National Academies Press: OpenBook
« Previous: 5 Free Speech and the Internet
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 133
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 134
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 135
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 136
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 137
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 138
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 139
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 140
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 141
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 142
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 143
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 144
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 145
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 146
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 147
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 148
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 149
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 150
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 151
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 152
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 153
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 154
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 155
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 156
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 157
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 158
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 159
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 160
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 161
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 162
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 163
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 164
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 165
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 166
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 167
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 168
Suggested Citation:"6 Privacy and Freedom of Information." National Research Council. 2001. Global Networks and Local Values: A Comparative Look at Germany and the United States. Washington, DC: The National Academies Press. doi: 10.17226/10033.
×
Page 169

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

6 Privacy and Freedom of Information 6.1 INTRODUCTION Chapter 5 discussed how the United States and Germany differed in their approaches to resolving the tensions between formal and substan- tive values. Both countries subordinated the formal value of free speech to certain substantive values, but in the case of the United States, the trumping substantive value was an aversion to pornography, while for Germany it was an aversion to hate speech and its Nazi overtones. This chapter examines potential tensions between another substan- tive value (privacy) and a formal value (transparency in government, as exemplified by notions of "freedom of information," or FOI). The situa- tion is not quite the same as that in the earlier chapter, however. Free speech is more or less understood in the same way in both nations and it enjoys explicit constitutional protection, which can be abridged only in very limited circumstances. Privacy, on the other hand, is not interpreted in the same way in the two countries and, at least in the United States, arguments continue as to whether it enjoys constitutional protection. Freedom of information is also interpreted in different ways in the United States and Germany, and is not explicitly protected in either con- stitution. How privacy and freedom of information are actually inter- iRecall (Chapter 3) that formal values can be regarded as general principles by which individuals choose to live, while substantive values relate to specific aspects of one's envi- ronment and behavior. 133

34 GLOBAL NETWORKS AND LOCAL VALUES preted in the two countries determines when and how they are in tension as values. What kinds of information are explicitly designated as public in the pertinent statutes, and, at least in the United States, what protection of privacy is provided for in statute, determine when and how they are in tension as a legal matter. Although neither nation protects privacy or freedom of information as strongly as it does free speech, to the extent that they do provide pro- tection Germany puts greater emphasis on privacy and the United States favors transparency. Germany, and Europe more generally, have com- prehensive systems of law and regulation in place to protect privacy. The United States, by contrast, has a patchwork of incomplete protections. With respect to freedom of information, the situation is reversed. The United States has a comprehensive system that provides the public with access to an enormous range of information and data, while Germany has a patchwork system. With respect to freedom of information, both countries rely on ordi- nary legislation rather than constitutional law to specify which documents should be accessible to the public and under what terms. The situation with respect to privacy is somewhat different, in that German constitu- tional jurisprudence does recognize the right explicitly and many Ameri- can scholars argue that privacy protection is implicit in a number of con- stitutional provisions. Nevertheless, here too legislation plays the more important role in defining the meaning of the right. A further distinction between the tensions described in this chapter and the one addressed in the preceding chapter is that the threat to pri- vacy does not necessarily come about because of information made avail- able by the government; it often derives from information collected by and/or shared between private parties.2 Privacy and freedom of information are not always in tension; in some instances, society's commitment to freedom of information is the key to maintaining a person's privacy. That is, if an individual can invoke FOI rights to learn what personal information the government holds about him or her and how it has used the information, the government can be held accountable for any misuse. Thus, the person can effectively exercise some control over abuse of the information, which is one of the important dimensions of privacy. In many other cases, rights to privacy and FOI rights do not intersect at all for instance, data on the performance of the economy, on land use, 2The distinction is not always clear-cut. For example, personal data in a company's pos- session may enter government records (e.g., through a bankruptcy or other court proceed- ing). In such a case, information may be subject to FOI disclosure.

PRIVACY AND FREEDOM OF INFORMATION 135 or on a host of other issues of importance to governments are not obvi- ously relevant to privacy.3 In other words, to the extent that privacy re- fers to keeping personal information private and under the control of the individual with whom it is associated, privacy rights need not conflict with the free disclosure of information relevant to the workings of gov- ernment. Even in these cases, however, the formal value of transparency of state activities is not necessarily viewed by governments as an unal- loyed good. That is, a question arises concerning the extent to which gov- ernments need to be able to deliberate in private or to control the release of raw data to prevent public panic (one end of the spectrum) or provide a desired spin (perhaps the other end). But despite these caveats, privacy rights and FOI rights do, in many instances, come into conflict. In these cases, privacy is in conflict not only with the formal value of transparency of state activities, but also with the public interest (e.g., in the prevention and prosecution of criminal of- fenses) or commercial interests (e.g., in the collection and exploitation of data). Global networks such as the Internet have raised the stakes signifi- cantly for both privacy and freedom of information. Clearly, they facili- tate dissemination of information held by both public and private institu- tions. But perhaps even more significantly, the capabilities of computers and software to mine, sort, and reorganize data have increased the ability of many institutions to exploit that information. They can more readily put it into useful formats and tease out of disparate databases compre- hensive and accessible profiles on private individuals and the actions of governmental bodies. 6.2 PRIVACY 6.2.1 The Values Involved Privacy is the epitome of a substantive value. It encompasses ideas of autonomy, dignity, and personal freedom and control, and it provides protection for the individual. Box 6.1 describes examples of what might be regarded as violations of privacy. Privacy is different from secrecy and confidentiality. Secrecy is a func- tional concept, requiring an agreement on the part of those who are party 3The development of new technologies make statements of this kind always subject to caveats. For example, the increasing capacity to mine nominally "anonymous" data to back out information about individuals is often acknowledged. Further, even when data are gathered remotely, low-orbit photoreconnaissance satellites with high resolution (or even photoreconnaissance aircraft) might yield data on the behavior of individuals.

36 GLOBAL NETWORKS AND LOCAL VALUES to some information to not share it with others. It generally does not require (or seek) the sanction of society, merely the commitment of those who share the information. Confidentiality is a more formal and social concept, a set of rules that govern the use of information held by institu- tions about individuals and the conditions under which that information can be shared. Privacy is quite distinct from both of these concepts; it refers to the right of individuals to control information about themselves- to keep it secret or to share it with others only as they see fit. Although privacy in essence serves individuals by protecting and empowering them, it also serves society and government. When a person believes that his or her privacy is threatened, that individual may become defensive, minimizing personal exposure by being cautious about ex- pressing views and disengaging from society as much as possible. But because democratic societies rely on full participation and free expression

PRIVACY AND FREEDOM OF INFORMATION 137 by its citizens, the threat that gives rise to the individual's defensiveness becomes a threat to society as well. Obviously, privacy is not an absolute right. For example, commit- ments to maintain privacy may conflict with free expression (if, for ex- ample, that free expression might divulge private information). Societies have asserted a need (and therefore a right) to gather and use information about individuals for such purposes as taxation, census, and health; to hold people to their obligations as citizens; to serve them in accordance with their entitlements; and to support law enforcement efforts. Such societal assertions must be balanced against the desirability of the per- sonal right of individuals to know what information about them is being gathered and used; in that way, they can monitor the conformity of such use to law, and control any uses beyond those sanctioned purposes. Private institutions or other individuals do not have a constitutional right to violate an individual's privacy, although they may gain the privi- lege of using someone's personal information in certain ways under a contractual arrangement with that person. (On the Web, personal infor- mation is often collected under a theory of "implied consent," in which use of a Web site grants the site operator the right to collect certain per- sonal information automatically through "cookies" and the like (Box 6.2~. To illustrate the conflicting pressures, it is instructive to compare dis- closure policies for health records with policies for pizza-delivery records. There are many users who can legitimately argue for access to patient health records without the specific authorization of the patient. In order to meet a number of social, economic, and health needs, a society may allow access to some parts of health records by public health authorities, health researchers, fraud and abuse investigators, accreditation firms, and even law-enforcement agencies under some circumstances. Actually, elec- tronic databases may provide for greater privacy protection in these in- stances than traditional paper records because it is easier to limit access to only certain parts of the patient record. For pizza-delivery records, on the other hand, it may never be appropriate to allow for any nonconsensual disclosures because there are no overriding societal needs that justify it. The privacy interests of individuals are likely to be greater in their medical records, however, than in their pizza-delivery records. And, the public uproar over unauthorized release of medical records is inevitably much larger than in the case for pizza delivery records. Confidentiality of medical information has also been regarded as a prerequisite for free and candid discussions between health-care professionals and their patients. For these reasons, a culture of resistance to unauthorized disclosure of medical records is common in the health profession.

38 GLOBAL NETWORKS AND LOCAL VALUES 6.2.2 German and American Perspectives In 1983 the German Constitutional Court summarized the underlying value balance as follows: The individual . . . has the right to know and to decide on the information being processed about him. At the same time, as a social being the indi- vidual cannot avoid becoming the object of information processing. However, limitations to his basic right have only to be accepted when there is an overriding general interest and if that interest is molded into a law that follows the basic requirements of clarity and proportionality. To protect these principles a number of safeguards are required; these safeguards consist of data processing principles (correctness, timeliness, purpose limitation, fairly and lawfully obtained), derived rights (access, correction), and organizational safeguards (independent institutions).4 In the United States, the development of privacy policy has been slow and uneven, with the privacy of information collected and held by gov- ernment receiving much more attention than information collected and held by private companies and organizations. For example, the Privacy Act of 1974 (P.L. 93-579) and the subsequent Privacy Protection Study Commission both focused on information collected and held by the gov- ernment as the potential misuser of personal information. The Privacy 4BVerfGE 65,1 (41 95).

PRIVACY AND FREEDOM OF INFORMATION 139 Act in particular provides a broad policy framework for privacy relevant to such information. Some specialized privacy protections applicable to nongovernmental entities emerged in the 1970s and 1980s, including the Fair Credit Report- ing Act of 1970, the Family Educational Rights and Privacy Act of 1974, the Cable Communications Policy Act of 1984, the Electronic Communi- cations Privacy Act of 1986, and the Video Privacy Protection Act of 1988. The privacy of health information was addressed in the Health Insurance Portability and Accountability Act of 1998 and the Children's Online Pri- vacy Protection Act of 1999. However, U.S. privacy policy remains un- settled, in part because of concerns about the costs (and other burdens) of compliance, ambiguity about the appropriate application of underlying philosophical principles (property and free speech, for example), and un- resolved political clashes between those who collect and process data and those who advocate for broad privacy protection. As the above paragraphs illustrate, the United States and Germany (which is much like the rest of Europe in this respect) approach privacy from very different political and legal traditions. The German approach is rooted in its experience with totalitarian regimes and military occupa- tion, which has given rise in Europe to a strong antipathy toward, even an anxiety about, invasions of privacy or illegal surveillance. On the other hand, Europeans, and Germans in particular, tend to trust their govern- ment more than Americans do and turn to it to protect their interests. Thus the first data-protection law in the world, the Hesse Data Protection Act, was passed in Germany in 1970, and it established an enforcement structure that became the model for data protection all over Europe. The act created a governmental structure to preserve each individual's pri- vacy rights, and it stipulated that the data-protection officer established under this act, though formally a public official, would be independent from all other branches of government.5 As importantly, the willingness to trust government has made it ac- ceptable for German privacy law to take a comprehensive approach. All record keepers, public and private, have to comply with fair information practices (Box 6.3~. Although earlier laws imposed different rules on pub- lic and private record keepers, more recent legislation dealing with the Internet largely removes that distinction. The 1997 Teleservices Data Pro- tection Act6 implementing the European Union directive on the protec- 5The Federal Data Protection Commissioner's independence is laid down in sect. 22 par. 4 sent. 2 and 3 of the Federal Data Protection Act. He is independent in the performance of his duties and subject to the law only. According to Art. 28 par. 1 subpart 2 of the European Directive the data protection authorities act with complete independence in exercising the functions entrusted in them. 6BGB1. I 1997 S. 1871-1872

40 GLOBAL NETWORKS AND LOCAL VALUES lion of privacy in the telecommunications sector,7 and the 2001 amend- ments to the German Federal Data Privacy Acts implementing the 1998 European Union's directive on data protection,9 apply to private compa- nies and individuals as well as to public authorities. German law does distinguish between privacy ("Schulz personenbezogener Daten") and busi- ness secrets, providing less protection for business secrets on the argu- ment that the individual rights at stake are not of the same order. Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommu- nications sector: Of ficial Journal L 024,30/01 /1998, p.0001-0008. Available online at <http: / /europa.eu.int/eur-lex/en/lif/dat/1997/en_397L0066.html>. Federal Data Protection Act of December 20, 1990 (BGB1.I 1990 S.2954) as amended by law of May 23, 2001 (BGB1 I S. 904~. 9Council Directive 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, art. 32, 1995 O.J. (L 281) 31,49 (requiring member states to adopt legislation conforming to terms of directive) [hereafter European Privacy Directive]. Available online at <http:// europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html>.

PRIVACY AND FREEDOM OF INFORMATION 14 By contrast, the United States has a populist mistrust of governmental institutions and a strong tradition of relying on market forces not only to regulate the economy but to serve many social needs as well. Thus while the U.S. Congress has adopted legislation to protect personal privacy from encroachment by federal agencies,~° the regulation of private industry has moved more slowly and in a piecemeal manner. In practice, the U.S. norm is a patchwork of legislation and court decisions arising from epi- sodic scandals and political pressures from both industry and privacy advocates. Thus, highly specialized solutions have been crafted for dif- ferent technologies (e.g., statutory regimes specific to the protection of postal mail, telephone communications, e-mail, and other Internet com- munications) and for different subject areas (Box 6.4~. Finally, in U.S. law, privacy that is, the control of one's personal data is basically understood as a property right. Individuals can trans- fer or sell their property rights to a firm interested in its use or even to government, provided that the transfer is voluntary and the terms and conditions are fair. But the traditional European approach treats indi- viduals' interests in data about themselves as an inalienable liberty right- that is, a right that cannot be given up, even voluntarily. i°Federal Privacy Act, 5 U.S.C. § 552a.

42 GLOBAL NETWORKS AND LOCAL VALUES Yet despite the differences in legal traditions, both Germany and the United States over the last 25 years have developed what have become known as "fair information principles" that reflect substantial agreement on basic issues. This common ground is summarized in Box 6.3. The ques- tion is whether these commonalties coupled with the strong linking forces introduced by global networks in general as well as the more specific desire to exploit them for commercial uses will ultimately lead to harmoniza- tion, in which the United States moves toward the more comprehensive and integrated approach to privacy that is prevalent in Europe. If privacy is to be protected by direct legal enforcement, then there are two possible approaches (regardless of whether privacy rights are charac- terized as property or liberty interests). The first approach is to establish independent governmental data-protection authorities responsible for monitoring and enforcing fair information principles, as is done in the Ger- man system. This approach avoids the high transaction costs, and the diffi- culty of proving cause and establishing injury, that may make individual enforcement illusory. However, as a practical matter, it is difficult for pub- licly funded enforcement authorities to handle all individual complaints. The second approach is to allow individuals to bring lawsuits to pro- tect their privacy rights and to recover damages for injuries resulting from violation of those rights. This approach decentralizes enforcement of pri- vacy rights, but it may not be efficacious because it is difficult to prove cause, and the stakes involved in any particular invasion of personal pri- vacy may be so small that individuals are unwilling to pay the costs of litigation (though efficiency can be increased when numerous injury cases are grouped into class actions). 6.2.3 Technology and Privacy Individuals have many good reasons to want information about them- selves to be stored electronically and to be made available over communi- cations networks. The rapid and accurate transfer of electronically stored medical records can improve a person's medical care and might even save a life; stored credit card and address information makes Internet shop- ping convenient; and user-friendly online banking transactions have at- tracted millions of customers. Yet advances in information technology can also threaten privacy. A visitor to a Web site may involuntarily leave behind personal information that the Web site owner can later use for commercial purposes. Seem- ingly harmless fragments of information left at different sites can be com- bined into a potentially harmful aggregate. Even easier, cookies can be set in a user's hard drive, creating a built-in history of sites visited, mate- rial browsed, and purchases made. Such data can be used for marketing

PRIVACY AND FREEDOM OF INFORMATION 143 purposes targeting an individual with ads that are customized to his or her tastes which may represent a convenience to some and little more than an annoyance to others. However, it is the absence of control over the collection or the use of the information that is the quintessential viola- tion of privacy, and it is not difficult to construct scenarios in which that violation can be harmful to individuals. Of course, personal information can be collected by Internet service providers as well as by Web site hosts. ISPs can and do record informa- tion on user actions for internal purposes or to comply with court orders, and this might include sites visited, the amount of information down- loaded, and when such visits occurred. Databases containing "public" information are another source of pri- vacy concern. Much of such information e.g., records pertaining to property tax, motor vehicles, drivers' licenses, convictions was hereto- fore not public because it was hard to access or extract from voluminous databases. Making such information easily available to the general pub- lic through the Internet may well be viewed as a violation of an individual's privacy rights because this allows it to be used for purposes other than those for which it was originally collected (together with the individual's implied or explicit consent). In the United States, for ex- ample, these databases have been a valuable source of information for telephone-solicitation operations. Other methods of data collection are possible as well, including records of cellular-telephone location, records of building ingress and egress (created when magnetic cards are used to gain access), and records of credit-card and telephone usage. And the World Wide Web itself is a source of information about individuals. Commercial transactions and political dialogues posted in forums create opportunities to collect infor- mation about personal interests and activities. Today, different structures exist for regulating personal data collec- tion and use in each of these areas of activity from local exchange to long distance telephone companies to cable television companies and Internet service providers. That is certainly a source of confusion and chaos. Tech- nological convergence, however, is leading companies to strive to become sole-source information providers and handlers, and the differing regula- tory traditions and customs that characterize each domain may well come to overlap, leading, at least initially, to greater turmoil even within na- tional borders. The technical convergence can also create the opportunity for a kind of regulatory arbitrage that can work to the detriment of pri- iiIn Germany, third-party access to all these kinds of information is severely controlled by law, so that the term "public" in this discussion is even more properly put in quotation marks.

44 GLOBAL NETWORKS AND LOCAL VALUES vacy rights. On the other hand, the turmoil and the obvious regulatory inequities may serve as a stimulus to rationalize the present cacophony of regulatory regimes. In so doing, it could reinforce the fundamental con- cepts of privacy sometimes lost or distorted in the past as individual sec- tors developed rules that weighed particular political, commercial, and even technical factors more heavily than privacy per se. Information technology is not only a threat to privacy; it can also pro- vide the technical means for increasing one's privacy. For example: · Encryption (Box 6.5) is widely used to ensure privacy and to en- able secure commerce. Encryption (at the sending end) and decryption (at the receiving end) provide end-to-end confidentiality when the inter-

PRIVACY AND FREEDOM OF INFORMATION 145

46 GLOBAL NETWORKS AND LOCAL VALUES mediate communications channels are either public or, if private, subject to malicious intrusion. · Anonymization enables a user to send (and sometimes to receive) messages anonymously (Box 6.6~. Anonymizing services make it very difficult and sometimes impossible to trace the identity of a user. · Automated privacy-negotiation protocols, such as the Platform for Privacy Preferences Project (P3P), enable Web site operators to express their privacy policies in a standardized machine-readable format that can be interpreted by clients linking to the Web site. Clients "remember" their users' own privacy preferences, which are automatically compared with the policies of the visited Web site. If the two match, the connection is allowed; otherwise, discrepancies are called to the user's attention. Thus, the human user need not read the privacy policies at every site he or she visits, but rather can rely on his client for this task. Reliance on technical approaches has two major drawbacks. First, technical approaches generally require explicit user action an individual wanting to protect privacy must take an action to do so (this may change in the future if defaults for encryption are widely built into e-mail or other communications software). Because many individuals do not know that the tools exist or do not have the skills to use them effectively, the privacy interests of those individuals may be compromised. Second, if privacy protection relies on software that both client and provider must install, such as P3P, then it is viable as a privacy-protection mechanism only if a large number of Web site operators adopt the same software and a critical mass of users install it in some relatively brief ini- tial period. The issue of timing is important because the value of the sys- tem grows with numbers of users (an illustration of positive network ex- ternalities discussed further in Chapter 7), so that the willingness of operators to invest in such a system depends strongly on how rapidly users can be recruited and a financial return generated. In any case, although technical tools can offer some degree of data protection, few in the United States or Europe advocate relying on them exclusively. Technical tools per se do not provide a framework for bal- ancing competing values where privacy is involved or, for that matter, in any other case. The appropriate balance cannot and should not depend on the ever-changing state of technology and the relative power it may confer at any particular moment on those who seek to protect their pri- vacy or on those who seek to invade it. It is the role of communities to come to agreement about the appropriate framework and to use institu- tional structures to regulate, guide, or stimulate the use of technical and other tools to achieve the desired value balance.

PRIVACY AND FREEDOM OF INFORMATION 6.2.4 Privacy Protection as a Challenge to Governance 147 Although, or perhaps because, European and American approaches to privacy differ, together they provide a rich array of tools to help an individual maintain control over personal information. These include not only mandatory legal regulations introduced through laws and enforced bv courts and Government agencies but also a variety of self-regulatory ~ ~ ~ , procedures and practices. The Limited Power of Traditional National Regulation The globalization of information flows makes it much more difficult for a single nation-state to unilaterally protect the privacy of its citizens. Routine consumer transactions can involve players in five or even more countries, given that consumers, merchants, manufacturers, Web site op- erators, credit-card issuers, and other parties to a single transaction can all be located in different political jurisdictions. In effect, a nation's data-protection laws are subject to a kind of com- petitive pressure. In many instances, strict privacy legislation in one nation-state can be circumvented by shifting the collection and use of the data to another nation-state that has less restrictive laws. However, data protection differs from content regulation in the global-networked envi- ronment. The businesses collecting personal data during commercial transactions often require a local presence in order to make money. If so, this feature makes an out-of-nation vendor vulnerable to the extraterrito- rial application of national rules. Even if the actual storing or processing takes place abroad, local data-protection authorities can argue that the local entity representing the operator is subject to local law and, more- over, responsible for the parent company's actions. Thus, the local au- thorities can take action against the local representative. Neither the argument nor the threat is merely theoretical. In the well- publicized conflict between the European Union and the United States concerning e-commerce transactions, the European position embodied in the European Privacy Directive which stated that personal data cannot, in most instances, be transferred out of the European Union to countries that do not provide an "adequate" level of privacy protections was ef- i2Article 26 of the European Privacy Directive provided several exceptions to this general prohibition. In particular, transfers of personal data to third countries that do not ensure an adequate level of protection can take place anyway if (1) the data subject has given his or her consent unambiguously to the proposed transfer, or (2) the transfer is necessary for the performance of a contract between the data subject and the controller or for the implemen- tation of precontractual measures taken in response to the data subject's request, or (3) the

48 GLOBAL NETWORKS AND LOCAL VALUES fectively an extraterritorial applicability argument.~3 The fact that U.S. corporations were vulnerable to prosecution through their local offices gave significant negotiating power to the European position, resulting in the "safe harbor" compromise whereby American corporations undertook a contractually enforceable commitment to privacy protection (see dis- cussion below). International Legal Harmonization A straightforward solution to harmonizing data protection would be the conclusion of an international treaty on the issue. Within Europe, this is precisely what happened. The Council of Europe prepared its Conven- tion for the Protection of Individuals with Regard to Automated Process- ing of Personal Data, and the European Union used its power to legislate the Directive on Data Protection. These two legal instruments effectively harmonize the standards and, more to the point, spread and reinforce the substantive value. Similar approaches have been tried in the broader international arena as well. In September 1980 the Organization for Economic Cooperation and Develoment (OECD) adopted Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,~4 and in December 1990 the Gen- eral Assembly of the United Nations adopted Guidelines Concerning Computerized Personal Data Files.~5 But neither instrument has the en- forceability associated with domestic law. Indeed, as noted elsewhere, substantive international treaties work only when there is such complete transfer is necessary for the conclusion or for the performance of a contract concluded in the interest of the data subject between the controller and a third party, or (4) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims, or (5) the transfer is necessary in order to protect the vital interests of the data subject, or (6) the transfer is made from a register that according to laws or regulations is intended to provide information to the public and that is open to consulta- tion either by the public in general or by any person who can demonstrate legitimate inter- est, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case. i3Although prohibiting data transfers out of Europe does not, in a formal sense, contra- vene international-law principles of prescriptive, adjudicative, and enforcement jurisdic- tion, the practical effect of such a prohibition is to disrupt international commerce. See Henry H. Perritt, Jr. and Margaret G. Stewart, 1999, "False Alarm," Fed. Commun. L.J. 51:811. i40ECD Document C(80~58 (Final). Available online at <http://www.oecd.org/dsti/sti/ it/secur/prod/PRIV-EN.HTM>. i5Resolution Number A/RES/45/95. Available online at <http://www.un.org/docu- ments/ga/res/45/a45rO95.htm>.

PRIVACY AND FREEDOM OF INFORMATION agreement on the values 149 involved that domestic law is, or can easily be made, consistent with the treaty's provisions. There are in fact sufficient differences between the United States and Europe on defining what privacy does and does not mean with respect to government and commercial institutions that such agreement has proven difficult to obtain. Moreover, both jurisdictions fundamentally differ in their approach to structuring institutions of enforcement. While the Eu- ropeans are willing indeed, prefer to rely on command-and-control regulation and governmental enforcement authorities, the United States prefers industrial self-regulation and litigation. Finally, it should be noted that the traditional international treaty pro- cess is slow and cumbersome, certainly more so than the process of reach- ing agreement within the European Union. Few who are familiar with the International Telecommunications Union or the World Trade Organi- zation would view a similar approach to privacy protection as practical, particularly within the context of the rapidly evolving technical environ- ment of the Internet. Internationally Coordinated Private Law A second technique for resolving the U.S.-European conflict over data protection involves coordinating legislation with the help of each nation's rules on the application of foreign commercial law to international cases. This technique, called the conflict-of-laws approach, is available because the protection of data among private parties is generally covered by pri- vate rather than public law,~7 and privacy issues on the Internet often involve the use of data by private businesses rather than by government. One obstacle to this approach, however, arises from the distinct dif- ference between the U.S. view of privacy (analogous to a property right) and the traditional European view (which deems individuals' interests in data about themselves as an inalienable liberty right). In a case in which this difference was significant, it is quite possible that Europeans might not regard the U.S. legal provisions as being functionally equivalent to their European counterparts. Under those circumstances, the national conflict rules might require that the European, rather than the U.S. rules, apply. i6Henry H. Perritt, Jr. 1997. "Regulatory Models for Protecting Privacy in the Internet," in William M. Daley, ea., Privacy and Self-Regulation in the Information Age, U.S. Department of Commerce, Washington, D.C., Chapter 3. Available online at <http://www.ntia.doc.gov/ reports/privacy/selfreg3.htm>. i7Reinhard Ellger. 1990. Der Datenschutz im grenzuberschreitenden Datenverkehr. Eine rechtsvergleichende und kollisionsrechtliche Untersuchung. Baden-Baden, 582 s.

50 GLOBAL NETWORKS AND LOCAL VALUES There are other complications as well. If a private lawsuit is brought by a foreign customer in the country of origin of the supplier, will the courts be convinced that an Internet transaction between these two parties is prop- erly viewed as having occurred in the home country of the customer (so that the customer's national laws apply)? Furthermore, even though the private-law rules can generally be applied where only private entities are concerned, nation-states have generally been unwilling to apply foreign rules if they are perceived as a hidden regulatory tool. This is likely to be the case with data-protection rules, given the conceptual differences be- tween nations about what should be protected and howdy Indeed, the fact that independent public officials have jurisdiction to intervene would sig- nal the inherent public-law character of data protection laws. Finally, from a pragmatic point of view, it seems doubtful that Europeans would accept, for example, a data-protection arrangement under which European nation- als would have to sue U.S. firms before U.S. tribunals; nor would Ameri- cans be comfortable with the opposite arrangement. Self-regulation Without Direct State Intervention Many data users in the United States have expressed a strong prefer- ence for self-regulation, and American industry has begun to move in that direction. Whether motivated by the need to respond to consumer pres- sure or the desire to avoid legislation, American companies acknowledge the pressures that lead to calls for regulation but assert that they can po- lice their own actions. When the Federal Trade Commission (FTC) under- took a series of investigations of online privacy in the mid-199Os and be- gan to develop guidelines for possible regulation, the Direct Marketing Association responded by adopting a code of Fair Information Practices. Since 1998, industry representatives have worked with the Federal Trade Commission to develop credible and effective self-regulatory approaches and accompanying audit and enforcement mechanisms. There are limits to how far the FTC can go. For example, the Children's Online Privacy Protection Act, which was passed in 1999, makes the Commission respon- sible for rulemaking and requires any Web site or online service that is directed to children to obtain parental consent before collecting personal information from children under the age of 13. Self-regulatory approaches can be more decentralized and flexible than governmental regulation, and thus more responsive to particular cir- cumstances. On the other hand, they are unlikely to have much credibil- i8For greater detail, see Ellger (supra note 17) 597-604.

PRIVACY AND FREEDOM OF INFORMATION 151 ity if they comprise no more than broad guidelines. Effective self-regula- tion needs substantive rules, as well as mechanisms to ensure that con- sumers know the rules e.g., a requirement that companies publish pri- vacy policies. Furthermore, there must be some sanction for failure to comply with these rules. Among the suggested approaches are the cre- ation of certifying seals or logos, which can be withdrawn for noncompli- ance; publishing the names of noncompliant companies on a "bad actor" list; or making a company liable under fraud laws. Other possibilities are audits of compliance with established fair information practices or inde- pendent authorities with power to resolve complaints. None of these self-regulatory approaches, including the publication of codes of good practice, are acceptable to most privacy advocates, who view them as toothless and therefore not truly protective of individual interests. However, some of these advocates are willing to agree to a sys- tem with "opt-in" provisions, which requires individuals to agree explic- itly to the collection or use of personal information. (Industry usually argues for "opt-out" provisions that permit collection or use of personal information unless individuals explicitly object.) Self-regulation has been strongly opposed on the European side for many of the same reasons advanced by the privacy advocates. Many, perhaps even most, Europeans do not trust the mechanism, suspecting that self-regulation is merely a cover for lowering the standards of data protection, or ignoring them entirely. Hybrid Regulation Thus there is a growing interest in new forms of governance, which might be characterized as "hybrid" in character, that feature flexible inter- national public-law frameworks within which private self-regulation is used to work out the details. Private self-regulation within a public inter- national law framework may not only provide solutions to the inherently international character of traffic in personal data; they also may avoid some of the problems of the fragmented regulatory structures currently in place. Some precedent for such an approach can be found in a German- U.S. contract between the Berlin Data Protection Commissioner and Citibank (Box 6.7~. A more contemporary example, and one that has received a great deal of attention, is the hybrid regulatory scheme developed by the European Commission and the United States government to avoid privacy-related disruptions of transborder data flows and international trade. In 2000, they exchanged letters that articulated a "safe harbor" for U.S. companies and other organizations receiving personal data from the European

52 GLOBAL NETWORKS AND LOCAL VALUES

PRIVACY AND FREEDOM OF INFORMATION 153 Unions Organizations receiving personal data transfers from the EU and complying with certain principles (Box 6.8) would be regarded as meet- ing the "adequacy" requirements for data protection in accordance with the European Union's Directive on Data Protection. In this instance, hybridization allowed the United States and Europe to organize the coexistence of their diverging regulatory traditions and styles. The Europeans came to the negotiation table with their trust in government, and with an existing framework of independent data-pro- tection officers. The United States, for its part, had neither a strong regu- latory framework nor the inclination to impose one. The compromise was self-regulation with public oversight via the Federal Trade Commis- sion i.e., a hybrid solution.20 The actual implementation mechanism is complex, with roles estab- lished for both government and nongovernment organizations, the issu- ance of a "seal of compliance," and the creation of a dispute-resolution body. Noncompliance is penalized by a range of sanctions, including publicity for findings of noncompliance, the requirement to delete data in certain circumstances, suspension and removal of a seal, compensation for individuals for losses incurred, and injunctive orders. In addition, the U.S. Federal Trade Commission has committed itself to reviewing allega- tions of noncompliance with safe-harbor principles made by privacy self- regulatory organizations; the Commission will be looking to see whether the alleged actions amount to violations of the FTC Act prohibiting unfair or deceptive acts or practices in commerce. In this context, all of the usual tools available to the FTC can be applied, including administrative cease- and-desist orders prohibiting the challenged practices, as well as pursu- ing complaints in U.S. federal courts to obtain judicial remedies. Persis- tent failure to comply can be punished by denying the violator the benefits of the safe harbor. The success of these safe-harbor negotiations between the European Union and the United States does not mean that the agreement is without controversy. For example, the Trans Atlantic Consumer Dialogue (TACD), representing a group of consumer and orivacv Groups argued that the c~f~_h~rLnr rent " 1 .J to 1 ' to ma ~ ~ . . . fails to provide adequate privacy protection for consumers in the United States and Europe. It lacks an effective means i9The U.S. letter can be found online at <http: / /www.export.gov/safeharbor/ larussacovernote717.htm>. The European Commission letter can be found at <http:// www.export.gov/safeharbor/EUletter27JulyHeader.htm>. Other related documents can be found at <http://www.export.gov/safeharbor/sh_documents.html>. 20Henry Farrell. 2000. "Negotiating Privacy Across Arenas The KU-US 'Safe Harbor' Dis- cussions," in Adrienne Heritier, ea., The Provision of Common Goods: Governance Across Mul- tiple Arenas, Boulder, CO: Rowman and Littlefield.

54 GLOBAL NETWORKS AND LOCAL VALUES

PRIVACY AND FREEDOM OF INFORMATION 155

56 GLOBAL NETWORKS AND LOCAL VALUES of enforcement and redress for privacy violations. It places unreasonable burdens on consumers and unfairly requires European citizens to sacri- fice their legal right to pursue privacy complaints through their national authorities. The proposal also fails to ensure that individual consumers will be able to access personal information obtained by businesses." The controversy illustrates what is bound to be a continuing debate between those who see hybrid regulation as the answer to the conflict- ing approaches and inconsistent regulations between one country and another, and those who see it as a threat to the existing protections that national regulation provides in at least some countries. Experience gained in these next years with the Safe Harbor agreement may well provide important evidence for future decisions on whether or not to use this approach. 6.3 FREEDOM OF INFORMATION The term "freedom of information," as used in this report, is not only a legal concept but also a social and political one. In the former sense, it refers to the legally enforceable right of access to information an indi- vidual right. But in the social and political sense, it is a measure of the openness of the society, as discussed below. It is in this context that we may define what kinds of information ought to be accessible and, addi- tionally, begin to understand the associated conflicts in public and private interests. 6.3.1 The Value Involved As pointed out in the introduction to this chapter, freedom of infor- mation is a formal value. Adherence to this value safeguards transpar- ency and accountability of governmental action, and it is closely related to the Western concept of democracy. Access to information gives citi- zens a sense of ownership of their society, and it creates confidence in the legitimacy and appropriateness of government administration. Freedom of information is a tool for engaging citizens in the work of government, alerting them to any excesses of government, and providing them with the basis to exercise their rights and obligations more knowledgeably. In 2iAvailable online at <http://www.epic.org/privacy/intl/TACD_SH_1299.html>.

PRIVACY AND FREEDOM OF INFORMATION 157 Thomas lefferson's words, "The best protection of a democratic society is an informed public." Technological developments have affected the availability of infor- mation in at least two ways. First, the Internet and the World Wide Web have made it increasingly practical for enormous amounts of information to be made available quickly, easily, and inexpensively to the public. The complete texts of laws, court records, judicial findings, administra- tive rules and records, statements of public officials, transcripts or min- utes of public meetings, and the like can all be put online for the public to access, copy, or search. This is an extraordinary new tool for implement- ing freedom of information in societies unambiguously committed to that value. However, it is also a challenge to those who are less than enthusi- astic about such total disclosure (and who, in the past, could be shielded from the need to justify restrictions on the distribution of information by simply citing its impracticality). Second, new computer tools allow the manipulation and reorganiza- tion of data and records into much more useful and transparent forms. Tools for searching, filtering, organizing, and analyzing data can produce intermediate products that, in a very practical sense, make the raw data significantly more accessible and, in so doing, make freedom of informa- tion as much a practical reality as a formal commitment or value. How- ever, these new technical tools create two problems. First, the very capac- ity to manipulate and mine public data may expose private information embedded within it; thus a formal balancing of interests is involved in the collection and publication of data for public purposes. Again, this is a problem that did not need to be urgently confronted in the past because of the practical limitations on teasing the private information out of the pub- lic database. Furthermore, because many intermediate data products serve a pub- lic purpose, it is in the public interest for government to encourage the growth of markets for these products. That means creating incentives for the private sector to invest in their development. Generally, these incen- tives have taken the form of intellectual-property protection. Conflict then arises in determining what balance between the public nature of informa- tion and the private protection of intellectual property will maximize free- dom of information as a practical reality. In the following sections, such conflicts and tensions are examined in the context of specific kinds of public information and specific legal approaches.

58 GLOBAL NETWORKS AND LOCAL VALUES 6.3.2 Types of Information Subject to Freedom of Information Primary Legal Information "Primary legal information" information having the force of law, such as parliamentary enactments, judicial decisions,22 and comparable instruments from administrative agencies such as rules and orders is the raw material of democracy. Most observers committed to freedom of information would agree that making primary legal information widely accessible to the public is not only consistent with individual rights but also important for effective governance. Indeed, if the public doesn't know the law, it can't follow it. In addition, if it doesn't have complete access to information about the operations of government, it can't exer- cise democratic oversight. Thus there is an overriding public interest in easy and inexpensive access to primary legal information. An important and ongoing controversy related to the public's right to legal information is the issue of who may hold a copyright on information subject to disclosure under freedom-of-information laws. If private enti- ties obtain information from public entities under such laws and then re- organize it, may they copyright the product thus created? If so, what does the copyright cover? In the United States, these controversial questions have been raised in connection with the U.S. Congress's consideration of two database-pro- tection bills23 modeled in part on the European database-protection di- rective.24 Specifically, both of these proposed bills would have granted certain property-like rights to database owners entirely apart from what- ever copyright interest they did or did not hold; in general, these rights would have forbidden other parties from extracting large quantities of information from these databases in a way that caused financial harm to the database owner. On the other hand, federal entities in the United States are precluded from copyrighting public information. In Germany, the situation is slightly more complicated. According to Article 5 of the Copyright Act, 22Germany is a civil-law country. Court decisions thus do not, in and of themselves, have legal force erga omnes, though the decisions of the upper courts have high persuasive author- ity. This does not, however, change the desirability of having easy and inexpensive access to their texts. 23H.R. 354 in the 106th Congress, the Collections of Information Antipiracy Act, and H.R. 1858 IH, the Consumer and Investor Access to Information Act of 1999. 24Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (O.J. 27/3/96 no L 77 p. 20~.

PRIVACY AND FREEDOM OF INFORMATION 159 "Laws, ordinances, official decrees and notices [and] also decisions and official grounds [for] decisions" cannot be copyrighted. The same applies to other official works published to satisfy the official goal of informing the public. But information collected and maintained by public agencies can be granted a private copyright when it is material actually written by private individuals. In the United States, some courts have held that certain state and local laws can sometimes be copyrighted, and have forced third parties to re- frain from reproducing or distributing primary legal information con- tained in such statutes and court decisions. For example, Peter Veeck posted on a private Web site the municipal building code for Denison, Texas. The text of this building code is actually owned by the Southern Building Code Congress International (SBCCI), a private, not-for-profit organization whose primary mission is to develop and maintain a set of model building codes. The SBCCI has developed the building code and gives it free to municipalities as an incentive for adopting it. However, sales of the code to engineers and architects is a revenue-generating enter- prise for SBCCI, and thus it sued Veeck for copyright infringement. The case is working its way through the U.S. court system; in February 2001, a panel of the Fifth Circuit Court of Appeals upheld by a vote of 2-1 that SBCCI had the right to force Veeck to refrain from publishing these mate- rials on the Web.25 It has been argued in the past that the private publication of govern- ment information is the only practical way to ensure its broad distribu- tion, and that the incentive of copyright protection is necessary to encour- age the involvement of the private sector. However, Internet and PC technologies have sharply reduced the costs and increased the ability of government agencies to publish their own material. As noted earlier, these same technologies have also created incentives for the private sector to create value-added products from the raw data produced by govern- ment agencies. The challenge is to develop appropriate criteria to protect private-sector innovations that enhance the usability of original govern- ment data without depriving the public of its access to that data.26 25The opinion of the panel can be found at <http://www.ca5.uscourts.gov/opinions/ pub/99/9940632-cvO.htm>. A press article on this controversy is in Daniel Fisher, 2001, "We Own That Law," Forbes, April 30, p. 60. 26This is a topic of ongoing debate in the United States. The Computer Science and Tele- communications Board is participating in a National Research Council project that addresses these issues for weather-related information.

160 Public Records Containing Personal Information GLOBAL NETWORKS AND LOCAL VALUES Public records that contain personal information create an obvious conflict between freedom of information and privacy rights. In principle, this is not a new concern, but advances in information technology have made it a practical concern. In the past, the cost and effort of extracting personal data from public records was so great that few attempted it. However, as such records are computerized and become available under freedom-of-information law, the threat to privacy becomes quite real. Whether privacy or freedom of information takes precedence depends on the particular situation. If the invasion of an individual's privacy is limited and noninjurious, one might argue that the cost is worth the ben- efit of retaining the public's access to government information. On the other hand, if the interest in access to public records is purely commercial and unrelated to the democratic and integrative functions of freedom of information, then one might argue that protection of individual privacy should be given greater weight. In addition to facilitating the mining of databases for personal infor- mation, technological advances affect the balance of rights in two other ways. First, information technology enables "profiling" the linking of data from a number of different sources to create much more serious in- vasions of individual privacy than would be possible with any single record. The possibilities for such profiling are thus an element in judging the harm to individuals that results from granting access to public records, though the number of actual instances in which an individual has been harmed by profiling is apparently small. Second, and on the other hand, information technology also facilitates the anonymization of data, a prac- tice that can help to protect privacy without compromising the public's access to the aggregated database.27 Some have argued that anonymizing data can reduce its worth be- cause the process essentially blocks certain information that might, in fact, be useful. But that raises the question of whether the competing prin- ciples of privacy and public interest have, in the past, been thoroughly weighed in deciding what information on individuals it is appropriate for governments to collect. In the past, the government may have had no alternative but to gather more information than it had a right to gather, in order to glean the information that it needed and to which it was entitled. The practice may not have been challenged because, as a practical matter, there were limitations on the misuse of the private data. However, the 27Such an outcome depends on the particulars of the data in question, because sometimes even anonymized data can be assembled in such a way as to uniquely identify an indi- vidual.

PRIVACY AND FREEDOM OF INFORMATION 161 mere fact that the government has collected or is in possession of the ag- gregated database does not mean that it is actually entitled to use all of the data or to use it for any purpose. Because technology increases the ability to link information, the potential for such misuse by government- and others increases, and government agencies will have to revise their past approaches to collecting data and weigh the competing claims of pri- vacy and public need more rigorously. Notes, Drafts, and Intermediate Documents of Public Officials and Bodies Documents that shed light on the administrative aspects of government's decision-making process (e.g., preliminary or internal drafts) present thorny problems, and how far a society should go in pro- viding access to such documents is a matter requiring much further dis- cussion.28 On the one hand, transparency in the political and administra- tive decision-making process is of major importance in a democracy and one of the strongest arguments for a freedom-of-information principle. On the other hand, disclosure of every conversation and recorded thought between administrators or judges and their advisors would have a chill- ing effect on candid deliberation that would, in fact, reduce the quality of decisions. Government needs space and time in which to assess argu- ments and conduct internal debates with a certain degree of privacy of its own. Technology (though not necessarily as part of global networks) again complicates matters. In the past, a good deal of highly informal conversa- tion might have taken place on the telephone or in face-to-face meetings. It was possible to record these kinds of conversations, but not required.29 When they were recorded, they might well have been subject to freedom- of-information requests (or subpoena, as Richard Nixon learned). The applicability of freedom-of-information regulations in these instances was often debated, even litigated. But the participants had an option that al- lowed them to control the balance between privacy privilege and the public's right to information; except where public meetings were involved (itself a question of definition), they could decide whether or not to record the conversation. 28It was discussed in the United Kingdom. See "Your Right to Know. The Government's Proposals for a Freedom of Information Act," presented to Parliament by the Chancellor of the Duchy of Lancaster by Command of Her Majesty, December 1997. Available online at <http://www.official-documents.co.uk/document/cabOff/foi/foi.htm> (03.03.2000~. 29Indeed, in many jurisdictions, it would be illegal to record such conversations for ex- ample, if the recording were carried out by third parties or without appropriate notice.

62 GLOBAL NETWORKS AND LOCAL VALUES Now, many of these same interactions are conducted through vehicles such as e-mail or bulletin board postings. Electronic records of these ex- changes exist and are frequently the subject of freedom-of-information requests. In effect, technology has shifted the balance and the control without any change in the substantive social and political facts. In this, as in other instances, each society must determine if the shift is consistent with its balance of the values involved. The technology itself should not be the determining factor. Records Associated with Publicly Funded Research A relatively new area of contention, particularly in the United States, is the public accessibility of research data produced with government grants. Although the principle of openness in research is, in and of itself, an important value in the scientific community, freedom-of-information requests for scientific data in recent years seem to have been motivated by political agendas outside that community. As scientists have become more engaged in issues with strong political overtones such as the health effects of tobacco, the environmental effects of industrial wastes, or the relative contributions of nature and nurture to I.Q., lawyers, lobbyists, and other advocates have sought access to scientists' raw data. The rea- sons for such requests vary, and how they are viewed depends on the eye of the beholder. What is seen by one party as a legitimate attempt to understand the basis of a scientist's conclusions can be seen by another as an effort to discredit or harass. The matter has been further complicated by the heightened concern about scientific fraud. Public bodies, including congressional commit- tees, have sought access to the notebooks of scientists in order to assess the veracity of their published works. They have used forensic approaches to determine the time sequence of notebook entries, the actual (expected) randomness in raw data, the inclusion or exclusion of data in final re- ports, and the laboratory instruments actually used in measurements. In so doing, they have tried to assess not only the integrity of scientists, but their competence as well. In some respects, this is a rather new facet of the issue of privacy. That is, to what extent is the practice of one's profession the way one thinks, how one creates, what one's personal style is like a public activ- ity for which the researcher must be accountable? Where should we draw the line between legitimate access and inappropriate revelation of one's personal information and idiosyncrasies? The balance to be struck must ensure accountability while respecting the intellectual process and avoid- ing the chilling effects of harassment or intimidation. The U.S. Congress attempted to balance these considerations in a law

PRIVACY AND FREEDOM OF INFORMATION 163 recently enacted30 that requires all recipients of federal research grants to disclose research data in accordance with the provisions of the Freedom of Information Act. However, the law defines the term "research data" as "the recorded factual material commonly accepted in the scientific com- munity as necessary to validate research findings, but not" such things as trade secrets, commercial information, personnel and medical informa- tion, and any "similar information which is protected under law." In ad- dition, it limits the application of the new provision to "research data re- lating to published research findings," which it defines as either "[rJesearch findings [that] are published in a peer-reviewed scientific or technical journal" or those that are "publicly and officially cited . . . in support of an agency action that has the force and effect of law." It is too early to assess the effects of the law, because it is still being shaped as administrators develop rules for its enforcement and requests for infor- mation lead to court cases that will provide further interpretation. Cer- tainly, the issue remains one of great concern to the scientific community. 6.3.3 Global Networks Affecting Freedom of Information As with privacy, global networks exert direct and indirect pressure on national disclosure policies. Global networks are multiplying the op- tions through which citizens can gain access to information and are mak- ing it more difficult for nations to maintain restrictive policies. New Technical Options In the past, even if the public was legally entitled to access govern- mental files, in practical terms it was not easy to exercise this right. In the earliest times, the citizen had to go to the appropriate office and transcribe excerpts by hand. Photocopiers significantly reduced the logistical bur- den on these efforts. But the digital representation of public documents means that they can be searched, stored, and combined at will. Moreover, if these files are available online, access becomes so comfortable that it can become a routine operation for citizens. There has been considerable progress in this direction. Congressional legislation is available online; all of the opinions of the U.S. federal appel- late courts are available in full-text form and in popular word-processing formats on the Web, and a growing number of state courts and agencies 30Office of Management and Budget's Appropriations Act for Fiscal Year 1999, Public Law No. 105-227. See FOlA Update, VoL XIX. No. 4, available online at <htip: / /www.usdoj. gov/oip/foia_updates/Vol_XIX_4/page2.htm> (03.03.2000~.

64 GLOBAL NETWORKS AND LOCAL VALUES also publish information on the Web. German authorities are moving into the same direction, albeit at a somewhat slower pace. All decisions of the Bundesverfassungsgericht are already available online free of charge. Other federal courts in Germany are planning to follow, and the Euro- pean Commission has launched a similar initiative. The Modest Effect of Globalization Although the Internet has had a strong impact on national policies concerning free speech and privacy, its effect on FOI policies is much weaker because it is the disclosure of information held by local govern- ments that is often at issue. Global networks do not change the local char- acter of the source. Thus, even under changed technological conditions, each country can in principle pursue its own policy. However, for a num- ber of reasons, this may be an unwise choice for nations where present policy appears to limit freedom of information, or at least to not promote it vigorously. First, global networks expose people to new ideas from other places. Thus citizens in a more restrictive nation who see examples of govern- mental openness in other nations may demand more openness and access at home.3~ Given the pronounced differences in regulatory traditions, there is a great potential for such policy diffusion. Of course, it took hun- dreds of years for the legal structure providing for freedom of informa- tion to spread beyond the borders of Sweden (where the first law on the subject was enacted in 1766~. But with the present high degree of connect- edness between nations it is inconceivable that a concept such as freedom of information could long remain contained within the borders of one or a few nations. Other hastening factors include the concept's inherently de- mocracy-promoting character, the United States' broad commitment to it, and its manifestation on the Web. In the United States, freedom-of-information norms are expressed in a collection of federal and state statutes: the Freedom of Information Act of 1966; 32 the Paperwork Reduction Act of 1980 (revised subsequently in 1995~;33 the Federal Register Act of 1935;34 and the Electronic Freedom of 3iOf course, such change is possible only when the government of the more restrictive nation is responsive to the popular will. Indeed, some government in general, those of the more authoritarian nations may impose restrictions on access to certain Internet content precisely in order to prevent their citizens from seeing the openness of other nations. 325 U.S.C. § 552. 33Paperwork Reduction Act of 1980 (94 Stat. 2825; 44 U.S.C. § 3503 note) [set out as a note under § 3503 of Title 44, Public Printing and Documents]. 3444 U.S.C. § 1505.

PRIVACY AND FREEDOM OF INFORMATION 165 Information Act of 1996.35 Most American states also have freedom-of- information laws. These typically adopt the same norms as those of the federal laws. There are, however, some differences. Many states provide no deadlines for agency responses to private requests for information. Others are vague about the availability of judicial review. Still others require the identification of a legitimate private interest in the informa- tion requested. And some distinguish between requests that are made for personal reasons, which are favored, and those made by commercial enti- ties for a profit-making purpose, which are not favored.36 Germany, on the other hand, has not yet established a Freedom of Information Act at the federal level. The only applicable provisions are those of the German Basic Law art. 5, subsec. 137 and the Federal Law on Administrative Procedure §§ 29, 30.38 These legal instruments, however, actually express a principle of secrecy rather than openness, restricting provision of information on administrative procedures to persons who take part in the procedures or who might be affected by their outcomes. This tradition obviously does not give rise to a general public right to government information, and no other specific law addresses such access. Still, there is currently some movement away from government se- crecy and toward greater transparency, both in Germany and throughout Europe. The general approach is to build on the foundation of individual rights, beginning with the existing rights of participants in particular pro- ceedings to obtain information pertinent to those proceedings. This is rather different from the American approach, which links freedom of in- formation to democratic oversight of governmental operations and thus grants rights of access to all citizens. Nonetheless, the strategy has al- ready been successful in several cases. For example, in 1994, the German Federal Freedom of Access to Environmental Information Act was adopted,39 implementing a European Union directive granting access to environmental information held by public authorities.40 35Electronic FOIA Amendments Act of 1996, P.L. 104-231, 110 Stat. 3048 (Oct. 2, 1996), amending 5 U.S.C. § 552. 36Media requests, which obviously serve commercial, profit-making purposes, have al- ways been given exceptional status in the United States under the protection of the First Amendment of the Constitution (see Chapter 8~. 37Grundgesetz fur die Bundesrepublik Deutschland of May 23, 1949 (BGB1. I S. 1) as amended up to and including Gesetz zur Anderung des Grundgesetzes of July 16, 1998 (BGB1. I S. 1822~. 38Verwaltungsverfahrensgesetz vom 25 Mai 1976 (BGB1. I S.1253), as amended up to and including Gesetz of August 6, 1998 (BGB1 I 1998, 2022~. 39BGB1. I, 1490. 40Council Directive 90/313 /EEC of 7 June 1990 on the freedom of access to information on the environment, Official Journal L 158, 23/06/1990, p. 0056-0058. See <http://europa.eu. int/eur-lex/en/lif/dat/1990/en_390L0313.html>. Note that the directive allows a number

66 GLOBAL NETWORKS AND LOCAL VALUES On the state level, the East German States of Brandenburg and Mecklenburg-Vorpommern provide a general right of access to informa- tion in their constitutions. General freedom-of-information acts were also enacted in Brandenburg and Berlin42 in 1998 and 1999, respectively. However, comprehensive nationwide or EU-wide legislation on freedom of information is not yet a reality, although it is becoming a goal. Indeed, the present coalition government in Germany has expressed its intention to enact a general freedom-of-information law on the federal level. In addition, Directorate General 13 of the European Commission has been working for more than 5 years on the development of a legal regime for freedom of information, seeking to implement the transparency guaran- tee of the Maastricht treaty. However, recently published drafts have been criticized for being too tentative (Box 6.9~. Second, the impact of global networks is not limited to disseminating a normative yardstick. A restrictive national policy with respect to free- dom-of-information principles can be undermined to a certain extent by use of the Internet. Ironically, this became obvious recently as drafts of the European Community's freedom-of-information regulation were leaked and published on the Internet. Third, and perhaps most important, economic considerations in a glo- balized world may provide an even stronger motivation for adopting free- dom-of-information principles in Germany. As the European Com- mission's "Green Paper on Access to Public Information"43 states, "Without user-friendly and readily available administrative, legislative, financial, or other public information, economic actors cannot make fully informed decisions." Therefore, the Commission notes, "the ready avail- ability of public information is an absolute prerequisite for the competi- tiveness of European industry. In this respect, EU companies are at a serious competitive disadvantage compared to their American counter- of exemptions that specify environmental information that can be withheld from the public. Specifically, it may be withheld if the release of the information affects the "confidentiality of the proceedings of public authorities, international relations and national defence; public security; matters which are, or have been, sub judice, or under inquiry (including disciplin- ary inquiries), or which are the subject of preliminary investigation proceedings; commer- cial and industrial confidentiality, including intellectual property; the confidentiality of per- sonal data and/or files; material supplied by a third party without that party being under a legal obligation to do so; material the disclosure of which would make it more likely that the environment to which such material related would be damaged." In addition, requests for information may be refused "where it would involve the supply of unfinished documents or data or internal communications, or where the request is manifestly unreasonable or formu- lated in too general a manner." 4iAkteneinsichts- und Informationszugangsgesetz (AIG) vom 10. Marz 1998 (GVB1. I S. 46~. 42Berliner Informationsfreiheitsgesetz vom 15. Oktober 1999 (GVB1. I, S.561~. 43COM (1998) 585 final.

PRIVACY AND FREEDOM OF INFORMATION 167 parts, which benefit from a highly developed, efficient public-informa- tion system at all levels of the administration." In addition, public-sector information may itself be a vehicle for economic growth, as the public sector is the biggest single producer of information in areas such as legis- lation, statistics, culture, finance, geography, transport, and research. Box 6.10 provides more discussion. Because nations can determine their own FOI policies that are, in their essence, nonoverlapping, there is no particular need for international harmonization of freedom-of-information laws. It is important, how-

68 GLOBAL NETWORKS AND LOCAL VALUES ever, to ensure that international treaties do not hamper national free- dom-of-information policies. A case in point is internationally harmo- nized copyright law. So far, the pertinent international rules are silent with respect to copyrighting governmental information; neither the TRIPs agreements under the WTO treaty,44 the Berne treaty,45 nor the 44The TRIPS Agreement (Agreement on Trade-Related Aspects of Intellectual Property Rights) is Annex 1C of the Marrakesh Agreement Establishing the World Trade Organiza- tion signed in Morocco on 15 April 1994. It is available online at <http://www.wto.org/ english/tratop_e/trips_e/t_agmO_e.htm>. 45Berne Convention for the Protection of Literary and Artistic Works of September 9,1886, as amended on September 28, 1979, UNTS No. 11850, available online at <http:// www.wipo.int/treaties/ip/index.html>.

PRIVACY AND FREEDOM OF INFORMATION 169 World Intellectual Property Organization (WIPO) conventions46 deal with the issue. If they were extended to such information, the potential for conflict between treaty obligation and FOI for government data would be obvious. NOTE ADDED IN PROOF In the wake of the horrific events in New York City and Washington, D.C., on September 11, 2001, the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terror- ism" (USA PATRIOT) Act was enacted into law (P.L. 107-56~. Reflecting congressional concern that the legislative tools available to law enforce- ment were inadequate in an advanced-technology environment in which terrorists can freely travel and operate relatively free of the constraints imposed by national borders, the act expanded government authority to monitor Internet traffic, to compel disclosure of information contained in public and private records if approved by the judicial branch, and to share information collected in grand jury investigations with "any Federal law enforcement, intelligence, protective, immigration, national defense, or national security official in order to assist the official receiving that infor- mation in the performance of his official duties."47 This legislation has implications for privacy interests of individuals vis a vis government, and a number of public interest groups have strongly criticized this legislation for weakening protection for these interests.48 In addition, in the freedom of information domain, the Bush adminis- tration has promulgated a policy that "discretionary decision by [a federal] agency to disclose information protected under the FOIA should be made only after full and deliberate consideration of the institutional, commercial, and personal privacy interests that could be implicated by disclosure of the information.... When [an agency] carefully considers FOIA requests and deciders] to withhold records, in whole or in part, [it] can be assured that the Department of Justice will defend [its] decisions unless they lack a sound legal basis or present an unwarranted risk of adverse impact on the ability of other agencies to protect other important records."49 46WIPO Copyright Treaty adopted by the Diplomatic Conference on certain copyright and neighboring rights questions, Geneva, on December 20, 1996 and WIPO Performances and Phonograms Treaty adopted by the Diplomatic Conference on December 20, 1996. Available online at <http://www.wipo.int/treaties/ip/index.html>. 47See <http: / /thomas.loc.gov/cgi-bin/bdquery/z?dlO7:h.r.03162:>. 48See, for example <http://www.cdt.org/press/011025press.shtml> and <http:// www.epic.org>. 49See <http: / /www.usdoj.gov/oip /foiapost/2001foiapostl9.htm>.

Next: 7 The Impact of Global E-Commerce on Local Values »
Global Networks and Local Values: A Comparative Look at Germany and the United States Get This Book
×
Buy Paperback | $44.00 Buy Ebook | $35.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Whether you call it the third wave, the information revolution, or the virtually connected world, the implications of a global information network are profound. As a society, we want to forestall the possible negative impacts without closing the door to the potential benefits. But how?

Global Networks and Local Values provides perspective and direction, focusing on the relationship between global information networks and local values-that is, the political, economic, and cultural norms that shape our daily lives. This book is structured around an illuminating comparison between U.S. and German approaches toward global communication and information flow. (The United States and Germany are selected as two industrialized, highly networked countries with significant social differences.)

Global Networks and Local Values captures the larger context of technology and culture, explores the political and commercial institutions where the global network functions, and highlights specific issues such as taxation, privacy, free speech, and more. The committee contrasts the technical uniformity that makes global communication possible with the diversity of the communities being served and explores the prospects that problems resulting from technology can be resolved by still more technology. This thoughtful volume will be of interest to everyone concerned about the social implications of the global Internet.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!