Tuesday, 5 November 2013

PRIVACY LAW (U.S.A)

Privacy law refers to the laws that regulate the collection, storage, and use of personal information about individuals by governments and by other public and private organizations.
Privacy laws are considered in the context of an individual’s privacy rights or reasonable expectation of privacy.

Classification of privacy laws


Privacy laws can be broadly classified into:
  • General privacy laws, which have an overall bearing on the personal information of individuals and affect the policies that govern many different areas of information.
  • Specific privacy laws, which are designed to regulate specific types of information.

Some examples of specific privacy laws include:
  • Health privacy laws 
  • Financial privacy laws 
  • Online privacy laws 
  • Communication privacy laws 
  • Information privacy laws
  • Privacy in one’s home 

International Legal Standards on Privacy


Article 8 of the European Convention on Human Rights, which was drafted and adopted by the Council of Europe in 1950 and now covers the whole European continent except for Belarus and Kosovo, protects the right to respect for private life: “Everyone has the right to respect for his private and family life, his home and his correspondence.” Through the extensive case law of the European Court of Human Rights in Strasbourg, privacy has been defined and its protection has been established as a positive right of everyone.

Article 17 of the International Covenant on Civil and Political Rights of the United Nations of 1966 also protects privacy: “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

United States


Data privacy is not highly legislated or regulated in the U.S. Access to private data contained in, for example, third-party credit reports may be sought when seeking employment or medical care, or when making automobile, housing, or other purchases on credit terms. Although partial regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data in the U.S. In general terms, whoever can be troubled to key in the data is deemed to own the right to store and use it, even if the data were collected without permission. For instance, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Children’s Online Privacy Protection Act of 1998 (COPPA), and the Fair and Accurate Credit Transactions Act of 2003 (FACTA) are all examples of U.S. federal laws with provisions which tend to favor information flow efficiencies and operational profits over the rights of individuals to control their own personal data.

The Supreme Court interpreted the Constitution to grant a right of privacy to individuals in Griswold v. Connecticut. Very few states, however, recognize an individual’s right to privacy, a notable exception being California. An inalienable right to privacy is enshrined in the California Constitution’s article 1, section 1, and the California legislature has enacted several pieces of legislation aimed at protecting this right. The California Online Privacy Protection Act (OPPA) of 2003 requires operators of commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site and to comply with its policy.

The safe harbor arrangement was developed by the United States Department of Commerce in order to provide a means for U.S. companies to demonstrate compliance with European Commission directives and thus to simplify relations between them and European businesses.

HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. HIPAA is also known as the Kennedy-Kassebaum Health Insurance Portability and Accountability Act (HIPAA, Public Law 104-191), effective August 21, 1996. The basic idea of HIPAA is that an individual who is a subject of individually identifiable health information should have:
  • Established procedures for the exercise of individual health information privacy rights.
  • The use and disclosure of individual health information should be authorized or required.

One difficulty with HIPAA is that there must be a mechanism to authenticate the patient who demands access to his/her data. As a result, medical facilities have begun to ask for Social Security Numbers from patients, thus arguably decreasing privacy by simplifying the act of correlating health records with other records. The issue of consent is problematic under HIPAA, because the medical providers simply make care contingent upon agreeing to the privacy standards in practice.

FCRA


The Fair Credit Reporting Act applies the principles of the Code of Fair Information Practice to credit reporting agencies. The FCRA allows individuals to opt out of unwanted credit offers:
  • Equifax (888) 567-8688 Equifax Options, P.O. Box 740123 Atlanta GA 30374-0123. 
  • Experian (800) 353-0809 or (888) 5OPTOUT P.O. Box 919, Allen, TX 75013 
  • Trans Union (800) 680-7293 or (888) 5OPTOUT P.O. Box 97328, Jackson, MS 39238.

Because of the Fair and Accurate Credit Transactions Act, each person can obtain a free annual credit report.


The Fair Credit Reporting Act has been effective in preventing the proliferation of specious so-called private credit guides. Previously, private credit guides offered detailed, if unreliable, information on easily identifiable individuals. Before the Fair Credit Reporting Act, salacious unsubstantiated material could be included; in fact, gossip was widely included in credit reports. EPIC has an FCRA page. The Consumer Data Industry Association, which represents the consumer reporting industry, also has a Web site with FCRA information.


The Fair Credit Reporting Act provides consumers the ability to view, correct, contest, and limit the uses of credit reports. The FCRA also protects the credit agency from the charge of negligent release in the case of misrepresentation by the requester. Credit agencies must ask the requester the purpose of a requested information release, but need make no effort to verify the truth of the requester’s assertions. In fact, the courts have ruled that “The Act clearly does not provide a remedy for an illicit or abusive use of information about consumers” (Henry v. Forbes, 1976). It is widely believed that ChoicePoint was created by Equifax in order to avoid the FCRA, at which time the parent company copied all its records to its newly created subsidiary. ChoicePoint is not a credit reporting agency, and thus the FCRA does not apply.


The Fair Debt Collection Practices Act similarly limits dissemination of information about a consumer’s financial transactions. It prevents creditors or their agents from disclosing the fact that an individual is in debt to a third party, although it allows creditors and their agents to attempt to obtain information about a debtor’s location. It limits the actions of those seeking payment of a debt. For example, debt collection agencies are prohibited from harassment or contacting individuals at work. The Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (which actually gutted consumer protections, for example in cases of bankruptcy resulting from medical costs) limited some of these controls on debtors.

ECPA


The Electronic Communications Privacy Act (ECPA) establishes criminal sanctions for interception of electronic communication. However, the loopholes are so large as to render the Act effectively meaningless. For example, consent to any reading of electronic communications can be implied by accepting employment with an organization that practices surveillance against its employees.

Computer Security, Privacy and Criminal Law


The following summarizes some of the laws, regulations and directives related to the protection of information systems:
In the US, additional statutes cover various types of private information. For example, the Family Educational Rights and Privacy Act (FERPA), enacted in 1974, requires parent or adult student consent to access student records for most purposes.

Several US federal agencies have privacy statutes that cover their collection and use of private information. These include the Census Bureau, the Internal Revenue Service, and the National Center for Education Statistics (under the Education Sciences Reform Act). In addition, the CIPSEA statute protects confidentiality of data collected by federal statistical agencies.
