Data Privacy

Privacy is the right to be left alone. Louis Brandeis and Samuel Warren

Privacy in the USA: Where It Is, Where It's Going, Where It Should Be

Optional: Read this excerpt from The Transparent Society by David Brin. The cameras are coming. They're getting smaller and nothing will stop them. The only question is: who watches whom?

Where It Is
There is no overall right to control sensitive personal information about yourself in the United States. Personal data is viewed as a commodity and firms that collect it expect to be able to reuse or resell it. That data is often stored insecurely and accessed by unauthorized people.

Spend some time exploring the resources at one of the following sites: Electronic Frontier Foundation, Privacy; Electronic Privacy Information Center; or the Federal Trade Commission's Privacy Initiatives.

Optional: Take a quick look at some of these privacy statements: Gmail, Google, Microsoft, Yahoo, Amazon.com, Facebook.

Read EPIC's "Privacy Self Regulation: Decade of Disappointment" for commentary on the current approach of self-regulation, including a brief history of other ways the FTC has more effectively protected privacy, and a discussion of Google's email "content extraction" practices. In particular, note the "Fair Information Practices" which echo some of the same principles we've previously discussed. Are these the guidelines the government should be focusing on when writing legislation? What other things would you take into consideration?

The focus of most of the current privacy and data protection laws is the collection of use of personal data. One key concept is choice and consent; individuals should have the ability to choose whether their personal information can be used or shared for secondary use - use beyond that necessary to accomplish the purpose for which the individual provided the information.

Skim one of the following: Sector-specific privacy law includes the Gramm-Leach-Bliley Act for financial institutions, the Health Insurance Portability and Accountability Act (HIPAA) for health care providers, the Fair and Accurate Credit Transactions Act for the credit industry, and the Red Flag final rules for the FACTA. In addition, the Children's Online Privacy Protection Act protects children's privacy online.

Read this summary and analysis of Federal Information Security and Data Breach Notification Laws.

Do these laws accurately reflect the "Fair Information Practices" from earlier? What about the other issues you want to take into consideration? Are they targeting the correct people in the correct ways?

Is legislation and regulation the best way to protect privacy? Read a summary of Trusted Computing and two critiques of it, "Can You Trust Your Computer" and "Who Owns Your Computer". Is this a better form of protection? Why or why not?

Where It's Going

Optional: The government is noticing online privacy these days. See "Congress to Push Web Privacy" and "Web Privacy on the Radar in Congress".

Skim one of the following: Current legislation pending before Congress: Personal Data Privacy and Security Act of 2007 and Data Accountability and Trust Act.

Where It Should Be

Download and read these two articles from SSRN: "Privacy as Contextual Integrity" and "Privacy Wrongs in Search of Remedies".

After reading current and pending legislation and the law review articles, do you think the legislation and regulations are adequately protecting personal data privacy? Are they even focusing on the correct policy of and standards for protection? What would you suggest instead? d

Privacy in the European Union

The EU takes a very different approach to personal data privacy; its law views privacy as a human right and the EU data directive requires members to enact laws to limit how private firms can collect, retain, and reuse personally identifying information.

Law enforcement concers did pressure the EU into adopting a directive which requires communication service providers to collect and retain communication records for law enforcement. Skim EPIC's data retention page.

Explore the European Commission's Data Protection page and skim at least one legislative document here.

Skim the EU proposal to amend the ePrivacy Directive to add a breach notification requirement. (Page 52 - 67.)

Should the U.S. adopt policies of and standards for personal data protection from the EU? Most companies would balk at such changes. Is there anything in particular you think should influence what the U.S. does in the future?

There is some difficulty with regard to cross border data flow because of the different approaches, especially with the increased data demand in the post-9/11 U.S. Is the Safe Harbor response the best way to deal with those problems?

Conclusion Questions

Should the U.S. become more like the EU, with overarching personal data protection laws, or should we continue with self-regulation coupled with sector-specific laws as needed? Is it a good idea to leave most of the regulating to the people who potentially benefit the most from weak privacy laws? Based on what has been done so far, what is the most compelling balance between individuals' control of their personal data and commercial interests?

Return to the syllabus