Privacy

On-line Privacy: the Push and Pull of Self-Regulation and Law

by Ann K. Moceyunas

Since the commercialization of the Internet, the issue of privacy and the protection of personal information has made its way to the forefront of U.S. business, lawmakers, and newspapers. Privacy issues prior to that point mostly addressed keeping the government out of our homes or maintaining traditionally confidential communications. U.S. law reflected that limitation by developing a patchwork of privacy laws. But policy makers are pushing and pulling to arrive at a more coherent policy toward the privacy of personal information.

Constitutional law protects individuals from government invasion of the individual's private life and personal decision-making. Many state laws protect an individual from the unauthorized public revelation of personal information. Additional federal and state laws place narrow restrictions on the ability of the government and private organizations to gather, maintain, and distribute certain categories of personal information. Yet, taken all together, these laws still do not define the fullness of "privacy".

The First Question: Is Privacy a Good Thing?

Reviewing privacy laws reveals some aspect of what a society holds as its ideal notions about privacy. However, law usually reflects the minimum acceptable conduct. In many ways, privacy is a function of the culture. However, there are universal aspects of privacy that "form an integral part of social life, preserving both the individual's separateness from society and his existence within it." [1] All cultures recognize some form of privacy that allows for: 1) respect for other people (immunity from intrusion) and 2) respect and understanding of oneself (according a sphere of autonomy). [2]

Some theorists on the development of privacy believe that privacy in Western culture arose as a consequence of the social and historical forces specific to post-medieval Europe. Social differentiation and role fragmentation forced individuals to seek "refuge" in the home for true freedom. As a result, the Western notions of privacy are closely linked to the home and body and, consequently, have a close association with notions of property. Thus, one has a "right" to privacy as one has a "right" to property. [3] As reflected in U.S. law, privacy is protected by balancing the right of the individual against the right of the data collector (be it the government or private industry or other individuals). However, this view emphasizes the individual's rights without really considering the benefit of a privacy system to society against the data collector.

The Internet challenges existing U.S. privacy laws. "A territorial view of privacy, which associates the concept of privacy with the sanctity of certain physical spaces, has no application in a realm in which there is no space. Similarly, a right to privacy that is grounded in ownership of material possessions cannot arise in a world composed entirely of ideas." [4]

One commentator has suggested that privacy should be protected by placing the burden on the data collector to justify the need for the information (similar to the European Union Directive on Privacy). [5] On the other end of the spectrum, one commentator has suggested a "transparent society", where complete openness will strike a balance between the power of the individual and the power of the institution. [6]

Privacy and Ethical Practices

Governments and private groups have been debating the standards for the collection and use of personally identifiable data for several decades. For example, in 1973 a special committee of the U.S. Department of Health, Education, and Welfare developed a “Code of Fair Information Practices” in connection with the publication of a report, “Records, Computers, and the Rights of Citizens.” The Code of Fair Information Practices provided for no secret record-keeping systems and a range of rights for data subjects, including the right to be notified, to correct errors, and to limit the disclosure of personally identifiable data. In 1980, the international Organization for Economic Cooperation and Development developed “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”, setting out eight principles for data protection, addressing: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. [6.5]

The United States Federal Trade Commission studied on-line privacy practices from 1995 - 1998 and determined that U.S. industry associations support five core principles of individual data collection: 1) notice; 2) choice; 3) access; 4) security; and 5) enforcement mechanisms. However, as of 1998, these principles were widely disregarded in practice and "substantially greater incentives are needed to spur self-regulation." [7] The FTC issued another report in July 1999, concluding that although progress in self-regulation has not gone as far as hoped, the FTC still recommends self-regulation over passing new legislation. [8]

Many businesses as well as professional organizations advocate ethical standards which typically include particular aspects of privacy. [9] For example, in the United States, the Association for Computing Machinery's Code of Ethics is specific about privacy concerns. [10] Other professional organizations address privacy, but without such specificity. [11]

Most of these guidelines and codes recognize the following principles for the collection of personally identifiable data:

  • Notice – the data collector provides notice to the data subject prior to the collection, use, and disclosure of personally identifiable data, which includes the intended purpose of the data and the identity of those to whom the data will be disclosed.
  • Relevancy – the data collector collects only those data necessary to fulfill the purpose set forth in the notice and maintains only the relevant information. Over time, some of the data may need to be purged if it is no longer relevant.
  • Choice – the data subject has the right to choose and consent to whether to divulge the data for the purposes set forth in the notice. “Opt-in” refers to consent that is affirmatively made by the data subject. “Opt-out” refers to consent by default (if the data subject does not affirmatively indicate otherwise, consent is assumed).
  • Scrutiny – the data subject is entitled to review the data for accuracy, demand corrections, and demand deletion from the database.
  • Security – the data collector uses reasonable means to ensure the security of the data from disclosure to unauthorized users.

Privacy Defined by the United States Constitution

Although people in the U.S. often talk about a "right of privacy" in the same manner as they speak of a "right of free speech" or "right to bear arms", the United States Constitution does not explicitly provide for a "right of privacy". The United States Supreme Court has found an implied right of privacy from governmental intrusion in the other constitutional rights. "[S]pecific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance. . . . Various guarantees create 'zones of privacy'." [12]

The United States Supreme Court, in 1965, described constitutionally-based privacy as having two components: "one is the individual interest in avoiding disclosure of personal matters, and another is the interest in independence in making certain kinds of important decisions." [13] Constitutional privacy law has developed out of a concern for balancing governmental needs and policies against the individual's desire to be free from governmental intrusion. The law has continued to develop in response to the increased ability and agility of the government to collect, sort, and disclose data by computer databases concerning individuals.

The courts have relied the most upon two constitutional provisions:

  • First Amendment to the U.S. Constitution - "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances."
  • Fourth Amendment to the U.S. Constitution - "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

A critical element in the cases arising out of the constitutional right of privacy is the "reasonable expectation of privacy" held by the individual. Another important element in government privacy cases is the difference between the content of the communication and the existence of the communication itself. Although the content may be protected, information concerning the occurrence of the communication generally may not be protected, particularly from law enforcement requests for such information. For example, state and federal law prohibits the disclosure of the contents of telephonic or radio communications. [14]

Privacy Laws Prior to the Internet

Prior to the commercialization of the Internet around 1994, the United States Congress had passed only a few laws to limit the collection and use of individual data in the public and private sector. Federal statutes limit the collection, use and transfer of personal data by and between federal agencies. [15] Federal law also restricted the government and private parties’ ability to wiretap electronic communications. [16] Other federal statutes regulate personal data usage in specific industries:

  • healthcare [17]
  • financial and banking [18]
  • credit bureaus [19]
  • educational institutions [20]
  • videotape rental stores [21]
  • cable service providers [22]

However, Congress had passed no general statutes concerning the collection, use, and disclosure of personal information. When the Internet was opened to commercial enterprises, there were no federal laws regulating the on-line collection of personal data.

State laws on privacy have developed into four categories: a. protection from intrusion; b. protection from the public disclosure of embarrassing private facts; c. protection from publicity that places the individual in a false light; and d. protection from the use of a person's name or likeness. [23] Some states offer more protection than others, but, like federal law, none addressed the general issue of the collection of personal information outside the traditional areas of confidential communications.

Federal Legislation After the Internet

The Internet has focused the discussion of privacy issues on the easy collection and disclosure of personal information over the Internet by "information brokers." Since the commercialization of the Internet and the World Wide Web, the U.S. federal government has passed some laws specific to certain industries restricting the collection and use of personally identifiable data:

COPPA – Children’s Online Privacy Protection Act [24]. This Act affects Web sites that are targeted at children (under age 14). It requires notice of the Web site’s privacy policy and intended use for the data. This law requires specific parental consent for the collection of personally identifiable data (“opt-in”).

GLB – Gramm-Leach-Bliley Act [25] (P.L. 1056-102, 1999). This Act affects financial institutions (broadly defined) and their collection of personally identifiable data from individuals. This law requires financial institutions to provide notices to individual customers regarding their privacy policy and intended use for personally identifiable data, and to provide individual consumers with the choice to “opt-out” of having nonpublic personal information shared with unaffiliated third parties other than for permitted business exceptions.

HIPAA – Health Insurance Portability and Accountability Act of 1996 and corresponding regulations effective April 2001. [26] This law covers health care providers, health plans, health care clearinghouses, and indirectly their business associates. The law requires patient consent to use any personally identifiable and health information. The law also requires specific written consent (“opt-in”) for use of the data for a purpose other than providing health care. Covered entities must obtain contracts with “business associates” to ensure coherent privacy compliance. The law also gives patients the right to access their data, request corrections, and file complaints.

Privacy Beyond the U.S. Shores: The European Directive on Privacy

The Directive of the European Parliament on the protection of personal data became effective in 1998. [27] The directive requires the member countries of the European Union to adopt these directives. This Directive contrasts sharply with U.S. law, as: 1) it seeks a coherent system of privacy protection for individual information, rather than a patchwork of laws, and 2) it places the burden on the collector of personal data to justify the need and use for the data, in contrast to U.S. law that generally places the burden on the individual to show how he has been damaged by the collection and use of his personal information.

The Directive requires that the member nations enact national laws to ensure that an individual's rights to privacy in personal data are enforced, including:

  • the right to information about who is using personal data and how;
  • the right to access the information;
  • the right to rectify inaccurate data; and
  • the right to opt out of allowing the data to be used.

The Directive affects U.S. data collectors as well. Under the Directive, personal data may not be transferred to non-E.U. countries that do not have privacy safeguards similar to those under the Directive. As the United States does not have privacy safeguards similar to those under the Directive, this is a trading obstacle. The United States, led by the Department of Commerce, has reached an agreement with the E.U. to allow the transfer of personal data to U.S. companies that adopt self-regulatory privacy guidelines and are subject to the jurisdiction of the FTC (the “Safe Harbor”). [28] The E.U. has also promulgated E.U. “contracts” deemed to be acceptable for transfer of personal data out of the E.U.

Conclusion: The Struggle Continues Between Self-Regulation and Government Regulation

On-line privacy is by no means settled by law or regulation in the United States. Both industry and government in the United States hope to encourage innovation and commerce on the Internet while striking a balance with what are generally held to be core principles about the privacy of personal information. That "balance" may be pushed by outside forces, such as the "Safe Harbor" arrangement between the E.U. and the U.S. Further, the FTC has been clear that if the speed at which businesses voluntarily comply with self-regulation does not pick up, it will recommend legislation.

    -------------------------------------------------------------

    Endnotes

    [1] Katrin Schatz Byford, Privacy in Cyberspace: Constructing a Model of Privacy for The Electronic Communications Environment, 24 Rutgers Computer & Technology Law Journal 1 (1998).

    [2] Idem.

    [3] Idem.

    [4] Idem.

    [5] Idem.

    [6] David Brin, The Transparent Society, Will Technology Force Us to Choose Between Privacy and Freedom? (Reading, Massachusetts: Addison-Wesley, 1999).

    [6.5] OECD Privacy Guidelines available at http://www.oecd.org/oecd/pages/home/displaygeneral/0,3380,EN-document-43-1-no-24-102 55-43,FF.html.

    [7] Federal Trade Commission, "Privacy Online: A Report to Congress, June 1998", http://www.ftc.gov/reports/privacy3/toc.htm.

    [8] See, "Self-Regulation and Privacy Online: A Report to Congress", Federal Trade Commission, July 1999, http://www.ftc.gov/os/1999/9907/privacy99.pdf.

    [9] See, for example, J.A.N. Lee, Codes of Conduct/Practice/Ethics from Around the World, http://ei.cs.vt.edu/~cs3604/lib/WorldCodes/WorldCodes.html, updated May 13, 1999; Illinois Institute of Technology, Codes of Ethics Online: Computing and Information Systems, http://csep.iit.edu/codes/computer.html.

    [10] ACM Code of Ethics 1.7, http://www.acm.org/constitution/code.html

    [11] See, for example, American Society for Information Science Professional Guidelines, adopted May 30, 1992, http://www.asis.org/AboutASIA/professional-guidelines.html. "Responsibilities to Employer/Client/System Users. . . To uphold each user's, provider's, or employer's right to privacy and confidentiality and to respect whatever proprietary rights belong to them, by limiting access to, providing proper security for and ensuring proper disposal of data about clients, patrons or users." Compare with the IEEE Code of Ethics, http://www.ieee.org/about/whatis/code.html which does not mention privacy.

    [12] Griswold v. Connecticut, 381 U.S. 479 (1965) (available at http://supct.law.cornell.edu/supct/cases/name.htm).

    [13] Griswold v. Connecticut, supra.

    [14] See, e.g., OCGA 16-11-62; 47 U.S.C.A 605.

    [15] Privacy Act of 1974, Public Law 93-579; 5 U.S.C. §552a.

    [16] Electronic Communications and Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (codified as amended in scattered sections of 18 U.S.C.A.).

    [17] For example, 42 U.S.C. Chapter 6A, et seq.

    [18] 12 U.S.C. 3401 et seq.

    [19] Fair Credit Reporting Act of 1970; 12 U.S.C.A. §1681; The Consumer Credit Reporting Reform Act (CCRRA), 15 U.S.C.A. §§1681-1681t.

    [20] 20 U.S.C.A. §1232g.

    [21] Video Privacy Act of 1988, Public Law 100-618; 18 U.S.C.§2710.

    [22] Cable Communications Policy Act of 1984, Public Law 98-549; 47 U.S.C.§551.

    [23] See, William L. Prosser, Privacy: A Legal Analysis, 48 Cal. L. Rev. 383 (1960).

    [24] 15 U.S.C.A. §§6501-6506; see also F.T.C. Children’s Online Privacy Protection Rules, 16 C.F.R. Pt. 312 (2000).

    [25] 15 U.S.C.A. §§6801-6809.

    [26] P.L. 104-191; see, H.H.S. Fact Sheet, “Protecting the Privacy of Patients’ Health Information”, dated July 6, 2001 (available at: http://www.hhs.gov/news/press/2001pres/01fsprivacy.html).

    [27] Directive 95/46/EC, available at http://www.europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html

    [28] Available at http://www.ita.doc.gov/ecom/menu.htm.

    Last Updated October 2001.

     

    Computer Ethics is a course taught for the CS/IS Department at Kennesaw State University by Ann K. Moceyunas

    Last updated: August 25, 2002. Opinions expressed on this website are those of the author, Ann K. Moceyunas. Certain Portions Copyright © 1996 -2002 Moceyunas P.C. All rights reserved. Have Questions? Contact Ann Moceyunas at ann@moceyunas.com.