The IT Law Wiki
The IT Law Wiki
Privacy is the quietest of our freedoms . . . Privacy is easily drowned out in public policy debates . . . Privacy is most appreciated by its absence, not its presence.[1]

Overview[]

Privacy today is not just preserving individual control of personal data, Privacy means preserving the original sense of unlimited opportunity the internet seemed to offer, as an unconstrained space for individual action.[2]

It is difficult to define privacy in a precise and concise fashion, even for those who express strong feelings about its value. The concept of "privacy" is colored by the history, culture, and political system of a particular people. Privacy includes concerns about autonomy, individuality, personal space, solitude, intimacy, anonymity, and a host of other related concerns. There have been many attempts to give meaning to the term for policy purposes.

In terms of information and recordkeeping (as opposed to personal association) it appears to mean, to most people, the ability to keep certain kinds of personal information from other people or to restrict its use, except as one freely chooses to permit its disclosure or use.

In a modern society, it is difficult to keep all personal information absolutely confidential. In practice, individuals generally seek to restrict some kinds of personal information to those who have a legally defined or socially sanctioned need to know, or to those who can provide some benefit or service in return. There may be many reasons for wishing to withhold information about oneself, other than concern about government encroachment on civil liberties. Information may expose one to censure or punishment; it may threaten one's reputation, social status, or self-esteem; it may give others some advantage or power over oneself, or lessen one's advantage over others in competitive situations.

Concepts of privacy[]

At a high-level, privacy covers a number of other broad (sub-)concepts, that in themselves partially overlap:

  1. Decisional privacy: This conception of privacy addresses issues related to an individual's authority to make decisions that affect the individual's life and body and that of the individual's family members such as end of life issues.
  2. Spatial privacy (also referred to as locational privacy): This conception of privacy addresses issues related to physical spaces like the home, the bedroom, etc. Concerns usually focus on the authority of the individual to determine who may enter or observe the objects and/or the activities that occur in the particular place.
  3. Intentional privacy: This conception of privacy addresses issues related to intimate activities or characteristics that are publicly visible. Concerns usually focus on the authority of the individual to bar further communication of the observable event or feature. Examples typically include claims against repeating conversations that occurred in public but were directed to specific individuals and publishing photographs of unintended nudity, etc.
  4. Informational privacy: This conception of privacy addresses issues related to the (un)availability and use of information that relates to an individual. Concerns usually focus on the extent of the individual's authority to control how that information is collected and used in the broadest sense (by whom and for what purpose) and the corresponding responsibility of other individuals and organizations to include the individual in decision-making processes that drive subsequent use.
  5. Communicational privacy: This conception of privacy addresses issues related to communication between individuals, in other words the exchange of information, data, thoughts, impressions, and feelings in whatever form: verbal (conversation, speech), written (letter), or digital (phoneemailchat). Concerns usually focus on the right of the individual to communicate ("communication freedom", e.g., for prisoners) and to choose the persons included in the communication ("communication secrecy"). The overlap of the latter with intentional privacy (see 3 above) is obvious.
  6. Physical and psychological privacy: This conception of privacy addresses issues related to the body and mind of every individual. Concerns usually focus on respect for and dignity of the individual. Examples typically include examinations and experiments like personality tests, psycho-physiological tests, lie detector tests, narcoanalysis, analysis of brain waves, genetic research, police searches, frisking, body scans, etc.

​ The last three (4, 5 and 6) concepts are explored in further detail in relation with labor law in a Belgian 1999 PhD study.[3]

The impact of new technologies[]

The development of new information technologies . . . has almost always raised questions about how privacy can be maintained in the face of the new technology. Today's advances in computing technology can be seen as no more than a recurrence of this trend, or can be seen as different in that new technology, being fundamentally concerned with the gathering and manipulation of information, increases the potential for threats to privacy.[4]

Beginning with the emergence of the mass-market Internet, privacy law around the world has been in transition. During the past 15 years, networked information technologiespersonal computers, mobile phones, and other devices — have been transforming the U.S. economy and social life. Uses of personal information have also multiplied, and many believe that privacy laws have struggled to keep up. The lag between developments in intensive uses of personal information and the responses of current systems of privacy regulation around the world leaves consumers with a sense of insecurity about whether using new services will expose them to harm.

Notions of privacy change generationally. One sees today marked differences between the younger generation of 'digital natives' and their parents or grandparents. In turn, the children of today's digital natives will likely have still different attitudes about the flow of their personal information. Raised in a world with digital assistants who know everything about them, and (one may hope) with wise policies in force to govern use of the data, future generations may see little threat in scenarios that individuals today would find threatening, if not Orwellian.[5]

Commercial data privacy policy must address a continuum of risks to personal privacy, ranging from minor nuisances and unfair surprises, to disclosure of sensitive information in violation of individual rights, injury or discrimination based on sensitive personal attributes that are improperly disclosed, actions and decisions in response to misleading or inaccurate information, and costly and potentially life-disrupting identity theft. In the aggregate, even the harms at the less severe end of this spectrum have significant adverse effects, because they undermine consumer trust in the Internet environment. Diminished trust, in turn, may cause consumers to hesitate before adopting new services and impede innovative and productive uses of new technologies, such as cloud computing systems.

Though existing U.S. commercial data privacy policy has enabled the digital economy to flourish, current challenges are likely to become more acute as the U.S. economy and society depend more heavily on broadened use of personal information that can be more easily gathered, stored, and analyzed. At the same time, innovators in information technology face uncertainty about whether their innovations will be consistent with consumer privacy expectations.

Definitions[]

Privacy is an ill-defined concept in the sense that people use the term to mean many different things, but it resists a clear, concise definition because it is experienced in a variety of social contexts.[6]

Privacy is:

[e]nsuring that information about a person is protected in accordance with national, regional, or global regulations. Such information may be contained within a message, but may also be inferred from patterns of communication; e.g. when communications happen, the types of resource accessed the parties with whom communication occurs, etc.[7]
[t]he appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual’s expectations; also, the right of an individual to control the collection, use, and disclosure of personal information."[8]
[t]he assurance that legal and constitutional restrictions on the collection, maintenance, use, and disclosure of behaviors of an individual — including his/her communications, associations, and transactions — will be adhered to by criminal justice agencies, with the use of such information to be strictly limited to circumstances in which legal process authorizes surveillance and investigation.[9]
a personal construct that accrues to individuals, not to the information itself. In other words, a person may have the right to have certain personal information kept private by the state. That right does not accrue to the information itself. An individual's right to information privacy is a separate concept from the confidentiality rights that may apply to a corporation regarding its intellectual property or other business-related information which, if wrongfully disclosed or misappropriated, could result in economic harm.[10]
the ability of individuals to control personal information that is not knowable from their public presentations of themselves.[11]
the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.[12]

Privacy

encompasses not only avoiding observation, or keeping one's personal matters and relationships secret, but also the ability to share information selectively but not publicly.[13]
refers to the social balance between an individual right to keep information confidential and the societal benefit derived from sharing information, and how this balance is codified to give individuals the means to control personal information.[14]
refers to individuals' interests in preventing the inappropriate collection, use, and release of personally identifiable information.[15]

OECD[]

The Organization for Economic Cooperation and Development (OECD) adopted guidelines in 1980 to protect the privacy and transborder flows of personal data. The OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data are:

1. Collection Limitation Principle: "There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject";

2. Data Quality Principle: "Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date";

3. Purpose Specification Principle: "The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose";

4. Use Limitation Principle: "Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except:

a. with the consent of the data subject; or
b. by the authority of law";

5. Security Safeguards Principle: "Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data";

6. Openness Principle: "There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller";

7. Individual Participation Principle: "An individual should have the right:

a. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b. to have communicated to him, data relating to him
i. within a reasonable time;
ii. at a charge, if any, that is not excessive;
iii. in a reasonable manner; and
iv. in a form that is readily intelligible to him;
c. to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
d. to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended";

8. Accountability Principle: "A data controller should be accountable for complying with measures which give effect to the principles stated above."

United Nations[]

The Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights recognized privacy as a fundamental human right and attempt to shield the individual from abuse by protecting his/her personal data.

International Covenant on Civil and Political Rights[]

Article 17(1) of the International Covenant on Civil and Political Rights (ICCPR) states:

No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

Universal Declaration of Human Rights[]

Article 12 of the Universal Declaration of Human Rights states:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

UN Guidelines for the Regulation of Computerized Personal Data Files[]

The UN Guidelines for the Regulation of Computerized Personal Data Files recognize many of the same rights in information as the OECD Privacy Guidelines, providing in addition that

data likely to give rise to unlawful or arbitrary discrimination, including information on racial or ethnic origin, colour, sex life, political opinions, philosophical and other beliefs . . . should not be compiled.[16]

United States[]

Constitutional Law[]

Overview[]

The U.S. Constitution makes no explicit mention of a right of privacy. However, the rights and protections spelled out in the ten amendments of the Bill of Rights and in the Fourteenth Amendment affirm and define a sphere of personal autonomy that is protected against any but the most powerful overriding interests of state. This principle was a basic tenet of 18th century political thought and was and is a cornerstone of constitutional government.

First Amendment[]

First Amendment principles bear on privacy, both in the sense of protecting it,[17] but more often in terms of overriding privacy protection in the interests of protecting speech and press.[18]

Fourth Amendment[]

The Fourth Amendment "search and seizure" provision protects a right of privacy by requiring warrants before government may invade one's internal space or by requiring that warrantless invasions be reasonable. However, "the Fourth Amendment cannot be translated into a general constitutional 'right to privacy.' That Amendment protects individual privacy against certain kinds of governmental intrusion, but its protections go further, and often have nothing to do with privacy at all."[19]

Fifth Amendment[]

The Fifth Amendment's self-incrimination clause was once thought of as a source of protection from governmental compulsion to reveal one's private papers,[20] but the Court has refused to interpret the self-incrimination clause as a source of privacy protection.[21]

The due process clause of the Fifth and Fourteenth Amendments, to some degree, may be construed to protect the "liberty" of persons in their privacy rights in cases that implicate "fundamental rights," or those "implicit in the concept of ordered liberty" such as marriage, procreation, contraception, family relationships, child rearing, and education.[22]

Supreme Court Decisions[]

In an important decision in Whalen v. Roe,[23] the Supreme Court recognized a "right of informational privacy." Whalen concerned a New York law that created a centralized state computer file of the names and addresses of all persons who obtained medicines containing narcotics pursuant to a doctor's prescription. Although the Court upheld the state's authority, it found this gathering of information to affect two interests. The first was an "individual interest in avoiding disclosure of personal matters"; the other, "the interest in independence in making certain kinds of important decisions."[24] These two interests rest on the substantive due process protections found in the Fifth and Fourteenth Amendments.

Similarly, in Griswold v. Connecticut,[25] the Supreme Court struck down an anticontraceptive statute as an infringement of the fundamental right of "marital privacy." The Court recognized a limited constitutional right applicable to certain intimate decisions related to family or marital matters.

Common law[]

Privacy is a value that continues to be highly esteemed in American society, yet its meaning, especially for policy purposes, is often unclear.

In 1890, Samuel Warren and Louis Brandeis defined "privacy" as "the right to be let alone."[26] They found the primary source for a general right to privacy in the common law protection for intellectual and artistic property, and argued that:

the principle which protects personal writings and all other personal productions, not against theft and physical appropriation, but against publication in any form, is in reality not the principle of private property, but that of an inviolate personality.

In 1905, a Georgia state court held that the right of privacy has its foundation in the instincts of nature and has been recognized intuitively.[27]

Later when Brandeis was on the U.S. Supreme Court he referred to privacy as "the most comprehensive of rights, and the right most valued by civilized men."[28]

Subsequent legal debates have been structured by two points raised by Warren and Brandeis. The first is whether privacy is an independent value whose legal protection can be justified separately from other related interests, such as peace of mind, reputation, and intangible property. The second is the controversy over their definition of the "right to privacy" as the "right to be let alone." Such a definition is so broad and vague that the qualifications necessary to make such a definition practical in society negate the right itself.

Second only to the Warren and Brandeis article in influence on the development of legal thinking regarding protection of privacy in the United States is Dean Prosser's 1960 California Law Review article, "Privacy."[29] His primary finding is that:

At the present time the right of privacy, in one form or another is declared to exist by the overwhelming majority of the American courts.

Prosser analyzed four distinct tortsintrusion upon seclusion, public disclosure of private facts, false light, and appropriation — that could be isolated in state common law decisions and that represented four different types of privacy invasions. Each of these torts depends on physical invasion or requires publicity, and hence offers little protection for privacy of personal information. Although Prosser's analysis has received wide acceptance as a way of categorizing tort law relating to privacy, most legal scholars doubt that these traditional privacy protections in common law can, or should, be extended to cover more general privacy concerns.

In the mid-1960s, concern with the "privacy" of computerized personal information held by credit agencies and the government rekindled interest in defining a right to privacy. Edward Shils viewed privacy of personal information as:

a matter of the possession and flow of information, . . . Privacy in one of its aspects may therefore be defined as the existence of a boundary through which information does not flow from the persons who possess it to others.[30]

Privacy expert Alan Westin conceived of privacy as "an instrument for achieving individual goals of self-realization," and defined it as "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others."[31] He defined information privacy as the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.[32]

The "right to privacy" as "the right to control information about oneself" has served as the definition for policy purposes in the United States. Various statutes have been designed to give individuals the means to control information about themselves. Such means include primarily the right to know and the right to challenge and correct. Organizations are also expected to follow "Principles of Fair Information Use,"[33] which establish standards and regulations for collection and use of personal information.

In 1974, Congress established the Privacy Protection Study Commission to undertake a broad study of whether privacy rights were being adequately protected in the emerging information society. In its final report, issued in 1977, the Commission concluded that federal privacy laws should advance three concurrent policy goals —

  • To minimize intrusiveness by creating a proper balance between what an individual is expected to divulge to a record-keeping organization and what he or she seeks in return;
  • To maximize fairness by opening up record-keeping operations in ways that will minimize the extent to which recorded information about an individual is itself a source of unfairness in any decision about him or her; and
  • To create legitimate, enforceable expectations of confidentiality by creating and defining obligations with respect to the uses and disclosures that will be made of recorded information about an individual.
Today . . . there have been further advances in telecommunications and information technology. Given the proliferation of computerized data collection and the prospect of converging technologies — computers, telephones, and mass media — it is time to reconsider what privacy means in developing electronic communities.[34]

More recently, one commentator has defined privacy as a

broad, all-encompassing concept that envelops a whole host of human concerns about various forms of intrusive behavior, including wiretapping, surreptitious physical surveillance, and mail interception. Individuals claim a right of privacy for an enormously wide range of issues, from the right to practice contraception or have an abortion to the right to keep bank records confidential.[35]

The U.S. Department of Commerce wrote:

There is no single privacy law in the United States, rather, U.S. privacy law is a patchwork of constitutional, statutory, regulatory, and common law protections. While the Supreme Court has held that the Fourth Amendment restricts the ability of government to collect information from places in which an individual has a reasonable expectation of privacy, there is no constitutional right to be free from analogous intrusions by private parties. Tort law limits intrusive collection of private information, penalizes unwarranted disclosure of erroneous information about individuals. A number of statutes, at both the federal and state level, protect individuals from governmental misuse of personal information, while other statutes adopt "fair information principles" for private sector record keepers in specific industries.[36]

Courts have held that a corporation has no common law right of privacy.[37]

Statutory Law[]

There is no comprehensive federal statute that protects the privacy of personal information held by the public sector or the private sector. Instead federal law tends to employ a sectoral approach to the regulation of personal information. Statutes also make a distinction between whether the information being addressed is personally identifiable information (PII) or non-personally identifiable information.

Statutes relating to the federal government's collect, storage and use of personal information include the:

Figure 2 provides a chronology of key privacy laws and new technologies:

Privacy2

Federal agencies[]

Several laws grant the FTC, FCC and other agencies regulatory authority over online privacy. The FTC has used its authority to prohibit unfair or deceptive trade practices and enforce promises made in corporate privacy statements on websites.[40] The FCC, for its part, typically works with the providers of broadband access to the Internetphone, cable and wireless network providers — and the Communications Act contains various provisions outlining consumer privacy protections.[41] However, existing regulatory frameworks provide only a partial solution to consumer concerns and consist of a patchwork of potentially confusing regulations. For instance, online communications are subject to the Electronic Communications Privacy Act of 1986 (ECPA),[42] but the privacy protections in the ECPA may not apply to the information that websites collect from individual website visitors.[43]

The Gramm-Leach-Bliley Act's protections for personal financial data apply only to financial institutions (such as banks, credit institutions and non-bank lenders), even though non-financial institutions (such as data brokers) may possess comparable information but not subject to the same protections.[44] And while traditional telephone and cable TV networks are subject to privacy protections, ISPs operating in an unregulated environment can theoretically obtain and share consumer data through technologies such as deep packet inspection.[45]

Europe[]

Much of modern European privacy law arose from the atrocities of World War II, when large databases of personal information were used to segregate populations, target minority groups and facilitate genocide.

European Union Basic Texts[]

European Convention on Human Rights[]

Privacy is recognized as a fundamental human right by the European Convention on Human Rights (ECHR). This Convention has entered the basic texts of the European Union as of 1 December 2009 (1) as paragraph 2 of Article 6 of the Treaty on the European Union and (2) as a protocol to the Treaty on the European Union as amended by the Lisbon Treaty of 13 December 2007. The full name of that protocol is "Protocol relating to Article 6(2) of the Treaty on European Union on the accession of the Union to the European Convention on the Protection of Human Rights and Fundamental Freedoms".

Charter of Fundamental Rights of the European Union[]

The Charter of Fundamental Rights of the EU assembles the fundamental rights protected in the EU in a single document . Relevant with regard to privacy are Article 3 (integrity), Article 7 (respect of private and family life) and Article 8 (protection of personal data). The Charter is consistent with the European Convention on Human Rights: the rights in the Charter that stem from the Convention have the same meaning and scope.

The Charter was first proclaimed on 7 December 2000 in Strasbourgh in the context of the Nice European Council. At the time it only had a moral and signaling power. That changed on 1 December 2009 with the entry into force of the Lisbon Treaty of 13 December 2007, particularly Article 6(1) of the Treaty on the European Union. However in a protocol to the Treaty on the European Union the UK and Poland have uttered some preservations with regard to the binding force. 

The European Commission implements the Charter in line with a strategy set out in October 2010 and operational guidance set out in May 2011. The European Commission report on the progress of the implementation in annual reports since 2010 .

European Union Directives[]

Most privacy legislation at the level of the European Union (supra-national) are directives. These are one of the means for the European Union legislator to harmonize the legislation of the member states. EU Directives — in principle — have to be transposed by the EU member states into member state law to have effect.

General Personal Data Protection Directive[]

Privacy legislations aimed at governing how personal data is processed, were introduced in a few individual EU member states in the 1970s and 1980s. The European Union harmonized that legislation in a directive, namely the Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data, also known as the (General) Data Protection Directive. The Directive had to be transposed into EU member state law by the end of 1998 (Article 34 of the Directive).

Directive on Privacy and Electronic Communication []

The Directive on Privacy and Electronic Communication is a more specific data protection legislation. The full name of the directive is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. It was amended by the 2009 Cookies Directive, in full the Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. A recasted text after the amendment can be found on the website of the European Commissioner for Justice (subsection data protection).

The Directive is best known for its rules on unsolicited communications ("spam" — Article 13), as that part impacts most businesses, whereas the other provisions mainly address telecom service providers.

Data Retention Directive[]

The Data Retention Directive is a more specific legislation with an important impact on privacy. The full name of the directive is Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

The Directive sets out the rules for collection, retention, security, and deletion of data ("traffic and location", not "content"; sometimes referred to as communication attributes or meta-data of the communication) by providers of publicly available electronic communications services or of public communications networks in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of "serious crime." 

The Directive has stirred the EU community as it has shocked some EU citizens, some data protection authorities and even the courts in some EU member states.

European Union Case Law[]

Notably also the EU Case Law by the European Court of Justice has to be taken into account. The Court's case law is generally available on its website and on the official Eur-Lex website. Specific references to case law relation to personal data protection are available on the website of the European Commissioner for Justice (subsection data protection).

National Legislation of the EU Member States[]

As stated above the directives have to be transposed into member state law. So it remains important to look at that level of the legislation. There are only limited official sources that provide the overview of the legislation in the EU member states, so often the practitioner will (have to) rely on the website of the supervisory authority in the EU member state or on commercially generated overview mostly by global law firms.

Other international instruments[]

The right to privacy has been codified in a growing number of universal and regional human rights instruments, including:

References[]

  1. Privacy and Human Rights 2006: An International Survey of Privacy Laws and Developments, at 2.
  2. The Significance of the Frontier: Why Privacy and Cybersecurity Clash, at 1.
  3. Frank Hendrickx, Privacy En Arbeidsrecht (1999) (full-text).
  4. Engaging Privacy and Information Technology in a Digital Age, at 88.
  5. Big Data and Privacy: A Technological Perspective, at 17.
  6. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 100.
  7. NSTAC Report to the President on Identity Management Strategy, at C-5.
  8. National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy, at 33.
  9. Baseline Capabilities for State and Major Urban Area Fusion Centers, at 52.
  10. Keeping Citizen Trust: What Can A State CIO Do To Protect Privacy?, at 3 (emphasis in original).
  11. Putting People on the Map: Protecting Confidentiality with Linked Social-Spatial Data, at 13.
  12. Alan Westin, Privacy and Freedom 7 (1967).
  13. Big Data and Privacy: A Technological Perspective, at 2.
  14. Information Security and Privacy in Network Environments, at 4 n.10.
  15. National Criminal Intelligence Sharing Plan, at 6.
  16. UN Guidelines for the Regulation of Computerized Personal Data Files.
  17. See, e.g., Frisby v. Schultz, 487 U.S. 474 (1988) (full-text) (using privacy rationale in approving governmentally-imposed limits on picketing of home).
  18. See, e.g., Florida Star v. B.J.F., 491 U.S. 524 (1989) (full-text) (newspaper could not be liable for violating state privacy statute when it published the name of a rape victim that it had lawfully obtained through public sources).
  19. Katz v. United States, 389 U.S. 347, 350 (1967) (full-text).
  20. Boyd v. United States, 116 U.S. 616, 627-630 (1886) (full-text).
  21. Fisher v. United States, 425 U.S. 391, 399 (1976) (full-text).
  22. See, e.g., Paul v. Davis, 424 U.S. 693, 713-14 (1976) (full-text).
  23. 429 U.S. 589 (1977) (full=text).
  24. Id. at 592-93.
  25. 381 U.S. 479 (1965) (full-text).
  26. Samuel Warren & Louis Brandeis, "The Right to Privacy," 4 Harvard L. Rev. (1890) (full-text).
  27. Pavesich v. New England Life Ins. Co., 122 Ga. 190, 50 S.E. 68, 69 (1905).
  28. Olmstead v. United States, 277 U.S. 438, 478 (1928) (full-text) (Brandeis, J., dissenting).
  29. William L. Prosser, "Privacy," 48 Cal. L. Rev. 383, 386 (1980).
  30. Edward Shils, "Privacy: Its Constitution and Vicissitudes," 31 L. & Contemp. Problems 281, 282 (1966).
  31. Alan Westin, Privacy and Freedom 39 (1967). This definition served as the basis for the Privacy Act of 1974.
  32. Id. at 7. See also Alan Westin, The Equifax Report on Consumers in the Information Age XVIII (1990).
  33. A "Code of Fair Information Practice" was first developed in U.S. Department of Health, Education, and Welfare, "Records, Computers and the Rights of Citizens" (1973).
  34. Id.
  35. See David Flaherty, Protecting Privacy in Surveillance Societies (1989).
  36. Department of Commerce, Inquiry on Privacy Issues Relating to Private Sector Use of Telecommunications-Related Personal Information, 59 Fed. Reg. 6841, 6843 (Feb. 11, 1994) (footnotes omitted).
  37. See, e.g., Huntingdon Life Sciences, Inc. v. Stop Huntingdon Animal Cruelty USA, Inc., 129 Cal.App.4th 1228, 1260, 29 Cal.Rptr.3d 521 (2005) (full-text); Coulter v. Bank of America, 28 Cal.App.4th 923, 930, 33 Cal. Rptr.2d 766 (1994) (full-text).
  38. The Transportation, Treasury, Independent Agencies and General Government Appropriations Act of 2005 applies to the Department of Transportation, Department of the Treasury, Executive Office of the President, Architectural and Transportation Barriers Compliance Board, Election Assistance Commission, Federal Election Commission, Federal Labor Relations Authority, Federal Maritime Commission, General Services Administration, Merit Systems Protection Board, Morris K. Udall Scholarship and Excellence in National Environmental Policy Foundation, National Archives and Records Administration, National Historical Publications and Records Commission, National Transportation Safety Board, Office of Government Ethics, Office of Personnel Management, Office of Special Counsel, U.S. Postal Service, and U.S. Tax Court.
  39. This law grants the Privacy and Civil Liberties Oversight Board authority to require any other agency or element of the executive branch to establish a privacy and civil liberties officer. Further, this law specifies that if covered agencies have another statutorily designated privacy officer, this officer must also undertake the responsibilities described in the Act.
  40. See Protecting Personal Information: A Guide for Business. For example, the FTC has found violations of Section 5 of the FTC Act because a company's privacy practices were false and misleading (see, e.g., In re Gateway Learning Corp, 2004 WL 1632833 (FTC July 7, 2004); In re GeoCities, 1998 WL 473217 (FTC Aug. 13, 1998)), and for failure to implement reasonable and appropriate measures to protect personal information (see, e.g., In re Life Is Good, Inc., 2008 WL 258309 (FTC Jan. 17, 2008); In re Petco Animal Supplies, Inc., 2004 WL 2682593 (FTC Nov. 8, 2004); In re MTS, Inc. d/b/a/ Tower Records/Books/Video, 2004 WL 963226 (FTC Apr. 21, 2004); In re Guess?, Inc., 2003 WL 21406017 (FTC June 18, 2003); In re Eli Lilly, 133 F.T.C. 20 (2002)). The FTC also has found violations of Section 5 and the Gramm-Leach-Bliley Act for failure to provide reasonable and appropriate security for consumers' sensitive personal information (see, e.g., In re Goal Financial, LLC, 2008 WL 625340 (FTC Mar. 4, 2008); In re Premier Capital Lending, Inc., 2008 WL 4892987 (FTC Nov. 6, 2008).
  41. 47 U.S.C §§222, 551.
  42. 18 U.S.C. §§2510–2521 (protecting against acquisition of the content of communications without the consent of one of the parties to the communication).
  43. See In re DoubleClick, Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001) (full-text); see also Cybertelecom, "Electronic Communications Privacy Act (ECPA)" (full-text) (explaining the ECPA).
  44. 15 U.S.C. §6801 et seq.
  45. For example, a cable operator must inform its subscribers what personally identifiable information it collects, how it is used and for how long it is kept, and the cable operator may not disclose such information without the prior consent of the subscriber. See 47 U.S.C. §551. Similarly, customers of telecommunications carriers have statutory protections against the non-consensual disclosure of information about the telecommunications service or habits of the customer, such as to or from whom the customer makes or receives calls, call location (if mobile), and the times that calls are made. See 47 U.S.C. §222. Although privacy protections exist for traditional services and have even been applied to newer services like interconnected VoIP (see 47 C.F.R. §64.2003(k)), it is unclear whether, and to what extent, these protections apply to broadband ISPs. See, e.g., Klimas v. Comcast Cable, Inc., 465 F.3d 271, 276 (6th Cir. 2006) (full-text) (finding that section 631 does not apply to the broadband ISP services offered by a cable operator).

Source[]

See also[]