2.1.2 PRIVACY LAW AND REGULATIONS
Many countries have regulated privacy protections through national laws—often with reference to or based on the fair information practice principles. We provide an overview of those laws with a specific emphasis on the U.S. and Europe, due to their prominent roles in developing and shaping privacy law and their differing approaches for regulating privacy.
Privacy Law and Regulations in the United States
The U.S. Constitution does not lay out an explicit constitutional right to privacy. However, in a landmark case, Griswold vs. Connecticut 1965,6 the U.S. Supreme Court recognized a constitutional right to privacy, emanating from the First, Third, Fourth, Fifth, and Ninth Amendments of the U.S. Constitution.7 The First Amendment guarantees freedom of worship, speech, press, assembly and petition. Privacy under First Amendment protection usually refers to being unencumbered by the government with respect to one’s views (e.g., being able to speak anonymously or keeping one’s associations private). The Third Amendment provides that troops may not be quartered (i.e., allowed to reside) in private homes without the owner’s consent (an obvious relationship to the privacy of the home). The Ninth Amendment declares that the listing of individual rights is not meant to be comprehensive, i.e., that the people have other rights not specifically mentioned in the Constitution [National Archives]. The right to privacy is primarily anchored in the Fourth and Fifth Amendments [Solove and Rotenberg, 2003].
• Fourth Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
• Fifth Amendment: No person shall be […] compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
In addition, the Fourteenth Amendment’s due process clause has been interpreted to provide a substantive due process right to privacy.8
• Fourteenth Ammendment: No state shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any state deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.
While the U.S. Constitution recognizes an individual right to privacy, the constitution only describes the rights of citizens in relationship to their government, not to other citizens or companies9 [Cate, 1997]. So far, no comprehensive legal privacy framework exists in the United States that equally applies to both governmental and private data processors. Instead, federal privacy law and regulation follows a sectoral approach, addressing specific privacy issues that arise in certain public transactions or industry sectors [Solove and Schwartz, 2015].
Privacy with respect to the government is regulated by the Privacy Act of 1974, which only applies to data processing at the federal level [Gormley, 1992]. The Privacy Act roughly follows the Fair Information Principles set forth in the HEW report (mentioned earlier in this section), requiring government agencies to be transparent about their data collections and to support access rights. It also restricts what information different government agencies can share about an individual and allows citizens to sue the government for violating these provisions. Additional laws regulate data protection in other interactions with the government, such as the Driver’s Privacy Protection Act (DPPA) of 1994, which restricts states in disclosing or selling personal information from motor vehicle records, or the Electronic Communications Privacy Act (ECPA) of 1986, which extended wiretapping protections to electronic communication.
Privacy regulation in the private sector is largely based on self-regulation, i.e., industry associations voluntarily enact self-regulations for their sector to respect the privacy of their customers. In addition, federal or state privacy laws are passed for specific industry sectors in which privacy problems emerge. For instance, the Family Educational Rights and Privacy Act (FERPA) of 1974 regulates student privacy in schools and universities; and the Children’s Online Privacy Protection Act (COPPA) of 1998 restricts information collection and use by websites and online services for children under age 13.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 gives the Department of Health and Human Services rule making authority regarding the privacy of medical records. The HIPAA Privacy Rule requires privacy notices to patients, patient authorization for data processing and sharing, limits data processing to what is necessary for healthcare, gives patients data access rights, and prescribes physical and technical safeguards for health records. Commonly, federal privacy laws are amended over time to account for evolving privacy issues. For instance the Genetic Information Nondiscrimination Act (GINA) of 2008 limits the use of genetic information in health insurance and employment decisions.
Privacy in the financial industry is regulated by multiple laws. The Fair Credit Reporting Act (FCRA) of 1970 governs how credit reporting agencies can use consumer information. It has been most recently amended by the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018, which, as a reaction to the 2017 Equifax Data Breach, gave consumers the right to free credit freezes to limit access to their credit reports and thus reduce the risk of identity theft. The Gramm-Leach-Bliley Act (GLBA) of 1999 requires that financial institutions store financial information in a secure manner, provide customers with a privacy notice annually and gives consumers the right to opt-out or limit sharing of personal information with third parties.
The Telephone Consumer Protection Act (TCPA) of 1991 provides remedies from repeat telephone calls by telemarketers and created the national Do Not Call registry.10 The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act of 2003 created penalties for the transmission of unsolicited email and requires that email newsletters and marketing emails must contain an unsubscribe link. The Video Privacy Protection Act (VPPA) of 1988 protects the privacy of video rental records.
Those federal privacy laws are further complemented by state laws. For instance, many states have passed RFID-specific legislation that prohibits unauthorized reading of RFID-enabled cards and other devices (e.g., the state of Washington’s Business Regulation Chapter 19.300 [Washington State Legislature, 2009]). The state of Delaware enacted four privacy laws in 2015, namely the Online and Personal Privacy Protection Act (DOPPA), the Student Data Privacy Protection Act (SDPPA), the Victim Online Privacy Act (VOPA), and the Employee/Applicant Protection for Social Media Act (ESMA).
One of the more well-known state privacy laws is California’s Online Privacy Protection Act (CalOPPA) of 2004, which poses transparency requirements, including the posting of a privacy policy, for any website or online service that collects and maintains personally identifiable information from a consumer residing in California. Because California is the most populous U.S. state with a large consumer market and due to the difficulty of reliably determining