affiliated companies for marketing purposes. Under Section 114 of the Fair and Accurate Credit Transactions Act of 2003, the FTC (in cooperation with the federal agencies regulating financial services, such as the Securities and Exchange Commission and the Commodity Futures Trading Commission, and the National Credit Union Administration) promulgated regulations specifying procedures under which financial institutions would protect account holders from 15 “Financial institutions” include banks, securities firms, insurance companies, and other companies providing certain types of financial products and services to consumers, including lending, brokering, or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts, and an array of other activities. 16 See Federal Trade Commission, “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act,” available at http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm.
OCR for page 145
Engaging Privacy and Information Technology in a Digital Age identity theft. Section 151 directed these agencies to jointly develop a summary of the rights of identity theft victims that would be made available to all such victims. Regulations issued under Section 211 established a single source through which a consumer could obtain a free credit report. Section 216 directed these agencies and the Securities and Exchange Commission to promulgate regulations for the disposal of consumer report information and records, whether they are stored in electronic or paper form. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, and medical history. Under the Children’s Online Privacy Protection Act (15 U.S.C. 6501-6506), the FTC is responsible for promulgating regulations (16 C.F.R. Part 312) implementing the protections of the act. These protections require that operators of commercial Web sites and online services directed to collect or knowingly collecting personal information from children under 13 must (1) notify parents of their information practices; (2) obtain verifiable parental consent before collecting a child’s personal information; (3) give parents a choice as to whether their child’s information will be disclosed to third parties; (4) provide parents access to their child’s information; (5) let parents prevent further use of collected information; (6) not require a child to provide more information than is reasonably necessary to participate in an activity; and (7) maintain the confidentiality, security, and integrity of the information. The rule-making authority of the FTC described above illustrates a common relationship between statutory authority and regulation. The U.S. Congress passes legislation that lays out the general issues and principles in question, but leaves it to a regulating agency to work out the details of how that legislation should be implemented. But this relationship is not the only possible one, and in some instances, Congress has delegated extremely broad regulatory authority to an agency, thus making it the primary source of guidance on a major privacy-related topic. A good example of this phenomenon is apparent in the privacy-protecting regulations of the Health Insurance Portability and Accountability Act of 1996. Legislators understood very well that the privacy of personal health information was a central issue for health insurance portability, but they were unable to reach agreement on the nature and scope of the appropriate privacy protections. Thus, Section 264 of HIPAA directed the secretary of the Department of Health and Human Services (DHHS) to promulgate regulations on appropriate privacy standards (covering at least the rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be
OCR for page 146
Engaging Privacy and Information Technology in a Digital Age established for the exercise of such rights, and the uses and disclosures of such information that should be authorized or required) if the U.S. Congress did not pass appropriate privacy legislation within 3 years of HIPAA’s enactment. This is indeed what happened, and the final privacy rule was published in the Federal Register (65 FR 82462) on December 28, 2000. On August 14, 2002, the Final Modifications to the Privacy Rule were published in the Federal Register.17 In short, Congress anticipated its possible inability to reach agreement on the contentious issue of health care privacy, and delegated to the DHHS secretary the regulatory authority to act in its stead. 4.4 EXECUTIVE ORDERS AND PRESIDENTIAL DIRECTIVES As the chief executive, the president of the United States has considerable latitude to direct the activities of various executive branch agencies. Some directives or executive orders have a bearing on privacy, as illustrated below. One example is Executive Order 13145, issued on February 8, 2000. This executive order prohibited the federal government and its agencies from using genetic testing in any employment decision, and specifically forbids federal employers from requesting or requiring that employees undergo genetic tests of any kind. In addition, it forbids federal employers from using genetic information to classify employees in such a way that deprives them of advancement opportunities, such as promotion for overseas posts. A second example is Executive Order 13181, issued on December 20, 2000. This executive order declared as the policy of the government of the United States that law enforcement may not use protected health information concerning an individual that is discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations of a non-health oversight matter, except when the balance of relevant factors weighs clearly in favor of its use. A third example is a presidential order issued in 2002 that authorized the U.S. National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity under certain circumstances without the court-approved warrants ordi- 17 For more information, see U.S. Department of Health and Human Services, “Medical Privacy—National Standards to Protect the Privacy of Personal Health Information: Background and General Information,” available at http://www.hhs.gov/ocr/hipaa/bkgrnd.html.
OCR for page 147
Engaging Privacy and Information Technology in a Digital Age narily required for domestic wiretapping.18 This presidential order is still classified. Orders and directives such as these clearly have a potential for affecting the privacy interests of Americans. But it is important to note that they are limited in at least three important ways. Though they are authoritative statements of presidential direction, their implementation must be consistent with existing statutory law. Executive orders have the force of law, but only with respect to executive branch agencies. Executive orders have no direct impact or force on private sector entities, although because they change the behavior of government, they can have considerable indirect impact. Upon signing a law, presidents often issue a signing statement that is published in the Federal Register and that documents the presidential interpretation of how the law should be construed. Signing statements do not have the force of law, but if a president directs an agency to behave in a manner that is allegedly contravened by the law, or by some other law, only court action can force the agency to cease and desist. 4.5 STATE PERSPECTIVES As one might expect within a federal system such as the U.S. system, legal protection of privacy varies vastly from state to state—reflecting what are often little more than anecdotal experiences that have triggered legislative safeguards. Table 4.1 indicates the variation in state laws regarding privacy for the first 16 states, listed alphabetically. Such diversity is not inherently problematic; one recalls Justice Louis Brandeis’s commendation for the role that unusually progressive states might play as “laboratories” for reform and innovation. The problem in regard to privacy protection, however, is the inevitably broad reach across much (if not all) of the nation of especially restrictive measures, and the potentially heavy burdens of compliance for those business entities that serve clients and customers in many states. Efforts to protect the privacy of sensitive (and even not-so-sensitive) financial data illustrate the problem extremely well. In the mid to late 1990s, North Dakota and Minnesota each enacted uniquely protective measures, ostensibly to shield its own citizens from unwelcome sharing or disclosure of financial information. It soon became apparent to insur- 18 James Risen and Eric Lichtblau, “Bush Lets U.S. Spy on Callers Without Courts,” New York Times, December 16, 2005.
OCR for page 148
Engaging Privacy and Information Technology in a Digital Age TABLE 4.1 Privacy Laws by State Category US Statea AL AK AZ AR CA CO CT DE DC FL GA HI IL IN IA KS Arrest records O X O X O X X X X X X X X X X O O Bank records X X X O O X O X O O X O O X O X O Cable TV X O O O O X O X O X O O O X O O O Computer crime X X X X X X X X X O X X X X X X X Credit X O O X O X O X X O X X O O O X X Criminal justice X X X X X X X X X O X X X X X X X Government data banks X X X X O X X X X X X O X X X X X Employment X O X O O X O X X X X O X X O X O Insurance X O O X O X O X O X X X O X O O X Mailing lists X O O X O X O X X O X O X O X X X Medical X X X X X X X X X X X X X X X X X Miscellaneous X O O O O X O X O O X O X X X O O Polygraph results X X X X X X O X X X O X X X O X O Privacy statutes X O X X O X O O X O X X X X O O O Privileges O X X O O O X X X O O X O O X O O School records X O O X O X X X X O X O O X O X O Social Security numbers O O O O O O O O O O O O O O O O O Tax records X O X X O O X O X O O X X O O O X Telephone solicitation X O X X X X X X O O X X X X X X X Testing O O O O O O O X O O X O X O O X O Wiretaps X X X X X X X X X X X X X X X X X aAn X in indicates that the state has a privacy law relevant to the category indicated, although it does not indicate how effective or strong the law is. Only the first 16 states (in alphabetical order) are listed. SOURCE: Data from http://www.epic.org/privacy/consumer/states.html.
OCR for page 149
Engaging Privacy and Information Technology in a Digital Age ance and financial service providers that the need for compliance with this exceptionally protective law went well beyond the state of its origin and initial reach. Since North Dakotans and Minnesotans might well move to other states, while policy holders or customers from elsewhere would move to North Dakota and Minnesota, the costs of bringing the entire national business enterprise into compliance with the strictest standard eventually seemed less onerous than the incalculable costs of confining compliance to residents of the target state. What ensued was a novel kind of reverse Gresham’s law, in which the most rigorous standard eventually shaped the norm, effectively forcing divergent standards to yield by default. Congress could, of course, achieve uniformity in several ways. In a very few areas—patent, copyright, and admiralty being the most familiar—the Constitution itself makes federal law exclusive and thus completely forestalls any possibility of variant regulation at other levels. But the exclusively federal field is the rarity, and in most regulatory realms power is shared between national and state government until and unless Congress or the federal courts declare otherwise. The most obvious means of setting a single national standard would be for Congress itself to regulate the activity in question, and in so doing either declare that inconsistent state and local standards were being preempted, or establish that the federal norm was the exclusive mode of regulation, thus precluding even consistent action by state and local government. A less obvious but theoretically possible approach would be for Congress to enter a regulatory area only to the extent necessary to limit or ensure uniformity in the standards that states and localities may set, but without creating its own federal regulatory system—in other words, leaving the actual regulation to other levels of government, but at the same time ensuring a degree of uniformity by setting parameters and boundaries for the exercise of that authority by states and localities. There is one precedent for such action. In 1999, Congress amended the Driver’s Privacy Protection Act (DPPA) to forbid state departments of motor vehicles and law enforcement officials to sell or otherwise release personal information obtained in connection with any motor vehicle or license record without affirmative opt-in consent. The constitutionality of this law was challenged by a group of states that apparently wished to retain the revenue streams associated with the sale of such data. In 2000, the U.S. Supreme Court unanimously sustained the constitutionality of this act in Reno v. Condon, 528 U.S. 141 (2000). The DPPA was found to be not only an appropriate exercise of Congress’s power over interstate commerce, but also one that invaded no state powers protected by the Ninth and Tenth Amendments. The Condon decision was unusual and stands as one among a very
OCR for page 150
Engaging Privacy and Information Technology in a Digital Age few decisions in the Rehnquist Court that sustains an act of Congress imposing obligations on the states or limiting state power. By contrast, during the late 1980s and much of the 1990s the Supreme Court was generally unsympathetic to congressional initiatives in areas of state and local interest and authority. Whereas previous Courts would likely have had little trouble finding federal power under the commerce (or other) clause, the Rehnquist Court rejected on constitutional grounds a number of acts that seemed to be perfectly reasonable and appropriate exercises of federal power. Two such decisions were one striking down federal laws that sought to ensure public school safety by requiring installation of metal detectors, and another that granted relief to women who had been victims of sexual assaults and wished to seek redress in federal courts. In these and a host of other situations in which the Warren Court and even the Burger Court would almost routinely have sustained the power of Congress to act, the Rehnquist Court found federal power lacking under its view of Article I of the Constitution, and deferred to state power under the Ninth and Tenth Amendments. Although the justices were sharply divided in these cases, a clear majority consistently sided with the states throughout this decade. Thus, the extent to which the Condon decision indicates a willingness of the Supreme Court to uphold congressional preemption of state laws regarding privacy is unknown. And a new chief justice—John Roberts—has been recently sworn in, making predictions about future court action in this domain much more uncertain than they already were. Finally, it should be noted that state laws can have national impact. The best such example is California’s SB-1386 (sometimes known as the California Security Breach Information Act), which mandated the disclosure of compromises in the security of certain types of personal information. Even though the law ostensibly affected only enterprises operating in California, that many businesses affected by the law have multistate operations has meant that residents of other states have also sometimes been notified when their personal information has been compromised. In addition, the passage of this law has spurred a number of other states to attempt the passage of similar legislation.19 (As this report is being written, Congress is considering a law (H.R. 4127, the Data Accountability and Trust Act) to set uniform standards across the states for disclosure in the event of such breaches; as written, some proposals for this law would reduce notification and disclosure requirements for some states.) 19 For additional discussion, see Eric M. Friedberg and Michael F. McGowan, Lost Backup Tapes, Stolen Laptops and Other Tales of Data Breach Woe, white paper from Stroz Friedberg, LLC, Washington, D.C., June 26, 2006.
OCR for page 151
OCR for page 152
Engaging Privacy and Information Technology in a Digital Age In 1998, the European Commission’s Directive on Data Protection went into effect. This directive was intended to prohibit the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection. However, differing approaches of the United States and the European Union to protecting privacy might have hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.20 While some privacy advocates at the time had hoped that the directive would force the United States to move significantly in the direction of the European approach to protecting privacy (i.e., in the direction of comprehensive privacy protection), the United States and the European Union agreed on a “safe harbor” approach.21 Under this approach, any U.S. company may self-certify that it agrees to adhere to the safe harbor’s requirements, which are based in large measure on the fair information practices described in Chapter 1. Enforcement of the safe harbor takes place in the United States in accordance with U.S. law and is carried out primarily by the private sector, backed up as needed by government enforcement of the federal and state statutes prohibiting “unfair and deceptive” trade practices. Companies in certifiable compliance with safe harbor requirements are deemed to meet the European “adequacy” standard. In 2004, Yahoo! (more specifically, its Chinese subsidiary) provided Chinese government authorities the computer IP address and other information that was used to link specific e-mail messages to the e-mail account of Shi Tao, a former Chinese journalist. The information—generally regarded as non-public—was used to convict and sentence Tao to 10 years in prison in 2004, for e-mailing groups in the United States about the return of Chinese emigrants for the 15th anniversary of the Tiananmen Square incident.22 More recently, Yahoo! has been accused of releasing information generally regarded as non-public from an online discussion group that led to the conviction of Li Zhi, a former civil servant, in December 2003, who is serving 8 years in prison for the charge of “inciting sub- 20 As discussed in Appendix B, the United States protects privacy by relying on a sectoral approach based on a mix of legislation, regulation, and self-regulation. The European Union relies on comprehensive legislation that is, in part, based on the use of government data protection agencies, registration of databases containing personal information with those agencies, and in some instances prior approval of the data subject before any processing of that data may begin. 21 For more information, see http://www.export.gov/safeharbor. 22 Court documents, released by Reporters Without Borders, reveal that the Yahoo! subsidiary in Hong Kong supplied the information to the Chinese authorities revealing the user’s identity. For a translated copy of the court verdict, see http://www.rsf.org/article.php3?id_article=14884.
OCR for page 153
Engaging Privacy and Information Technology in a Digital Age version.”23 Yahoo! has declined to comment on these cases or to disclose how often it provides user information to Chinese authorities. However, Yahoo! has acknowledged that it lacks control over some operations since Yahoo! China merged with Alibaba.com, a Chinese company that holds 60 percent of the company.24 These examples barely scratch the surface of an extraordinarily complex and ill-defined international policy environment in which non-U.S. organizations and institutions have an impact on U.S. companies and policy. For many years, the Organisation for Economic Co-operation and Development was actively involved in the negotiation of guidelines for the management and protection of personal information that had become a substantial part of the trans-border data flows essential to international trade in information goods and services. Although debates about trade became tangled up within fierce ideological struggles about “cultural imperialism” and the New World Information and Communication Order,25 ideological concerns were replaced to some degree by concerns about market power as the development of a more closely integrated European marketplace was thought to depend on more uniform policies regarding the treatment of personal information. In order to understand the development of privacy policies at the international level, it is important to understand the interests, strategies, and resources of different sorts of participants in the policy process. Although traditional sources of power and influence such as national governments and representatives from key missions and administrative agencies with interests and responsibility for national security and foreign trade have to be considered along with the more complex interests of transnational firms, it is also important to consider the role of the epistemic community of policy experts who are engaged in the elaboration of new ways of thinking about the international arena.26 Policy formation at the international level is also characterized by a considerable amount of negotiation, bargaining, and compromise among 23 Hiawatha Bray, “Yahoo Said to Aid China in 2003 Subversion Trial,” Boston Globe, February 9, 2006, available at http://www.boston.com/business/technology/articles/2006/02/09/yahoo_said_to_aid_china_in_2003_subversion_trial/. 24 Eric Schonfeld, “Analysis: Yahoo’s China Problem,” CNNMoney.com, February 8, 2006, available at http://money.cnn.com/2006/02/08/technology/yahoo_china_b20/. 25 Thomas L. McPhail, “Electronic Colonialism: The Future of International Broadcasting and Communication,” Sage Library of Social Research, Revised Second Edition, Vol. 126, Sage Publications, 1987. 26 Jonathan D. Aronson, “The Evolution of Global Networks: The Precarious Balance Between Governments and Markets,” pp. 241-255 in Eli Noam and Alex Wolfson, eds., Globalism and Localism in Telecommunications, Elsevier Science, 1997.
OCR for page 154
Engaging Privacy and Information Technology in a Digital Age different stakeholders. Coalitions among business leaders facing similar limitations on their ability to make use of personal information for marketing purposes pooled their resources to support intensive lobbying efforts against the opt-in requirements that seemed likely in the European Union in 1990.27 These business coalitions also sought and received support from their nations’ trade commissions because of a well-placed concern about regulatory threats to the market in data-processing services. Coalitions among regulators were also common.28 Privacy and data protection commissioners met to develop strategies for preserving what they saw as important progress in the protection of privacy. One result of the participation of so many actors with such varied interests and resources was the development of highly complex policy instruments. Unique and often contradictory policy perspectives continue to challenge policy advocates largely dependent on grants from foundations. Global policies regulating the treatment of personal information as it moves across virtual borders raise important questions about national sovereignty and respect for policies reflecting cultural values and social history.29 The presumed need to identify the location of the jurisdiction from which an order is placed, or is to be delivered, in order to determine whether a particular transaction can be completed within the laws of that region raises a complex set of issues for supporters of autonomous choice.30 27 Priscilla M. Regan, “American Business and the European Data Protection Directive: Lobbying Strategies and Tactics,” pp. 199-216 in Colin Bennett and Rebecca Grant, eds., Visions of Privacy: Policy Choices for the Digital Age, University of Toronto Press, 1999. 28 Colin J. Bennett and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate Publishing, 2003. 29 National Research Council, Global Networks and Local Values: A Comparative Look at Germany and the United States, National Academy Press, Washington, D.C., 2001. 30 Priscilla M. Regan, “‘Dry Counties’ in Cyberspace: Governance and Enforcement Without Geographic Borders,” pp. 257-276 in Thomas Leinbach and Stanley Brunn, eds., Worlds of E-Commerce: Economic, Geographical and Social Dimensions, John Wiley & Sons, 2001.
Representative terms from entire chapter: