National Academies Press: OpenBook

Engaging Privacy and Information Technology in a Digital Age (2007)

Chapter: 4 The Legal Landscape in the United States

Suggested Citation: "4 The Legal Landscape in the United States." National Research Council. 2007. Engaging Privacy and Information Technology in a Digital Age. Washington, DC: The National Academies Press. doi: 10.17226/11896.

4 The Legal Landscape in the United States

Many discussions of privacy ultimately end up turning toward the law. How have legislatures and the courts defined and interpreted privacy? What are individuals’ and organizations’ rights and obligations under the law? Is there a constitutional right to privacy? These are the sorts of questions that have inspired hundreds of books and journal articles about the legal underpinnings of privacy. This chapter presents an overview of the legal landscape as background for discussion elsewhere in the report.

4.1 CONSTITUTIONAL FOUNDATIONS

This section addresses constitutional safeguards for a citizen’s privacy against government invasion and intrusion. Although the word “privacy” does not appear expressly in the U.S. Constitution, the Supreme Court has made clear that this fundamental right is implicit from the panoply of other rights guaranteed in the First, Fourth, and Ninth Amendments.

4.1.1 The Fourth Amendment

The source of constitutional protection for privacy (now embodied most clearly in the Constitution’s Fourth Amendment) lies deep in English history. Precisely four centuries ago, British courts declared in Semayne’s Case that “the house of every one is to him as his castle and fortress.”1

1 Semayne’s Case, 5 Co. Rep. 91a, 91b, 77 Eng. Rep. 194, 195 (K.B. 1603).

From that bold beginning developed a more specific expectation that government may search a person’s house, or personal papers, only with a valid reason (later, “probable cause”), legal authority (eventually in the form of a search warrant), and only after giving adequate notice before seeking entry or access.

Prominent among the principles that the U.S. Constitution’s framers felt imperative to embody in the Bill of Rights was that of privacy. The Fourth Amendment has for the past 212 years been the bulwark of such privacy protection. Most states have comparable provisions in their own constitutions, and in 1963 the U.S. Supreme Court declared that state and local governments are as fully bound to respect privacy as is the national government, since the due process clause of the Fourteenth Amendment incorporates or absorbs the basic safeguards of the Fourth and makes those safeguards fully applicable to official action at all levels.

Interpreting and applying the spare words of the Fourth Amendment have posed a major and continuing challenge for the courts. Indeed, hardly a term of the U.S. Supreme Court passes without at least one case on the docket that juxtaposes government’s need for information, usually pursuant to law enforcement investigation, and a citizen’s or organization’s wish to withhold that information, or to prevent government from gathering the information by invading premises or conducting surveillance in other forms.

The Supreme Court’s recognition of a citizen’s right to be secure against unauthorized government intrusion dates at least to a batch of cases in the 1880s, beginning with Kilbourn v. Thompson, 103 U.S. 168, 190 (1880), noting that Congress does not “possess the general power of making inquiry into the private affairs of the citizen.” Later rulings extended the same principle to inquiries by federal administrative agencies. In 1886, in Boyd v. United States, 116 U.S. 616, 530 (1886), the Court struck down a regulatory measure that it found unduly intrusive into “the sanctity of a man’s home and the privacies of life.”

The later evolution of Fourth Amendment privacy guarantees highlights several notable 20th-century decisions. While the Court ruled in Olmstead v. United States, 277 U.S. 438 (1928), that the use of a wiretap did not violate the Fourth Amendment because there had been no physical invasion of a citizen’s home, person, or papers, later judgments importantly qualified the potential scope of that decision. Notably, the Court held in Katz v. United States, 389 U.S. 347 (1967), that privacy rights did extend to a telephone booth, noting that “wherever a man may be, he is entitled to know that he will remain free from unreasonable searches and seizures.”

The Supreme Court has dealt extensively in the last half century with conditions and circumstances under which searches of automobiles, pedestrians, hotel rooms, and offices may or may not be deemed reasonable. These rulings have usually reflected close divisions within the Court, often by the narrowest of margins. While the prevailing principles remain constant, variations in circumstances, in the potential effect of a particular search, and in the claimed needs of law enforcement inevitably affect the outcome.

A more recent decision affecting privacy of the home may aptly illustrate the process. In 2001, the Supreme Court considered for the first time whether the use of a thermal imaging device aimed at a private home from a public street to detect relative amounts of heat within the home—to determine whether marijuana was probably being grown within—constituted a “search” for Fourth Amendment purposes. Distinguishing permissible “naked eye surveillance of a home,” the Court held on a 5-4 vote that thermal-imaging surveillance was constitutionally different and did involve an unlawful search. The explanation recalls the clarity and simplicity of basic Fourth Amendment precepts: “Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would not previously have been knowable without physical intrusion, the surveillance is a ‘search’ and is presumptively unreasonable without a warrant.”2

Within the ambit of protecting privacy against government action, the Supreme Court declined in Paul v. Davis, 424 U.S. 693 (1976), to extend privacy interests to the “stigma” created by official publication of a person’s name and photo on a list of “active shoplifters” after a larceny charge filed against him had been dismissed. While renewing the broad scope of the “zone of privacy,” the Court distinguished other situations in which it had recognized such interests, noting that the claim posed here was not legally analogous, but simply sought to avoid unwelcome publicity. The high Court’s 2003 decisions, rejecting similar claims against the display on state Internet Web sites of the identities of past sex offenders who had served time and been released, are much in the same vein.

Finally, the Court has long held that the probable cause standard of the Fourth Amendment does not apply to individuals seeking to enter the country (as opposed to those individuals already in the United States). For example, the Supreme Court has held that “searches of persons or packages at the national border rest on different considerations and different rules of constitutional law from domestic regulations,”3 and has thus recognized the right of Congress to grant the executive “plenary authority to conduct routine searches and seizures at the border, without probable cause or a warrant, in order to regulate the collection of duties and to prevent the introduction of contraband into this country.”4

2 Kyllo v. United States, 533 U.S. 27 (2001).

3 United States v. 12 200-Ft. Reels of Film, 413 U.S. 123 (1973).

4.1.2 The First Amendment

The First Amendment’s recognition of free speech and press safeguards citizens’ privacy in several distinct ways: Government may not compel citizens to reveal certain highly sensitive information (e.g., membership in controversial political groups) or require them to disclaim membership in such organizations as a condition of receiving public benefits such as food stamps. Nor may government require a postal patron to declare publicly a desire to continue to receive mail from Communist countries.

The Supreme Court has also found in the First Amendment rights to speak, write, or publish anonymously or pseudonymously (especially in making political statements). Beginning with its 1960 decision in Talley v. California, 362 U.S. 60 (1960), the Court has consistently found in freedom of expression a right to resist compelled disclosure of one’s identity, especially in the context of volatile political communications. Some years later, in McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995), the justices reaffirmed their commitment to protection of anonymity, insisting that governments that had legitimate reasons to regulate political communications could use less intrusive means.

In a similar vein, the Court also struck down on First Amendment grounds a law that required citizens who wished to receive “communist political propaganda” to explicitly notify the post office. The Court’s reasoning was that such notification was a limitation on the unfettered exercise of the addressee’s First Amendment rights. That decision, in Lamont v. Postmaster General, 381 U.S. 301 (1965), retains much value to privacy law, and is indeed the touchstone of current debate about the “opt-in” provision of the federal law that requires public libraries to filter Internet access, but permits patrons wishing unfiltered access to request it.

However, the legal status of potentially intrusive government surveillance is less clear under the First Amendment; three decades ago, the Supreme Court rejected citizens’ efforts to enjoin the government’s Vietnam era surveillance and infiltration of controversial anti-war political groups. The high Court has never revisited this issue, although a few lower courts have been more protective—notably the California Supreme Court, a few years after the high Court ruling, in barring police departments from sending undercover agents into university classrooms, posing as students, to compile dossiers on suspected radicals.

4 U.S. v. Montoya de Hernandez, 473 U.S. 531, 537, 105 S. Ct. 3304, 3308 (1985).

The First Amendment has also served as the basis for protecting privacy in the home. Starting with Breard v. Alexandria, 341 U.S. 622 (1951), the Supreme Court has shown substantial deference to local ordinances that protect privacy by forbidding door-to-door solicitation without the homeowner’s permission—save when such laws unduly burden free expression, as the justices found in their most recent encounter with such privacy-protecting measures, Watchtower Bible & Tract Soc’y v. Stratton, 536 U.S. 150 (2002). In Watchtower, the Court held that a requirement to register with the mayor’s office and to obtain a local permit prior to engaging in door-to-door advocacy violated the First Amendment as it applied to religious proselytizing, anonymous political speech, and the distribution of handbills.

Turning to legal protection for privacy that concerns intrusion by individuals rather than by government, the case law is more easily summarized. Publication of the truth—no matter how unwelcome or invasive of privacy—is almost invariably protected under U.S. law, though less clearly under the laws of most other nations.

The Supreme Court has stopped just short of declaring flatly that speaking truth is categorically protected. What the justices have consistently said on this subject is that a publisher may not be held criminally or civilly liable if the challenged information meets three conditions, spelled out in cases like Cox Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975), and The Florida Star v. B.J.F., 491 U.S. 524 (1989). The statements must be accurate, else they would be subject to a legal claim for defamation. They must hold public interest—which means little more than that someone wishes to read or hear them. Finally, the information or images must not have been unlawfully obtained. This last criterion created substantial confusion over the issue of whose unlawful conduct would taint the information. That issue has now been largely resolved by the Supreme Court’s 2001 ruling in Bartnicki v. Vopper, 532 U.S. 514 (2001), that even if a tape recording that was eventually broadcast on the defendant’s radio station resulted from a clearly illegal wiretap, the station would not be liable if the evidence showed no complicity on its part in the unlawful taping. The case did involve, beyond a finding for the station’s innocence, subject matter of great public interest and value to the community, and a privacy interest on the part of the illegally taped parties, which—given the illegality of the activities they were plotting on the phone—the Court characterized as “attenuated.”

The Supreme Court’s reluctance ever to declare unambiguously that truth trumps privacy may give pause to some publishers, and might imply that the ghost of Warren and Brandeis survives. Indeed, there are several situations in which truthful publications might generate liability. Clearly if the information was unlawfully obtained by the publisher or by someone for whose conduct the publisher bears responsibility—by hacking into an electronic database or breaching a legal privilege such as that between physician and patient—the legal immunity no longer applies. If truthful information is presented in a damaging “false light,” the law of some states affords redress, which the Supreme Court seems to have condoned. Conceivably an intrusive publication could be deemed to lack public interest, and forfeit protection on that basis.

The ultimate question remains: If information has clear public interest, is accurate, and was not unlawfully obtained, can there ever be liability? The short answer seems to be no, and perhaps the longer answer as well. Yet one can imagine two cases in which such a negative answer would at least compel reflection. One would be the widespread dissemination—through a popular Web site, for example—of a photograph taken on a public street by a concealed camera of a female pedestrian’s intimate apparel and private features. Since the site was public—a place where there is no expectation of privacy (unlike a bathroom, dressing room, etc.)—the general policy is that anyone walking there is fair game for potentially embarrassing images. (As close as Canada, the law differs on just this point; a Canadian may be photographed with impunity at a rally or athletic event, but not without consent when sitting on a doorstep, even in clear public view.) There have been persistent suggestions that U.S. law should recognize some exception to the publisher’s immunity in such a situation.

The other poignant case involves a person whose HIV-positive status is unknown to friends, family, employer, and neighbors but is disclosed to the world by someone who obtained this highly sensitive information “not unlawfully” (an estranged ex-spouse, for example). Here again, the revelation may not be actionable for a violation of a federal right of privacy, although it may be actionable under state constitutional privacy jurisprudence, for a variety of torts (e.g., tortious interference with business relations), state or federal statutes, or for violation of contractual rights (e.g., divorce settlement agreements often have gag provisions). Yet there is something about such a case that gives even the most ardent free-press advocate some pause. For the moment, the short answer—“the truth shall set you free”—remains the long answer as well.

4.1.3 The Ninth Amendment

Finally among constitutional safeguards for privacy (though not for informational privacy), a “penumbral” protection derived in part from the Ninth Amendment has recently joined more traditional sources. Among the most prominent cases in this regard is Griswold v. Connecticut, 381 U.S. 479 (1965). In this case, the Supreme Court held unconstitutional a Connecticut law banning the use even by married couples of contraceptives, stating that the ban violated basic privacy precepts since it invaded “a zone of privacy created by several fundamental constitutional guarantees.” In that case, Justice William O. Douglas concluded his opinion for the Court with a reminder that is useful here: “We deal with a right of privacy older than the Bill of Rights—older than our political parties, older than our school system.” Such statements remind us that the framers of the Constitution and of the Bill of Rights were not creating protection for privacy against government, but codifying ancient precepts in new language, and with new force behind those words.

On the other hand, a sharply split Court failed in Bowers v. Hardwick, 478 U.S. 186 (1986), to find in the right of privacy a constitutional basis for protection against state laws criminalizing homosexual sodomy. The status of that case had become increasingly problematic. Before his death, one justice who had voted in the majority declared he had been wrong in so doing. At least five states declined to follow Hardwick, granting protection to private homosexual activity under their own constitutions—as states are free to do, since the national Bill of Rights sets only a floor and not a ceiling. Thus when the issue returned to the Supreme Court during the 2002-2003 term, the likelihood of an overruling seemed substantial. Only the margin was in doubt, as well as the precise rationale a differently disposed majority would adopt.

On June 26, 2003, the final day of its term, the justices by a decisive 6-3 vote overruled Bowers v. Hardwick, in Lawrence v. Texas, 539 U.S. 558 (2003). Justice Anthony M. Kennedy, writing for the majority, posed in this way the central question of the case: “whether [the defendants] were free as adults to engage in the private conduct in the exercise of their liberty under the Due Process Clause….” After reviewing the high Court’s own post-Hardwick privacy rulings, and taking an unprecedented account of foreign judgments, the majority concluded that the Constitution did and should protect such activity among consenting adults. Though primary emphasis rested on due process and equal protection, the Court did stress a strong privacy interest as well: “The [defendants] are entitled to respect for their private lives. The State cannot demean their existence or control their destiny by making their private sexual conduct a crime.” The majority quoted a passage from one of the earlier abortion-rights cases, recognizing “that there is a realm of personal liberty which the government may not enter,” and concluded that “the Texas statute furthers no legitimate state interest which can justify its intrusion into the personal and private life of the individual.”

Not every recent ruling has favored privacy claims, however. A few years ago, the Court declined in Washington v. Glucksberg, 521 U.S. 702 (1997), to find in the due process clause a privacy interest sufficient to invalidate state laws that ban assisted suicide—a ruling that was actually consistent with the high Court’s earlier refusal in Cruzan v. Missouri Health Dep’t, 497 U.S. 261 (1990), to order the removal (pursuant to parental pleas) of life support from a vegetative accident victim.

4.2 COMMON LAW AND PRIVACY TORTS

The modern quest for recognition of such a right of privacy is often traced to a seminal Harvard Law Review article, published in 1890 by a young Louis D. Brandeis and his senior partner Samuel Warren.5 The article reflected growing concern about unwelcome and intrusive media publicity about the private lives of the rich and famous (notably the newspaper publication of sensitive guest lists for social events hosted by the Warrens). The thesis of the piece was that courts should be more receptive to claims of privacy, and should develop “a right to an inviolate personality.”

Today, common law regarding privacy is formulated in terms of a set of four privacy torts for which legal recourse may be appropriate—although when the threat is created by a publisher, broadcaster, or other entity protected by the First Amendment, courts will not always grant relief to the person whose privacy has been compromised. First articulated by William Prosser,6 these torts include:

  • Intrusion—Objectionable intrusion into the private affairs or seclusion of an individual. The intrusion may be physical or electronic and is oriented toward improper information gathering. For example, watching someone urinating in a bathroom stall—whether through a peephole or using a video camera—is likely such an intrusion. Intrusion would generally not be applicable when someone is seen or photographed in public, although certain exceptions can be easily imagined (e.g., an out-of-visual-band camera that could generate realistic images of human bodies underneath clothing or “up-skirt” cameras embedded in the sidewalk).

  • Public disclosure of private facts—Publication of personal information that a reasonable person would object to having made public. The information must be both true and reasonably construable as private (e.g., a person’s height would be less private than an account of his sexual past). In addition, the disclosure must be public—disclosure to a small number of people or those with a legitimate need to know does not count as public. Disclosure in the form of a movie that reveals someone by name is public; discussion among a group of acquaintances is not. Finally, the disclosure must not be newsworthy—thus making publication about the private lives of celebrities fair game. In an information age context, publication of a non-celebrity’s personal information on a publicly accessible Web page is largely uncharted territory.

5 Samuel Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review 4(5):193, 1890.

6 William L. Prosser, “Privacy,” California Law Review 48:383, 1960. The discussion in this section draws on Joey Senat, “4 Common Law Privacy Torts,” 2000, an online study reference, available at http://www.cas.okstate.edu/jb/faculty/senat/jb3163/privacytorts.html; “The Privacy Torts: How U.S. State Law Quietly Leads the Way in Privacy Protection,” a special report issued by Privacilla.org, July 2002, available at http://www.privacilla.org/releases/Torts_Report.html; and National Research Council, Who Goes There? Authentication Through the Lens of Privacy, Stephen T. Kent and Lynette I. Millett, eds., The National Academies Press, Washington, D.C., 2003.

  • Misappropriation of name or likeness—Unauthorized use of an individual’s picture or name for commercial advantage. The misappropriation tort applies if and when a person’s name, likeness, or identity is used without his or her permission for trade or advertising purposes. The misappropriation tort relates to information privacy, but only insofar as it deals with a particular kind of use of a certain kind of personal information.

  • False light—Publication of objectionable, false information about an individual. The intent of this tort is to protect people against being cast in a false light in the public eye. For example, this tort would apply when someone’s photograph is publicly exhibited in a way or a context that creates negative inferences about him. The false light tort has been found applicable when people have been wrongly associated with juvenile delinquents or drug dealing, for example. Of the four privacy torts, the false light tort is least applicable to informational privacy, since it deals with false information.

The 1964 Restatement of the Law of Torts (a clarification and compilation of the law by the American Law Institute) adopted the Prosser framework.7 Together, these torts provide a basis for privacy suits against the disclosure, without consent, of embarrassing false information about a person, or of intimate details or images from a person’s private life, or unauthorized use for profit or commercial gain of an individual’s image, likeness, voice, or reputation.

As a matter of practice, these privacy torts have not been used much to protect the information-age privacy of individuals. However, the principles behind these torts are useful reminders of some of the interests that privacy is designed to protect against—intrusion into personal affairs and disclosure of sensitive personal information, among others.

As a historical matter, the Warren-Brandeis article may not fully deserve the credit it usually draws. Fully a decade earlier, Judge Thomas Cooley had written in his Treatise on the Law of Torts that “the right to one’s person may be said to be a right of complete immunity: to be let alone.”8 Although Cooley seems to have been more focused on physical than psychological intrusion, the phrase that he used first gave momentum to the quest for broader protection. Warren and Brandeis, in fact, fashioned an analogy between the legal basis for physical privacy (well established in British case law) and the emerging and more subtle value of protection for feelings, personal dignity and the like, for which they would invoke the new doctrine championed in their article.

7 American Law Institute, Restatement of the Law of Torts, Philadelphia, 1964.

The impact of the Warren-Brandeis thesis, well over a century later, is still not easily assessed. On the one hand, nearly every state has adopted statutory protection for privacy claims that extend well beyond the physical sanctity of the home and office; at last count, North Dakota and Wyoming were the only holdouts. On the other hand, the degree to which the Warren-Brandeis view really has gained legal acceptance remains far less uniform.

The most recent Restatement of the Law of Torts, issued in 1977, recognized a cause of action for unconsented “public disclosure of private facts” but qualified that recognition by noting, for example, that “while [a person] is walking on the public highway, there can be no liability for observing him or even taking his photograph.”9

Nonetheless, another comment to the 1977 Restatement posits that publishing “without consent, a picture of [the subject nursing her child]” would be actionable even if taken in a public place. In short, there is uncertainty and substantial ambivalence on the precise contours of this legal claim. Scholars, too, have remained ambivalent. In the mid-1960s, Harry Kalven asked rhetorically (in the title of an article on just this subject), “Were Warren and Brandeis Wrong?,” concluding that we are probably better off today because their plea for broad protection of privacy never has been fully embraced by the courts.

4.3 FREEDOM OF INFORMATION/OPEN GOVERNMENT

Freedom of information has been and remains in this country a creature of statute and not of constitutional right. Save for a few situations (notably the criminal trial) where courts have recognized a First Amendment claim of access, obtaining government information or covering sensitive proceedings remains subject to the will of that government which controls the data or the site. Since 1965, at the federal level, the Freedom of Information Act (FOIA) has been the vital basis for access claims, many of which have been litigated with varying results.

8 Thomas Cooley, A Treatise on the Law of Torts or the Wrongs Which Arise Independent of Contract, Callaghan, Chicago, 1879.

9 American Law Institute, Restatement of the Law of Torts, 2nd Edition, Philadelphia, 1977, pp. 379-380.

Among the nine statutory exemptions to a citizen’s right of access under FOIA, those most likely to precipitate privacy tensions are Exemptions 6 and 7c. The first of these relates to information such as personnel and medical files, the disclosure of which would “constitute a clearly unwarranted invasion of personal privacy.” Exemption 7c excludes records or information compiled for law enforcement purposes, “but only to the extent that the production of such [materials] … could reasonably be expected to constitute an unwarranted invasion of personal privacy.”

In the major decision construing and applying Exemption 7c, United States Department of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749 (1989), the Supreme Court noted the need, under the statute, to balance the interests of openness and accountability against the statutory recognition of individual privacy. The justices unanimously rejected claims of access to a suspect’s rap sheet, noting the vital distinction (in FOIA) between the statute’s “purpose to ensure that the Government’s activities be opened to the sharp eye of public scrutiny” and the contrasting claim that “information about private citizens that happens to be in the warehouse of the Government be so disclosed.”

But in a case that eventually led to extensive revelations of truly chilling law enforcement activity in the 1960s, a federal appeals court ruled in Rosenfeld v. Department of Justice, 57 F.3d 803 (9th Cir. 1995), that Exemption 7 would not justify withholding FBI documents pertaining to investigations of faculty and students at Berkeley during the Vietnam War era, the court noting that the FBI had no legitimate law enforcement interest in its probe of the Free Speech Movement and thus could not invoke a valid privacy interest to resist disclosure.

Tensions between privacy and access arise occasionally in a very different context. The Supreme Court has twice in recent years resolved those debates in favor of the privacy interest. California law, in the interests of privacy, limited to certain groups ready access to records including the addresses of persons arrested on driving charges. Commercial enterprises were excluded from the access pathway and challenged the restriction through the state courts to the U.S. Supreme Court. The justices, in Los Angeles Police Department v. United Reporting Publishing Co., 528 U.S. 32 (1999), rejected, at the least, the challenge brought forward by the proprietary data seekers, leaving open the possibility of a future attack on the statute as it had been applied.

Finally, in the aftermath of the September 11, 2001, attacks, regulations binding on federal agencies have been promulgated to reduce the amount of information available through the Freedom of Information Act. Specifically, in October 2001, Attorney General John Ashcroft promulgated a memorandum throughout the executive branch that established a “sound legal basis” standard for governing the Department of Justice’s decisions on whether to defend agency actions under FOIA when they are challenged in court. That is, the Department of Justice would defend all decisions to withhold information under FOIA “unless they lack a sound legal basis or present an unwarranted risk of adverse impact on the ability of other agencies to protect other important records.” This new standard replaced the “foreseeable harm” standard employed under previous guidance, under which the department would defend a decision to withhold information only in those cases where the agency reasonably foresees that disclosure would be harmful to an interest protected by that exemption.

4.3.1
Federal Laws Relevant to Individual Privacy

Over the past three decades, many federal laws have been enacted to protect individual privacy.10 Often they have responded to growing public awareness of privacy invasions made possible by technology developments.

In commerce, one of the most important pieces of legislation with privacy impact is the FTC Act (15 U.S.C. 41-58, as amended), enacted by the U.S. Congress in 1914. The FTC Act established the Federal Trade Commission and charges it with, among other things, protecting the public from unfair and deceptive trade practices.

In recent years, the FTC has brought a number of cases to enforce the promises in statements of privacy policy, including promises about the security of consumers’ personal information, and to challenge practices that cause substantial consumer injury. These cases include actions against companies with faulty information security practices that allow sensitive customer data to be exposed to unauthorized parties (a typical settlement might require the offending company to implement a comprehensive information security program and to obtain audits by independent third-party security professionals every other year for 20 years) and companies that use collected data in a manner inconsistent with their stated policies (a typical settlement agreement might require the offending company to forego monetary gains from its improper use and to agree to not engage in such improper use in the future).

10

Many of the thumbnail descriptions of the laws in this section draw heavily on a description of laws related to information law and privacy prepared by the John Marshall Law School, “Information Law and Policy: Existing U.S. Information-related Law,” 2000, available at http://www.citpl.org/infolaw/spring2000/law.html.

In addition, in late 2005 and early 2006, the FTC used its authority to hold companies liable for having insufficient security measures in place to protect customer information. At least two cases have been brought against companies on this basis, both of which resulted in consent agreements to obtain security audits and be subject to FTC oversight of their security practices.11 A complete listing of cases undertaken by the FTC can be found on the FTC Web site.12

In the financial area, Congress has enacted several bills that relate to privacy. Some are intended to enhance individual privacy, and some detract from it.

  • The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681 (1970), broadly regulates the consumer reporting agencies in the interest of protecting the confidentiality and privacy rights of the consumer. The FCRA requires credit investigations and reporting agencies to make their records available to the subjects of the records, provides procedures for correcting information, and permits disclosure only to authorized customers.

  • The Bank Secrecy Act, 31 U.S.C. 5311-5355 (1970), was designed to aid the federal government in detecting illegal activity through tracking certain monetary transactions, and it requires financial institutions to file reports of certain kinds of cash transactions and to keep records on other kinds of transactions for which no record-keeping or filing requirements previously existed.

  • The Right to Financial Privacy Act (RFPA), 12 U.S.C. 3401 et seq. (1978), provides some confidentiality for the financial records of depositors by governing the transfer of financial records. In general, the act prohibits banks from disclosing client payment information to the government without a court order or other formal request. In some instances, the consumer has the right to challenge the request.

  • The Consumer Credit Reporting Reform Act, 15 U.S.C. 1681-1681t (1997), helps to close some of the loopholes found in the FCRA. The act narrows the broad “legitimate need” purpose for which credit reports can be disseminated. Consumer credit reports cannot be furnished for employment purposes except if the employer certifies that the employee has consented in writing.

  • The Gramm-Leach-Bliley Act (1999) requires financial institutions to notify consumers of their privacy policies and gives them the opportunity to prevent disclosure of nonpublic personal information about them to nonaffiliated third parties. It also makes the practice of “pretexting” unlawful (i.e., seeking financial information under the pretext of being the customer). See Section 6.3 for more on the Gramm-Leach-Bliley Act.

11

The FTC identified six practices that contribute to a judgment that security practices were insufficient: storing sensitive information in multiple files when the company no longer had a business need to keep the information; failure to encrypt consumer information when it was transmitted or stored on computers in company stores; failure to use readily available security measures to limit access to its computer networks through wireless access points on the networks; storing the information in files that could be easily accessed using a commonly known or default user ID and password; failure to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and failure to employ sufficient measures to detect unauthorized access.

12

See http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.

In the area of electronic communications (including telephone, pager, and computer-based communications), Congress has passed several acts.

  • The Omnibus Crime Control and Safe Streets Act (1968) in Title III sets forth specific requirements for conducting telephone wiretaps. The legislation today is typically known as the Title III Wiretap Act. Under Title III legislation, law enforcement authorities must usually obtain a warrant based on a court’s finding that “there is probable cause [to believe] that an individual is committing, has committed, or is about to commit a particular offense … [and that] normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous.” Only certain federal crimes may be investigated under Title III authority (e.g., murder, kidnapping, child molestation, racketeering, narcotics offenses), and Title III also has a variety of provisions that minimize the intrusiveness of the wiretap on telephonic communications that are unrelated to the offense being investigated, provide for civil and criminal penalties for law enforcement officials or private citizens who violate its provisions, and allow the suppression of evidence obtained in violation of the central features of Title III requirements, even if such evidence meets the relevant Fourth Amendment tests.

  • The Foreign Intelligence Surveillance Act (1978), enacted as a reaction to an asserted executive branch authority to conduct wiretaps without restriction in intelligence matters, establishes mechanisms through which court-approved legal authority for obtaining a wiretap can be granted. Passed at the time with strong support from the American Civil Liberties Union, the extent of this law’s reach is now being challenged, as discussed in Chapter 9.

  • The Cable Communications Policy Act, 47 U.S.C. 551 (1984), requires cable services to inform their customers of the nature of personally identifiable information and the use of that information, and also places restrictions on the cable services’ collection and disclosure of information. Significantly, it requires that cable operators utilize fair information procedures and that they not disclose identifiable information, including viewer choices or retail transactions, without written or electronic consent. Subscribers are given the right to limit disclosure of name and address for mail solicitation purposes and have a right of accuracy and correction. However, restrictions in this act on disclosure of information related to the cable provision of communications services such as voice-over-IP phone service were substantially relaxed by the USA PATRIOT Act in response to law enforcement requests for information.

  • The Electronic Communications Privacy Act (ECPA), 18 U.S.C. 2510-2520, 2701-2709 (1986), amends the Title III Wiretap Act. ECPA extends the coverage of Title III to new forms of voice, data, and video communications including cellular phones, electronic mail, computer transmissions, and voice and display pagers.

  • The Telephone Consumer Protection Act (1991) protects the consumer’s right to be left alone by authorizing the FCC to require telemarketers to create and maintain lists of consumers who do not wish to be called (do not call lists). The law also protects consumers from some forms of marketing by banning the use of unsolicited prerecorded telephone calls, and unsolicited advertisements by fax.

  • The Communications Assistance for Law Enforcement Act (CALEA; 1994) requires telecommunications carriers to expeditiously isolate and enable the government to surreptitiously intercept all wire and electronic communications in the carrier’s control to or from the equipment, facilities, or services of a subscriber, in real time or at any later time acceptable to the government. CALEA covers telephone communications carried over traditional circuit-switched networks, but it provides an exemption for “information service providers” unless they are providing services that are “a replacement for a substantial portion of the local telephone exchange service” as determined by the FCC. In May 2006, the FCC determined that voice-over-IP providers were indeed subject to the requirements of CALEA.13

  • The Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. 6101-6108 (1994), places constraints on telemarketing calls, especially those made by autodialers, and also forbids telemarketing conducted in a pattern that is abusive of consumers’ privacy.

  • The Telecommunications Act, 47 U.S.C. 222 (1996), was a major overhaul of telecommunications law. Certain provisions impose restrictions on the use of automated phone dialing systems, artificial or prerecorded voice messages, and fax machines to send unsolicited advertisements. Where calling information (which might be regarded as sensitive personal information) is obtained by one telecommunications carrier from another, the Telecommunications Act stipulates that the sole purpose must be the provision of communications service or ancillary purposes necessary to or used in the provision of such services, including the publishing of directories.

In the area of information contained in government records, Congress has passed several acts.

  • The Freedom of Information Act (1996) establishes a presumption that records in the possession of agencies and departments of the executive branch of the U.S. government are accessible to the people. Federal agencies are required to disclose records upon receiving a written request for them, except for those records that are protected from disclosure by any of the nine exemptions or three exclusions of FOIA. This right of access is enforceable in court. In 1996, Congress passed the Electronic Freedom of Information Act (E-FOIA) Amendments, which provided for public access to information in an electronic format and for the establishment of electronic FOIA reading rooms through agency FOIA sites on the Internet.

  • The Privacy Act of 1974, 5 U.S.C. 552a, provides safeguards against an invasion of privacy through the misuse of records by federal agencies. In general, the act allows a citizen to learn how records are collected, maintained, used, and disseminated by the federal government. The act also permits an individual to gain access to most personal information maintained by federal agencies and to seek amendment of any inaccurate, incomplete, untimely, or irrelevant information. Note that the Privacy Act is concerned primarily with systems of records rather than data accrued from networks.

  • The Driver’s Privacy Protection Act of 1994, 18 U.S.C. 2721, was passed subsequent to the stalking and murder of actress Rebecca Schaeffer by a fan who allegedly retrieved her name and address from a motor vehicle department. The act, which became effective in 1997, prohibits state Departments of Motor Vehicles and their employees from releasing “personal information” from a driver’s record unless the request fits within 1 of 14 exemptions. As originally passed, it also required state motor vehicle departments to provide a citizen an opt-out means of prohibiting the disclosure of certain personal information to other individuals, although businesses could still receive such information for certain specified purposes. The act was subsequently amended to require opt-in consent for disclosure of personal information to other individuals, and also for the disclosure of “highly restricted personal information” (an individual’s photograph or image, Social Security number, or medical or disability information) for almost all purposes.

  • Megan’s Law, 42 U.S.C. 14071 (1999), obligates states to require prison officials or courts to inform convicted sex offenders of their obligation to register with state law enforcement authorities and to re-register if they move to another state. The state agencies in turn are to inform local law enforcement authorities, typically the local police department, of convicted sex offenders who reside in their jurisdiction. The state law enforcement agencies are also required to inform the FBI about the whereabouts of convicted sex offenders. (In many cases, states have gone farther in requiring the publishing of the addresses of sex offenders so that the communities in which they reside will be alerted to their presence.)

Also, a number of federal laws require the attorney general to promulgate regulations for access to criminal history and incarceration records of individuals. These regulations, 28 C.F.R. 20, are intended to ensure the accuracy, completeness, currency, integrity, and security of such information and to protect individual privacy.

In 1996 Congress passed a major piece of health care legislation called the Health Insurance Portability and Accountability Act (HIPAA). Among its privacy provisions, it mandates regulations to protect the confidentiality of individually identifiable health information and is further discussed in Chapter 7.

In 2001, Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, and in 2006, a number of amendments to the act. In general, the USA PATRIOT Act and subsequent amendments lower some of the barriers to conducting surveillance in the United States for national security or foreign intelligence purposes, provide the U.S. intelligence community with greater access to information uncovered during criminal investigations, and encourage cooperation between law enforcement and foreign intelligence investigators. The USA PATRIOT Act also lessens certain restrictions on criminal investigations, such as delayed notification of physical searches executed pursuant to a search warrant under some circumstances and court-enabled access to otherwise-protected educational records in terrorism cases. Finally, the USA PATRIOT Act creates judicial oversight for e-mail monitoring and grand jury disclosures.14

14

This discussion is based on Charles Doyle, The USA PATRIOT Act: A Legal Analysis, Order Code RL31377, Congressional Research Service, Washington, D.C., April 15, 2002, available at http://www.fas.org/irp/crs/RL31377.pdf; and Brian T. Yeh and Charles Doyle, USA PATRIOT Improvement and Reauthorization Act of 2005: A Legal Analysis, Order Code RL33332, Congressional Research Service, Washington, D.C., March 24, 2006, available at http://www.fas.org/sgp/crs/intel/RL33332.pdf.

A host of miscellaneous privacy protection acts have also been passed in the last 30 years.

  • The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g (1974), regulates institutions that receive public funds. The act requires educational institutions to grant students, or parents of students, access to student records, establishes procedures to challenge and correct information, and limits disclosure to third parties. Section 6.2 discusses the impact of this legislation. Section 5.1 addresses FERPA’s origins.

  • The Computer Fraud and Abuse Act, 18 U.S.C. 1030, was originally passed in 1986 and subsequently amended in 1994, 1996, and 2001 to criminalize certain computer “hacking” activities, such as intentionally accessing a computer without authorization to obtain information contained in a financial record of a financial institution, information from any department or agency of the United States, or information from any protected computer if the conduct involves an interstate or foreign communication and knowingly causing damage through the use of a computer. Authorities under this act have been used to protect the privacy and confidentiality of computer-resident information.

  • The Video Privacy Protection Act, 18 U.S.C. 2710, was passed in 1988 in response to actions taken by reporters covering the hearings for Judge Robert Bork’s nomination to the Supreme Court. Reporters were able to gain access to records of the Bork family’s video rentals. Congress deemed this an invasion of privacy and reacted by enacting the Video Privacy Protection Act.

  • The Children’s Online Privacy Protection Act, 15 U.S.C. 6501-6506 (1998), requires the FTC to prescribe regulations to protect the privacy of personal information collected from and about children on the Internet and to provide greater parental control over the collection and use of that information.

  • The Identity Theft and Assumption Deterrence Act, 18 U.S.C. 1028 (1998), addresses the problem of identity theft (Box 4.1). It stipulates that the person whose identity was stolen is a true victim (whereas previously only the credit grantors who suffered monetary losses were considered victims); gives the Secret Service, the FBI, and other law enforcement agencies the authority to investigate this crime; allows the identity theft victim to seek restitution if there is a conviction; and establishes the FTC as a central agency to act as a clearinghouse for complaints, referrals, and resources for assistance for victims of identity theft.

  • The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act), 15 U.S.C. 7701-7713 (2003), applies to unsolicited commercial e-mail. In such e-mails, the act bans false or misleading header information (e.g., false “From” information) and deceptive subject lines, requires that recipients be given a method for opting out of receiv-

BOX 4.1

Identity Theft

Identity theft or fraud is a major and growing concern in the information age. In 1998, it was made a federal crime under the Identity Theft and Assumption Deterrence Act. The crime consists of stealing key pieces of another’s personal information such as Social Security, credit card, or bank account numbers, and using that information to obtain credit or purchase goods or services.

In the typical case, the thief uses the personal information to open a new credit card account, cellular phone service, or new checking account (with new blank checks). Or the thief uses a stolen account number to gain access to the account, and then changes the address on the account and runs up a huge bill before the account owner discovers what has happened.

The injury to consumers is considerable, even though much of the ultimate financial loss falls on financial institutions. The injury to consumer victims takes many forms, including the significant amount of time and frustration involved in tracking down the extent of the theft, and reporting it to all the various institutions that must be notified, such as credit card issuers, banks, lenders, credit reporting agencies, and so on. Injury can also take the form of lost credit, insurance, and even jobs and driver’s licenses, before victims are able to correct their financial records.

Identity theft also has implications for national security. For example, Dennis M. Lormel, chief of the FBI’s Terrorist Financial Review Group, testified on July 9, 2002, before the Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information:1

The threat [of identity theft] is made graver by the fact that terrorists have long utilized identity theft as well as Social Security Number fraud to enable them to obtain such things as cover employment and access to secure locations. These and similar means can be utilized by terrorists to obtain Driver’s Licenses, and bank and credit card accounts through which terrorism financing is facilitated. Terrorists and terrorist groups require funding to perpetrate their terrorist agendas. The methods used to finance terrorism range from the highly sophisticated to the most basic. There is virtually no financing method that has not at some level been exploited by these groups. Identity theft is a key catalyst fueling many of these methods.

For example, an Al-Qaeda terrorist cell in Spain used stolen credit cards in fictitious sales scams and for numerous other purchases for the cell. They kept purchases below amounts where identification would be presented. They also used stolen telephone and credit cards for communications back to Pakistan, Afghanistan, Lebanon, etc. Extensive use of false passports and travel documents were used to open bank accounts where money for the Mujahadin movement was sent to and from countries such as Pakistan, Afghanistan, etc.

Identity thieves obtain information in a variety of ways. Often old-fashioned techniques are used, e.g., retrieving numbers from paperwork in trash bins (“dumpster diving”) and observing numbers entered by consumers at ATMs, pay telephones, or on forms at bank counters (“shoulder surfing”). These techniques seem more common than more sophisticated methods, such as hacking into databases on the Internet.

But modern information technology facilitates identity theft on a large scale. For example, 8 of the 36 incidents of large-scale compromise of personal information reported by the Identity Theft Resource Center2 involved the theft of computers containing personal information. In other cases, the compromise of personal information arises from unauthorized break-ins into databases containing such information or the loss or theft of tapes and other storage media with such information in unencrypted form.3

The Internet is also increasingly important in facilitating the use of illicitly acquired information, since online transactions require no personal interaction. The speed of the Internet also allows thieves to engage in large numbers of transactions in a very short period of time, thus increasing the losses that result from identity theft. For example, in November 2005 six men who administered and operated the “Shadowcrew.com” Web site—one of the largest online centers for trafficking in stolen credit and bank card numbers and identity information—pleaded guilty to charges of conspiracy to commit credit and bank card fraud, as well as identification document fraud.

Some have argued that identity theft is more accurately described as a financial crime than as a privacy problem. They argue that solutions should focus on stopping the behavior of wrongdoers, and express concern about solutions that might have the effect of limiting the availability of information.

But stopping wrongdoers is a real challenge. The thieves are difficult to identify and locate; often consumers do not know how their information was stolen and remain unaware of the theft for some time (on average from 6 months to a year). Notification of consumers does help, but in some instances, the notification is accompanied by an offer of a year of free credit monitoring, and to obtain this service consumers have to provide personal information as an authenticating mechanism to prove who they are. This approach thus opens yet another mechanism for identity theft—a forged letter or e-mail from identity thieves notifying consumers of a purported compromise of personal information. Finally, such crimes may not be a high priority for federal or local prosecutors. While the Federal Trade Commission (which receives the complaints and refers cases to law enforcement agencies) reports that prosecutions have increased, criminal law enforcement can never be expected to address more than a small percentage of the cases.

Private sector solutions offer an alternative to law and regulation for reducing the impact of identification theft. Financial institutions, which bear the considerable financial loss from identity theft, have considerable incentive and capacity to find effective tools for detecting fraud and preventing the misuse of stolen information.

Consumer education is also part of the solution. And increasingly, word is getting out through government and private sector initiatives on how consumers can prevent their information from being stolen.

It is too soon to tell whether all these efforts will put a real dent in identity theft. The Federal Trade Commission’s call center reports continuing increases in the number of complaints. While these numbers no doubt reflect greater consumer awareness of the problem and the toll free number, they also suggest a growing problem and the considerable challenge ahead.

2 See http://www.idtheftcenter.org/breaches.pdf.

3 See, for example, http://www.consumersunion.org/campaigns//learn_more/002232indiv.html. In a quite recent—and large-scale—incident, Social Security numbers and other personal information for as much as 80 percent of the U.S. active-duty military force were among the unencrypted data stolen from the home of a Department of Veterans Affairs analyst in May 2006. See Ann Scott Tyson and Christopher Lee, “Data Theft Affected Most in Military: National Security Concerns Raised,” Washington Post, June 7, 2006, p. A01.

ing further communications, and requires that the e-mail is identified as an advertisement and includes the sender’s valid physical postal address. The act also gives the FTC the authority to enforce it, and the Department of Justice the authority to enforce its criminal sanctions.

  • The Real ID Act (2005) requires federal agencies to accept drivers’ licenses or personal identification cards as identification after May 11, 2008, only if these documents meet certain federal standards. These documents must include, at a minimum, a person’s full legal name, date of birth, gender, driver’s license or personal ID card number, digital photograph, address of legal residence, and signature; physical security features designed to prevent tampering, counterfeiting, or duplication for fraudulent purposes; and a common machine-readable format for defined data elements. In addition, states must require the presentation and verification of a photo identity document (except that a non-photo identity document is acceptable if it includes both the person’s full legal name and date of birth), documentation showing the person’s date of birth, proof of the person’s Social Security number (SSN) or verification that the person is not eligible for an SSN, and documentation showing the person’s name and address of principal residence. States are also required to provide to all other states electronic access to information contained in the motor vehicle database of the state.

4.3.2
Federal Laws Relevant to Confidentiality

A number of federal laws protect the confidentiality of personal information collected by the statistical agencies of the United States. For example, the Census Bureau collects detailed personal information on most Americans every decade. Such information includes but is not limited to income, housing situation and living arrangements, employment, and ethnicity. These data, collected via survey, are protected by the provisions of Title 13, Section 9, which prohibits dissemination of such data in a manner that allows identification of the respondent. This prohibition applies to individuals who have not been sworn as agents of the census. In addition, the Census Bureau is explicitly prohibited from using survey information in any way apart from statistical purposes. Survey information may also not be used as legal evidence.

A second relevant law is the Confidential Information Protection and Statistical Efficiency Act (CIPSEA), passed as Title V of the E-Government Act of 2002. CIPSEA strengthens and extends confidentiality protection for all statistical data collections of the U.S. government. If data are furnished by individuals or organizations to an agency under a pledge of confidentiality for exclusively statistical purposes, CIPSEA provides that the data will be used only for statistical purposes and will not be disclosed in identifiable form to anyone not authorized by the title. Data covered under CIPSEA are also not subject to release under a Freedom of Information Act request.

A third example (and there are still others) is the confidentiality of information collected for public health purposes, specified by Section 308(d) of the Public Health Service Act (42 U.S.C. 242m). This section requires that the information collected can be used only for the stated purposes unless consent for another purpose is obtained.

Note also that laws protecting the confidentiality of personal information can be, and have been, altered to allow uses other than the one for which such information was originally collected. For example, the USA PATRIOT Act amended the National Education Statistics Act of 1994 to allow the U.S. attorney general or assistant attorney general to submit a written application to a court of competent jurisdiction for an ex parte order to collect reports, records, and information from the National Center for Education Statistics (NCES), all of which may have been collected under the confidentiality guarantee, if they are related to investigations and prosecutions of terrorism.

4.3.3
Regulation

Regulations related to privacy are extensive and too voluminous to recap fully in this report. At the federal level, most privacy statutes are implemented through rule making. The U.S. Congress passes legislation that lays out the general issues and principles in question, but leaves to a regulating agency the responsibility of working out the details of how that legislation will be implemented. The agency proposes the regulations, invites public comment on the proposal, and issues the final regulation, which can be challenged in court. Once promulgated, regulation has the force of law. Enforcement actions may be taken for violations of regulations, often resulting in a consent decree, in which a company agrees to take actions to ensure that the offending behavior will not be repeated. Typically, consent decrees are enforceable in federal courts.

Although many agencies have regulatory authority, the Federal Trade Commission has played a key role in enforcing regulations related to information-age privacy and has some authority to promulgate regulations as well. For example, the FTC states,

Privacy is a central element of the FTC’s consumer protection mission. In recent years, advances in computer technology have made it possible for detailed information about people to be compiled and shared more easily and cheaply than ever…. At the same time, as personal information becomes more accessible, each of us—companies, associations, government agencies, and consumers—must take precautions to protect against the misuse of our information.

Under a number of statutory provisions (including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, and the Children’s Online Privacy Protection Act), the FTC—often jointly with other regulatory agencies—has issued a variety of regulations that relate to privacy.

  • Under the Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999 and codified at 15 U.S.C. 6801-6809 and 6821-6827), the FTC has issued regulations (16 C.F.R. Part 313) to ensure that financial institutions protect the privacy of consumers’ personal financial information.15 The main privacy protection provision is the Financial Privacy Rule, which governs the collection and disclosure of customers’ personal financial information by financial institutions.16 In brief, the Financial Privacy Rule requires covered institutions to give consumers privacy notices that explain the institutions’ information-sharing practices, gives consumers the right to limit certain types of sharing of their financial information on an opt-out basis, and puts some limits on how anyone receiving nonpublic personal information from a financial institution can use or re-disclose the information.

    In addition, the FTC has also promulgated the Safeguards Rule, which requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information. Such a plan has administrative, technical, and physical information safeguards, and is intended to protect against any unauthorized access that might harm the consumer. Finally, other provisions of the Gramm-Leach-Bliley Act also affect how a company conducts business, such as a prohibition on financial institutions disclosing customers’ account numbers to non-affiliated companies for marketing purposes.

15

“Financial institutions” include banks, securities firms, insurance companies, and other companies providing certain types of financial products and services to consumers, including lending, brokering, or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts, and an array of other activities.

16

See Federal Trade Commission, “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act,” available at http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm.

  • Under Section 114 of the Fair and Accurate Credit Transactions Act of 2003, the FTC (in cooperation with the federal agencies regulating financial services, such as the Securities and Exchange Commission and the Commodity Futures Trading Commission, and the National Credit Union Administration) promulgated regulations specifying procedures under which financial institutions would protect account holders from identity theft. Section 151 directed these agencies to jointly develop a summary of the rights of identity theft victims that would be made available to all such victims. Regulations issued under Section 211 established a single source through which a consumer could obtain a free credit report. Section 216 directed these agencies and the Securities and Exchange Commission to promulgate regulations for the disposal of consumer report information and records, whether they are stored in electronic or paper form. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, and medical history.

  • Under the Children’s Online Privacy Protection Act (15 U.S.C. 6501-6506), the FTC is responsible for promulgating regulations (16 C.F.R. Part 312) implementing the protections of the act. These protections require that operators of commercial Web sites and online services directed to collect or knowingly collecting personal information from children under 13 must (1) notify parents of their information practices; (2) obtain verifiable parental consent before collecting a child’s personal information; (3) give parents a choice as to whether their child’s information will be disclosed to third parties; (4) provide parents access to their child’s information; (5) let parents prevent further use of collected information; (6) not require a child to provide more information than is reasonably necessary to participate in an activity; and (7) maintain the confidentiality, security, and integrity of the information.

The rule-making authority of the FTC described above illustrates a common relationship between statutory authority and regulation. The U.S. Congress passes legislation that lays out the general issues and principles in question, but leaves it to a regulating agency to work out the details of how that legislation should be implemented. But this relationship is not the only possible one, and in some instances, Congress has delegated extremely broad regulatory authority to an agency, thus making it the primary source of guidance on a major privacy-related topic.

A good example of this phenomenon is apparent in the privacy-protecting regulations of the Health Insurance Portability and Accountability Act of 1996. Legislators understood very well that the privacy of personal health information was a central issue for health insurance portability, but they were unable to reach agreement on the nature and scope of the appropriate privacy protections. Thus, Section 264 of HIPAA directed the secretary of the Department of Health and Human Services (DHHS) to promulgate regulations on appropriate privacy standards (covering at least the rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized or required) if the U.S. Congress did not pass appropriate privacy legislation within 3 years of HIPAA’s enactment. This is indeed what happened, and the final privacy rule was published in the Federal Register (65 FR 82462) on December 28, 2000. On August 14, 2002, the Final Modifications to the Privacy Rule were published in the Federal Register.17

In short, Congress anticipated its possible inability to reach agreement on the contentious issue of health care privacy, and delegated to the DHHS secretary the regulatory authority to act in its stead.

4.4
EXECUTIVE ORDERS AND PRESIDENTIAL DIRECTIVES

As the chief executive, the president of the United States has considerable latitude to direct the activities of various executive branch agencies. Some directives or executive orders have a bearing on privacy, as illustrated below.

One example is Executive Order 13145, issued on February 8, 2000. This executive order prohibits the federal government and its agencies from using genetic testing in any employment decision, and specifically forbids federal employers from requesting or requiring that employees undergo genetic tests of any kind. In addition, it forbids federal employers from using genetic information to classify employees in such a way that deprives them of advancement opportunities, such as promotion for overseas posts.

A second example is Executive Order 13181, issued on December 20, 2000. This executive order declared as the policy of the government of the United States that law enforcement may not use protected health information concerning an individual that is discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations of a non-health oversight matter, except when the balance of relevant factors weighs clearly in favor of its use.

17

For more information, see U.S. Department of Health and Human Services, “Medical Privacy—National Standards to Protect the Privacy of Personal Health Information: Background and General Information,” available at http://www.hhs.gov/ocr/hipaa/bkgrnd.html.

A third example is a presidential order issued in 2002 that authorized the U.S. National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity under certain circumstances without the court-approved warrants ordinarily required for domestic wiretapping.18 This presidential order is still classified.

Orders and directives such as these clearly have a potential for affecting the privacy interests of Americans. But it is important to note that they are limited in at least three important ways.

  • Though they are authoritative statements of presidential direction, their implementation must be consistent with existing statutory law.

  • Executive orders have the force of law, but only with respect to executive branch agencies.

  • Executive orders have no direct impact or force on private sector entities, although because they change the behavior of government, they can have considerable indirect impact.

Upon signing a law, presidents often issue a signing statement that is published in the Federal Register and that documents the presidential interpretation of how the law should be construed. Signing statements do not have the force of law, but if a president directs an agency to behave in a manner that is allegedly contravened by the law, or by some other law, only court action can force the agency to cease and desist.

4.5
STATE PERSPECTIVES

As one might expect within a federal system such as the U.S. system, legal protection of privacy varies vastly from state to state—reflecting what are often little more than anecdotal experiences that have triggered legislative safeguards. Table 4.1 indicates the variation in state laws regarding privacy for the first 16 states, listed alphabetically.

Such diversity is not inherently problematic; one recalls Justice Louis Brandeis’s commendation for the role that unusually progressive states might play as “laboratories” for reform and innovation. The problem in regard to privacy protection, however, is the inevitably broad reach across much (if not all) of the nation of especially restrictive measures, and the potentially heavy burdens of compliance for those business entities that serve clients and customers in many states.

18

James Risen and Eric Lichtblau, “Bush Lets U.S. Spy on Callers Without Courts,” New York Times, December 16, 2005.

TABLE 4.1 Privacy Laws by State

| Category | US | AL | AK | AZ | AR | CA | CO | CT | DE | DC | FL | GA | HI | IL | IN | IA | KS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Arrest records | O | X | O | X | O | X | X | X | X | X | X | X | X | X | X | O | O |
| Bank records | X | X | X | O | O | X | O | X | O | O | X | O | O | X | O | X | O |
| Cable TV | X | O | O | O | O | X | O | X | O | X | O | O | O | X | O | O | O |
| Computer crime | X | X | X | X | X | X | X | X | X | O | X | X | X | X | X | X | X |
| Credit | X | O | O | X | O | X | O | X | X | O | X | X | O | O | O | X | X |
| Criminal justice | X | X | X | X | X | X | X | X | X | O | X | X | X | X | X | X | X |
| Government data banks | X | X | X | X | O | X | X | X | X | X | X | O | X | X | X | X | X |
| Employment | X | O | X | O | O | X | O | X | X | X | X | O | X | X | O | X | O |
| Insurance | X | O | O | X | O | X | O | X | O | X | X | X | O | X | O | O | X |
| Mailing lists | X | O | O | X | O | X | O | X | X | O | X | O | X | O | X | X | X |
| Medical | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| Miscellaneous | X | O | O | O | O | X | O | X | O | O | X | O | X | X | X | O | O |
| Polygraph results | X | X | X | X | X | X | O | X | X | X | O | X | X | X | O | X | O |
| Privacy statutes | X | O | X | X | O | X | O | O | X | O | X | X | X | X | O | O | O |
| Privileges | O | X | X | O | O | O | X | X | X | O | O | X | O | O | X | O | O |
| School records | X | O | O | X | O | X | X | X | X | O | X | O | O | X | O | X | O |
| Social Security numbers | O | O | O | O | O | O | O | O | O | O | O | O | O | O | O | O | O |
| Tax records | X | O | X | X | O | O | X | O | X | O | O | X | X | O | O | O | X |
| Telephone solicitation | X | O | X | X | X | X | X | X | O | O | X | X | X | X | X | X | X |
| Testing | O | O | O | O | O | O | O | X | O | O | X | O | X | O | O | X | O |
| Wiretaps | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |

a State columns (AL through KS): An X indicates that the state has a privacy law relevant to the category indicated, although it does not indicate how effective or strong the law is. Only the first 16 states (in alphabetical order) are listed.

SOURCE: Data from http://www.epic.org/privacy/consumer/states.html.

Efforts to protect the privacy of sensitive (and even not-so-sensitive) financial data illustrate the problem extremely well. In the mid to late 1990s, North Dakota and Minnesota each enacted uniquely protective measures, ostensibly to shield its own citizens from unwelcome sharing or disclosure of financial information. It soon became apparent to insurance and financial service providers that the need for compliance with this exceptionally protective law went well beyond the state of its origin and initial reach. Since North Dakotans and Minnesotans might well move to other states, while policy holders or customers from elsewhere would move to North Dakota and Minnesota, the costs of bringing the entire national business enterprise into compliance with the strictest standard eventually seemed less onerous than the incalculable costs of confining compliance to residents of the target state. What ensued was a novel kind of reverse Gresham’s law, in which the most rigorous standard eventually shaped the norm, effectively forcing divergent standards to yield by default.

Congress could, of course, achieve uniformity in several ways. In a very few areas—patent, copyright, and admiralty being the most familiar—the Constitution itself makes federal law exclusive and thus completely forestalls any possibility of variant regulation at other levels. But the exclusively federal field is the rarity, and in most regulatory realms power is shared between national and state government until and unless Congress or the federal courts declare otherwise.

The most obvious means of setting a single national standard would be for Congress itself to regulate the activity in question, and in so doing either declare that inconsistent state and local standards were being preempted, or establish that the federal norm was the exclusive mode of regulation, thus precluding even consistent action by state and local government. A less obvious but theoretically possible approach would be for Congress to enter a regulatory area only to the extent necessary to limit or ensure uniformity in the standards that states and localities may set, but without creating its own federal regulatory system—in other words, leaving the actual regulation to other levels of government, but at the same time ensuring a degree of uniformity by setting parameters and boundaries for the exercise of that authority by states and localities.

There is one precedent for such action. In 1999, Congress amended the Driver’s Privacy Protection Act (DPPA) to forbid state departments of motor vehicles and law enforcement officials to sell or otherwise release personal information obtained in connection with any motor vehicle or license record without affirmative opt-in consent. The constitutionality of this law was challenged by a group of states that apparently wished to retain the revenue streams associated with the sale of such data.

In 2000, the U.S. Supreme Court unanimously sustained the constitutionality of this act in Reno v. Condon, 528 U.S. 141 (2000). The DPPA was found to be not only an appropriate exercise of Congress’s power over interstate commerce, but also one that invaded no state powers protected by the Ninth and Tenth Amendments.

The Condon decision was unusual and stands as one among a very few decisions in the Rehnquist Court that sustains an act of Congress imposing obligations on the states or limiting state power. By contrast, during the late 1980s and much of the 1990s the Supreme Court was generally unsympathetic to congressional initiatives in areas of state and local interest and authority. Whereas previous Courts would likely have had little trouble finding federal power under the commerce (or other) clause, the Rehnquist Court rejected on constitutional grounds a number of acts that seemed to be perfectly reasonable and appropriate exercises of federal power. Two such decisions struck down federal laws: one that sought to ensure public school safety by requiring installation of metal detectors, and another that granted relief to women who had been victims of sexual assaults and wished to seek redress in federal courts. In these and a host of other situations in which the Warren Court and even the Burger Court would almost routinely have sustained the power of Congress to act, the Rehnquist Court found federal power lacking under its view of Article I of the Constitution, and deferred to state power under the Ninth and Tenth Amendments. Although the justices were sharply divided in these cases, a clear majority consistently sided with the states throughout this decade.

Thus, the extent to which the Condon decision indicates a willingness of the Supreme Court to uphold congressional preemption of state laws regarding privacy is unknown. And a new chief justice—John Roberts—has been recently sworn in, making predictions about future court action in this domain much more uncertain than they already were.

Finally, it should be noted that state laws can have national impact. The best such example is California’s SB-1386 (sometimes known as the California Security Breach Information Act), which mandated the disclosure of compromises in the security of certain types of personal information. Even though the law ostensibly affected only enterprises operating in California, the fact that many businesses affected by the law have multistate operations has meant that residents of other states have also sometimes been notified when their personal information has been compromised. In addition, the passage of this law has spurred a number of other states to attempt the passage of similar legislation.19 (As this report is being written, Congress is considering a law (H.R. 4127, the Data Accountability and Trust Act) to set uniform standards across the states for disclosure in the event of such breaches; as written, some proposals for this law would reduce notification and disclosure requirements for some states.)

19

For additional discussion, see Eric M. Friedberg and Michael F. McGowan, Lost Backup Tapes, Stolen Laptops and Other Tales of Data Breach Woe, white paper from Stroz Friedberg, LLC, Washington, D.C., June 26, 2006.

4.6
INTERNATIONAL PERSPECTIVES ON PRIVACY POLICY

Interest in and concern about privacy as a legal and a policy matter are certainly not limited to the United States. A review of perspectives on privacy around the world (Appendix B) suggests that the issues usually covered under the rubric of privacy in the United States are also evident in other Western nations, although they tend to be couched in a language that avoids explicit reference to “privacy” or closely related terms. Instead, the term “data protection” seems to have gained broad popularity, especially in Europe and, to a lesser extent, elsewhere, although the term “data privacy” is becoming more prominent. A number of other nations also use terms such as “personal integrity” or “information self-determination.”

U.S. perspectives on privacy rights are shaped by a view that tends to focus primarily on the benefits of such rights for individuals as individuals: individuality, autonomy, dignity, emotional release, self-evaluation, and so on. Although such concerns also characterize the debate in many other nations, the balance and emphases of these other debates are often different. For example, the German jurisprudential perspective emphasizes that the value of data privacy norms lies in their ability to secure the necessary conditions for active citizen participation in public life, in other words, to secure a flourishing democracy, whereas this perspective is arguably underdeveloped in U.S. jurisprudence.

Finally, it is important to note that the United States does not protect privacy as extensively or as comprehensively as some other nations, notably the member states of the European Union. This is best illustrated by the absence of comprehensive data privacy legislation regulating the U.S. private sector and the absence of an independent agency (data protection authority or privacy commissioner) to specifically oversee regulation of data privacy matters. Whether this absence reflects differences in the popular support for privacy in various nations is much less clear. For example, it can be attributable to differences in perceptions of the degree to which privacy is or will be threatened—one might easily argue that the comprehensive nature of European data privacy regulation reflects traumas induced by relatively recent, firsthand experience of totalitarian oppression. Or the U.S. approach might be due to skepticism about the value and appropriateness of government involvement in the social sphere.

4.7
THE IMPACT OF NON-U.S. LAW ON PRIVACY

In an increasingly globalized economy, it might be expected that the laws of foreign nations would have a privacy impact on U.S. citizens and businesses—and this is indeed the case. Two examples will illustrate:

  • In 1998, the European Commission’s Directive on Data Protection went into effect. This directive was intended to prohibit the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection. However, differing approaches of the United States and the European Union to protecting privacy might have hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.20 While some privacy advocates at the time had hoped that the directive would force the United States to move significantly in the direction of the European approach to protecting privacy (i.e., in the direction of comprehensive privacy protection), the United States and the European Union agreed on a “safe harbor” approach.21 Under this approach, any U.S. company may self-certify that it agrees to adhere to the safe harbor’s requirements, which are based in large measure on the fair information practices described in Chapter 1. Enforcement of the safe harbor takes place in the United States in accordance with U.S. law and is carried out primarily by the private sector, backed up as needed by government enforcement of the federal and state statutes prohibiting “unfair and deceptive” trade practices. Companies in certifiable compliance with safe harbor requirements are deemed to meet the European “adequacy” standard.

20

As discussed in Appendix B, the United States protects privacy by relying on a sectoral approach based on a mix of legislation, regulation, and self-regulation. The European Union relies on comprehensive legislation that is, in part, based on the use of government data protection agencies, registration of databases containing personal information with those agencies, and in some instances prior approval of the data subject before any processing of that data may begin.

21

For more information, see http://www.export.gov/safeharbor.

  • In 2004, Yahoo! (more specifically, its Chinese subsidiary) provided Chinese government authorities the computer IP address and other information that was used to link specific e-mail messages to the e-mail account of Shi Tao, a former Chinese journalist. The information—generally regarded as non-public—was used to convict and sentence Tao to 10 years in prison in 2004, for e-mailing groups in the United States about the return of Chinese emigrants for the 15th anniversary of the Tiananmen Square incident.22 More recently, Yahoo! has been accused of releasing information generally regarded as non-public from an online discussion group that led to the conviction of Li Zhi, a former civil servant, in December 2003, who is serving 8 years in prison for the charge of “inciting subversion.”23 Yahoo! has declined to comment on these cases or to disclose how often it provides user information to Chinese authorities. However, Yahoo! has acknowledged that it lacks control over some operations since Yahoo! China merged with Alibaba.com, a Chinese company that holds 60 percent of the company.24

22

Court documents, released by Reporters Without Borders, reveal that the Yahoo! subsidiary in Hong Kong supplied the information to the Chinese authorities revealing the user’s identity. For a translated copy of the court verdict, see http://www.rsf.org/article.php3?id_article=14884.

These examples barely scratch the surface of an extraordinarily complex and ill-defined international policy environment in which non-U.S. organizations and institutions have an impact on U.S. companies and policy. For many years, the Organisation for Economic Co-operation and Development was actively involved in the negotiation of guidelines for the management and protection of personal information that had become a substantial part of the trans-border data flows essential to international trade in information goods and services. Although debates about trade became tangled up within fierce ideological struggles about “cultural imperialism” and the New World Information and Communication Order,25 ideological concerns were replaced to some degree by concerns about market power as the development of a more closely integrated European marketplace was thought to depend on more uniform policies regarding the treatment of personal information.

In order to understand the development of privacy policies at the international level, it is important to understand the interests, strategies, and resources of different sorts of participants in the policy process. Although traditional sources of power and influence such as national governments and representatives from key missions and administrative agencies with interests and responsibility for national security and foreign trade have to be considered along with the more complex interests of transnational firms, it is also important to consider the role of the epistemic community of policy experts who are engaged in the elaboration of new ways of thinking about the international arena.26

23

Hiawatha Bray, “Yahoo Said to Aid China in 2003 Subversion Trial,” Boston Globe, February 9, 2006, available at http://www.boston.com/business/technology/articles/2006/02/09/yahoo_said_to_aid_china_in_2003_subversion_trial/.

24

Eric Schonfeld, “Analysis: Yahoo’s China Problem,” CNNMoney.com, February 8, 2006, available at http://money.cnn.com/2006/02/08/technology/yahoo_china_b20/.

25

Thomas L. McPhail, “Electronic Colonialism: The Future of International Broadcasting and Communication,” Sage Library of Social Research, Revised Second Edition, Vol. 126, Sage Publications, 1987.

26

Jonathan D. Aronson, “The Evolution of Global Networks: The Precarious Balance Between Governments and Markets,” pp. 241-255 in Eli Noam and Alex Wolfson, eds., Globalism and Localism in Telecommunications, Elsevier Science, 1997.

Policy formation at the international level is also characterized by a considerable amount of negotiation, bargaining, and compromise among different stakeholders. Coalitions among business leaders facing similar limitations on their ability to make use of personal information for marketing purposes pooled their resources to support intensive lobbying efforts against the opt-in requirements that seemed likely in the European Union in 1990.27 These business coalitions also sought and received support from their nations’ trade commissions because of a well-placed concern about regulatory threats to the market in data-processing services. Coalitions among regulators were also common.28 Privacy and data protection commissioners met to develop strategies for preserving what they saw as important progress in the protection of privacy.

One result of the participation of so many actors with such varied interests and resources was the development of highly complex policy instruments. Unique and often contradictory policy perspectives continue to challenge policy advocates largely dependent on grants from foundations. Global policies regulating the treatment of personal information as it moves across virtual borders raise important questions about national sovereignty and respect for policies reflecting cultural values and social history.29 The presumed need to identify the location of the jurisdiction from which an order is placed, or is to be delivered, in order to determine whether a particular transaction can be completed within the laws of that region raises a complex set of issues for supporters of autonomous choice.30

27

Priscilla M. Regan, “American Business and the European Data Protection Directive: Lobbying Strategies and Tactics,” pp. 199-216 in Colin Bennett and Rebecca Grant, eds., Visions of Privacy: Policy Choices for the Digital Age, University of Toronto Press, 1999.

28

Colin J. Bennett and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate Publishing, 2003.

29

National Research Council, Global Networks and Local Values: A Comparative Look at Germany and the United States, National Academy Press, Washington, D.C., 2001.

30

Priscilla M. Regan, “‘Dry Counties’ in Cyberspace: Governance and Enforcement Without Geographic Borders,” pp. 257-276 in Thomas Leinbach and Stanley Brunn, eds., Worlds of E-Commerce: Economic, Geographical and Social Dimensions, John Wiley & Sons, 2001.


Privacy is a growing concern in the United States and around the world. The spread of the Internet and the seemingly boundaryless options for collecting, saving, sharing, and comparing information trigger consumer worries. Online practices of business and government agencies may present new ways to compromise privacy, and e-commerce and technologies that make a wide range of personal information available to anyone with a Web browser only begin to hint at the possibilities for inappropriate or unwarranted intrusion into our personal lives. Engaging Privacy and Information Technology in a Digital Age presents a comprehensive and multidisciplinary examination of privacy in the information age. It explores such important questions as how the threats to privacy are evolving, how privacy can be protected, and how society can balance the interests of individuals, businesses, and government in ways that promote privacy reasonably and effectively. This book seeks to raise awareness of the web of connectedness among the actions one takes and the privacy policies that are enacted, and provides a variety of tools and concepts with which debates over privacy can be more fruitfully engaged. Engaging Privacy and Information Technology in a Digital Age focuses on three major components affecting notions, perceptions, and expectations of privacy: technological change, societal shifts, and circumstantial discontinuities. This book will be of special interest to anyone interested in understanding why privacy issues are often so intractable.
